
ISACA Glossary of Terms

Term Definition
Abend: An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing

Acceptable interruption window: The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives

Acceptable use policy: A policy that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet

Access control: The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

Access control list (ACL): An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals

Scope Note: Also referred to as access control tables

Access control table: An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals
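An added example, not part of the ISACA glossary, of how an access control table of the kind defined above is evaluated in practice: an ordered list of rules keyed by logon ID and terminal, first matching rule wins, and a request that matches no rule is denied. The rule set, logon IDs, terminal names and resource name are constructed for illustration.

```go
package main

import "fmt"

// Decision is the outcome recorded in an access rule.
type Decision string

const (
	Allow Decision = "allow"
	Deny  Decision = "deny"
)

// Rule is one row of a (constructed, illustrative) access control table:
// which logon ID, from which terminal, may perform which action on a resource.
// A "*" in a column matches any value.
type Rule struct {
	LogonID  string
	Terminal string
	Resource string
	Action   string
	Decision Decision
}

// ACL is an ordered table of rules. Order matters: the first rule that
// matches the request decides it, so specific denies are listed first.
type ACL []Rule

func match(pattern, value string) bool {
	return pattern == "*" || pattern == value
}

// Check evaluates an access request against the table. A request that
// matches no rule is denied: the table is default-deny.
func (a ACL) Check(logonID, terminal, resource, action string) Decision {
	for _, r := range a {
		if match(r.LogonID, logonID) && match(r.Terminal, terminal) &&
			match(r.Resource, resource) && match(r.Action, action) {
			return r.Decision
		}
	}
	return Deny
}

// PayrollACL is sample data constructed for this example.
var PayrollACL = ACL{
	// A terminal in the public lobby may never touch payroll data, whoever
	// is logged on. This deny comes first so no later allow can shadow it.
	{LogonID: "*", Terminal: "TERM-LOBBY", Resource: "payroll.db", Action: "*", Decision: Deny},
	// An HR clerk may read payroll data from any other terminal.
	{LogonID: "jsmith", Terminal: "*", Resource: "payroll.db", Action: "read", Decision: Allow},
	// The payroll administrator may write, but only from the payroll office terminal.
	{LogonID: "payadm", Terminal: "TERM-PAY01", Resource: "payroll.db", Action: "write", Decision: Allow},
}

func main() {
	requests := []struct{ id, term, res, act string }{
		{"jsmith", "TERM-PAY02", "payroll.db", "read"},  // allow: rule 2
		{"jsmith", "TERM-LOBBY", "payroll.db", "read"},  // deny: rule 1 matches first
		{"jsmith", "TERM-PAY02", "payroll.db", "write"}, // deny: no matching rule
		{"payadm", "TERM-PAY01", "payroll.db", "write"}, // allow: rule 3
		{"payadm", "TERM-PAY02", "payroll.db", "write"}, // deny: wrong terminal
	}
	for _, q := range requests {
		fmt.Printf("%-7s %-10s %-10s %-5s -> %s\n", q.id, q.term, q.res, q.act,
			PayrollACL.Check(q.id, q.term, q.res, q.act))
	}
}
```

The two properties an auditor looks for in such a table are visible in the code: the evaluation is default-deny, and rule order is part of the policy, so a review must check that no broad allow precedes a narrower deny.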
Access method: The technique used for selecting records in a file, one at a time, for processing, retrieval or storage

The access method is related to, but distinct from, the file organization, which determines how the records are stored.

Access path: The logical route that an end user takes to access computerized information

Scope Note: Typically includes a route through the operating system, telecommunications software, selected application software and the access control system

Access rights: The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

Access server: Provides centralized access control for managing remote access dial-up services

Accountability: The ability to map a given activity or event back to the responsible party

Accountability of governance: Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans. In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.

Scope Note: COBIT 5 perspective

Accountable party: The individual, group or entity that is ultimately responsible for a subject matter, process or scope

Scope Note: Within the IT Assurance Framework (ITAF), the term "management" is equivalent to "accountable party."
2015 ISACA All rights reserved. Page 1 of 103 ISACA Glossary of Terms
Acknowledgment (ACK): A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly by the receiver without errors, or that the receiver is now ready to accept a transmission

Active recovery site (Mirrored): A recovery strategy that involves two active sites, each capable of taking over the other's workload in the event of a disaster

Scope Note: Each site will have enough idle processing power to restore data from the other site and to accommodate the excess workload in the event of a disaster.

Active response: A response in which the system either automatically, or in concert with the user, blocks or otherwise affects the progress of a detected attack

Scope Note: Takes one of three forms: amending the environment, collecting more information or striking back against the user

Activity: The main actions taken to operate the COBIT process

Address: Within computer storage, the code used to designate the location of a specific piece of data

Address space: The number of distinct locations that may be referred to with the machine address

Scope Note: For most binary machines, it is equal to 2^n, where n is the number of bits in the machine address.

Addressing: The method used to identify the location of a participant in a network

Scope Note: Ideally, specifies where the participant is located rather than who they are (name) or how to get there (routing)

Adjusting period: The calendar can contain "real" accounting periods and/or adjusting accounting periods. The "real" accounting periods must not overlap and cannot have any gaps between them. Adjusting accounting periods can overlap with other accounting periods.

Scope Note: For example, a period called DEC-93 can be defined that includes 01-DEC-1993 through 31-DEC-1993. An adjusting period called DEC31-93 can also be defined that includes only one day: 31-DEC-1993 through 31-DEC-1993.

Administrative control: The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies

Advanced Encryption Standard (AES): A public (openly specified) symmetric block cipher, standardized by NIST in FIPS 197, that operates on 128-bit blocks and accepts keys of exactly 128, 192 or 256 bits

Advanced persistent threat (APT): An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP 800-61)

Scope Note: The APT:
1. pursues its objectives repeatedly over an extended period of time
2. adapts to defenders' efforts to resist it
3. is determined to maintain the level of interaction needed to execute its objectives

Adversary: A threat agent

Adware: A software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used

Scope Note: In most cases, this is done without any notification to the user or without the user's consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user's consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and it provides the user with a specific service.

Alert situation: The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The enterprise entering into an alert situation initiates a series of escalation steps.

Alignment: A state where the enablers of governance and management of enterprise IT support the goals and strategies of the enterprise

Scope Note: COBIT 5 perspective

Allocation entry: A recurring journal entry used to allocate revenues or costs

Scope Note: For example, an allocation entry could be defined to allocate costs to each department based on headcount.

Alpha: The use of alphabetic characters or an alphabetic character string

Alternate facilities: Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed

Scope Note: Includes other buildings, offices or data processing centers

Alternate process: Automatic or manual process designed and established to continue critical business processes from point of failure to return to normal

Alternative routing: A service that allows the option of having an alternate route to complete a call when the marked destination is not available

Scope Note: In signaling, alternative routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signaling links or routes of that traffic stream.

American Standard Code for Information Interchange: See ASCII

Amortization: The process of cost allocation that assigns the original cost of an intangible asset to the periods benefited; calculated in the same way as depreciation

Analog: A transmission signal that varies continuously in amplitude and time and is generated in wave formation

Scope Note: Analog signals are used in telecommunications

Analytical technique: The examination of ratios, trends, and changes in balances and other values between periods to obtain a broad understanding of the enterprise's financial or operational position and to identify areas that may require further or closer investigation

Scope Note: Often used when planning the assurance assignment

Anomaly: Unusual or statistically rare

Anomaly detection: Detection that flags system activity because it deviates from an established profile of normal behavior (i.e., it matches what has been defined as abnormal), as opposed to signature-based detection, which flags activity because it matches a known attack pattern
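An added example, not part of the ISACA glossary, of the anomaly detection entry above applied to failed-logon records: a baseline of "normal" failed-logon counts per hour is learned from sample data, each hour of a new day is scored by how many standard deviations it lies from that baseline, and hours beyond a threshold are flagged with no knowledge of any attack signature. The log format, the baseline figures, the 3-sigma threshold and the burst at 03:00 are all constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// baselineFailedLogons is constructed sample data: the number of failed logons
// seen in each hour of a typical day, from which "normal" is learned.
var baselineFailedLogons = []float64{
	3, 5, 4, 6, 2, 5, 4, 3, 6, 5, 4, 5,
	3, 4, 6, 5, 4, 3, 5, 4, 6, 5, 3, 4,
}

// constructedLog builds one day of failed-logon records in a made-up format
// ("<RFC3339 time> FAILED_LOGON user=<id> src=<ip>"): four per hour as
// background noise, plus a burst of forty at 03:00 against one account.
func constructedLog() []string {
	var lines []string
	for h := 0; h < 24; h++ {
		for i := 0; i < 4; i++ {
			lines = append(lines, fmt.Sprintf(
				"2015-03-02T%02d:%02d:00Z FAILED_LOGON user=u%d src=10.0.0.%d", h, i*13, i, 10+i))
		}
	}
	for i := 0; i < 40; i++ {
		lines = append(lines, fmt.Sprintf(
			"2015-03-02T03:%02d:%02dZ FAILED_LOGON user=admin src=203.0.113.7", i%60, (i*7)%60))
	}
	return lines
}

// CountByHour parses the timestamp of each record and counts records per hour.
// Malformed lines are skipped rather than allowed to abort the analysis.
func CountByHour(lines []string) map[int]int {
	counts := make(map[int]int)
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[1] != "FAILED_LOGON" {
			continue
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			continue
		}
		counts[ts.Hour()]++
	}
	return counts
}

func meanStd(xs []float64) (mean, std float64) {
	for _, x := range xs {
		mean += x
	}
	mean /= float64(len(xs))
	for _, x := range xs {
		std += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(std / float64(len(xs)))
}

// ZScore expresses an observation as a number of standard deviations from the
// baseline mean. A baseline with no spread makes any different value extreme.
func ZScore(baseline []float64, observed float64) float64 {
	mean, std := meanStd(baseline)
	if std == 0 {
		if observed == mean {
			return 0
		}
		return math.Copysign(math.Inf(1), observed-mean)
	}
	return (observed - mean) / std
}

// AnomalousHours returns, in ascending order, the hours whose failed-logon count
// lies more than threshold standard deviations from the baseline. Activity is
// flagged because it differs from normal, not because it matches a known signature.
func AnomalousHours(counts map[int]int, baseline []float64, threshold float64) []int {
	var hours []int
	for h, c := range counts {
		if math.Abs(ZScore(baseline, float64(c))) > threshold {
			hours = append(hours, h)
		}
	}
	sort.Ints(hours)
	return hours
}

func main() {
	counts := CountByHour(constructedLog())
	// The 3-sigma threshold is a tuning choice assumed for the example.
	for _, h := range AnomalousHours(counts, baselineFailedLogons, 3) {
		fmt.Printf("hour %02d: %d failed logons (z = %.1f)\n",
			h, counts[h], ZScore(baselineFailedLogons, float64(counts[h])))
	}
}
```

The weakness of this approach is also visible: an attacker who stays within a few failures per hour never exceeds the threshold, and a baseline learned while an attack was already under way would treat the attack as normal, so baselines need to be learned from reviewed, clean data.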
Anonymity: The quality or state of not being named or identified

Antimalware: A technology widely used to prevent, detect and remove many categories of malware, including computer viruses, worms, Trojans, keyloggers, malicious browser plug-ins, adware and spyware

Antivirus software: An application software deployed at multiple points in an IT architecture

It is designed to detect and potentially eliminate virus code before damage is done and repair or quarantine files that have already been infected

Appearance: The act of giving the idea or impression of being or doing something

Appearance of independence: Behavior adequate to meet the situations occurring during audit work (interviews, meetings, reporting, etc.)

Scope Note: An IS auditor should be aware that appearance of independence depends on the perceptions of others and can be influenced by improper actions or associations.

Applet: A program written in a portable, platform-independent computer language, such as Java, JavaScript or Visual Basic

Scope Note: An applet is usually embedded in a HyperText Markup Language (HTML) page downloaded from web servers and then executed by a browser on client machines to run any web-based application (e.g., generate web page input forms, run audio/video programs, etc.). Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers. However, applets expose the user's machine to risk if not properly controlled by the browser, which should not allow an applet to access a machine's information without prior authorization of the user.

Application: A computer program or set of programs that performs the processing of records for a specific function

Scope Note: Contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort

Application acquisition review: An evaluation of an application system being acquired or evaluated, that considers such matters as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is acquired in compliance with the established system acquisition process

Application architecture: Description of the logical grouping of capabilities that manage the objects necessary to process information and support the enterprise's objectives.

Scope Note: COBIT 5 perspective

Application benchmarking: The process of establishing the effective design and operation of automated controls within an application

Application controls: The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved

Application development review: An evaluation of an application system under development that considers matters such as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is developed in compliance with the established system development life cycle process

Application implementation review: An evaluation of any part of an implementation project

Scope Note: Examples include project management, test plans and user acceptance testing (UAT) procedures.

Application layer: In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication with another application program in a network is possible.

Scope Note: The application layer is not the application that is doing the communication; it is a service layer that provides these services.

Application maintenance review: An evaluation of any part of a project to perform maintenance on an application system

Scope Note: Examples include project management, test plans and user acceptance testing (UAT) procedures.

Application or managed service provider (ASP/MSP): A third party that delivers and manages applications and computer services, including security services, to multiple users via the Internet or a private network

Application program: A program that processes business data through activities such as data entry, update or query

Scope Note: Contrasts with systems programs, such as an operating system or network control program, and with utility programs such as copy or sort

Application programming: The act or function of developing and maintaining application programs in production

Application programming interface (API): A set of routines, protocols and tools referred to as "building blocks" used in business application software development

Scope Note: A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system that applications need to specify, for example, when interfacing with the operating system (e.g., provided by Microsoft Windows, different versions of UNIX). A programmer utilizes these APIs in developing applications that can operate effectively and efficiently on the platform chosen.

Application proxy: A service that connects programs running on internal networks to services on exterior networks by creating two connections, one from the requesting client and another to the destination service

Application security: Refers to the security aspects supported by the application, primarily with regard to the roles or responsibilities and audit trails within the applications

Application service provider (ASP): Also known as managed service provider (MSP), it deploys, hosts and manages access to a packaged application to multiple parties from a centrally managed facility.

Scope Note: The applications are delivered over networks on a subscription basis.

Application software tracing and mapping: Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, control conditions and processing sequences

Scope Note: Both the command language or job control statements and programming language can be analyzed. This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons.

Application system: An integrated set of computer programs designed to serve a particular function that has specific input, processing and output activities

Scope Note: Examples include general ledger, manufacturing resource planning and human resource (HR) management.

Architecture: Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectives

Architecture board: A group of stakeholders and experts who are accountable for guidance on enterprise architecture-related matters and decisions, and for setting architectural policies and standards

Scope Note: COBIT 5 perspective

Arithmetic logic unit (ALU): The area of the central processing unit (CPU) that performs mathematical and analytical operations

Artificial intelligence: Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules

ASCII: Representing 128 characters, the American Standard Code for Information Interchange (ASCII) code normally uses 7 bits. However, some variations of the ASCII code set allow 8 bits. This 8-bit ASCII code allows 256 characters to be represented.

Assembler: A program that takes as input a program written in assembly language and translates it into machine code or machine language

Assembly language: A low-level computer programming language which uses symbolic code and produces machine instructions

Assertion: Any formal declaration or set of declarations about the subject matter made by management

Scope Note: Assertions should usually be in writing and commonly contain a list of specific attributes about the subject matter or about a process involving the subject matter.

Assessment: A broad review of the different aspects of a company or function that includes elements not covered by a structured assurance initiative

Scope Note: May include opportunities for reducing the costs of poor quality, employee perceptions on quality aspects, proposals to senior management on policy, goals, etc.

Asset: Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation

Assurance: Pursuant to an accountable relationship between two or more parties, an IT audit and assurance professional is engaged to issue a written communication expressing a conclusion about the subject matters for which the accountable party is responsible. Assurance refers to a number of related activities designed to provide the reader or user of the report with a level of assurance or comfort over the subject matter.

Scope Note: Assurance engagements could include support for audited financial statements, reviews of controls, compliance with required standards and practices, and compliance with agreements, licenses, legislation and regulation.

Assurance engagement: An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the enterprise.

Scope Note: Examples may include financial, performance, compliance and system security engagements

Assurance initiative: An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the enterprise

Scope Note: Examples may include financial, performance, compliance and system security engagements.

Asymmetric key (public key): A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message

Scope Note: See Public key encryption.

Asynchronous Transfer Mode (ATM): A high-bandwidth, low-delay switching and multiplexing technology that allows integration of real-time voice and video as well as data. It is a data link layer protocol.

Scope Note: ATM is a protocol-independent transport mechanism. It allows high-speed data transfer rates, typically 155 Mbit/s (OC-3), with higher rates on faster physical links.

The acronym ATM should not be confused with the alternate usage for ATM, which refers to an automated teller machine.

Asynchronous transmission: Character-at-a-time transmission

Attack: An actual occurrence of an adverse event

Attack mechanism: A method used to deliver the exploit. Unless the attacker is personally performing the attack, an attack mechanism may involve a payload, or container, that delivers the exploit to the target.

Attack vector: A path or route used by the adversary to gain access to the target (asset)

Scope Note: There are two types of attack vectors: ingress and egress (also known as data exfiltration)

Attenuation: Reduction of signal strength during transmission

Attest reporting engagement: An engagement in which an IS auditor is engaged to either examine management's assertion regarding a particular subject matter or the subject matter directly

Scope Note: The IS auditor's report consists of an opinion on one of the following: management's assertion, or the subject matter itself. Reports on the subject matter relate directly to the subject matter rather than to an assertion. In certain situations management will not be able to make an assertion over the subject of the engagement. An example of this situation is when IT services are outsourced to a third party. Management will not ordinarily be able to make an assertion over the controls that the third party is responsible for. Hence, an IS auditor would have to report directly on the subject matter rather than on an assertion.

Attitude: Way of thinking, behaving, feeling, etc.

Attribute sampling: Method to select a portion of a population based on the presence or absence of a certain characteristic

Audit: Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met

Scope Note: May be carried out by internal or external groups

Audit accountability: Performance measurement of service delivery including cost, timeliness and quality against agreed service levels

Audit authority: A statement of the position within the enterprise, including lines of reporting and the rights of access

Audit charter: A document approved by those charged with governance that defines the purpose, authority and responsibility of the internal audit activity

Scope Note: The charter should:
Establish the internal audit function's position within the enterprise
Authorise access to records, personnel and physical properties relevant to the performance of IS audit and assurance engagements
Define the scope of the audit function's activities

Audit engagement: A specific audit assignment or review activity, such as an audit, control self-assessment review, fraud examination or consultancy.

Scope Note: An audit engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.

Audit evidence: The information used to support the audit opinion

Audit expert systems: Expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field

Scope Note: This technique includes automated risk analysis, systems software and control objectives software packages.

Audit objective: The specific goal(s) of an audit

Scope Note: These often center on substantiating the existence of internal controls to minimize business risk.

Audit plan: 1. A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion

Scope Note: Includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work

2. A high-level description of the audit work to be performed in a certain period of time

Audit program: A step-by-step set of audit procedures and instructions that should be performed to complete an audit

Audit responsibility: The roles, scope and objectives documented in the service level agreement (SLA) between management and audit

Audit risk: The risk of reaching an incorrect conclusion based upon audit findings

Scope Note: The three components of audit risk are:
Control risk
Detection risk
Inherent risk

Audit sampling: The application of audit procedures to less than 100 percent of the items within a population to obtain audit evidence about a particular characteristic of the population

Audit subject matter risk: Risk relevant to the area under review:
Business risk (customer capability to pay, creditworthiness, market factors, etc.)
Contract risk (liability, price, type, penalties, etc.)
Country risk (political, environment, security, etc.)
Project risk (resources, skill set, methodology, product stability, etc.)
Technology risk (solution, architecture, hardware and software infrastructure network, delivery channels, etc.)

Scope Note: See inherent risk

Audit trail: A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source

Audit universe: An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process

Scope Note: Traditionally, the list includes all financial and key operational systems as well as other units that would be audited as part of the overall cycle of planned work. The audit universe serves as the source from which the annual audit schedule is prepared. The universe will be periodically revised to reflect changes in the overall risk profile.

Auditability: The level to which transactions can be traced and audited through a system

Auditable unit: Subjects, units or systems that are capable of being defined and evaluated

Scope Note: Auditable units may include:
Policies, procedures and practices
Cost centers, profit centers and investment centers
General ledger account balances
Information systems (manual and computerized)
Major contracts and programs
Organizational units, such as product or service lines
Functions, such as information technology (IT), purchasing, marketing, production, finance, accounting and human resources (HR)
Transaction systems for activities, such as sales, collection, purchasing, disbursement, inventory and cost accounting, production, treasury, payroll, and capital assets
Financial statements
Laws and regulations

Auditor's opinion: A formal statement expressed by the IS audit/assurance professional that describes the scope of the audit, the procedures used to produce the report and whether or not the findings support that the audit criteria have been met.

Scope Note: The types of opinions are:
Unqualified opinion: Notes no exceptions or none of the exceptions noted aggregate to a significant deficiency
Qualified opinion: Notes exceptions aggregated to a significant deficiency (but not a material weakness)
Adverse opinion: Notes one or more significant deficiencies aggregating to a material weakness

Authentication: 1. The act of verifying identity (i.e., user, system)

Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

2. The act of verifying the identity of a user and the user's eligibility to access computerized information

Scope Note: Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.

Authenticity: Undisputed authorship

Automated application controls: Controls that have been programmed and embedded within an application

Availability: Ensuring timely and reliable access to and use of information

Awareness: Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly

Backdoor: A means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions

Backbone: The main communication channel of a digital network. The part of a network that handles the major traffic

Scope Note: Employs the highest-speed transmission paths in the network and may also run the longest distances. Smaller networks are attached to the backbone, and networks that connect directly to the end user or customer are called "access networks." A backbone can span a geographic area of any size from a single building to an office complex to an entire country. Or, it can be as small as a backplane in a single cabinet.

Backup: Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service

Backup center: An alternate facility to continue IT/IS operations when the primary data processing (DP) center is unavailable

Badge: A card or other device that is presented or displayed to obtain access to an otherwise restricted facility, as a symbol of authority (e.g., the police), or as a simple means of identification

Scope Note: Also used in advertising and publicity

Balanced scorecard (BSC): Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives

Bandwidth: The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bits per second or Hertz (cycles per second).

Bar code: A printed machine-readable code that consists of parallel bars of varied width and spacing

Base case: A standardized body of data created for testing purposes

Scope Note: Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.

Baseband: A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division and usually utilize a transceiver

Scope Note: The entire bandwidth of the transmission medium (e.g., coaxial cable) is utilized for a single channel.

Baseline architecture: The existing description of the fundamental underlying design of the components of the business system before entering a cycle of architecture review and redesign

Scope Note: COBIT 5 perspective

Bastion: System heavily fortified against attacks

Batch control: Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage

Scope Note: There are two main forms of batch controls: sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed; and control total, which is a total of the values in selected fields within the transactions.
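An added example, not part of the ISACA glossary, implementing both forms of batch control named in the Scope Note above: sequence control (every record number from 1 to the declared count must be present exactly once) and control totals (record count and the sum of the amount field must agree with the batch header). The record layout, the header fields and the two sample batches are constructed for the example.

```go
package main

import "fmt"

// Record is one transaction in an input batch. Amounts are in cents so that
// the control total is an exact integer sum (constructed record format).
type Record struct {
	Seq    int
	Amount int64
}

// Batch pairs the records with the figures declared on the batch header
// when the batch was prepared; the checks compare the two.
type Batch struct {
	Records       []Record
	ExpectedCount int
	ExpectedTotal int64
}

// SequenceErrors implements sequence control: every number from 1 to the
// declared count must appear exactly once, so a lost or duplicated record
// is reported by number.
func SequenceErrors(b Batch) []string {
	seen := make(map[int]int)
	for _, r := range b.Records {
		seen[r.Seq]++
	}
	var errs []string
	for n := 1; n <= b.ExpectedCount; n++ {
		switch seen[n] {
		case 0:
			errs = append(errs, fmt.Sprintf("missing record %d", n))
		case 1:
		default:
			errs = append(errs, fmt.Sprintf("record %d appears %d times", n, seen[n]))
		}
	}
	return errs
}

// ControlTotalErrors implements control totals: the record count and the sum
// of the amount field must equal the figures on the batch header.
func ControlTotalErrors(b Batch) []string {
	var errs []string
	if len(b.Records) != b.ExpectedCount {
		errs = append(errs, fmt.Sprintf("record count mismatch: header %d, got %d",
			b.ExpectedCount, len(b.Records)))
	}
	var sum int64
	for _, r := range b.Records {
		sum += r.Amount
	}
	if sum != b.ExpectedTotal {
		errs = append(errs, fmt.Sprintf("control total mismatch: header %d, computed %d",
			b.ExpectedTotal, sum))
	}
	return errs
}

// Validate runs both checks; an empty result means the batch may be processed.
func Validate(b Batch) []string {
	return append(SequenceErrors(b), ControlTotalErrors(b)...)
}

// GoodBatch and BadBatch are constructed sample data. BadBatch has lost
// record 3 in transit and had record 4's amount altered from 4200 to 4250.
var GoodBatch = Batch{
	Records: []Record{
		{Seq: 1, Amount: 1000}, {Seq: 2, Amount: 2500},
		{Seq: 3, Amount: 750}, {Seq: 4, Amount: 4200},
	},
	ExpectedCount: 4,
	ExpectedTotal: 8450,
}

var BadBatch = Batch{
	Records: []Record{
		{Seq: 1, Amount: 1000}, {Seq: 2, Amount: 2500}, {Seq: 4, Amount: 4250},
	},
	ExpectedCount: 4,
	ExpectedTotal: 8450,
}

func main() {
	fmt.Printf("good batch findings: %v\n", Validate(GoodBatch))
	fmt.Printf("bad batch findings:  %v\n", Validate(BadBatch))
}
```

Note what each control does and does not catch: the sequence check names the lost record, while the control total reveals that an amount changed but not which one; an altered amount offset by an equal and opposite change elsewhere passes the total and needs a hash total or per-record check to detect.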

Batch processing: The processing of a group of transactions at the same time

Scope Note: Transactions are collected and processed against the master files at a specified time.

Baud rate: The signaling rate of a telecommunications line, expressed in signal changes (symbols) per second. It equals bits per second (bps) only when each symbol carries a single bit; modulation schemes that carry several bits per symbol give a bit rate higher than the baud rate.

Benchmark: A test that has been designed to evaluate the performance of a system

Scope Note: In a benchmark test, a system is subjected to a known workload and the performance of the system against this workload is measured. Typically, the purpose is to compare the measured performance with that of other systems that have been subject to the same benchmark test.

Benchmarking: A systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business

Scope Note: Examples include benchmarking of quality, logistic efficiency and various other metrics.

Benefit: In business, an outcome whose nature and value (expressed in various ways) are considered advantageous by an enterprise

Benefits realization: One of the objectives of governance. The bringing about of new benefits for the enterprise, the maintenance and extension of existing forms of benefits, and the elimination of those initiatives and assets that are not creating sufficient value

Scope Note: COBIT 5 perspective

Binary code: A code whose representation is limited to 0 and 1

Biometric locks: Door and entry locks that are activated by such biometric features as voice, eye retina, fingerprint or signature

Biometrics: A security technique that verifies an individual's identity by analyzing a unique physical attribute, such as a handprint

Bit-stream image: Bit-stream backups, also referred to as mirror image backups, involve the backup of all areas of a computer hard disk drive or other type of storage media.

Scope Note: Such backups exactly replicate all sectors on a given storage device including all files and ambient data storage areas.

Black box testing: A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code internals

Block cipher: A public (openly specified) algorithm that encrypts plaintext in fixed-size blocks (strings or groups) of bits, for example 128-bit blocks in AES, rather than bit by bit or byte by byte as a stream cipher does
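An added example, not part of the ISACA glossary, covering the Advanced Encryption Standard (AES) entry and the Block cipher entry above with Go's standard library. It shows that the library accepts only the three AES key sizes (128, 192 and 256 bits), that the raw block cipher transforms exactly one 16-byte block and does so deterministically (which is why a block cipher is used through a mode of operation, never on its own), and AES in GCM mode as the way a message is actually protected, including detection of a tampered ciphertext. The key, message and associated data are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyAccepted reports whether the standard library's AES implementation will
// take a key of this length; it accepts exactly 16, 24 and 32 bytes
// (128, 192 and 256 bits) and nothing in between.
func KeyAccepted(keyLen int) bool {
	_, err := aes.NewCipher(make([]byte, keyLen))
	return err == nil
}

// EncryptBlock applies the raw block cipher to exactly one 16-byte block.
// This is the primitive the glossary entry describes, not a way to encrypt a
// message: with the same key, equal input blocks always give equal output.
func EncryptBlock(key, block []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(block) != c.BlockSize() {
		return nil, fmt.Errorf("block must be %d bytes, got %d", c.BlockSize(), len(block))
	}
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, block)
	return out, nil
}

// Seal encrypts and authenticates msg with AES-GCM under a fresh random nonce.
// Output layout: nonce || ciphertext || tag. aad is authenticated but not encrypted.
func Seal(key, msg, aad []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(c)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, msg, aad), nil
}

// Open reverses Seal and fails if any bit of nonce, ciphertext, tag or aad changed.
func Open(key, sealed, aad []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(c)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:g.NonceSize()], sealed[g.NonceSize():]
	return g.Open(nil, nonce, ct, aad)
}

func main() {
	for _, n := range []int{16, 20, 24, 32} {
		fmt.Printf("%3d-bit key accepted: %v\n", n*8, KeyAccepted(n))
	}
	key := bytes.Repeat([]byte{0x42}, 32) // fixed 256-bit key, for the demonstration only
	b1, _ := EncryptBlock(key, bytes.Repeat([]byte("A"), 16))
	b2, _ := EncryptBlock(key, bytes.Repeat([]byte("A"), 16))
	fmt.Printf("raw block cipher is deterministic: %v\n", bytes.Equal(b1, b2))

	aad := []byte("msg-id:17")
	sealed, _ := Seal(key, []byte("transfer 100.00 to acct 4471"), aad)
	pt, err := Open(key, sealed, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(key, sealed, aad)
	fmt.Printf("after tampering: err=%v\n", err)
}
```

Two points the glossary definitions do not state but a practitioner relies on: the key size changes the number of rounds, not the 128-bit block size, and GCM nonces must never repeat under the same key, which is why Seal draws a fresh one from the system random source for every message.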
Botnet: A term derived from "robot network"; a large automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as a denial-of-service attack on selected victims

Boundary: Logical and physical controls to define a perimeter between the organization and the outside world

Bridge: Data link layer device developed in the early 1980s to connect local area networks (LANs) or create two separate LAN or wide area network (WAN) network segments from a single segment to reduce collision domains

Scope Note: A bridge acts as a store-and-forward device in moving frames toward their destination. This is achieved by analyzing the MAC header of a frame, which carries the hardware address of a NIC.

Bring your own device (BYOD): An enterprise policy used to permit partial or full integration of user-owned mobile devices for business purposes

Broadband: Multiple channels are formed by dividing the transmission medium into discrete frequency segments.

Scope Note: Broadband generally requires the use of a modem.

Broadcast: A method to distribute information to multiple recipients simultaneously

Brouter: Device that performs the functions of both a bridge and a router

Scope Note: A brouter operates at both the data link and the network layers. It connects same data link type LAN segments as well as different data link ones, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a different data link type network based on the network protocol address. When connecting same data link type networks, it is as fast as a bridge and is able to connect different data link type networks.

Browser: A computer program that enables the user to retrieve information that has been made publicly available on the Internet; also, that permits multimedia (graphics) applications on the World Wide Web

Brute force: A class of algorithms that repeatedly try all possible combinations until a solution is found

Brute force attack: Repeatedly trying all possible combinations of passwords or encryption keys until the correct one is found
Budget Estimatedcostandrevenueamountsforagivenrangeofperiodsandsetofbooks

ScopeNote:Therecanbemultiplebudgetversionsforthesamesetofbooks.
Budgetformula Amathematicalexpressionusedtocalculatebudgetamountsbasedonactualresults,otherbudget
amountsandstatistics.

ScopeNote:Withbudgetformulas,budgetsusingcomplexequations,calculationsandallocations
canbeautomaticallycreated.
Budgethierarchy Agroupofbudgetslinkedtogetheratdifferentlevelssuchthatthebudgetingauthorityofalower
levelbudgetiscontrolledbyanupperlevelbudget
Budgetorganization Anentity(department,costcenter,divisionorothergroup)responsibleforenteringand
maintaining budget data
maintainingbudgetdata
Buffer Memoryreservedtotemporarilyholddatatooffsetdifferencesbetweentheoperatingspeedsof
differentdevices,suchasaprinterandacomputer

ScopeNote:Inaprogram,buffersarereservedareasofrandomaccessmemory(RAM)thathold
datawhiletheyarebeingprocessed.

Buffer overflow: Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold

Scope Note: Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

Bulk data transfer: A data recovery strategy that includes a recovery from complete backups that are physically shipped offsite once a week

Scope Note: Specifically, logs are batched electronically several times daily, and then loaded into a tape library located at the same facility as the planned recovery.

Bus: Common path or channel between hardware devices

Scope Note: Can be located between components internal to a computer or between external computers in a communication network.

Bus configuration: All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes.

Scope Note: This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a connector to make a longer cable for more computers to join the network. A repeater can also be used to extend a bus configuration.

Business balanced scorecard: A tool for managing organizational strategy that uses weighted measures for the areas of financial performance (lag) indicators, internal operations, customer measurements, learning and growth (lead) indicators, combined to rate the enterprise

Business case: Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle

Business continuity: Preventing, mitigating and recovering from disruption

Scope Note: The terms "business resumption planning," "disaster recovery planning" and "contingency planning" also may be used in this context; they focus on recovery aspects of continuity, and for that reason the "resilience" aspect should also be taken into account.

COBIT 5 perspective

Business continuity plan (BCP): A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems

Business control: The policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected

Business dependency assessment: A process of identifying resources critical to the operation of a business process

Business function: An activity that an enterprise does, or needs to do, to achieve its objectives

Business goal: The translation of the enterprise's mission from a statement of intention into performance targets and results

Business impact: The net effect, positive or negative, on the achievement of business objectives

Business impact analysis (BIA): A process to determine the impact of losing the support of any resource

Scope Note: The BIA assessment study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision.

Business impact analysis/assessment (BIA): Evaluating the criticality and sensitivity of information assets

An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system

Scope Note: This process also includes addressing:
Income loss
Unexpected expense
Legal issues (regulatory compliance or contractual)
Interdependent processes
Loss of public reputation or public confidence

Business interruption: Any event, whether anticipated (i.e., public service strike) or unanticipated (i.e., blackout), that disrupts the normal course of business operations at an enterprise

Business Model for Information Security (BMIS): A holistic and business-oriented model that supports enterprise governance and management information security, and provides a common language for information security professionals and business management

Business objective: A further development of the business goals into tactical targets and desired results and outcomes

Business process: An interrelated set of cross-functional activities or events that result in the delivery of a specific product or service to a customer

Business process control: The policies, procedures, practices and organizational structures designed to provide reasonable assurance that a business process will achieve its objectives.

Scope Note: COBIT 5 perspective

Business process integrity: Controls over the business processes that are supported by the enterprise resource planning system (ERP)

Business process owner: The individual responsible for identifying process requirements, approving process design and managing process performance

Scope Note: Must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities

Business process reengineering (BPR): The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings

Business risk: A probable situation with uncertain frequency and magnitude of loss (or gain)

Business service provider (BSP): An application service provider (ASP) that also provides outsourcing of business processes such as payment processing, sales order processing and application development

Business sponsor: The individual accountable for delivering the benefits and value of an IT-enabled business investment program to the enterprise

Business-to-business: Transactions in which the acquirer is an enterprise or an individual operating in the ambits of his/her professional activity. In this case, laws and regulations related to consumer protection are not applicable.

Scope Note: The contract's general terms should be communicated to the other party and specifically approved. Some companies require the other party to fill out check boxes where there is a description such as "I specifically approve the clauses." This is not convincing; the best solution is the adoption of a digital signature scheme, which allows the approval of clauses and terms with the nonrepudiation condition.

Business-to-consumer: Selling processes in which the involved parties are the enterprise, which offers goods or services, and a consumer. In this case there is comprehensive legislation that protects the consumer.

Scope Note: Comprehensive legislation includes:
Regarding contracts established outside the merchant's property (such as the right to end the contract with full refund or the return policy for goods)
Regarding distance contracts (such as rules that establish how a contract should be written, specific clauses and the need to transmit it to the consumer and approve it)
Regarding electronic form of the contract (such as on the Internet, the possibility for the consumer to exit from the procedure without having his/her data recorded)

Business-to-consumer e-commerce (B2C): Refers to the processes by which enterprises conduct business electronically with their customers and/or public at large using the Internet as the enabling technology

Bypass label processing (BLP): A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system.

Cadbury: The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was chaired by Sir Adrian Cadbury and produced a report on the subject commonly known in the UK as the Cadbury Report.

Capability: An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential, or is required, to contribute to a business outcome and to create value

Capability Maturity Model (CMM): 1. Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.

2. CMM for software, from the Software Engineering Institute (SEI), is a model used by many enterprises to identify best practices useful in helping them assess and increase the maturity of their software development processes

Scope Note: CMM ranks software development enterprises according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes and the standards for level five describe the most mature or quality processes.

A maturity model that indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives

A collection of instructions that an enterprise can follow to gain better control over its software

Capacity stress testing: Testing an application with large quantities of data to evaluate its performance during peak periods. Also called volume testing

Capital expenditure/expense (CAPEX): An expenditure that is recorded as an asset because it is expected to benefit more than the current period. The asset is then depreciated or amortized over the expected useful life of the asset.

Card swipe: A physical control technique that uses a secured card or ID to gain access to a highly sensitive location.

Scope Note: If built correctly, card swipes act as a preventive control over physical access to those sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs all card users who try to access the secured location. The card swipe device prevents unauthorized access and logs all attempts to enter the secured location.

Cathode ray tube (CRT): A vacuum tube that displays data by means of an electron beam striking the screen, which is coated with suitable phosphor material, or a device similar to a television screen on which data can be displayed

Central processing unit (CPU): Computer hardware that houses the electronic circuits that control/direct all operations of the computer system

Centralized data processing: Identified by one central processor and databases that form a distributed processing configuration

Certificate (Certification) authority (CA): A trusted third party that serves authentication infrastructures or enterprises and registers entities and issues them certificates

Certificate revocation list (CRL): An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility

Scope Note: The CRL details digital certificates that are no longer valid. The time gap between two updates is very critical and is also a risk in digital certificates verification.

Certification practice statement (CPS): A detailed set of rules governing the certificate authority's operations. It provides an understanding of the value and trustworthiness of certificates issued by a given certificate authority (CA).

Scope Note: In terms of the controls that an enterprise observes, the method it uses to validate the authenticity of certificate applicants and the CA's expectations of how its certificates may be used

Chain of custody: A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law.

Scope Note: Includes documentation as to who had access to the evidence and when, as well as the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence, so it cannot be changed, and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering.

Challenge/response token: A method of user authentication that is carried out through use of the Challenge Handshake Authentication Protocol (CHAP)

Scope Note: When a user tries to log into the server using CHAP, the server sends the user a "challenge," which is a random value. The user enters a password, which is used as an encryption key to encrypt the "challenge" and return it to the server. The server is aware of the password. It, therefore, encrypts the "challenge" value and compares it with the value received from the user. If the values match, the user is authenticated. The challenge/response activity continues throughout the session and this protects the session from password sniffing attacks. In addition, CHAP is not vulnerable to "man-in-the-middle" attacks because the challenge value is a random value that changes on each access attempt.

Change management: A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or "soft" elements of change

Scope Note: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources (HR) policies and procedures, executive coaching, change leadership training, team building and communication planning and execution

Channel service unit/digital service unit (CSU/DSU): Interfaces at the physical layer of the open systems interconnection (OSI) reference model, data terminal equipment (DTE) to data circuit terminating equipment (DCE), for switched carrier networks

Chargeback: The redistribution of expenditures to the units within a company that gave rise to them.

Scope Note: Chargeback is important because without such a policy, misleading views may be given as to the real profitability of a product or service because certain key expenditures will be ignored or calculated according to an arbitrary formula.

Check digit: A numeric value, which has been calculated mathematically, is added to data to ensure that original data have not been altered or that an incorrect, but valid, match has occurred.

Scope Note: Check digit control is effective in detecting transposition and transcription errors.

Check digit verification (self-checking digit): A programmed edit or routine that detects transposition and transcription errors by calculating and checking the check digit

Checklist: A list of items that is used to verify the completeness of a task or goal

Scope Note: Used in quality assurance (and in general, in information systems audit) to check process compliance, code standardization and error prevention, and other items for which consistency processes or standards have been defined

Checkpoint restart procedures: A point in a routine at which sufficient information can be stored to permit restarting the computation from that point

Checksum: A mathematical value that is assigned to a file and used to test the file at a later date to verify that the data contained in the file has not been maliciously changed

Scope Note: A cryptographic checksum is created by performing a complicated series of mathematical operations (known as a cryptographic algorithm) that translates the data in the file into a fixed string of digits called a hash value, which is then used as the checksum. Without knowing which cryptographic algorithm was used to create the hash value, it is highly unlikely that an unauthorized person would be able to change data without inadvertently changing the corresponding checksum. Cryptographic checksums are used in data transmission and data storage. Cryptographic checksums are also known as message authentication codes, integrity check values, modification detection codes or message integrity codes.

Chief executive officer (CEO): The highest ranking individual in an enterprise

Chief financial officer (CFO): The individual primarily responsible for managing the financial risk of an enterprise

Chief information officer (CIO): The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources

Scope Note: In some cases, the CIO role has been expanded to become the chief knowledge officer (CKO) who deals in knowledge, not just information. Also see chief technology officer (CTO).

Chief Information Security Officer (CISO): The person in charge of information security within the enterprise

Chief Security Officer (CSO): The person usually responsible for all security matters, both physical and digital, in an enterprise

Chief technology officer (CTO): The individual who focuses on technical issues in an enterprise

Scope Note: Often viewed as synonymous with chief information officer (CIO)

Cipher: An algorithm to perform encryption

Ciphertext: Information generated by an encryption algorithm to protect the plaintext and that is unintelligible to the unauthorized reader.

Circuit-switched network: A data transmission service requiring the establishment of a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE

Scope Note: A circuit-switched data transmission service uses a connection network.

Circular routing: In open systems architecture, circular routing is the logical path of a message in a communication network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model.

Cleartext: Data that is not encrypted. Also known as plaintext.

Client-server: A group of computers connected by a communication network, in which the client is the requesting machine and the server is the supplying machine

Scope Note: Software is specialized at both ends. Processing may take place on either the client or the server, but it is transparent to the user.

Cloud computing: Convenient, on-demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction

Cluster controller: A communication terminal control hardware unit that controls a number of computer terminals

Scope Note: All messages are buffered by the controller and then transmitted to the receiver.

Coaxial cable: Composed of an insulated wire that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second wire

Scope Note: Has a greater transmission capacity than standard twisted pair cables, but has a limited range of effective distance

COBIT: 1. COBIT 5: Formerly known as Control Objectives for Information and related Technology (COBIT); now used only as the acronym in its fifth iteration. A complete, internationally accepted framework for governing and managing enterprise information and technology (IT) that supports enterprise executives and management in their definition and achievement of business goals and related IT goals. COBIT describes five principles and seven enablers that support enterprises in the development, implementation, and continuous improvement and monitoring of good IT-related governance and management practices

Scope Note: Earlier versions of COBIT focused on control objectives related to IT processes, management and control of IT processes and IT governance aspects. Adoption and use of the COBIT framework are supported by guidance from a growing family of supporting products. (See www.isaca.org/cobit for more information.)

2. COBIT 4.1 and earlier: Formally known as Control Objectives for Information and related Technology (COBIT). A complete, internationally accepted process framework for IT that supports business and IT executives and management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management

CoCo: Criteria of Control, published by the Canadian Institute of Chartered Accountants in 1995

Code of ethics: A document designed to influence individual and organizational behavior of employees, by defining organizational values and the rules to be applied in certain situations.

Scope Note: A code of ethics is adopted to assist those in the enterprise called upon to make decisions understand the difference between 'right' and 'wrong' and to apply this understanding to their decisions.

COBIT 5 perspective

Coevolving: Originated as a biological term; refers to the way two or more ecologically interdependent species become intertwined over time

Scope Note: As these species adapt to their environment, they also adapt to one another. Today's multibusiness companies need to take their cue from biology to survive. They should assume that links among businesses are temporary and that the number of connections, not just their content, matters. Rather than plan collaborative strategy from the top, as traditional companies do, corporate executives in coevolving companies should simply set the context and let collaboration (and competition) emerge from business units.

Coherence: Establishing a potent binding force and sense of direction and purpose for the enterprise, relating different parts of the enterprise to each other and to the whole to act as a seemingly unique entity

Cohesion: The extent to which a system unit (subroutine, program, module, component, subsystem) performs a single dedicated function.

Scope Note: Generally, the more cohesive the unit, the easier it is to maintain and enhance a system because it is easier to determine where and how to apply a change.

Cold site: An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place

Scope Note: The site is ready to receive the necessary replacement computer equipment in the event that the users have to move from their main computing location to the alternative computer facility.

Collision: The situation that occurs when two or more demands are made simultaneously on equipment that can handle only one at any given instant (Federal Standard 1037C)

Combined Code on Corporate Governance: The consolidation in 1998 of the "Cadbury," "Greenbury" and "Hampel" Reports

Scope Note: Named after the Committee Chairs, these reports were sponsored by the UK Financial Reporting Council, the London Stock Exchange, the Confederation of British Industry, the Institute of Directors, the Consultative Committee of Accountancy Bodies, the National Association of Pension Funds and the Association of British Insurers to address the financial aspects of corporate governance, directors' remuneration and the implementation of the Cadbury and Greenbury recommendations.

Common Attack Pattern Enumeration and Classification (CAPEC): A catalogue of attack patterns as an abstraction mechanism for helping describe how an attack against vulnerable systems or networks is executed, published by the MITRE Corporation

Communication processor: A computer embedded in a communications system that generally performs the basic tasks of classifying network traffic and enforcing network policy functions

Scope Note: An example is the message data processor of a defense digital network (DDN) switching center. More advanced communication processors may perform additional functions.

Communications controller: Small computers used to connect and coordinate communication links between distributed or remote devices and the main computer, thus freeing the main computer from this overhead function

Community strings: Authenticate access to management information base (MIB) objects and function as embedded passwords

Scope Note: Examples are:
Read-only (RO): Gives read access to all objects in the MIB except the community strings, but does not allow write access
Read-write (RW): Gives read and write access to all objects in the MIB, but does not allow access to the community strings
Read-write-all: Gives read and write access to all objects in the MIB, including the community strings (only valid for Catalyst 4000, 5000 and 6000 series switches)

Simple Network Management Protocol (SNMP) community strings are sent across the network in cleartext. The best way to protect an operating system (OS) software-based device from unauthorized SNMP management is to build a standard IP access list that includes the source address of the management station(s). Multiple access lists can be defined and tied to different community strings. If logging is enabled on the access list, then log messages are generated every time that the device is accessed from the management station. The log message records the source IP address of the packet.

Comparison program: A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences

Compartmentalization: A process for protecting very high value assets or in environments where trust is an issue. Access to an asset requires two or more processes, controls or individuals.

Compensating control: An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions

Competence: The ability to perform a specific task, action or function successfully

Scope Note: COBIT 5 perspective

Competencies: The strengths of an enterprise or what it does well

Scope Note: Can refer to the knowledge, skills and abilities of the assurance team or individuals conducting the work.

Compiler: A program that translates programming language (source code) into machine executable instructions (object code)

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA): A type of challenge-response test used in computing to ensure that the response is not generated by a computer. An example is the site request for web site users to recognize and type a phrase posted using various challenging-to-read fonts.

Completely connected (mesh) configuration: A network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks)

Completeness check: A procedure designed to ensure that no fields are missing from a record

Compliance: Adherence to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies

Compliance documents: Policies, standards and procedures that document the actions that are required or prohibited. Violations may be subject to disciplinary actions.

Compliance testing: Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period

Component: A general term that is used to mean one part of something more complex

Scope Note: For example, a computer system may be a component of an IT service, or an application may be a component of a release unit. Components are cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as many pre-developed, pre-tested components as possible.

Comprehensive audit: An audit designed to determine the accuracy of financial records as well as to evaluate the internal controls of a function or department

Computationally greedy: Requiring a great deal of computing power; processor intensive

Computer emergency response team (CERT): A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency

This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.

Computer forensics: The application of the scientific method to digital media to establish factual information for judicial review

Scope Note: This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communication and digital storage devices) in a way that is admissible as evidence in a court of law.

Computer sequence checking: Verifies that the control number follows sequentially and that any control numbers out of sequence are rejected or noted on an exception report for further research

Computer server: 1. A computer dedicated to servicing requests for resources from other computers on a network. Servers typically run network operating systems.

2. A computer that provides services to another computer (the client)

Computer-aided software engineering (CASE): The use of software packages that aid in the development of all phases of an information system

Scope Note: System analysis, design, programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.

Computer-assisted audit technique (CAAT): Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities

Concurrency control: Refers to a class of controls used in a database management system (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serial and recoverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions.
Concurrent access: A failover process, in which all nodes run the same resource group (there can be no [Internet Protocol] IP or [mandatory access control] MAC address in a concurrent resource group) and access the external storage concurrently
Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information
Configurable control: Typically, an automated control that is based on, and therefore dependent on, the configuration of parameters within the application system
Configuration item (CI): Component of an infrastructure or an item, such as a request for change, associated with an infrastructure which is (or is to be) under the control of configuration management

Scope Note: May vary widely in complexity, size and type, from an entire system (including all hardware, software and documentation) to a single module or a minor hardware component

Configuration management: The control of changes to a set of configuration items over a system life cycle
Console log: An automated detail report of computer system activity
Consulted: In a RACI (responsible, accountable, consulted, informed) chart, refers to those people whose opinions are sought on an activity (two-way communication)
Consumerization: A new model in which emerging technologies are first embraced by the consumer market and later spread to the business
Containment: Actions taken to limit exposure after an incident has been identified and confirmed
Content filtering: Controlling access to a network by analyzing the contents of the incoming and outgoing packets and either letting them pass or denying them based on a list of rules

Scope Note: Differs from packet filtering in that it is the data in the packet that are analyzed instead of the attributes of the packet itself (e.g., source/target IP address, transmission control protocol [TCP] flags)

Context: The overall set of internal and external factors that might influence or determine how an enterprise, entity, process or individual acts

Scope Note: Context includes:
- technology context (technological factors that affect an enterprise's ability to extract value from data)
- data context (data accuracy, availability, currency and quality)
- skills and knowledge (general experience and analytical, technical and business skills)
- organizational and cultural context (political factors and whether the enterprise prefers data to intuition)
- strategic context (strategic objectives of the enterprise)

COBIT 5 perspective

Contingency plan: A plan used by an enterprise or business unit to respond to a specific systems failure or disruption

Contingency planning: Process of developing advance arrangements and procedures that enable an enterprise to respond to an event that could occur by chance or unforeseen circumstances.
Continuity: Preventing, mitigating and recovering from disruption

Scope Note: The terms "business resumption planning," "disaster recovery planning" and "contingency planning" also may be used in this context; they all concentrate on the recovery aspects of continuity.

Continuous auditing approach: This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.
Continuous availability: Nonstop service, with no lapse in service; the highest level of service in which no downtime is allowed
Continuous improvement: The goals of continuous improvement (Kaizen) include the elimination of waste, defined as "activities that add cost, but do not add value;" just-in-time (JIT) delivery; production load leveling of amounts and types; standardized work; paced moving lines; and right-sized equipment

Scope Note: A closer definition of the Japanese usage of Kaizen is "to take it apart and put it back together in a better way." What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes.

Control: The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature.

Scope Note: Also used as a synonym for safeguard or countermeasure.

See also Internal control.

Control center: Hosts the recovery meetings where disaster recovery operations are managed
Control framework: A set of fundamental controls that facilitates the discharge of business process owner responsibilities to prevent financial or information loss in an enterprise
Control group: Members of the operations area who are responsible for the collection, logging and submission of input for the various user groups
Control objective: A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process
Control Objectives for Enterprise Governance: A discussion document that sets out an "enterprise governance model" focusing strongly on both the enterprise business goals and the information technology enablers that facilitate good enterprise governance, published by the Information Systems Audit and Control Foundation in 1999.
Control perimeter: The boundary defining the scope of control authority for an entity

Scope Note: For example, if a system is within the control perimeter, the right and ability exist to control it in response to an attack.

Control practice: Key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business
Control risk: The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls (See Inherent risk)
Control risk self-assessment: A method/process by which management and staff of all levels collectively identify and evaluate risk and controls with their business areas. This may be under the guidance of a facilitator such as an auditor or risk manager.
Control section: The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic logic, internal storage and output sections of the computer
Control weakness: A deficiency in the design or operation of a control procedure. Control weaknesses can potentially result in risk relevant to the area of activity not being reduced to an acceptable level (relevant risk threatens achievement of the objectives relevant to the area of activity being examined). Control weaknesses can be material when the design or operation of one or more control procedures does not reduce to a relatively low level the risk that misstatements caused by illegal acts or irregularities may occur and not be detected by the related control procedures.
Cookie: A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them

Scope Note: The first time a cookie is set, a user may be required to go through a registration process. Subsequent to this, whenever the cookie's message is sent to the server, a customized view based on that user's preferences can be produced. The browser's implementation of cookies has, however, brought several security concerns, allowing breaches of security and the theft of personal information (e.g., user passwords that validate the user identity and enable restricted web services).

Corporate exchange rate: An exchange rate that can be used optionally to perform foreign currency conversion. The corporate exchange rate is generally a standard market rate determined by senior financial management for use throughout the enterprise.
Corporate governance: The system by which enterprises are directed and controlled. The board of directors is responsible for the governance of their enterprise. It consists of the leadership and organizational structures and processes that ensure the enterprise sustains and extends strategies and objectives.
Corporate security officer (CSO): Responsible for coordinating the planning, development, implementation, maintenance and monitoring of the information security program
Corrective control: Designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected
COSO: Committee of Sponsoring Organizations of the Treadway Commission

Scope Note: COSO's "Internal Control-Integrated Framework" is an internationally accepted standard for corporate governance. See www.coso.org.

Countermeasure: Any process that directly reduces a threat or vulnerability

Coupling: Measure of interconnectivity among structure of software programs.

Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data pass across the interface.

Scope Note: In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand and maintain and is less prone to a ripple or domino effect caused when errors occur at one location and propagate through the system.

Coverage: The proportion of known attacks detected by an intrusion detection system (IDS)
Crack: To "break into" or "get around" a software program

Scope Note: For example, there are certain newsgroups that post serial numbers for pirated versions of software. A cracker may download this information in an attempt to crack the program so he/she can use it. It is commonly used in the case of cracking (unencrypting) a password or other sensitive data.

Credentialed analysis: In vulnerability analysis, passive monitoring approaches in which passwords or other access credentials are required

Scope Note: Usually involves accessing a system data object

Criteria: The standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter

Scope Note: Criteria should be: Objective (free from bias), Measurable (provide for consistent measurement), Complete (include all relevant factors to reach a conclusion), Relevant (relate to the subject matter)

In an attestation engagement, benchmarks against which management's written assertion on the subject matter can be evaluated. The practitioner forms a conclusion concerning subject matter by referring to suitable criteria.

Critical functions: Business activities or information that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the enterprise
Critical infrastructure: Systems whose incapacity or destruction would have a debilitating effect on the economic security of an enterprise, community or nation.
Critical success factor (CSF): The most important issue or action for management to achieve control over and within its IT processes
Criticality: The importance of a particular asset or function to the enterprise, and the impact if that asset or function is not available
Criticality analysis: An analysis to evaluate resources or business functions to identify their importance to the enterprise, and the impact if a function cannot be completed or a resource is not available

Cross-certification: A certificate issued by one certificate authority (CA) to a second CA so that users of the first certification authority are able to obtain the public key of the second CA and verify the certificates it has created

Scope Note: Often refers to certificates issued to each other by two CAs at the same level in a hierarchy

Cross-site request forgery (CSRF): A type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts (also known as a one-click attack or session riding); acronym pronounced "sea-surf"
Cross-site scripting (XSS): A type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites

Scope Note: Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. (OWASP)

Cryptography: The art of designing, analyzing and attacking cryptographic schemes
Cryptosystem: A pair of algorithms that take a key and convert plaintext to ciphertext and back
Culture: A pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things

Scope Note: COBIT 5 perspective

Customer relationship management (CRM): A way to identify, acquire and retain customers. CRM is also an industry term for software solutions that help an enterprise manage customer relationships in an organized manner.
Cybercop: An investigator of activities related to computer crime
Cyberespionage: Activities conducted in the name of security, business, politics or technology to find information that ought to remain secret. It is not inherently military.
Cybersecurity: The protection of information assets by addressing threats to information processed, stored, and transported by internetworked information systems
Cybersecurity architecture: Describes the structure, components and topology (connections and layout) of security controls within an enterprise's IT infrastructure

Scope Note: The security architecture shows how defense in depth is implemented and how layers of control are linked and is essential to designing and implementing security controls in any complex environment.

Cyberwarfare: Activities supported by military organizations with the purpose to threaten the survival and well-being of society/foreign entity
Damage evaluation: The determination of the extent of damage that is necessary to provide for an estimation of the recovery time frame and the potential loss to the enterprise
Dashboard: A tool for setting expectations for an enterprise at each level of responsibility and continuous monitoring of the performance against set targets

Data analysis: Typically in large enterprises in which the amount of data processed by the enterprise resource planning (ERP) system is extremely voluminous, analysis of patterns and trends proves to be extremely useful in ascertaining the efficiency and effectiveness of operations

Scope Note: Most ERP systems provide opportunities for extraction and analysis of data (some with built-in tools) through the use of tools developed by third parties that interface with the ERP systems.

Data classification: The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise.
Data classification scheme: An enterprise scheme for classifying data by factors such as criticality, sensitivity and ownership
Data communications: The transfer of data between separate computer processing sites/devices using telephone lines, microwave and/or satellite links
Data custodian: The individual(s) and department(s) responsible for the storage and safeguarding of computerized data
Data dictionary: A database that contains the name, type, range of values, source and authorization for access for each data element in a database.

It also indicates which application programs use those data so that when a data structure is contemplated, a list of the affected programs can be generated

Scope Note: May be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database

Data diddling: Changing data with malicious intent before or during input into the system
Data Encryption Standard (DES): An algorithm for encoding binary data

Scope Note: It is a secret key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES and its variants have been replaced by the Advanced Encryption Standard (AES)

Data flow: The flow of data from the input (in Internet banking, ordinarily user input at his/her desktop) to output (in Internet banking, ordinarily data in a bank's central database)

Data flow includes travel through the communication lines, routers, switches and firewalls as well as processing through various applications on servers, which process the data from user fingers to storage in a bank's central database.

Data integrity: The property that data meet with a priority expectation of quality and that the data can be relied on
Data leakage: Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes
Data normalization: A structured process for organizing data into tables in such a way that it preserves the relationships among the data
Data owner: The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data

Data retention: Refers to the policies that govern data and records management for meeting internal, legal and regulatory data archival requirements
Data security: Those controls that seek to maintain confidentiality, integrity and availability of information
Data structure: The relationships among files in a database and among data items within each file
Data warehouse: A generic term for a system that stores, retrieves and manages large volumes of data

Scope Note: Data warehouse software often includes sophisticated comparison and hashing techniques for fast searches as well as for advanced filtering.

Database: A stored collection of related data needed by enterprises and individuals to meet their information processing and retrieval requirements
Database administrator (DBA): An individual or department responsible for the security and information classification of the shared data stored on a database system

This responsibility includes the design, definition and maintenance of the database.

Database management system (DBMS): A software system that controls the organization, storage and retrieval of data in a database
Database replication: The process of creating and managing duplicate versions of a database

Scope Note: Replication not only copies a database but also synchronizes a set of replicas so that changes made to one replica are reflected in all of the others. The beauty of replication is that it enables many users to work with their own local copy of a database, but have the database updated as if they were working on a single centralized database. For database applications in which users are distributed widely geographically, replication is often the most efficient method of database access.

Database specifications: These are the requirements for establishing a database application. They include field definitions, field requirements and reporting requirements for the individual information in the database.
Datagram: A packet (encapsulated with a frame containing information), that is transmitted in a packet-switching network from source to destination
Data-oriented systems development: Focuses on providing ad hoc reporting for users by developing a suitable accessible database of information and to provide useable data rather than a function
Decentralization: The process of distributing computer processing to different locations within an enterprise
Decision support systems (DSS): An interactive system that provides the user with easy access to decision models and data, to support semistructured decision-making tasks
Decryption: A technique used to recover the original plaintext from the ciphertext so that it is intelligible to the reader

The decryption is a reverse process of the encryption.

Decryption key: A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption

Default: A computer software setting or preference that states what will automatically happen in the event that the user has not stated another preference

For example, a computer may have a default setting to launch or start Netscape whenever a GIF file is opened; however, if using Adobe Photoshop is the preference for viewing a GIF file, the default setting can be changed to Photoshop. In the case of default accounts, these are accounts that are provided by the operating system vendor (e.g., root in UNIX).

Default deny policy: A policy whereby access is denied unless it is specifically allowed; the inverse of default allow
Default password: The password used to gain access when a system is first installed on a computer or network device

Scope Note: There is a large list published on the Internet and maintained at several locations. Failure to change these after the installation leaves the system vulnerable.

Defense in depth: The practice of layering defenses to provide added protection

Defense in depth increases security by raising the effort needed in an attack. This strategy places multiple barriers between an attacker and an enterprise's computing and information resources.

Degauss: The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media

Scope Note: The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a very low residue of magnetic induction on the media. Degauss loosely means to erase.

Demilitarized zone (DMZ): A screened (firewalled) network segment that acts as a buffer zone between a trusted and untrusted network

Scope Note: A DMZ is typically used to house systems such as web servers that must be accessible from both internal networks and the Internet.

Demodulation: The process of converting an analog telecommunications signal into a digital computer signal
Demographic: A fact determined by measuring and analyzing data about a population; it relies heavily on survey research and census data.
Denial-of-service attack (DoS): An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate
Depreciation: The process of cost allocation that assigns the original cost of equipment to the periods benefited

Scope Note: The most common method of calculating depreciation is the straight-line method, which assumes that assets should be written off in equal amounts over their lives.

Detailed IS controls: Controls over the acquisition, implementation, delivery and support of IS systems and services made up of application controls plus those general controls not included in pervasive controls

Detection risk: The risk that the IS auditor/assurance professional's substantive procedures will not detect an error that could be material, individually or in combination with other errors

Scope Note: See audit risk

Detective application controls: Designed to detect errors that may have occurred based on predefined logic or business rules

Usually executed after an action has taken place and often cover a group of transactions

Detective control: Exists to detect and report when errors, omissions and unauthorized uses or entries occur
Device: A generic term for a computer subsystem, such as a printer, serial port or disk drive

A device frequently requires its own controlling software, called a device driver.

Dial-back: Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the caller is calling from a valid phone number or telecommunications channel.
Dial-in access control: Prevents unauthorized access from remote users who attempt to access a secured environment

Ranges from a dial-back control to remote user authentication

Digital certificate: A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender's private key or applying a one-way hash function.
Digital certification: A process to authenticate (or certify) a party's digital signature; carried out by trusted third parties
Digital code signing: The process of digitally signing computer code to ensure its integrity
Digital forensics: The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings
Digital signature: A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and nonrepudiation

A digital signature is generated using the sender's private key or applying a one-way hash function.

Direct reporting engagement: An engagement in which management does not make a written assertion about the effectiveness of their control procedures and an IS auditor provides an opinion about subject matter directly, such as the effectiveness of the control procedures
Disaster: 1. A sudden, unplanned calamitous event causing great damage or loss. Any event that creates an inability on an enterprise's part to provide critical business functions for some predetermined period of time. Similar terms are business interruption, outage and catastrophe.

2. The period when enterprise management decides to divert from normal production responses and exercises its disaster recovery plan (DRP). It typically signifies the beginning of a move from a primary location to an alternate location.

Disaster declaration: The communication to appropriate internal and external parties that the disaster recovery plan (DRP) is being put into operation

Disaster notification fee: The fee that the recovery site vendor charges when the customer notifies them that a disaster has occurred and the recovery site is required

Scope Note: The fee is implemented to discourage false disaster notifications.

Disaster recovery: Activities and programs designed to return the enterprise to an acceptable condition

The ability to respond to an interruption in services by implementing a disaster recovery plan (DRP) to restore an enterprise's critical business functions

Disaster recovery plan (DRP) desk checking: Typically a read-through of a disaster recovery plan (DRP) without any real actions taking place

Scope Note: Generally involves a reading of the plan, discussion of the action items and definition of any gaps that might be identified

Disaster recovery plan (DRP): A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster
Disaster recovery plan (DRP) walk-through: Generally a robust test of the recovery plan requiring that some recovery activities take place and are tested

A disaster scenario is often given and the recovery teams talk through the steps that they would need to take to recover. As many aspects of the plan as possible should be tested

Disaster tolerance: The time gap during which the business can accept the non-availability of IT facilities
Disclosure controls and procedures: The processes in place designed to help ensure that all material information is disclosed by an enterprise in the reports that it files or submits to the U.S. Securities and Exchange Commission (SEC)

Scope Note: Disclosure Controls and Procedures also require that disclosures be authorized, complete and accurate, and recorded, processed, summarized and reported within the time periods specified in the SEC rules and forms. Deficiencies in controls, and any significant changes to controls, must be communicated to the enterprise's audit committee and auditors in a timely manner. An enterprise's principal executive officer and financial officer must certify the existence of these controls on a quarterly basis.

Discount rate: An interest rate used to calculate a present value which might or might not include the time value of money, tax effects, risk or other factors
Discovery sampling: A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population
Discretionary access control (DAC): A means of restricting access to objects based on the identity of subjects and/or groups to which they belong

Scope Note: The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.

Disk mirroring: The practice of duplicating data in separate volumes on two hard disks to make storage more fault tolerant. Mirroring provides data protection in the case of disk failure because data are constantly updated to both disks.
Diskless workstations: A workstation or PC on a network that does not have its own disk, but instead stores files on a network file server

Distributed data processing network: A system of computers connected together by a communication network

Scope Note: Each computer processes its data and the network supports the system as a whole. Such a network enhances communication among the linked computers and allows access to shared files.

Distributed denial-of-service attack (DDoS): A denial-of-service (DoS) assault from multiple sources
Diverse routing: The method of routing traffic through split cable facilities or duplicate cable facilities

Scope Note: This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual entrance facilities. However, acquiring this type of access is time-consuming and costly. Most carriers provide facilities for alternate and diverse routing, although the majority of services are transmitted over terrestrial media. These cable facilities are usually located in the ground or basement. Ground-based facilities are at great risk due to the aging infrastructures of cities. In addition, cable-based facilities usually share room with mechanical and electrical systems that can impose great risk due to human error and disastrous events.

Domain: In COBIT, the grouping of control objectives into four logical stages in the life cycle of investments involving IT (Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate)
Domain name system (DNS): A hierarchical database that is distributed across the Internet that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and email servers
Domain name system (DNS) exfiltration: Tunneling over DNS to gain network access. Lower-level attack vector for simple to complex data transmission, slow but difficult to detect.
Domain name system (DNS) poisoning: Corrupts the table of an Internet server's DNS, replacing an Internet address with the address of another vagrant or scoundrel address

Scope Note: If a web user looks for the page with that address, the request is redirected by the scoundrel entry in the table to a different address. Cache poisoning differs from another form of DNS poisoning in which the attacker spoofs valid email accounts and floods the "in" boxes of administrative and technical contacts. Cache poisoning is related to URL poisoning or location poisoning, in which an Internet user behavior is tracked by adding an identification number to the location line of the browser that can be recorded as the user visits successive pages on the site. It is also called DNS cache poisoning or cache poisoning.

Double loop step: Integrates the management of tactics (financial budgets and monthly reviews) and the management of strategy

Scope Note: A reporting system, based on the balanced scorecard (BSC), that allows process to be monitored against strategy and corrective actions to be taken as required

Downloading: The act of transferring computerized information from one computer to another computer

Downtime report: A report that identifies the elapsed time when a computer is not operating correctly because of machine failure

Driver (value and risk): A driver includes an event or other activity that results in the identification of an assurance/audit need

Dry pipe fire extinguisher system: Refers to a sprinkler system that does not have water in the pipes during idle usage, unlike a fully charged fire extinguisher system that has water in the pipes at all times

Scope Note: The dry pipe system is activated at the time of the fire alarm and water is emitted to the pipes from a water reservoir for discharge to the location of the fire.

Dual control: A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource so that no single entity acting alone can access that resource

Due care: The level of care expected from a reasonable person of similar competency under similar conditions

Due diligence: The performance of those actions that are generally regarded as prudent, responsible and necessary to conduct a thorough and objective investigation, review and/or analysis

Due professional care: Diligence that a person, who possesses a special skill, would exercise under a given set of circumstances

Dumb terminal: A display terminal without processing capability

Scope Note: Dumb terminals are dependent on the main computer for processing. All entered data are accepted without further editing or validation.

Duplex routing: The method or communication mode of routing data over the communication network

Dynamic analysis: Analysis that is performed in a real-time or continuous form

Dynamic Host Configuration Protocol (DHCP): A protocol used by networked computers (clients) to obtain IP addresses and other parameters such as the default gateway, subnet mask and IP addresses of domain name system (DNS) servers from a DHCP server

Scope Note: The DHCP server ensures that all IP addresses are unique (e.g., no IP address is assigned to a second client while the first client's assignment is valid [its lease has not expired]). Thus, IP address pool management is done by the server and not by a human network administrator.

Dynamic partitioning: The variable allocation of central processing unit (CPU) processing and memory to multiple applications and data on a server

Dynamic ports: Dynamic and/or private ports 49152 through 65535: Not listed by IANA because of their dynamic nature.

Eavesdropping: Listening to a private communication without permission

Echo checks: Detects line errors by retransmitting data back to the sending device for comparison with the original transmission

E-commerce: The processes by which enterprises conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology

Scope Note: E-commerce encompasses both business-to-business (B2B) and business-to-consumer (B2C) e-commerce models, but does not include existing non-Internet e-commerce methods based on private networks such as electronic data interchange (EDI) and Society for Worldwide Interbank Financial Telecommunication (SWIFT).

Economic value add (EVA): Technique developed by G. Bennett Stewart III and registered by the consulting firm of Stern, Stewart, in which the performance of the corporate capital base (including depreciated investments such as training, research and development) as well as more traditional capital investments such as physical property and equipment are measured against what shareholders could earn elsewhere

Edit control: Detects errors in the input portion of information that is sent to the computer for processing

May be manual or automated and allow the user to edit data errors before processing

Editing: Ensures that data conform to predetermined criteria and enable early identification of potential errors

Egress: Network communications going out

Electronic data interchange (EDI): The electronic transmission of transactions (information) between two enterprises

EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders.

Electronic document: An administrative document (a document with legal validity, such as a contract) in any graphical, photographic, electromagnetic (tape) or other electronic representation of the content

Scope Note: Almost all countries have developed legislation concerning the definition, use and legal validity of an electronic document. An electronic document, in whatever media that contains the data or information used as evidence of a contract or transaction between parties, is considered together with the software program capable to read it. The definition of a legally valid document as any representation of legally relevant data, not only those printed on paper, was introduced into the legislation related to computer crime. In addition, many countries in defining and disciplining the use of such instruments have issued regulations defining specifics, such as the electronic signature and data interchange formats.

Electronic funds transfer (EFT): The exchange of money via telecommunications

EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another

Electronic signature: Any technique designed to provide the electronic equivalent of a handwritten signature to demonstrate the origin and integrity of specific data

Digital signatures are an example of electronic signatures.

Electronic vaulting: A data recovery strategy that allows enterprises to recover data within hours after a disaster

Scope Note: Typically used for batch/journal updates to critical files to supplement full backups taken periodically; includes recovery of data from an offsite storage media that mirrors data via a communication link

Elliptical curve cryptography (ECC): An algorithm that combines plane geometry with algebra to achieve stronger authentication with smaller keys compared to traditional methods, such as RSA, which primarily use algebraic factoring.

Scope Note: Smaller keys are more suitable to mobile devices.

Embedded audit module (EAM): Integral part of an application system that is designed to identify and report specific transactions or other information based on predetermined criteria

Identification of reportable items occurs as part of real-time processing. Reporting may be real-time online or may use store-and-forward methods. Also known as integrated test facility or continuous auditing module.

Encapsulation (objects): The technique used by layered protocols in which a lower-layer protocol accepts a message from a higher-layer protocol and places it in the data portion of a frame in the lower layer

Encapsulation security payload (ESP): Protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and (limited) traffic flow confidentiality. (RFC 4303)

Scope Note: The ESP header is inserted after the IP header and before the next layer protocol header (transport mode) or before an encapsulated IP header (tunnel mode).

Encryption: The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)

Encryption algorithm: A mathematically based function or calculation that encrypts/decrypts data

Encryption key: A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext

End-user computing: The ability of end users to design and implement their own information system utilizing computer software products

Engagement letter: Formal document which defines an IS auditor's responsibility, authority and accountability for a specific assignment

Enterprise: A group of individuals working together for a common purpose, typically within the context of an organizational form such as a corporation, public agency, charity or trust

Enterprise architecture (EA): Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support the enterprise's objectives

Enterprise architecture (EA) for IT: Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise's objectives

Enterprise goal

Scope Note: See Business goal

Enterprise governance: A set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly

Enterprise risk management (ERM): The discipline by which an enterprise in any industry assesses, controls, exploits, finances and monitors risk from all sources for the purpose of increasing the enterprise's short- and long-term value to its stakeholders

Eradication: When containment measures have been deployed after an incident occurs, the root cause of the incident must be identified and removed from the network.

Scope Note: Eradication methods include: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause.

ERP (enterprise resource planning) system: A packaged business software system that allows an enterprise to automate and integrate the majority of its business processes, share common data and practices across the entire enterprise, and produce and access information in a real-time environment

Scope Note: Examples of ERP include SAP, Oracle Financials and J.D. Edwards.

Error: A deviation from accuracy or correctness

Scope Note: As it relates to audit work, errors may relate to control deviations (compliance testing) or misstatements (substantive testing).

Escrow agent: A person, agency or enterprise that is authorized to act on behalf of another to create a legal relationship with a third party in regard to an escrow agreement; the custodian of an asset according to an escrow agreement

Scope Note: As it relates to a cryptographic key, an escrow agent is the agency or enterprise charged with the responsibility for safeguarding the key components of the unique key.

Escrow agreement: A legal arrangement whereby an asset (often money, but sometimes other property such as art, a deed of title, website, software source code or a cryptographic key) is delivered to a third party (called an escrow agent) to be held in trust or otherwise pending a contingency or the fulfillment of a condition or conditions in a contract

Scope Note: Upon the occurrence of the escrow agreement, the escrow agent will deliver the asset to the proper recipient; otherwise the escrow agent is bound by his/her fiduciary duty to maintain the escrow account. Source code escrow means deposit of the source code for the software into an account held by an escrow agent. Escrow is typically requested by a party licensing software (e.g., licensee or buyer), to ensure maintenance of the software. The software source code is released by the escrow agent to the licensee if the licensor (e.g., seller or contractor) files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.

Ethernet: A popular network protocol and cabling scheme that uses a bus topology and carrier sense multiple access/collision detection (CSMA/CD) to prevent network failures or collisions when two devices try to access the network at the same time

Event: Something that happens at a specific place and/or time

Event type: For the purpose of IT risk management, one of three possible sorts of events: threat event, loss event and vulnerability event

Scope Note: Being able to consistently and effectively differentiate the different types of events that contribute to risk is a critical element in developing good risk-related metrics and well-informed decisions. Unless these categorical differences are recognized and applied, any resulting metrics lose meaning and, as a result, decisions based on those metrics are far more likely to be flawed.

Evidence: 1. Information that proves or disproves a stated issue

2. Information that an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support

Scope Note: Audit perspective

Exception reports: An exception report is generated by a program that identifies transactions or data that appear to be incorrect.

Scope Note: Exception reports may be outside a predetermined range or may not conform to specified criteria.

Exclusive OR (XOR): The exclusive OR operator returns a value of TRUE only if just one of its operands is TRUE.

Scope Note: The XOR operation is a Boolean operation that produces a 0 if its two Boolean inputs are the same (0 and 0 or 1 and 1) and that produces a 1 if its two inputs are different (1 and 0). In contrast, an inclusive OR operator returns a value of TRUE if either or both of its operands are TRUE.

Executable code: The machine language code that is generally referred to as the object or load module

Expert system: The most prevalent type of computer system that arises from the research of artificial intelligence

Scope Note: An expert system has a built-in hierarchy of rules, which are acquired from human experts in the appropriate field. Once input is provided, the system should be able to define the nature of the problem and provide recommendations to solve the problem.

Exploit: Full use of a vulnerability for the benefit of an attacker

Exposure: The potential loss to an area due to the occurrence of an adverse event

Extended Binary-coded for Decimal Interchange Code (EBCDIC): An 8-bit code representing 256 characters; used in most large computer systems

Extended enterprise: Describes an enterprise that extends outside its traditional boundaries. Such enterprises concentrate on the processes they do best and rely on someone outside the entity to perform the remaining processes.

eXtensible Access Control Markup Language (XACML): A declarative online software application user access control policy language implemented in Extensible Markup Language (XML)

eXtensible Markup Language (XML): Promulgated through the World Wide Web Consortium, XML is a web-based application development technique that allows designers to create their own customized tags, thus enabling the definition, transmission, validation and interpretation of data between applications and enterprises.

External router: The router at the extreme edge of the network under control, usually connected to an Internet service provider (ISP) or other service provider; also known as border router.

External storage: The location that contains the backup copies to be used in case recovery or restoration is required in the event of a disaster

Extranet: A private network that resides on the Internet and allows a company to securely share business information with customers, suppliers or other businesses as well as to execute electronic transactions

Scope Note: Different from an Intranet in that it is located beyond the company's firewall. Therefore, an extranet relies on the use of securely issued digital certificates (or alternative methods of user authentication) and encryption of messages. A virtual private network (VPN) and tunneling are often used to implement extranets, to ensure security and privacy.

Failover: The transfer of service from an incapacitated primary component to its backup component

Fail-safe: Describes the design properties of a computer system that allow it to resist active attempts to attack or bypass it

Fallback procedures: A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended

Scope Note: May involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation.

Fall-through logic: An optimized code based on a branch prediction that predicts which way a program will branch when an application is presented

False authorization: Also called false acceptance, occurs when an unauthorized person is identified as an authorized person by the biometric system

False enrollment: Occurs when an unauthorized person manages to enroll into the biometric system

Scope Note: Enrollment is the initial process of acquiring a biometric feature and saving it as a personal reference on a smart card, a PC or in a central database.

False negative: In intrusion detection, an error that occurs when an attack is misdiagnosed as a normal activity

False positive: A result that has been mistakenly identified as a problem when, in reality, the situation is normal

Fault tolerance: A system's level of resilience to seamlessly react to hardware and/or software failure

Feasibility study: A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need

Fiber-optic cable: Glass fibers that transmit binary signals over a telecommunications network

Scope Note: Fiber-optic systems have low transmission losses as compared to twisted-pair cables. They do not radiate energy or conduct electricity. They are free from corruption and lightning-induced interference, and they reduce the risk of wiretaps.

Field: An individual data element in a computer record

Scope Note: Examples include employee name, customer address, account number, product unit price and product quantity in stock.

File: A named collection of related records

File allocation table (FAT): A table used by the operating system to keep track of where every file is located on the disk

Scope Note: Since a file is often fragmented and thus subdivided into many sectors within the disk, the information stored in the FAT is used when loading or updating the contents of the file.

File layout: Specifies the length of the file record and the sequence and size of its fields

Scope Note: Also will specify the type of data contained within each field; for example, alphanumeric, zoned decimal, packed and binary.

File server: A high-capacity disk storage device or a computer that stores data centrally for network users and manages access to those data

Scope Note: File servers can be dedicated so that no process other than network management can be executed while the network is available; file servers can be nondedicated so that standard user applications can run while the network is available.

File Transfer Protocol (FTP): A protocol used to transfer files over a Transmission Control Protocol/Internet Protocol (TCP/IP) network (Internet, UNIX, etc.)

Filtering router: A router that is configured to control network access by comparing the attributes of the incoming or outgoing packets to a set of rules

FIN (Final): A flag set in a packet to indicate that this packet is the final data packet of the transmission

Financial audit: An audit designed to determine the accuracy of financial records and information

Finger: A protocol and program that allows the remote identification of users logged into a system

Firewall: A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet

Firmware: Memory chips with embedded program code that hold their content when power is turned off

Fiscal year: Any yearly accounting period without regard to its relationship to a calendar year

Foreign key: A value that represents a reference to a tuple (a row in a table) containing the matching candidate key value

Scope Note: The problem of ensuring that the database does not include any invalid foreign key values is known as the referential integrity problem. The constraint that values of a given foreign key must match values of the corresponding candidate key is known as a referential constraint. The relation (table) that contains the foreign key is referred to as the referencing relation and the relation that contains the corresponding candidate key as the referenced relation or target relation. (In the relational theory it would be a candidate key, but in real database management systems (DBMSs) implementations it is always the primary key.)

Forensic examination: The process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromise

Format checking: The application of an edit, using a predefined field definition to a submitted information stream; a test to ensure that data conform to a predefined format

Fourth-generation language (4GL): High-level, user-friendly, nonprocedural computer language used to program and/or read and process computer files

Frame relay: A packet-switched wide area network (WAN) technology that provides faster performance than older packet-switched WAN technologies

Scope Note: Best suited for data and image transfers. Because of its variable-length packet architecture, it is not the most efficient technology for real-time voice and video. In a frame relay network, end nodes establish a connection via a permanent virtual circuit (PVC).

Framework

Scope Note: See Control framework and IT governance framework.

Freeware: Software available free of charge

Frequency: A measure of the rate by which events occur over a certain period of time

Full economic life cycle: The period of time during which material business benefits are expected to arise from, and/or during which material expenditures (including investments, running and retirement costs) are expected to be incurred by, an investment program

Scope Note: COBIT 5 perspective

Function point analysis: A technique used to determine the size of a development task, based on the number of function points

Scope Note: Function points are factors such as inputs, outputs, inquiries and logical internal sites.

Gateway: A device (router, firewall) on a network that serves as an entrance to another network

General computer control: A control, other than an application control, that relates to the environment within which computer-based application systems are developed, maintained and operated, and that is therefore applicable to all applications

The objectives of general controls are to ensure the proper development and implementation of applications and the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IS strategy and an IS security policy, the organization of IS staff to separate conflicting duties and planning for disaster prevention and recovery.

Generalized audit software (GAS): Multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting

Generic process control: A control that applies to all processes of the enterprise

Geographic disk mirroring: A data recovery strategy that takes a set of physically disparate disks and synchronously mirrors them over high-performance communication lines

Any write to a disk on one side will result in a write on the other side. The local write will not return until the acknowledgment of the remote write is successful.

Geographical information system (GIS): A tool used to integrate, convert, handle, analyze and produce information regarding the surface of the earth

Scope Note: GIS data exist as maps, tridimensional virtual models, lists and tables

Good practice: A proven activity or process that has been successfully used by multiple enterprises and has been shown to produce reliable results

Governance: Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives

Scope Note: Conditions can include the cost of capital, foreign exchange rates, etc. Options can include shifting manufacturing to other locations, subcontracting portions of the enterprise to third parties, selecting a product mix from many available choices, etc.

Governance enabler: Something (tangible or intangible) that assists in the realization of effective governance

Scope Note: COBIT 5 perspective

Governance framework: A framework is a basic conceptual structure used to solve or address complex issues. An enabler of governance. A set of concepts, assumptions and practices that define how something can be approached or understood, the relationships amongst the entities involved, the roles of those involved, and the boundaries (what is and is not included in the governance system).

Scope Note: Examples: COBIT, COSO's Internal Control Integrated Framework

Governance of enterprise IT: A governance view that ensures that information and related technology support and enable the enterprise strategy and the achievement of enterprise objectives; this also includes the functional governance of IT, i.e., ensuring that IT capabilities are provided efficiently and effectively.

Scope Note: COBIT 5 perspective

Governance, Risk Management and Compliance (GRC): A business term used to group the three closely related disciplines responsible for the protection of assets, and operations

Governance/management practice: For each COBIT process, the governance and management practices provide a complete set of high-level requirements for effective and practical governance and management of enterprise IT. They are statements of actions from governance bodies and management.

Scope Note: COBIT 5 perspective

Guideline: A description of a particular way of accomplishing something that is less prescriptive than a procedure

Hacker: An individual who attempts to gain unauthorized access to a computer system

Handprint scanner: A biometric device that is used to authenticate a user through palm scans

Harden: To configure a computer or other network device to resist attacks

Hardware: The physical components of a computer system

Hash function: An algorithm that maps or translates one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input

Scope Note: It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm or to find two different messages that produce the same hash result using the same algorithm.

Hash total: The total of any numeric data field in a document or computer file

This total is checked against a control total of the same field to facilitate accuracy of processing.

Hashing: Using a hash function (algorithm) to create hash values or checksums that validate message integrity

Help desk: A service offered via telephone/Internet by an enterprise to its clients or employees that provides information, assistance and troubleshooting advice regarding software, hardware or networks.

Scope Note: A help desk is staffed by people who can either resolve the problem on their own or escalate the problem to specialized personnel. A help desk is often equipped with dedicated customer relationship management (CRM) software that logs the problems and tracks them until they are solved.

Heuristic filter: A method often employed by anti-spam software to filter spam using criteria established in a centralized rule database

Scope Note: Every email message is given a rank, based on its header and contents, which is then matched against preset thresholds. A message that surpasses the threshold will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient.

Hexadecimal: A numbering system that uses a base of 16 and uses 16 digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E and F

Programmers use hexadecimal numbers as a convenient way of representing binary numbers.

Hierarchical database: A database structured in a tree/root or parent/child relationship

Scope Note: Each parent can have many children, but each child may have only one parent.

Hijacking: An exploitation of a valid network session for unauthorized purposes

Honeypot: A specially configured server, also known as a decoy server, designed to attract and monitor intruders in a manner such that their actions do not affect production systems

Scope Note: Also known as "decoy server"

Horizontal defense in depth: Controls are placed in various places in the path to access an asset (this is functionally equivalent to concentric ring model above).

Hot site: A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster

Hub: A common connection point for devices in a network, hubs are used to connect segments of a local area network (LAN)

Scope Note: A hub contains multiple ports. When a packet arrives at one port, it is copied to the other ports so that all segments of the LAN can see all packets.

Human firewall: A person prepared to act as a network layer of defense through education and awareness

Hurdle rate: Also known as required rate of return, above which an investment makes sense and below which it does not

Scope Note: Often based on the cost of capital, plus or minus a risk premium, and often varied based on prevailing economic conditions

Hybrid application controls: Consist of a combination of manual and automated activities, all of which must operate for the control to be effective

Scope Note: Sometimes referred to as computer-dependent application controls

Hyperlink: An electronic pathway that may be displayed in the form of highlighted text, graphics or a button that connects one web page with another web page address

Hypertext: A language that enables electronic documents that present information to be connected by links instead of being presented sequentially, as is the case with normal text

2015 ISACA All rights reserved. Page 46 of 103 ISACA Glossary of Terms
Hypertext Markup Language (HTML): A language designed for the creation of web pages with hypertext and other information to be displayed in a web browser; used to structure information, denoting certain text such as headings, paragraphs, lists, and can be used to describe, to some degree, the appearance and semantics of a document

Hypertext Transfer Protocol Secure (HTTPS): A protocol for accessing a secure web server, whereby all data transferred are encrypted.

Hypertext Transfer Protocol (HTTP): A communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit hypertext markup language (HTML), extensible markup language (XML) or other pages to client browsers

Identity access management (IAM): Encapsulates people, processes and products to identify and manage the data used in an information system to authenticate users and grant or deny access rights to data and system resources. The goal of IAM is to provide appropriate access to enterprise resources.

Idle standby: A failover process in which the primary node owns the resource group and the backup node runs idle, only supervising the primary node

Scope Note: In case of a primary node outage, the backup node takes over. The nodes are prioritized, which means that the surviving node with the highest priority will acquire the resource group. A higher priority node joining the cluster will thus cause a short service interruption.

IEEE (Institute of Electrical and Electronics Engineers): Pronounced I-triple-E; IEEE is an organization composed of engineers, scientists and students

Scope Note: Best known for developing standards for the computer and electronics industry

IEEE 802.11: A family of specifications developed by the Institute of Electrical and Electronics Engineers (IEEE) for wireless local area network (WLAN) technology. 802.11 specifies an over-the-air interface between a wireless client and a base station or between two wireless clients.

Image processing: The process of electronically inputting source documents by taking an image of the document, thereby eliminating the need for key entry

Imaging: A process that allows one to obtain a bit-for-bit copy of data to avoid damage of original data or information when multiple analyses may be performed.

Scope Note: The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector.

Impact: Magnitude of loss resulting from a threat exploiting a vulnerability

Impact analysis: A study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events

In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.

Impact assessment: A review of the possible consequences of a risk

Scope Note: See also Impact analysis.

Impairment: A condition that causes a weakness or diminished ability to execute audit objectives

Scope Note: Impairment to organisational independence and individual objectivity may include personal conflict of interest; scope limitations; restrictions on access to records, personnel, equipment, or facilities; and resource limitations (such as funding or staffing).

Impersonation: A security concept related to Windows NT that allows a server application to temporarily "be" the client in terms of access to secure objects

Scope Note: Impersonation has three possible levels: identification, letting the server inspect the client's identity; impersonation, letting the server act on behalf of the client; and delegation, the same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). Impersonation by imitating or copying the identification, behavior or actions of another may also be used in social engineering to obtain otherwise unauthorized physical access.

Implement: In business, includes the full economic life cycle of the investment program through retirement (i.e., when the full expected value of the investment is realized, as much value as is deemed possible has been realized, or it is determined that the expected value cannot be realized and the program is terminated)

Implementation life cycle review: Refers to the controls that support the process of transformation of the enterprise's legacy information systems into the enterprise resource planning (ERP) applications

Scope Note: Largely covers all aspects of systems implementation and configuration, such as change management

Incident: Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service

Incident response: The response of an enterprise to a disaster or other significant event that may significantly affect the enterprise, its people, or its ability to function productively

An incident response may include evacuation of a facility, initiating a disaster recovery plan (DRP), performing damage assessment, and any other measures necessary to bring an enterprise to a more stable status.

Incident response plan: The operational component of incident management

Scope Note: The plan includes documented procedures and guidelines for defining the criticality of incidents, reporting and escalation process, and recovery procedures.

Inconsequential deficiency: A deficiency is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected deficiencies, that the deficiencies, either individually or when aggregated with other deficiencies, would clearly be trivial to the subject matter. If a reasonable person could not reach such a conclusion regarding a particular deficiency, that deficiency is more than inconsequential.

Incremental testing: Deliberately testing only the value-added functionality of a software component

Independence: 1. Self-governance

2. The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional and organizational levels. Independence includes independence of mind and independence in appearance.

Scope Note: See Independence of mind and Independence in appearance.

Independence in appearance: The avoidance of facts and circumstances that are so significant that a reasonable and informed third party would be likely to conclude, weighing all the specific facts and circumstances, that a firm's, audit function's, or a member of the audit team's, integrity, objectivity or professional skepticism has been compromised.

Independence of mind: The state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgement, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.

Independent appearance: The outward impression of being self-governing and free from conflict of interest and undue influence

Independent attitude: Impartial point of view which allows an IS auditor to act objectively and with fairness

Indexed Sequential Access Method (ISAM): A disk access method that stores data sequentially while also maintaining an index of key fields to all the records in the file for direct access capability

Indexed sequential file: A file format in which records are organized and can be accessed, according to a preestablished key that is part of the record

Information: An asset that, like other important business assets, is essential to an enterprise's business. It can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.

Scope Note: COBIT 5 perspective

Information architecture: Information architecture is one component of IT architecture (together with applications and technology)

Information criteria: Attributes of information that must be satisfied to meet business requirements

Information engineering: Data-oriented development techniques that work on the premise that data are at the center of information processing and that certain data relationships are significant to a business and must be represented in the data structure of its systems

Information processing facility (IPF): The computer room and support areas

Information security: Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability)

Information security governance: The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly

Information security program: The overall combination of technical, operational and procedural measures and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis

Information systems (IS): The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies

Scope Note: Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.

Information technology (IT): The hardware, software, communication and other facilities used to input, store, process, transmit and output data in whatever form

Informed: In a RACI chart (Responsible, Accountable, Consulted, Informed), Informed refers to those people who are kept up to date on the progress of an activity (one-way communication)

Infrastructure as a Service (IaaS): Offers the capability to provision processing, storage, networks and other fundamental computing resources, enabling the customer to deploy and run arbitrary software, which can include operating systems (OSs) and applications

Ingestion: A process to convert information extracted to a format that can be understood by investigators.

Scope Note: See also Normalization.

Ingress: Network communications coming in

Inherent risk: The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls)

Inheritance (objects): Database structures that have a strict hierarchy (no multiple inheritance)

Inheritance can initiate other objects irrespective of the class hierarchy, thus there is no strict hierarchy of objects

Initial program load (IPL): The initialization procedure that causes an operating system to be loaded into storage at the beginning of a workday or after a system malfunction.

Initialization vector (IV) collisions: A major concern is the way that wired equivalent privacy (WEP) allocates the RC4 initialization vectors (IVs) used to create the keys that are used to drive a pseudorandom number generator that is eventually used for encryption of the wireless data traffic. The IV in WEP is a 24-bit field, a small space that practically guarantees reuse, resulting in key reuse. The WEP standard also fails to specify how these IVs are assigned. Many wireless network cards reset these IVs to zero and then increment them by one for every use. If an attacker can capture two packets using the same IV (the same key if the key has not been changed), mechanisms can be used to determine portions of the original packets. This and other weaknesses result in key reuse, resulting in susceptibility to attacks to determine the keys used. These attacks require a large number of packets (5-6 million) to actually fully derive the WEP key, but on a large, busy network this can occur in a short time, perhaps in as quickly as 10 minutes (although, even some of the largest corporate networks will likely require much more time than this to gather enough packets). In WEP-protected wireless networks, many times multiple, or all, stations use the same shared key. This increases the chances of IV collisions.

Injection: A general term for attack types which consist of injecting code that is then interpreted/executed by the application. (OWASP)

Input control: Techniques and procedures used to verify, validate and edit data to ensure that only correct data are entered into the computer

Inputs and outputs: The process work products/artifacts considered necessary to support operation of the process

Scope Note: Inputs and outputs enable key decisions, provide a record and audit trail of process activities, and enable follow-up in the event of an incident. They are defined at the key management practice level, may include some work products used only within the process and are often essential inputs to other processes. The illustrative COBIT 5 inputs and outputs should not be regarded as an exhaustive list since additional information flows could be defined depending on a particular enterprise's environment and process framework.

COBIT 5 perspective

Instant messaging (IM): An online mechanism or a form of real-time communication between two or more people based on typed text and multimedia data

Scope Note: Text is conveyed via computers or another electronic device (e.g., cellular phone or handheld device) connected over a network, such as the Internet.

Intangible asset: An asset that is not physical in nature

Scope Note: Examples include: intellectual property (patents, trademarks, copyrights, processes), goodwill, and brand recognition

Integrated services digital network (ISDN): A public end-to-end digital telecommunications network with signaling, switching and transport capabilities supporting a wide range of service accessed by standardized interfaces with integrated customer control

Scope Note: The standard allows transmission of digital voice, video and data over 64 kbps lines.

Integrated test facilities (ITF): A testing methodology in which test data are processed in production systems

Scope Note: The data usually represent a set of fictitious entities such as departments, customers or products. Output reports are verified to confirm the correctness of the processing.

Integrity: The guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity

Intellectual property: Intangible assets that belong to an enterprise for its exclusive use

Scope Note: Examples include: patents, copyrights, trademarks, ideas, and trade secrets.

Interface testing: A testing technique that is used to evaluate output from one application while the information is sent as input to another application

Internal control environment: The relevant environment on which the controls have effect

Internal control over financial reporting: A process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, management and other personnel to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.

Includes those policies and procedures that:
- Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements

Internal control structure: The dynamic, integrated processes effected by the governing body, management and all other staff that are designed to provide reasonable assurance regarding the achievement of the following general objectives:
- Effectiveness, efficiency and economy of operations
- Reliability of management
- Compliance with applicable laws, regulations and internal policies

Management's strategies for achieving these general objectives are affected by the design and operation of the following components:
- Control environment
- Information system
- Control procedures

Internal controls: The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Internal penetrators: Authorized user of a computer system who oversteps his/her legitimate access rights

Scope Note: This category is divided into masqueraders and clandestine users.

Internal rate of return (IRR): The discount rate that equates an investment cost with its projected earnings

Scope Note: When discounted at the IRR, the present value of the cash outflow will equal the present value of the cash inflow. The IRR and net present value (NPV) are measures of the expected profitability of an investment project.

Internal storage: The main memory of the computer's central processing unit (CPU)

International Standards Organization (ISO): The world's largest developer of voluntary International Standards

Internet: 1. Two or more networks connected by a router

2. The world's largest network using Transmission Control Protocol/Internet Protocol (TCP/IP) to link government, university and commercial institutions

Internet Assigned Numbers Authority (IANA): Responsible for the global coordination of the DNS root, IP addressing, and other Internet protocol resources

Internet banking: Use of the Internet as a remote delivery channel for banking services

Scope Note: Services include traditional ones, such as opening an account or transferring funds to different accounts, and new banking services, such as electronic bill presentment and payment (allowing customers to receive and pay bills on a bank's web site).

Internet Control Message Protocol (ICMP): A set of protocols that allow systems to communicate information about the state of services on other systems

Scope Note: For example, ICMP is used in determining whether systems are up, maximum packet sizes on links, whether a destination host/network/port is available. Hackers typically use (abuse) ICMP to determine information about the remote site.

Internet Engineering Task Force (IETF): An organization with international affiliates as network industry representatives that sets Internet standards. This includes all network industry developers and researchers concerned with the evolution and planned growth of the Internet.

Internet Inter-ORB Protocol (IIOP): Developed by the object management group (OMG) to implement Common Object Request Broker Architecture (CORBA) solutions over the World Wide Web

Scope Note: CORBA enables modules of network-based programs to communicate with one another. These modules or program parts, such as tables, arrays, and more complex program subelements, are referred to as objects. Use of IIOP in this process enables browsers and servers to exchange both simple and complex objects. This differs significantly from HyperText Transfer Protocol (HTTP), which only supports the transmission of text.

Internet protocol (IP): Specifies the format of packets and the addressing scheme

Internet Protocol (IP) packet spoofing: An attack using packets with the spoofed source Internet packet (IP) addresses.

Scope Note: This technique exploits applications that use authentication based on IP addresses. This technique also may enable an unauthorized user to gain root access on the target system.

Internet service provider (ISP): A third party that provides individuals and enterprises with access to the Internet and a variety of other Internet-related services

Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX): IPX is layer 3 of the open systems interconnect (OSI) model network protocol; SPX is layer 4 transport protocol. The SPX layer sits on top of the IPX layer and provides connection-oriented services between two nodes on the network.

Interrogation: Used to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from extracted data

Interruption window: The time that the company can wait from the point of failure to the restoration of the minimum and critical services or applications

After this time, the progressive losses caused by the interruption are excessive for the enterprise.

Intranet: A private network that uses the infrastructure and standards of the Internet and World Wide Web, but is isolated from the public Internet by firewall barriers

Intruder: Individual or group gaining access to the network and its resources without permission

Intrusion: Any event during which unauthorized access occurs

Intrusion detection: The process of monitoring the events occurring in a computer system or network to detect signs of unauthorized access or attack

Intrusion detection system (IDS): Inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack

Intrusion prevention: A preemptive approach to network security used to identify potential threats and respond to them to stop, or at least limit, damage or disruption

Intrusion prevention system (IPS): A system designed to not only detect attacks, but also to prevent the intended victim hosts from being affected by the attacks

Intrusive monitoring: In vulnerability analysis, gaining information by performing checks that affect the normal operation of the system, and even by crashing the system

Investigation: The collection and analysis of evidence with the goal of identifying the perpetrator of an attack or unauthorized use or access

Investment portfolio: The collection of investments being considered and/or being made

Scope Note: COBIT 5 perspective

IP address: A unique binary number used to identify devices on a TCP/IP network

IP Authentication Header (AH): Protocol used to provide connectionless integrity and data origin authentication for IP datagrams (hereafter referred to as just "integrity") and to provide protection against replays. (RFC 4302)

Scope Note: AH ensures data integrity with a checksum that a message authentication code, such as MD5, generates. To ensure data origin authentication, AH includes a secret shared key in the algorithm that it uses for authentication. To ensure replay protection, AH uses a sequence number field within the IP authentication header.

IP Security (IPSec): A set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets

Irregularity: Violation of an established management policy or regulatory requirement. It may consist of deliberate misstatements or omission of information concerning the area under audit or the enterprise as a whole, gross negligence or unintentional illegal acts.

ISO 9001:2000: Code of practice for quality management from the International Organization for Standardization (ISO). ISO 9001:2000 specifies requirements for a quality management system for any enterprise that needs to demonstrate its ability to consistently provide products or services that meet particular quality targets.

ISO/IEC 17799: This standard defines information's confidentiality, integrity and availability controls in a comprehensive information security management system.

Scope Note: Originally released as part of the British Standard for Information Security in 1999 and then as the Code of Practice for Information Security Management in October 2000, it was elevated by the International Organization for Standardization (ISO) to an international code of practice for information security management. The latest version is ISO/IEC 17799:2005.

ISO/IEC 27001: Information Security Management Specification with Guidance for Use; the replacement for BS 7799-2. It is intended to provide the foundation for third-party audit and is harmonized with other management standards, such as ISO/IEC 9001 and 14001.

IT application: Electronic functionality that constitutes parts of business processes undertaken by, or with the assistance of, IT

Scope Note: COBIT 5 perspective

IT architecture: Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise's objectives

IT goal: A statement describing a desired outcome of enterprise IT in support of enterprise goals. An outcome can be an artifact, a significant change of a state or a significant capability improvement.

Scope Note: COBIT 5 perspective

IT governance: The responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives

IT governance framework: A model that integrates a set of guidelines, policies and methods that represent the organizational approach to IT governance

Scope Note: Per COBIT, IT governance is the responsibility of the board of directors and executive management. It is an integral part of institutional governance and consists of the leadership and organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategy and objectives.

IT Governance Institute (ITGI): Founded in 1998 by the Information Systems Audit and Control Association (now known as ISACA). ITGI strives to assist enterprise leadership in ensuring long-term, sustainable enterprise success and to increase stakeholder value by expanding awareness.

IT incident: Any event that is not part of the ordinary operation of a service that causes, or may cause, an interruption to, or a reduction in, the quality of that service

IT infrastructure: The set of hardware, software and facilities that integrates an enterprise's IT assets

Scope Note: Specifically, the equipment (including servers, routers, switches and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the enterprise's users

IT investment dashboard: A tool for setting expectations for an enterprise at each level and continuous monitoring of the performance against set targets for expenditures on, and returns from, IT-enabled investment projects in terms of business values

IT risk: The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

IT risk issue: 1. An instance of IT risk

2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk

IT risk profile: A description of the overall (identified) IT risk to which the enterprise is exposed

IT risk register: A repository of the key attributes of potential and known IT risk issues

Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact, disposition.

IT risk scenario: The description of an IT-related event that can lead to a business impact

IT service: The day-to-day provision to customers of IT infrastructure and applications and support for their use, e.g., service desk, equipment supply and moves, and security authorizations

Scope Note: COBIT 5 perspective

IT steering committee: An executive-management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects

IT strategic plan: A long-term plan (i.e., three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise's strategic objectives (goals)

IT strategy committee: A committee at the level of the board of directors to ensure that the board is involved in major IT matters and decisions

Scope Note: The committee is primarily accountable for managing the portfolios of IT-enabled investments, IT services and other IT resources. The committee is the owner of the portfolio.

IT tactical plan: A medium-term plan (i.e., six- to 18-month horizon) that translates the IT strategic plan direction into required initiatives, resource requirements and ways in which resources and benefits will be monitored and managed

IT user: A person who uses IT to support or achieve a business objective

ITIL (IT Infrastructure Library): The UK Office of Government Commerce (OGC) IT Infrastructure Library. A set of guides on the management and provision of operational IT services

IT-related incident: An IT-related event that causes an operational, developmental and/or strategic business impact

Job control language (JCL): Used to control run routines in connection with performing tasks on a computer

Journal entry: A debit or credit to a general ledger account, in Oracle

See also Manual Journal Entry.

Judgment sampling: Any sample that is selected subjectively or in such a manner that the sample selection process is not random or the sampling results are not evaluated mathematically

Kernel mode: Used for execution of privileged instructions for the internal operation of the system. In kernel mode, there are no protections from errors or malicious activity and all parts of the system and memory are accessible.

Key goal indicator (KGI): A measure that tells management, after the fact, whether an IT process has achieved its business requirements; usually expressed in terms of information criteria

Key length: The size of the encryption key measured in bits

Key management practice: Management practices that are required to successfully execute business processes

Key performance indicator (KPI): A measure that determines how well the process is performing in enabling the goal to be reached

Scope Note: A lead indicator of whether a goal will likely be reached, and a good indicator of capabilities, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance.

Key risk indicator (KRI): A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk

Scope Note: See also Risk Indicator.

Keylogger: Software used to record all keystrokes on a computer

Knowledge portal: Refers to the repository of a core of information and knowledge for the extended enterprise

Scope Note: Generally a web-based implementation containing a core repository of information provided for the extended enterprise to resolve any issues

Lag indicator: Metrics for achievement of goals. An indicator relating to the outcome or result of an enabler

Scope Note: This indicator is only available after the facts or events.

Latency: The time it takes a system and network delay to respond

Scope Note: More specifically, system latency is the time that a system takes to retrieve data. Network latency is the time it takes for a packet to travel from the source to the final destination.

Layer 2 switches: Data link level devices that can divide and interconnect network segments and help to reduce collision domains in Ethernet-based networks

Layer 3 and 4 switches: Switches with operating capabilities at layer 3 and layer 4 of the open systems interconnect (OSI) model. These switches look at the incoming packet's networking protocol, e.g., IP, and then compare the destination IP address to the list of addresses in their tables, to actively calculate the best way to send a packet to its destination.

Layer 4-7 switches: Used for load balancing among groups of servers

Scope Note: Also known as content switches, content services switches, web switches or application switches.

Lead indicator: Metrics for application of good practice. An indicator relating to the functioning of an enabler

Scope Note: This indicator will provide an indication on possible outcome of the enabler.

Leadership: The ability and process to translate vision into desired behaviors that are followed at all levels of the extended enterprise

Leased line  A communication line permanently assigned to connect two points, as opposed to a dial-up line that is only available and open when a connection is made by dialing the target machine or network

Also known as a dedicated line

Legacy system  Outdated computer systems
Level of assurance  Refers to the degree to which the subject matter has been examined or reviewed
Librarian  The individual responsible for the safeguard and maintenance of all program and data files
Licensing agreement  A contract that establishes the terms and conditions under which a piece of software is being licensed (i.e., made legally available for use) from the software developer (owner) to the user

Life cycle  A series of stages that characterize the course of existence of an organizational investment (e.g., product, project, program)
Likelihood  The probability of something happening
Limit check  Tests specified amount fields against stipulated high or low limits of acceptability

Scope Note: When both high and low values are used, the test may be called a range check.
Link editor (linkage editor)  A utility program that combines several separately compiled modules into one, resolving internal references between them
Literals  Any notation for representing a value within programming language source code (e.g., a string literal); a chunk of input data that is represented "as is" in compressed data
Local area network (LAN)  Communication network that serves several users within a specified geographic area

Scope Note: A personal computer LAN functions as a distributed processing system in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network.

Log  To record details of information or events in an organized record-keeping system, usually sequenced in the order in which they occurred
Logical access  Ability to interact with computer resources granted using identification, authentication and authorization.
Logical access controls  The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files
Logoff  The act of disconnecting from the computer
Logon  The act of connecting to the computer, which typically requires entry of a user ID and password into a computer terminal
Logs/log file  Files created specifically to record various actions occurring on the system to be monitored, such as failed login attempts, full disk drives and email delivery failures
Loss event  Any event during which a threat event results in loss

Scope Note: From Jones, J.; "FAIR Taxonomy," Risk Management Insight, USA, 2008
MAC header  Represents the hardware address of a network interface controller (NIC) inside a data packet

Machine language  The logical language that a computer understands
Magnetic card reader  Reads cards with a magnetic surface on which data can be stored and retrieved

Magnetic ink character recognition (MICR)  Used to electronically input, read and interpret information directly from a source document

Scope Note: MICR requires the source document to have specially-coded magnetic ink
Magnitude  A measure of the potential severity of loss or the potential gain from realized events/scenarios

Mail relay server  An electronic mail (email) server that relays messages so that neither the sender nor the recipient is a local user
Mainframe  A large high-speed computer, especially one supporting numerous workstations or peripherals

Malware  Short for malicious software

Designed to infiltrate, damage or obtain information from a computer system without the owner's consent

Scope Note: Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. Spyware is generally used for marketing purposes and, as such, is not malicious, although it is generally unwanted. Spyware can, however, be used to gather information for identity theft or other clearly illicit purposes.
Management  Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
Management information system (MIS)  An organized assembly of resources and procedures required to collect, process and distribute data for use in decision making
Mandatory access control (MAC)  A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf
Man-in-the-middle attack  An attack strategy in which the attacker intercepts the communication stream between two parts of the victim system and then replaces the traffic between the two components with the intruder's own, eventually assuming control of the communication
Manual journal entry  A journal entry entered at a computer terminal

Scope Note: Manual journal entries can include regular, statistical, intercompany and foreign currency entries. See also Journal Entry.
Mapping  Diagramming data that are to be exchanged electronically, including how they are to be used and what business management systems need them.

See also Application Tracing and Mapping.

Scope Note: Mapping is a preliminary step for developing an applications link.
Masking  A computerized technique of blocking out the display of sensitive information, such as passwords, on a computer terminal or report
Masqueraders  Attackers that penetrate systems by using the identity of legitimate users and their logon credentials
Master file  A file of semi-permanent information that is used frequently for processing data or for more than one purpose

Material misstatement  An accidental or intentional untrue statement that affects the results of an audit to a measurable extent
Material weakness  A deficiency or a combination of deficiencies in internal control, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis.

Weakness in control is considered material if the absence of the control results in failure to provide reasonable assurance that the control objective will be met. A weakness classified as material implies that:
Controls are not in place and/or controls are not in use and/or controls are inadequate
Escalation is warranted

There is an inverse relationship between materiality and the level of audit risk acceptable to the IS audit or assurance professional, i.e., the higher the materiality level, the lower the acceptability of the audit risk, and vice versa.

Materiality  An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited

An expression of the relative significance or importance of a particular matter in the context of the enterprise as a whole
Maturity  In business, indicates the degree of reliability or dependency that the business can place on a process achieving the desired goals or objectives
Maturity model

Scope Note: See Capability Maturity Model (CMM).
Maximum tolerable outages (MTO)  Maximum time that an enterprise can support processing in alternate mode
Measure  A standard used to evaluate and communicate performance against expected results

Scope Note: Measures are normally quantitative in nature capturing numbers, dollars, percentages, etc., but can also address qualitative information such as customer satisfaction. Reporting and monitoring measures help an enterprise gauge progress toward effective implementation of strategy.
Media access control (MAC)  Applied to the hardware at the factory and cannot be modified, MAC is a unique, 48-bit, hard-coded address of a physical layer device, such as an Ethernet local area network (LAN) or a wireless network card
Media access control (MAC) address  A unique identifier assigned to network interfaces for communications on the physical network segment
Media oxidation  The deterioration of the media on which data are digitally stored due to exposure to oxygen and moisture

Scope Note: Tapes deteriorating in a warm, humid environment are an example of media oxidation. Proper environmental controls should prevent, or significantly slow, this process.

Memory dump  The act of copying raw data from one place to another with little or no formatting for readability

Scope Note: Usually, dump refers to copying data from the main memory to a display screen or a printer. Dumps are useful for diagnosing bugs. After a program fails, one can study the dump and analyze the contents of memory at the time of the failure. A memory dump will not help unless each person knows what to look for because dumps are usually output in a difficult-to-read form (binary, octal or hexadecimal).

Message authentication code  An American National Standards Institute (ANSI) standard checksum that is computed using Data Encryption Standard (DES)
Message digest  A smaller extrapolated version of the original message created using a message digest algorithm

Message digest algorithm  Message digest algorithms are SHA1, MD2, MD4 and MD5. These algorithms are one-way functions unlike private and public key encryption algorithms.

Scope Note: All digest algorithms take a message of arbitrary length and produce a 128-bit message digest.
Message switching  A telecommunications methodology that controls traffic in which a complete message is sent to a concentration point and stored until the communications path is established
Metric  A quantifiable entity that allows the measurement of the achievement of a process goal

Scope Note: Metrics should be SMART: specific, measurable, actionable, relevant and timely. Complete metric guidance defines the unit used, measurement frequency, ideal target value (if appropriate) and also the procedure to carry out the measurement and the procedure for the interpretation of the assessment.
Metropolitan area network (MAN)  A data network intended to serve an area the size of a large city
Microwave transmission  A high-capacity line-of-sight transmission of data signals through the atmosphere which often requires relay stations
Middleware  Another term for an application programmer interface (API)

It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.
Milestone  A terminal element that marks the completion of a work package or phase

Scope Note: Typically marked by a high-level event such as project completion, receipt, endorsement or signing of a previously-defined deliverable or a high-level review meeting at which the appropriate level of project completion is determined and agreed to. A milestone is associated with a decision that outlines the future of a project and, for an outsourced project, may have a payment to the contractor associated with it.
Miniature fragment attack  Using this method, an attacker fragments the IP packet into smaller ones and pushes it through the firewall, in the hope that only the first of the sequence of fragmented packets would be examined and the others would pass without review.

Mirrored site  An alternate site that contains the same information as the original

Scope Note: Mirrored sites are set up for backup and disaster recovery and to balance the traffic load for numerous download requests. Such download mirrors are often placed in different locations throughout the Internet.
Mission-critical application  An application that is vital to the operation of the enterprise. The term is very popular for describing the applications required to run the day-to-day business.
Misuse detection  Detection on the basis of whether the system activity matches that defined as "bad"
Mobile computing  Extends the concept of wireless computing to devices that enable new kinds of applications and expand an enterprise network to reach places in circumstances that could never have been done by other means

Scope Note: Mobile computing is comprised of personal digital assistants (PDAs), cellular phones, laptops and other technologies of this kind.
Mobile device  A small, handheld computing device, typically having a display screen with touch input and/or a miniature keyboard and weighing less than two pounds
Mobile site  The use of a mobile/temporary facility to serve as a business resumption location

The facility can usually be delivered to any site and can house information technology and staff.

Model  A way to describe a given set of components and how those components relate to each other in order to describe the main workings of an object, system, or concept

Scope Note: COBIT 5 perspective
MODEM (modulator/demodulator)  Connects a terminal or computer to a communications network via a telephone line

Modems turn digital pulses from the computer into frequencies within the audio range of the telephone system. When acting in the receiver capacity, a modem decodes incoming frequencies.

Modulation  The process of converting a digital computer signal into an analog telecommunications signal

Monetary unit sampling  A sampling technique that estimates the amount of overstatement in an account balance
Monitoring policy  Rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured and interpreted
Multifactor authentication  A combination of more than one authentication method, such as token and password (or personal identification number [PIN] or token and biometric device).
Multiplexor  A device used for combining several lower-speed channels into a higher-speed channel
Mutual takeover  A fail-over process, which is basically a two-way idle standby: two servers are configured so that both can take over the other node's resource group. Both must have enough central processing unit (CPU) power to run both applications with sufficient speed, or expected performance losses must be taken into account until the failed node reintegrates.

National Institute for Standards and Technology (NIST)  Develops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology

Scope Note: NIST is a US government entity that creates mandatory standards that are followed by federal agencies and those doing business with them.

Net present value (NPV)  Calculated by using an after-tax discount rate of an investment and a series of expected incremental cash outflows (the initial investment and operational costs) and cash inflows (cost savings or revenues) that occur at regular periods during the life cycle of the investment

Scope Note: To arrive at a fair NPV calculation, cash inflows accrued by the business up to about five years after project deployment also should be taken into account.

Net return  The revenue that a project or business makes after tax and other deductions; often also classified as net profit
Netcat  A simple UNIX utility, which reads and writes data across network connections using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). It is designed to be a reliable back-end tool that can be used directly or is easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, because it can create almost any kind of connection needed and has several interesting built-in capabilities. Netcat is now part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions.
Net-centric technologies  The contents and security of information or objects (software and data) on the network are now of prime importance compared with traditional computer processing that emphasizes the location of hardware and its related software and data.

Scope Note: An example of net-centric technologies is the Internet, where the network is its primary concern.
Netware  A popular local area network (LAN) operating system (OS) developed by the Novell Corp.
Network  A system of interconnected computers and the communication equipment used to connect them

Network address translation (NAT)  A methodology of modifying network address information in IP datagram packet headers while they are in transit across a traffic routing device for the purpose of remapping one IP address space into another
Network administrator  Responsible for planning, implementing and maintaining the telecommunications infrastructure; also may be responsible for voice networks

Scope Note: For smaller enterprises, the network administrator may also maintain a local area network (LAN) and assist end users.
Network attached storage (NAS)  Utilizes dedicated storage devices that centralize storage of data

Scope Note: NAS storage devices generally do not provide traditional file/print or application services.
Network basic input/output system (NetBIOS)  A program that allows applications on different computers to communicate within a local area network (LAN).

Network hop  An attack strategy in which the attacker successively hacks into a series of connected systems, obscuring his/her identity from the victim of the attack
Network interface card (NIC)  A communication card that, when inserted into a computer, allows it to communicate with other computers on a network

Scope Note: Most NICs are designed for a particular type of network or protocol.
Network news transfer protocol (NNTP)  Used for the distribution, inquiry, retrieval, and posting of Netnews articles using a reliable stream-based mechanism. For news-reading clients, NNTP enables retrieval of news articles that are stored in a central database, giving subscribers the ability to select only those articles they wish to read. (RFC 3977)
Network segmentation  A common technique to implement network security is to segment an organization's network into separate zones that can be separately controlled, monitored and protected.
Network traffic analysis  Identifies patterns in network communications

Scope Note: Traffic analysis does not need to have the actual content of the communication but analyzes where traffic is taking place, when and for how long communications occur and the size of information transferred.
Node  Point at which terminals are given access to a network
Noise  Disturbances in data transmissions, such as static, that cause messages to be misinterpreted by the receiver
Nondisclosure agreement (NDA)  A legal contract between at least two parties that outlines confidential materials that the parties wish to share with one another for certain purposes, but wish to restrict from generalized use; a contract through which the parties agree not to disclose information covered by the agreement

Scope Note: Also called a confidential disclosure agreement (CDA), confidentiality agreement or secrecy agreement. An NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect non-public business information. In the case of certain governmental entities, the confidentiality of information other than trade secrets may be subject to applicable statutory requirements, and in some cases may be required to be revealed to an outside party requesting the information. Generally, the governmental entity will include a provision in the contract to allow the seller to review a request for information that the seller identifies as confidential and the seller may appeal such a decision requiring disclosure. NDAs are commonly signed when two companies or individuals are considering doing business together and need to understand the processes used in one another's businesses solely for the purpose of evaluating the potential business relationship. NDAs can be "mutual," meaning that both parties are
Nonintrusive monitoring  The use of transported probes or traces to assemble information, track traffic and identify vulnerabilities
Nonrepudiable transaction  Transaction that cannot be denied after the fact
Nonrepudiation  The assurance that a party cannot later deny originating data; provision of proof of the integrity and origin of the data and that can be verified by a third party

Scope Note: A digital signature can provide nonrepudiation.
Nonstatistical sampling  Method of selecting a portion of a population, by means of own judgement and experience, for the purpose of quickly confirming a proposition. This method does not allow drawing mathematical conclusions on the entire population.

Normalization  The elimination of redundant data
Numeric check  An edit check designed to ensure that the data element in a particular field is numeric.
Obfuscation  The deliberate act of creating source or machine code that is difficult for humans to understand

Object code  Machine-readable instructions produced from a compiler or assembler program that has accepted and translated the source code
Object management group (OMG)  A consortium with more than 700 affiliates from the software industry whose purpose is to provide a common framework for developing applications using object-oriented programming techniques

Scope Note: For example, OMG is known principally for promulgating the Common Object Request Broker Architecture (CORBA) specification.

Object orientation  An approach to system development in which the basic unit of attention is an object, which represents an encapsulation of both data (an object's attributes) and functionality (an object's methods)

Scope Note: Objects usually are created using a general template called a class. A class is the basis for most design work in objects. A class and its objects communicate in defined ways. Aggregate classes interact through messages, which are directed requests for services from one class (the client) to another class (the server). A class may share the structure or methods defined in one or more other classes, a relationship known as inheritance.

Objective  Statement of a desired outcome

Scope Note: COBIT 5 perspective
Objectivity  The ability to exercise judgment, express opinions and present recommendations with impartiality

Object-oriented system development  A system development methodology that is organized around "objects" rather than "actions," and "data" rather than "logic"

Scope Note: Object-oriented analysis is an assessment of a physical system to determine which objects in the real world need to be represented as objects in a software system. Any object-oriented design is software design that is centered around designing the objects that will make up a program. Any object-oriented program is one that is composed of objects or software parts.

Offline files  Computer file storage media that are not physically connected to the computer; typical examples are tapes or tape cartridges used for backup purposes.
Offsite storage  A facility located away from the building housing the primary information processing facility (IPF), used for storage of computer media such as offline backup data and storage files
Online data processing  Achieved by entering information into the computer via a video display terminal

Scope Note: With online data processing, the computer immediately accepts or rejects the information as it is entered.
Open Source Security Testing Methodology  An open and freely available methodology and manual for security testing

Open system  System for which detailed specifications of the composition of its component are published in a nonproprietary environment, thereby enabling competing enterprises to use these standard components to build competitive systems

Scope Note: The advantages of using open systems include portability, interoperability and integration.
Open Systems Interconnect (OSI) model  A model for the design of a network. The open systems interconnect (OSI) model defines groups of functionality required to network computers into layers. Each layer implements a standard protocol to implement its functionality. There are seven layers in the OSI model.
Open Web Application Security Project (OWASP)  An open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted
Operating system (OS)  A master control program that runs the computer and acts as a scheduler and traffic controller

Scope Note: The operating system is the first program copied into the computer's memory after the computer is turned on; it must reside in memory at all times. It is the software that interfaces between the computer hardware (disk, keyboard, mouse, network, modem, printer) and the application software (word processor, spreadsheet, email), which also controls access to the devices and is partially responsible for security components and sets the standards for the application programs that run in it.

Operating system audit trail  Record of system events generated by a specialized operating system mechanism
Operational audit  An audit designed to evaluate the various internal controls, economy and efficiency of a function or department
Operational control  Deals with the everyday operation of a company or enterprise to ensure that all objectives are achieved
Operational level agreement (OLA)  An internal agreement covering the delivery of services that support the IT organization in its delivery of services
Operator console  A special terminal used by computer operations personnel to control computer and systems operations functions

Scope Note: Operator console terminals typically provide a high level of computer access and should be properly secured.
Optical character recognition (OCR)  Used to electronically scan and input written information from a source document
Optical scanner  An input device that reads characters and images that are printed or painted on a paper form into the computer
Organization  The manner in which an enterprise is structured; can also mean the entity
Organization for Economic Cooperation and Development (OECD)  An international organization helping governments tackle the economic, social and governance challenges of a global economy

Scope Note: The OECD groups 30 member countries in a unique forum to discuss, develop, and refine economic and social policies.

Organizational structure  An enabler of governance and of management. Includes the enterprise and its structures, hierarchies and dependencies.

Scope Note: Example: Steering committee

COBIT 5 perspective
Outcome  Result
Outcome measure  Represents the consequences of actions previously taken; often referred to as a lag indicator

Scope Note: Outcome measure frequently focuses on results at the end of a time period and characterize historic performance. They are also referred to as a key goal indicator (KGI) and used to indicate whether goals have been met. These can be measured only after the fact and, therefore, are called "lag indicators."

Output analyzer  Checks the accuracy of the results produced by a test run

Scope Note: There are three types of checks that an output analyzer can perform. First, if a standard set of test data and test results exist for a program, the output of a test run after program maintenance can be compared with the set of results that should be produced. Second, as programmers prepare test data and calculate the expected results, these results can be stored in a file and the output analyzer compares the actual results of a test run with the expected results. Third, the output analyzer can act as a query language; it accepts queries about whether certain relationships exist in the file of output results and reports compliance or noncompliance.

Outsourcing  A formal agreement with a third party to perform IS or other business functions for an enterprise

Owner  Individual or group that holds or possesses the rights of and the responsibilities for an enterprise, entity or asset.

Scope Note: Examples: process owner, system owner

COBIT 5 perspective
Packet  Data unit that is routed from source to destination in a packet-switched network

Scope Note: A packet contains both routing information and data. Transmission Control Protocol/Internet Protocol (TCP/IP) is such a packet-switched network.
Packet filtering  Controlling access to a network by analyzing the attributes of the incoming and outgoing packets and either letting them pass, or denying them, based on a list of rules

Packet internet groper (PING)  An Internet program (Internet Control Message Protocol [ICMP]) used to determine whether a specific IP address is accessible or online

It is a network application that uses User Datagram Protocol (UDP) to verify reachability of another host on the connected network.

Scope Note: It works by sending a packet to the specified address and waiting for a reply. PING is used primarily to troubleshoot Internet connections. In addition, PING reports the number of hops required to connect two Internet hosts. There are both freeware and shareware PING utilities available for personal computers (PCs).
Packet switching  The process of transmitting messages in convenient pieces that can be reassembled at the destination
Paper test  A walk-through of the steps of a regular test, but without actually performing the steps

Scope Note: Usually used in disaster recovery and contingency testing; team members review and become familiar with the plans and their specific roles and responsibilities
Parallel simulation  Involves an IS auditor writing a program to replicate those application processes that are critical to an audit opinion and using this program to reprocess application system data

Scope Note: The results produced by parallel simulation are compared with the results generated by the application system and any discrepancies are identified.
Parallel testing  The process of feeding test data into two systems, the modified system and an alternative system (possibly the original system), and comparing results to demonstrate the consistency and inconsistency between two versions of the application
Parity check  A general hardware control that helps to detect data errors when data are read from memory or communicated from one computer to another

Scope Note: A 1-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item's bits is odd or even. When the parity bit disagrees with the sum of the other bits, the computer reports an error. The probability of a parity check detecting an error is 50 percent.

Partitioned file  A file format in which the file is divided into multiple sub-files and a directory is established to locate each sub-file
Passive assault  Intruders attempt to learn some characteristic of the data being transmitted

Scope Note: With a passive assault, intruders may be able to read the contents of the data so the privacy of the data is violated. Alternatively, although the content of the data itself may remain secure, intruders may read and analyze the plain text source and destination identifiers attached to a message for routing purposes, or they may examine the lengths and frequency of messages being transmitted.
Passive response  A response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent action
Password  A protected, generally computer-encrypted string of characters that authenticate a computer user to the computer system

Password cracker  A tool that tests the strength of user passwords by searching for passwords that are easy to guess

It repeatedly tries words from specially crafted dictionaries and often also generates thousands (and in some cases, even millions) of permutations of characters, numbers and symbols.

Patch  Fixes to software programming errors and vulnerabilities
Patch management  An area of systems management that involves acquiring, testing and installing multiple patches (code changes) to an administered computer system in order to maintain up-to-date software and often to address security risk

Scope Note: Patch management tasks include the following: maintaining current knowledge of available patches; deciding what patches are appropriate for particular systems; ensuring that patches are installed properly; testing systems after installation; and documenting all associated procedures, such as specific configurations required. A number of products are available to automate patch management tasks. Patches are sometimes ineffective and can sometimes cause more problems than they fix. Patch management experts suggest that system administrators take simple steps to avoid problems, such as performing backups and testing patches on noncritical systems prior to installations. Patch management can be viewed as part of change management.

Payback period  The length of time needed to recoup the cost of capital investment

Scope Note: Financial amounts in the payback formula are not discounted. Note that the payback period does not take into account cash flows after the payback period and therefore is not a measure of the profitability of an investment project. The scope of the internal rate of return (IRR), net present value (NPV) and payback period is the useful economic life of the project up to a maximum of five years.
Payload  The section of fundamental data in a transmission. In malicious software this refers to the section containing the harmful data/code.
Payment system  A financial system that establishes the means for transferring money between suppliers and users of funds, ordinarily by exchanging debits or credits between banks or financial institutions

Payroll system  An electronic system for processing payroll information and the related electronic (e.g., electronic timekeeping and/or human resources [HR] system), human (e.g., payroll clerk), and external party (e.g., bank) interfaces

In a more limited sense, it is the electronic system that performs the processing for generating payroll checks and/or bank direct deposits to employees.
Penetration testing  A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers
Performance  In IT, the actual implementation or achievement of a process

Performance driver: A measure that is considered the "driver" of a lag indicator

It can be measured before the outcome is clear and, therefore, is called a "lead indicator."

Scope Note: There is an assumed relationship between the two that suggests that improved performance in a leading indicator will drive better performance in the lagging indicator. They are also referred to as key performance indicators (KPIs) and are used to indicate whether goals are likely to be met.

Performance indicators: A set of metrics designed to measure the extent to which performance objectives are being achieved on an ongoing basis

Scope Note: Performance indicators can include service level agreements (SLAs), critical success factors (CSFs), customer satisfaction ratings, internal or external benchmarks, industry best practices and international standards.

Performance management: In IT, the ability to manage any type of measurement, including employee, team, process, operational or financial measurements

The term connotes closed-loop control and regular monitoring of the measurement.

Performance testing: Comparing the system's performance to other equivalent systems, using well-defined benchmarks

Peripherals: Auxiliary computer hardware equipment used for input, output and data storage

Scope Note: Examples of peripherals include disk drives and printers.

Personal digital assistant (PDA): Also called palmtop and pocket computer, a PDA is a handheld device that provides computing, Internet, networking and telephone characteristics.

Personal identification number (PIN): A type of password (i.e., a secret number assigned to an individual) that, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual

Scope Note: PINs have been adopted by financial institutions as the primary means of verifying customers in an electronic funds transfer (EFT) system.

Pervasive IS control: General control designed to manage and monitor the IS environment and which, therefore, affects all IS-related activities

Phase of BCP: A step-by-step approach consisting of various phases

Scope Note: Phase of BCP is usually comprised of the following phases: pre-implementation phase, implementation phase, testing phase, and post-implementation phase.

Phishing: This is a type of electronic mail (email) attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering

Scope Note: Phishing attacks may take the form of masquerading as a lottery organization advising the recipient or the user's bank of a large win; in either case, the intent is to obtain account and personal identification number (PIN) details. Alternative attacks may seek to obtain apparently innocuous business information, which may be used in another form of active attack.

Phreakers: Those who crack security, most frequently telephone and other communication networks

Piggybacking: 1. Following an authorized person into a restricted access area

2. Electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions

Plain old telephone service (POTS): A wired telecommunications system.

Plaintext: Digital information, such as cleartext, that is intelligible to the reader

Platform as a Service (PaaS): Offers the capability to deploy onto the cloud infrastructure customer-created or acquired applications that are created using programming languages and tools supported by the provider

PMBOK (Project Management Body of Knowledge): A project management standard developed by the Project Management Institute (PMI)

Point of presence (POP): A telephone number that represents the area in which the communication provider or Internet service provider (ISP) provides service

Point-of-sale (POS) systems: Enables the capture of data at the time and place of transaction

Scope Note: POS terminals may include use of optical scanners for use with bar codes or magnetic card readers for use with credit cards. POS systems may be online to a central computer or may use standalone terminals or microcomputers that hold the transactions until the end of a specified period when they are sent to the main computer for batch processing.

Point-to-point Protocol (PPP): A protocol used for transmitting data between two ends of a connection

Point-to-point Tunneling Protocol (PPTP): A protocol used to transmit data between two endpoints to create a virtual private network (VPN).

Scope Note: The authentication (MS-CHAPv2) and encryption (RC4-based MPPE) that PPTP relies on have well-known practical weaknesses, so PPTP is no longer regarded as a secure VPN protocol; newer tunnels such as IPsec or TLS-based VPNs are preferred.

Policy: 1. Generally, a document that records a high-level principle or course of action that has been decided on

The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise's management teams.

Scope Note: In addition to policy content, policies need to describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured.

2. Overall intention and direction as formally expressed by management

Scope Note: COBIT 5 perspective

Polymorphism (Objects): Polymorphism refers to database structures that send the same command to different child objects that can produce different results depending on their family hierarchical tree structure

Population: The entire set of data from which a sample is selected and about which an IS auditor wishes to draw conclusions

Port (Port number): A process- or application-specific software element serving as a communication endpoint for the Transport Layer IP protocols (UDP and TCP)

Port scanning: The act of probing a system to identify open ports
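
A minimal TCP connect scanner, added here as an example and not drawn from the glossary. It completes a full three-way handshake per port (the simplest and noisiest scan type), labels each port by its IANA range, and, to stay self-contained, stands up its own loopback listener as a constructed target. The host, port list, timeout and thread count are assumptions for the illustration.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect scan of one port: a completed handshake means 'open'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports: Iterable[int], workers: int = 32) -> List[int]:
    """Probe the given ports concurrently and return the open ones, sorted."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: port_is_open(host, p), ports))
    return sorted(p for p, is_open in zip(ports, results) if is_open)


def classify(port: int) -> str:
    """IANA ranges: well-known (0-1023), registered (1024-49151), dynamic."""
    if port < 1024:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def demo() -> Dict[str, object]:
    """Constructed target: one listening loopback port and one known-closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # the OS picks a free port for us
    listener.listen(5)
    open_port = listener.getsockname()[1]
    # Bind a second socket to learn a free port, then close it so it is closed.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        found = scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "found": found,
            "classes": {p: classify(p) for p in (open_port, closed_port)}}


if __name__ == "__main__":
    print(demo())
```

Scan only systems you are authorized to test: even a connect scan leaves connection records on the target and is readily flagged by an IDS. SYN (half-open) and UDP scans need raw sockets and are outside this example.
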
Portfolio: A grouping of "objects of interest" (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value

(The investment portfolio is of primary interest to Val IT. IT service, project, asset and other resource portfolios are of primary interest to COBIT.)

Posting: The process of actually entering transactions into computerized or manual files

Scope Note: Posting transactions might immediately update the master files or may result in memo posting, in which the transactions are accumulated over a period of time and then applied to master file updating.

Preventive application control: Application control that is intended to prevent an error from occurring

Preventive application controls are typically executed at the transaction level, before an action is performed.

Preventive control: An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product

Prime number: A natural number greater than 1 that can only be divided by 1 and itself.

PRINCE2 (Projects in a Controlled Environment): Developed by the Office of Government Commerce (OGC), PRINCE2 is a project management method that covers the management, control and organization of a project.

Principle: An enabler of governance and of management. Comprises the values and fundamental assumptions held by the enterprise, the beliefs that guide and put boundaries around the enterprise's decision making, communication within and outside the enterprise, and stewardship (caring for assets owned by another).

Scope Note: Examples: Ethics charter, social responsibility charter.

COBIT 5 perspective

Principle of least privilege/access: Controls used to allow the least privilege access needed to complete a task

Privacy: Freedom from unauthorized intrusion or disclosure of information about an individual

Private branch exchange (PBX): A telephone exchange that is owned by a private business, as opposed to one owned by a common carrier or by a telephone company

Private key: A mathematical key (kept secret by the holder) used to create digital signatures and, depending on the algorithm, to decrypt messages or files encrypted (for confidentiality) with the corresponding public key

Private key cryptosystems: Used in data encryption, it utilizes a secret key to encrypt the plaintext to the ciphertext. Private key cryptosystems also use the same key to decrypt the ciphertext to the corresponding plaintext.

Scope Note: In this case, the key is symmetric such that the encryption key is equivalent to the decryption key.

Privilege: The level of trust with which a system object is imbued

Probe: Inspect a network or system to find weak spots

Problem: In IT, the unknown underlying cause of one or more incidents

Problem escalation procedure: The process of escalating a problem up from junior to senior support staff, and ultimately to higher levels of management

Scope Note: Problem escalation procedure is often used in help desk management, when an unresolved problem is escalated up the chain of command, until it is solved.

Procedure: A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes.

Process: Generally, a collection of activities influenced by the enterprise's policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs

Scope Note: Processes have clear business reasons for existing, accountable owners, clear roles and responsibilities around the execution of the process, and the means to measure performance.

Process goals: A statement describing the desired outcome of a process.

Scope Note: An outcome can be an artifact, a significant change of a state or a significant capability improvement of other processes.

COBIT 5 perspective

Process maturity assessment: A subjective assessment technique derived from the Software Engineering Institute (SEI) capability maturity model integration (CMMI) concepts and developed as a COBIT management tool

It provides management with a profile of how well developed the IT management processes are.

Scope Note: It enables management to easily place itself on a scale and appreciate what is required if improved performance is needed. It is used to set targets, raise awareness, capture broad consensus, identify improvements and positively motivate change.

Process maturity attribute: The different aspects of a process covered in an assurance initiative

Production program: Program used to process live or actual data that were received as input into the production environment

Production software: Software that is being used and executed to support normal and authorized organizational operations

Scope Note: Production software is to be distinguished from test software, which is being developed or modified, but has not yet been authorized for use by management.

Professional competence: Proven level of ability, often linked to qualifications issued by relevant professional bodies and compliance with their codes of practice and standards

Professional judgement: The application of relevant knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the IS audit and assurance engagement

Professional skepticism: An attitude that includes a questioning mind and a critical assessment of audit evidence

Scope Note: Source: American Institute of Certified Public Accountants (AICPA) AU 230.07

Professional standards: Refers to standards issued by ISACA.

The term may extend to related guidelines and techniques that assist the professional in implementing and complying with authoritative pronouncements of ISACA. In certain instances, standards of other professional organizations may be considered, depending on the circumstances and their relevance and appropriateness.

Program: A structured grouping of interdependent projects that is both necessary and sufficient to achieve a desired business outcome and create value

These projects could include, but are not limited to, changes in the nature of the business, business processes and the work performed by people as well as the competencies required to carry out the work, the enabling technology, and the organizational structure.

Program and project management office (PMO): The function responsible for supporting program and project managers, and gathering, assessing and reporting information about the conduct of their programs and constituent projects

Program Evaluation and Review Technique (PERT): A project management technique used in the planning and control of system projects

Program flowchart: Shows the sequence of instructions in a single program or subroutine

Scope Note: The symbols used in program flowcharts should be the internationally accepted standard. Program flowcharts should be updated when necessary.

Program narrative: Provides a detailed explanation of program flowcharts, including control points and any external input

Project: A structured set of activities concerned with delivering a defined capability (that is necessary but not sufficient to achieve a required business outcome) to the enterprise based on an agreed-on schedule and budget

Project management officer (PMO): The individual function responsible for the implementation of a specified initiative for supporting the project management role and advancing the discipline of project management

Project portfolio: The set of projects owned by a company

Scope Note: It usually includes the main guidelines relative to each project, including objectives, costs, timelines and other information specific to the project.

Project team: Group of people responsible for a project, whose terms of reference may include the development, acquisition, implementation or maintenance of an application system

Scope Note: The project team members may include line management, operational line staff, external contractors and IS auditors.

Promiscuous mode: Allows the network interface to capture all network traffic irrespective of the hardware device to which the packet is addressed

Protection domain: The area of the system that the intrusion detection system (IDS) is meant to monitor and protect

Protocol: The rules by which a network operates and controls the flow and priority of transmissions

Protocol converter: Hardware devices that convert between two different types of transmission, such as asynchronous and synchronous transmissions

Protocol stack: A set of utilities that implement a particular network protocol

Scope Note: For instance, in Windows machines a Transmission Control Protocol/Internet Protocol (TCP/IP) stack consists of TCP/IP software, sockets software and hardware driver software.

Prototyping: The process of quickly putting together a working model (a prototype) in order to test various aspects of a design, illustrate ideas or features and gather early user feedback

Scope Note: Prototyping uses programmed simulation techniques to represent a model of the final system to the user for advisement and critique. The emphasis is on end-user screens and reports. Internal controls are not a priority item since this is only a model.

Proxy server: A server that acts on behalf of a user

Scope Note: Typical proxies accept a connection from a user, make a decision as to whether the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and complete a connection to a remote destination on behalf of the user.

Public key: In an asymmetric cryptographic scheme, the key that may be widely published to enable the operation of the scheme

Public key cryptosystem: Used in data encryption, it uses an encryption key, as a public key, to encrypt the plaintext to the ciphertext. It uses the different decryption key, as a secret key, to decrypt the ciphertext to the corresponding plaintext.

Scope Note: In contrast to a private key cryptosystem, the decryption key should be secret; however, the encryption key can be known to everyone. In a public key cryptosystem, two keys are asymmetric, such that the encryption key is not equivalent to the decryption key.

Public key encryption: A cryptographic system that uses two keys: one is a public key, which is known to everyone, and the second is a private or secret key, which is only known to the recipient of the message

See also Asymmetric Key.
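
The entries for prime number, private key, private key cryptosystems, public key, public key cryptosystem and public key encryption describe one mechanism from several angles; the following added Python example (not part of the glossary) ties them together. It builds a textbook RSA key pair from two primes, encrypts with the public key, decrypts and signs with the private key, and contrasts that with a toy symmetric cipher in which one secret key serves both directions. The primes 61 and 53, the SHA-256 keystream construction and all sample values are assumptions chosen for illustration; they are far too small and too simple for real use.

```python
import hashlib
from math import gcd
from typing import Tuple

Key = Tuple[int, int]


def is_prime(n: int) -> bool:
    """Trial division; adequate for the small demonstration primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def generate_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA. Returns (public_key, private_key) as (e, n) and (d, n)."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be two distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(public_key: Key, m: int) -> int:
    """Anyone holding the public key can encrypt to the key holder."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(private_key: Key, c: int) -> int:
    """Only the matching private key recovers the plaintext."""
    d, n = private_key
    return pow(c, d, n)


def sign(private_key: Key, m: int) -> int:
    """The private key also creates signatures..."""
    d, n = private_key
    return pow(m, d, n)


def verify(public_key: Key, m: int, signature: int) -> bool:
    """...which anyone can check with the public key."""
    e, n = public_key
    return pow(signature, e, n) == m % n


def symmetric_xor(key: bytes, data: bytes) -> bytes:
    """Toy private-key (symmetric) cipher for contrast: the same call both
    encrypts and decrypts because one secret key serves both directions.
    Keystream = SHA-256(key || block counter); illustration only, not AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


if __name__ == "__main__":
    pub, priv = generate_keypair(61, 53)  # demonstration primes, far too small
    c = encrypt(pub, 65)
    print("public", pub, "private", priv, "cipher", c, "plain", decrypt(priv, c))
    s = sign(priv, 65)
    print("signature valid:", verify(pub, 65, s))
    k = b"constructed-symmetric-key"
    print(symmetric_xor(k, symmetric_xor(k, b"same key both ways")))
```

Textbook RSA without padding is deterministic and malleable; production code uses OAEP for encryption and PSS for signatures, with moduli of at least 2048 bits, through a vetted library. The symmetric helper exists only to show the "same key both ways" property of a private key cryptosystem and is not a cipher to deploy.
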

Public key infrastructure (PKI): A series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued

Public switched telephone network (PSTN): A communications system that sets up a dedicated channel (or circuit) between two points for the duration of the transmission.

Quality: Being fit for purpose (achieving intended value)

Scope Note: COBIT 5 perspective

Quality assurance (QA): A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements. (ISO/IEC 24765)

Quality management system (QMS): A system that outlines the policies and procedures necessary to improve and control the various processes that will ultimately lead to improved enterprise performance

Queue: A group of items that is waiting to be serviced or processed

Quick ship: A recovery solution provided by recovery and/or hardware vendors that includes a pre-established contract to deliver hardware resources within a specified number of hours after a disaster occurs

Scope Note: The quick ship solution usually provides enterprises with the ability to recover within 72 or more hours.

RACI chart: Illustrates who is Responsible, Accountable, Consulted and Informed within an organizational framework

Radio wave interference: The superposition of two or more radio waves resulting in a different radio wave pattern that is more difficult to intercept and decode properly

Random access memory (RAM): The computer's primary working memory

Scope Note: Each byte of RAM can be accessed randomly regardless of adjacent bytes.

Range check: Range checks ensure that data fall within a predetermined range

Ransomware: Malware that restricts access to the compromised systems until a ransom demand is satisfied

Rapid application development: A methodology that enables enterprises to develop strategically important systems faster, while reducing development costs and maintaining quality by using a series of proven application development techniques, within a well-defined methodology

Real-time analysis: Analysis that is performed on a continuous basis, with results gained in time to alter the run-time system

Real-time processing: An interactive online system capability that immediately updates computer files when transactions are initiated through a terminal

Reasonable assurance: A level of comfort short of a guarantee, but considered adequate given the costs of the control and the likely benefits achieved

Reasonableness check: Compares data to predefined reasonability limits or occurrence rates established for the data

Reciprocal agreement: Emergency processing agreement between two or more enterprises with similar equipment or applications

Scope Note: Typically, participants of a reciprocal agreement promise to provide processing time to each other when an emergency arises.

Record: A collection of related information that is treated as a unit

Scope Note: Separate fields within the record are used for processing of the information.

Record, screen and report layouts: Record layouts provide information regarding the type of record, its size and the type of data contained in the record. Screen and report layouts describe what information is provided and necessary for input.

Recovery: The phase in the incident response plan that ensures that affected systems or services are restored to a condition specified in the service delivery objectives (SDOs) or business continuity plan (BCP)

Recovery action: Execution of a response or task according to a written procedure

Recovery point objective (RPO): Determined based on the acceptable data loss in case of a disruption of operations

It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.

Recovery strategy: An approach by an enterprise that will ensure its recovery and continuity in the face of a disaster or other major outage

Scope Note: Plans and methodologies are determined by the enterprise's strategy. There may be more than one methodology or solution for an enterprise's strategy.

Examples of methodologies and solutions include: contracting for hot site or cold site, building an internal hot site or cold site, identifying an alternate work area, a consortium or reciprocal agreement, contracting for mobile recovery or crate and ship, and many others.

Recovery testing: A test to check the system's ability to recover after a software or hardware failure

Recovery time objective (RTO): The amount of time allowed for the recovery of a business function or resource after a disaster occurs

Redo logs: Files maintained by a system, primarily a database management system (DBMS), for the purpose of reapplying changes following an error or outage recovery

Redundancy check: Detects transmission errors by appending calculated bits onto the end of each segment of data
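
An added worked example (not from the glossary) of the redundancy check just defined: each segment of data carries a CRC-32 computed over its contents, and the receiver recomputes the CRC to spot segments damaged in transit. The 16-byte segment size, the framing and the sample message are constructed for the illustration.

```python
import struct
import zlib
from typing import List, Tuple

SEGMENT = 16  # bytes of payload per segment (assumed framing for the example)


def frame(data: bytes, segment: int = SEGMENT) -> List[bytes]:
    """Split data into segments and append a 4-byte big-endian CRC-32 to each."""
    chunks = (data[i:i + segment] for i in range(0, len(data), segment))
    return [chunk + struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF) for chunk in chunks]


def check(frames: List[bytes]) -> Tuple[bytes, List[int]]:
    """Recompute every CRC; return the reassembled payload and the indices of
    segments whose stored check bits do not match (i.e. detected errors)."""
    payload, bad = bytearray(), []
    for idx, f in enumerate(frames):
        chunk, stored = f[:-4], struct.unpack(">I", f[-4:])[0]
        if zlib.crc32(chunk) & 0xFFFFFFFF != stored:
            bad.append(idx)
        payload.extend(chunk)
    return bytes(payload), bad


def flip_bit(frames: List[bytes], idx: int, bit: int) -> List[bytes]:
    """Simulate a transmission error by flipping one bit in segment idx."""
    damaged = bytearray(frames[idx])
    damaged[bit // 8] ^= 1 << (bit % 8)
    out = list(frames)
    out[idx] = bytes(damaged)
    return out


# Constructed sample message (59 bytes, so four segments).
MESSAGE = b"constructed sample message for the redundancy check example"

if __name__ == "__main__":
    frames = frame(MESSAGE)
    print("clean:", check(frames)[1])            # no bad segments
    print("damaged:", check(flip_bit(frames, 1, 5))[1])  # segment 1 flagged
```

A CRC is an error-detection code, not an integrity control against an adversary: anyone who can alter a segment can recompute its CRC, so detecting deliberate tampering requires a keyed MAC or a digital signature rather than a redundancy check.
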

Redundant Array of Inexpensive Disks (RAID): Provides performance improvements and fault-tolerant capabilities via hardware or software solutions, by writing to a series of multiple disks to improve performance and/or save large files simultaneously

Redundant site: A recovery strategy involving the duplication of key IT components, including data or other key business processes, whereby fast recovery can take place

Reengineering: A process involving the extraction of components from existing systems and restructuring these components to develop new systems or to enhance the efficiency of existing systems

Scope Note: Existing software systems can be modernized to prolong their functionality. An example is a software code translator that can take an existing hierarchical database system and transpose it to a relational database system. Computer-aided software engineering (CASE) includes a source code reengineering feature.

Registered ports: Registered ports 1024 through 49151: Listed by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users

Registration authority (RA): The individual institution that validates an entity's proof of identity and ownership of a key pair

Regression testing: A testing technique used to retest earlier program abends or logical errors that occurred during the initial testing phase

Regulation: Rules or laws defined and enforced by an authority to regulate conduct

Regulatory requirements: Rules or laws that regulate conduct and that the enterprise must obey to become compliant

Relational database management system (RDBMS): The general purpose of a database is to store and retrieve related information.

Scope Note: Database management systems have evolved from hierarchical to network to relational models. Today, the most widely accepted database model is the relational model. The relational model has three major aspects: structures, operations and integrity rules. An Oracle database is a collection of data that is treated as a unit.

Relevant audit evidence: Audit evidence is relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support.

Relevant information: Relating to controls, tells the evaluator something meaningful about the operation of the underlying controls or control component. Information that directly confirms the operation of controls is most relevant. Information that relates indirectly to the operation of controls can also be relevant, but is less relevant than direct information.

Scope Note: Refer to COBIT 5 information quality goals

Reliable audit evidence: Audit evidence is reliable if, in the IS auditor's opinion, it is valid, factual, objective and supportable.

Reliable information: Information that is accurate, verifiable and from an objective source

Scope Note: Refer to COBIT 5 information quality goals

Remediation: After vulnerabilities are identified and assessed, appropriate remediation can take place to mitigate or eliminate the vulnerability

Remote access service (RAS): Refers to any combination of hardware and software to enable the remote access to tools or information that typically reside on a network of IT devices

Scope Note: Originally coined by Microsoft when referring to their built-in NT remote access tools, RAS was a service provided by Windows NT which allowed most of the services that would be available on a network to be accessed over a modem link. Over the years, many vendors have provided both hardware and software solutions to gain remote access to various types of networked information. In fact, most modern routers include a basic RAS capability that can be enabled for any dial-up interface.

Remote Authentication Dial-in User Service (RADIUS): A type of service providing an authentication and accounting system often used for dial-up and remote access security

Remote job entry (RJE): The transmission of job control language (JCL) and batches of transactions from a remote terminal location

Remote procedure call (RPC): The traditional Internet service protocol widely used for many years on UNIX-based operating systems and supported by the Internet Engineering Task Force (IETF) that allows a program on one computer to execute a program on another (e.g., server)

Scope Note: The primary benefit derived from its use is that a system developer need not develop specific procedures for the targeted computer system. For example, in a client-server arrangement, the client program sends a message to the server with appropriate arguments, and the server returns a message containing the results of the program executed. Common Object Request Broker Architecture (CORBA) and Distributed Component Object Model (DCOM) are two newer object-oriented methods for related RPC functionality.

Removable media: Any type of storage device that can be removed from the system while it is running

Repeaters: A physical layer device that regenerates and propagates electrical signals between two network segments

Scope Note: Repeaters receive signals from one network segment and amplify (regenerate) the signal to compensate for signals (analog or digital) distorted by transmission loss due to reduction of signal strength during transmission (i.e., attenuation)

Replay: The ability to copy a message or stream of messages between two parties and replay (retransmit) them to one or more of the parties
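
One standard defense against the replay just defined, added here as an example rather than taken from the glossary: the sender attaches a fresh random nonce and a timestamp to every message and authenticates the whole thing with an HMAC under a pre-shared key; the receiver verifies the MAC, rejects anything outside a freshness window and remembers the nonces it has already accepted, so a captured copy is refused even though its MAC is still valid. The shared key, message layout and window size are constructed for the illustration.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Set

SHARED_KEY = b"constructed-shared-key"  # assumed to be pre-shared out of band


def _mac(key: bytes, body: Dict) -> str:
    """HMAC-SHA256 over a canonical (sorted-key) JSON encoding of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_message(payload: str, key: bytes = SHARED_KEY,
                  now: Optional[int] = None) -> Dict:
    """Sender side: fresh nonce + timestamp, then MAC over everything."""
    body = {
        "payload": payload,
        "nonce": os.urandom(16).hex(),
        "ts": int(time.time() if now is None else now),
    }
    return {**body, "mac": _mac(key, body)}


class Receiver:
    """Accepts each authentic, fresh message exactly once."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = 300):
        self.key = key
        self.window = window          # seconds of clock skew tolerated
        self.seen: Set[str] = set()   # production code prunes entries older than window

    def accept(self, msg: Dict, now: Optional[int] = None) -> str:
        now = int(time.time() if now is None else now)
        body = {k: v for k, v in msg.items() if k != "mac"}
        # 1. Authenticity first: constant-time comparison of the MAC.
        if not hmac.compare_digest(_mac(self.key, body), msg.get("mac", "")):
            return "rejected: bad mac"
        # 2. Freshness: a timestamp outside the window is stale (or from the future).
        if abs(now - body["ts"]) > self.window:
            return "rejected: stale"
        # 3. Uniqueness: a nonce we have already accepted means a replayed copy.
        if body["nonce"] in self.seen:
            return "rejected: replay"
        self.seen.add(body["nonce"])
        return "accepted"


if __name__ == "__main__":
    rx = Receiver()
    m = build_message("transfer 100")
    print(rx.accept(m))   # accepted
    print(rx.accept(m))   # rejected: replay
```

A MAC alone does not stop replay; a copied message still carries a valid MAC, which is why the nonce and timestamp are part of the authenticated body. The timestamp window is what keeps the nonce set bounded: entries older than the window can be dropped because the freshness check will reject them anyway.
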
Replication: In its broad computing sense, involves the use of redundant software or hardware elements to provide availability and fault-tolerant capabilities

In a database context, replication involves the sharing of data between databases to reduce workload among database servers, thereby improving client performance while maintaining consistency among all systems.

Repository: An enterprise database that stores and organizes data

Representation: A signed or oral statement issued by management to professionals, where management declares that a current or future fact (e.g., process, system, procedure, policy) is or will be in a certain state, to the best of management's knowledge.

Repudiation: The denial by one of the parties to a transaction, or participation in all or part of that transaction, or of the content of communication related to that transaction

Reputation risk: The current and prospective effect on earnings and capital arising from negative public opinion

Scope Note: Reputation risk affects a bank's ability to establish new relationships or services, or to continue servicing existing relationships. It may expose the bank to litigation, financial loss or a decline in its customer base. A bank's reputation can be damaged by Internet banking services that are executed poorly or otherwise alienate customers and the public. An Internet bank has a greater reputation risk as compared to a traditional brick-and-mortar bank, because it is easier for its customers to leave and go to a different Internet bank and since it cannot discuss any problems in person with the customer.

Request for comments (RFC): A document that has been approved by the Internet Engineering Task Force (IETF) becomes an RFC and is assigned a unique number once published

Scope Note: If the RFC gains enough interest, it may evolve into an Internet standard.

Request for proposal (RFP): A document distributed to software vendors requesting them to submit a proposal to develop or provide a software product

Requirements definition: A technique used in which the affected user groups define the requirements of the system for meeting the defined needs

Scope Note: Some of these are business, regulatory, and security-related requirements as well as development-related requirements.

Residual risk: The remaining risk after management has implemented a risk response

Resilience: The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect

Resource: Any enterprise asset that can help the organization achieve its objectives

Scope Note: COBIT 5 perspective

Resource optimization: One of the governance objectives. Involves effective, efficient and responsible use of all resources (human, financial, equipment, facilities, etc.)

Scope Note: COBIT 5 perspective

Responsible: In a Responsible, Accountable, Consulted, Informed (RACI) chart, refers to the person who must ensure that activities are completed successfully

Return on investment (ROI): A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered

Return-oriented attacks: An exploit technique in which the attacker uses control of the call stack to indirectly execute cherry-picked machine instructions immediately prior to the return instruction in subroutines within the existing program code

Reverse engineering: A software engineering technique whereby an existing application system code can be redesigned and coded using computer-aided software engineering (CASE) technology

Ring configuration: Used in either token ring or fiber distributed data interface (FDDI) networks, all stations (nodes) are connected to a multistation access unit (MSAU), that physically resembles a star-type topology.

Scope Note: A ring configuration is created when MSAUs are linked together in forming a network. Messages in the network are sent in a deterministic fashion from sender and receiver via a small frame, referred to as a token ring. To send a message, a sender obtains the token with the right priority as the token travels around the ring, with receiving nodes reading those messages addressed to it.

Ring topology: A type of local area network (LAN) architecture in which the cable forms a loop, with stations attached at intervals around the loop

Scope Note: In ring topology, signals transmitted around the ring take the form of messages. Each station receives the messages and each station determines, on the basis of an address, whether to accept or process a given message. However, after receiving a message, each station acts as a repeater, retransmitting the message at its original signal strength.

Risk: The combination of the probability of an event and its consequence. (ISO/IEC 73)

Risk acceptance: If the risk is within the enterprise's risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses

Risk aggregation: The process of integrating risk assessments at a corporate level to obtain a complete view on the overall risk for the enterprise

Risk analysis: 1. A process by which frequency and magnitude of IT risk scenarios are estimated

2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats

Scope Note: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.

Risk appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission

Risk assessment: A process used to identify and evaluate risk and its potential effects

Scope Note: Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan.

Risk assessments are also used to manage the project delivery and project benefit risk.

Risk avoidance: The process for systematically avoiding risk, constituting one approach to managing risk

Risk culture: The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed

Risk evaluation: The process of comparing the estimated risk against given risk criteria to determine the significance of the risk. [ISO/IEC Guide 73:2002]

2015 ISACA All rights reserved. Page 81 of 103 ISACA Glossary of Terms
Term Definition
Risk factor: A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events/scenarios
Risk indicator: A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite
Risk management: 1. The coordinated activities to direct and control an enterprise with regard to risk

Scope Note: In the International Standard, the term "control" is used as a synonym for "measure." (ISO/IEC Guide 73:2002)

2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise's risk appetite.

Scope Note: COBIT 5 perspective

Risk map: A (graphic) tool for ranking and displaying risk by defined ranges for frequency and magnitude

Risk mitigation: The management of risk through the use of countermeasures and controls
Risk owner: The person in whom the organization has invested the authority and accountability for making risk-based decisions and who owns the loss associated with a realized risk scenario

Scope Note: The risk owner may not be responsible for the implementation of risk treatment.

Risk portfolio view: 1. A method to identify interdependencies and interconnections among risk, as well as the effect of risk responses on multiple types of risk

2. A method to estimate the aggregate impact of multiple types of risk (e.g., cascading and coincidental threat types/scenarios, risk concentration/correlation across silos) and the potential effect of risk response across multiple types of risk
Risk reduction: The implementation of controls or countermeasures to reduce the likelihood or impact of a risk to a level within the organization's risk tolerance.
Risk response: Risk avoidance, risk acceptance, risk sharing/transfer, risk mitigation, leading to a situation that as much future residual risk (current risk with the risk response defined and implemented) as possible (usually depending on budgets available) falls within risk appetite limits

Risk scenario: The tangible and assessable representation of risk

Scope Note: One of the key information items needed to identify, analyze and respond to risk (COBIT 5 Process APO12)
Risk sharing: Scope Note: See Risk transfer

Risk statement: A description of the current conditions that may lead to the loss; and a description of the loss
Source: Software Engineering Institute (SEI)

Scope Note: For a risk to be understandable, it must be expressed clearly. Such a treatment must include a description of the current conditions that may lead to the loss; and a description of the loss.

Risk tolerance: The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives
Risk transfer: The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service

Scope Note: Also known as risk sharing
Risk treatment: The process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002)

Root cause analysis: A process of diagnosis to establish the origins of events, which can be used for learning from consequences, typically from errors and problems
Rootkit: A software suite designed to aid an intruder in gaining unauthorized administrative access to a computer system
Rotating standby: A failover process in which there are two nodes (as in idle standby but without priority)

Scope Note: The node that enters the cluster first owns the resource group, and the second will join as a standby node.
Rounding down: A method of computer fraud involving a computer code that instructs the computer to remove small amounts of money from an authorized computer transaction by rounding down to the nearest whole value denomination and rerouting the rounded-off amount to the perpetrator's account

Router: A networking device that can send (route) data packets from one local area network (LAN) or wide area network (WAN) to another, based on addressing at the network layer (Layer 3) in the open systems interconnection (OSI) model

Scope Note: Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source addresses, destination addresses, protocol and network applications (ports).
RS-232 interface: An interface between data terminal equipment and data communications equipment employing serial binary data interchange
RSA: A public key cryptosystem developed by R. Rivest, A. Shamir and L. Adleman used for both encryption and digital signatures

Scope Note: The RSA has two different keys, the public encryption key and the secret decryption key. The strength of the RSA depends on the difficulty of the prime number factorization. For applications with high level security, the number of the decryption key bits should be greater than 512 bits.
Rule base: The list of rules and/or guidance that is used to analyze event data

Run instructions: Computer operating instructions which detail the step-by-step processes that are to occur so an application system can be properly executed; also identifies how to address problems that occur during processing
Run-to-run totals: Provide evidence that a program processes all input data and that it processed the data correctly

Safeguard: A practice, procedure or mechanism that reduces risk
Salami technique: A method of computer fraud involving a computer code that instructs the computer to slice off small amounts of money from an authorized computer transaction and reroute this amount to the perpetrator's account
Sampling risk: The probability that an IS auditor has reached an incorrect conclusion because an audit sample, rather than the entire population, was tested

Scope Note: While sampling risk can be reduced to an acceptably low level by using an appropriate sample size and selection method, it can never be eliminated.
Sampling stratification: The process of dividing a population into subpopulations with similar characteristics explicitly defined, so that each sampling unit can belong to only one stratum
Scheduling: A method used in the information processing facility (IPF) to determine and establish the sequence of computer job processing
Scope creep: Also called requirement creep, this refers to uncontrolled changes in a project's scope.

Scope Note: Scope creep can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose. Because of one's tendency to focus on only one dimension of a project, scope creep can also result in a project team overrunning its original budget and schedule. For example, scope creep can be a result of poor change control, lack of proper identification of what products and features are required to bring about the achievement of project objectives in the first place, or a weak project manager or executive sponsor.
Scoping process: Identifying the boundary or extent to which a process, procedure, certification, contract, etc., applies
Screening routers: A router configured to permit or deny traffic based on a set of permission rules installed by the administrator
Secure Electronic Transaction (SET): A standard that will ensure that credit card and associated payment order information travels safely and securely between the various involved parties on the Internet.
Secure Multipurpose Internet Mail Extensions (S/MIME): Provides cryptographic security services for electronic messaging applications: authentication, message integrity and nonrepudiation of origin (using digital signatures) and privacy and data security (using encryption) to provide a consistent way to send and receive MIME data. (RFC 2311)

Secure Shell (SSH): Network protocol that uses cryptography to secure communication, remote command-line login and remote command execution between two networked computers
Secure Sockets Layer (SSL): A protocol that is used to transmit private documents through the Internet

Scope Note: The SSL protocol uses a private key to encrypt the data that are to be transferred through the SSL connection.
Security administrator: The person responsible for implementing, monitoring and enforcing security rules established and authorized by management

Security as a Service (SecaaS): The next generation of managed security services dedicated to the delivery, over the Internet, of specialized information security services.
Security awareness: The extent to which every member of an enterprise and every other individual who potentially has access to the enterprise's information understand:
- Security and the levels of security appropriate to the enterprise
- The importance of security and consequences of a lack of security
- Their individual responsibilities regarding security (and act accordingly)

Scope Note: This definition is based on the definition for IT security awareness as defined in Implementation Guide: How to Make Your Organization Aware of IT Security, European Security Forum (ESF), London, 1993
Security awareness campaign: A predefined, organized number of actions aimed at improving the security awareness of a special target audience about a specific security problem

Each security awareness program consists of a number of security awareness campaigns.
Security awareness coordinator: The individual responsible for setting up and maintaining the security awareness program and coordinating the different campaigns and efforts of the various groups involved in the program

He/she is also responsible for making sure that all materials are prepared, advocates/trainers are trained, campaigns are scheduled, events are publicized and the program as a whole moves forward.

Security awareness program: A clearly and formally defined plan, structured approach, and set of related activities and procedures with the objective of realizing and maintaining a security-aware culture

Scope Note: This definition clearly states that it is about realizing and maintaining a security-aware culture, meaning attaining and sustaining security awareness at all times. This implies that a security awareness program is not a one-time effort, but a continuous process.

Security forum: Responsible for information security governance within the enterprise

Scope Note: A security forum can be part of an existing management body. Because information security is a business responsibility shared by all members of the executive management team, the forum needs to involve executives from all significant parts of the enterprise. Typically, a security forum has the following tasks and responsibilities:
- Defining a security strategy in line with the business strategy
- Identifying security requirements
- Establishing a security policy
- Drawing up an overall security program or plan
- Approving major initiatives to enhance information security
- Reviewing and monitoring information security incidents
- Monitoring significant changes in the exposure of information assets to major threats

Security incident: A series of unexpected events that involves an attack or series of attacks (compromise and/or breach of security) at one or more sites

A security incident normally includes an estimation of its level of impact. A limited number of impact levels are defined and, for each, the specific actions required and the people who need to be notified are identified.
Security management: The process of establishing and maintaining security for a computer or network system

Scope Note: The stages of the process of security management include prevention of security problems, detection of intrusions, and investigation of intrusions and resolution. In network management, the stages are: controlling access to the network and resources, finding intrusions, identifying entry points for intruders and repairing or otherwise closing those avenues of access.

Security metrics: A standard of measurement used in management of security-related activities
Security perimeter: The boundary that defines the area of security concern and security policy coverage
Security policy: A high-level document representing an enterprise's information security philosophy and commitment
Security procedures: The formal documentation of operational steps and processes that specify how security goals and objectives set forward in the security policy and standards are to be achieved
Security software: Software used to administer security, which usually includes authentication of users, access granting according to predefined rules, monitoring and reporting functions
Security standards: Practices, directives, guidelines, principles or baselines that state what needs to be done and focus areas of current relevance and concern; they are a translation of issues already mentioned in the security policy
Security testing: Ensuring that the modified or new system includes appropriate controls and does not introduce any security holes that might compromise other systems or misuses of the system or its information

Security/transaction risk: The current and prospective risk to earnings and capital arising from fraud, error and the inability to deliver products or services, maintain a competitive position, and manage information

Scope Note: Security risk is evident in each product and service offered, and it encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services and the internal control environment. A high level of security risk may exist with Internet banking products, particularly if those lines of business are not adequately planned, implemented and monitored.

Segregation/separation of duties (SoD): A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets

Scope Note: Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection.

Sensitivity: A measure of the impact that improper disclosure of information may have on an enterprise

Sequence check: Verification that the control number follows sequentially and any control numbers out of sequence are rejected or noted on an exception report for further research

Scope Note: Can be alpha or numeric and usually utilizes a key field
Sequential file: A computer file storage format in which one record follows another

Scope Note: Records can be accessed sequentially only. It is required with magnetic tape.
Service bureau: A computer facility that provides data processing services to clients on a continual basis
Service catalogue: Structured information on all IT services available to customers

Scope Note: COBIT 5 perspective
Service delivery objective (SDO): Directly related to the business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restored
Service desk: The point of contact within the IT organization for users of IT services
Service level agreement (SLA): An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured

Service provider: An organization supplying services to one or more (internal or external) customers
Service Set Identifier (SSID): A 32-character unique identifier attached to the header of packets sent over a wireless local area network (WLAN) that acts as a password when a mobile device tries to connect to the base station subsystem (BSS).

Scope Note: The SSID differentiates one WLAN from another so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network. An SSID is also referred to as a network name, because it is a name that identifies a wireless network.
Service user: The organization using the outsourced service.
Service-oriented architecture (SOA): A cloud-based library of proven, functional software applets that are able to be connected together to become a useful online application
Servlet: A Java applet or a small program that runs within a web server environment

Scope Note: A Java servlet is similar to a common gateway interface (CGI) program, but unlike a CGI program, once started, it stays in memory and can fulfill multiple requests, thereby saving server execution time and speeding up the services.
Session border controller (SBC): Provide security features for voice over IP (VoIP) traffic similar to that provided by firewalls

Scope Note: SBCs can be configured to filter specific VoIP protocols, monitor for denial-of-service (DoS) attacks, and provide network address and protocol translation features.
Shell: The interface between the user and the system

Shell programming: A script written for the shell, or command-line interpreter, of an operating system; it is often considered a simple domain-specific programming language

Scope Note: Typical operations performed by shell scripts include file manipulation, program execution and printing text. Usually, shell script refers to scripts written for a UNIX shell, while command.com (DOS) and cmd.exe (Windows) command-line scripts are usually called batch files. Many shell script interpreters double as a command-line interface such as the various UNIX shells, Windows PowerShell or the MS-DOS command.com. Others, such as AppleScript, add scripting capability to computing environments lacking a command-line interface. Other examples of programming languages primarily intended for shell scripting include digital command language (DCL) and job control language (JCL).
Significant deficiency: A deficiency or a combination of deficiencies, in internal control, that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight

Scope Note: A material weakness is a significant deficiency or a combination of significant deficiencies that results in more than a remote likelihood of an undesirable event(s) not being prevented or detected.

Sign-on procedure: The procedure performed by a user to gain access to an application or operating system

Scope Note: If the user is properly identified and authenticated by the system's security, they will be able to access the software.
Simple failover: A failover process in which the primary node owns the resource group

Scope Note: The backup node runs a noncritical application (e.g., a development or test environment) and takes over the critical resource group, but not vice versa.
Simple Mail Transfer Protocol (SMTP): The standard electronic mail (email) protocol on the Internet
Simple Object Access Protocol (SOAP): A platform-independent formatted protocol based on extensible markup language (XML) enabling applications to communicate with each other over the Internet

Scope Note: Use of SOAP may provide a significant security risk to web application operations because use of SOAP piggybacks onto a web-based document object model and is transmitted via HyperText Transfer Protocol (HTTP) (port 80) to penetrate server firewalls, which are usually configured to accept port 80 and port 21 File Transfer Protocol (FTP) requests. Web-based document models define how objects on a web page are associated with each other and how they can be manipulated while being sent from a server to a client browser. SOAP typically relies on XML for presentation formatting and also adds appropriate HTTP-based headers to send it. SOAP forms the foundation layer of the web services stack, providing a basic messaging framework on which more abstract layers can build. There are several different types of messaging patterns in SOAP, but by far the most common is the Remote Procedure Call (RPC) pattern, in which one network node (the client) sends a request message to another node (the server), and the server immediately sends
Single-factor authentication (SFA): Authentication process that requires only the user ID and password to grant access
Single point of failure: A resource whose loss will result in the loss of service or production

Skill: The learned capacity to achieve predetermined results

Scope Note: COBIT 5 perspective
Slack time (float): Time in the project schedule, the use of which does not affect the project's critical path; the minimum time to complete the project based on the estimated time for each project segment and their relationships

Scope Note: Slack time is commonly referred to as "float" and generally is not "owned" by either party to the transaction.
SMART: Specific, measurable, attainable, realistic and timely, generally used to describe appropriately set goals
Smart card: A small electronic device that contains electronic memory, and possibly an embedded integrated circuit

Scope Note: Smart cards can be used for a number of purposes including the storage of digital certificates or digital cash, or they can be used as a token to authenticate users.
Sniff: The act of capturing network packets, including those not necessarily destined for the computer running the sniffing software
Sniffing: The process by which data traversing a network are captured or monitored
Social engineering: An attack based on deceiving users or administrators at the target site into revealing confidential or sensitive information
Software: Programs and supporting documentation that enable and facilitate use of the computer

Scope Note: Software controls the operation of the hardware and the processing of data.
Software as a service (SaaS): Offers the capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin-client interface such as a web browser (e.g., web-based email).
Software as a service, platform as a service and infrastructure as a service (SPI): The acronym used to refer to the three cloud delivery models

Source code: The language in which a program is written

Scope Note: Source code is translated into object code by assemblers and compilers. In some cases, source code may be converted automatically into another language by a conversion program. Source code is not executable by the computer directly. It must first be converted into a machine language.
Source code compare program: Provides assurance that the software being audited is the correct version of the software, by providing a meaningful listing of any discrepancies between the two versions of the program

Source document: The form used to record data that have been captured

Scope Note: A source document may be a piece of paper, a turnaround document or an image displayed for online data input.

Source lines of code (SLOC): Often used in deriving single-point software size estimations
Source routing specification: A transmission technique where the sender of a packet can specify the route that packet should follow through the network
Spam: Computer-generated messages sent as unsolicited advertising
Spanning port: A port configured on a network switch to receive copies of traffic from one or more other ports on the switch
Spear phishing: An attack where social engineering techniques are used to masquerade as a trusted party to obtain important information such as passwords from the victim
Split data systems: A condition in which each of an enterprise's regional locations maintains its own financial and operational data while sharing processing with an enterprise-wide, centralized database

Scope Note: Split data systems permit easy sharing of data while maintaining a certain level of autonomy.
Split domain name system (DNS): An implementation of DNS that is intended to secure responses provided by the server such that different responses are given to internal vs. external users
Split knowledge/split key: A security technique in which two or more entities separately hold data items that individually convey no knowledge of the information that results from combining the items; a condition under which two or more entities separately have key components that individually convey no knowledge of the plaintext key that will be produced when the key components are combined in the cryptographic module
Spoofing: Faking the sending address of a transmission in order to gain illegal entry into a secure system

SPOOL (simultaneous peripheral operations online): An automated function that can be based on an operating system or application in which electronic data being transmitted between storage areas are spooled or stored until the receiving device or storage area is prepared and able to receive the information

Scope Note: Spool allows more efficient electronic data transfers from one device to another by permitting higher-speed sending functions, such as internal memory, to continue on with other operations instead of waiting on the slower-speed receiving device, such as a printer.

Spyware: Software whose purpose is to monitor a computer user's actions (e.g., web sites visited) and report these actions to a third party, without the informed consent of that machine's owner or legitimate user

Scope Note: A particularly malicious form of spyware is software that monitors keystrokes to obtain passwords or otherwise gathers sensitive information such as credit card numbers, which it then transmits to a malicious third party. The term has also come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.

SQL injection: Results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. (MITRE)

Stage-gate: A point in time when a program is reviewed and a decision is made to commit expenditures to the next set of activities on a program or project, to stop the work altogether, or to put a hold on execution of further work
Stakeholder: Anyone who has a responsibility for, an expectation from or some other interest in the enterprise.

Scope Note: Examples: shareholders, users, government, suppliers, customers and the public

Standard: A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as International Organization for Standardization (ISO)
Standing data: Permanent reference data used in transaction processing

Scope Note: These data are changed infrequently, such as a product price file or a name and address file.
Star topology: A type of local area network (LAN) architecture that utilizes a central controller to which all nodes are directly connected

Scope Note: With star topology, all transmissions from one station to another pass through the central controller which is responsible for managing and controlling all communication. The central controller often acts as a switching device.
Stateful inspection: A firewall architecture that tracks each connection traversing all interfaces of the firewall and makes sure they are valid.
Static analysis: Analysis of information that occurs on a noncontinuous basis; also known as interval-based analysis

Statistical sampling: A method of selecting a portion of a population, by means of mathematical calculations and probabilities, for the purpose of making scientifically and mathematically sound inferences regarding the characteristics of the entire population
Statutory requirements: Laws created by government institutions

Storage area networks (SANs): A variation of a local area network (LAN) that is dedicated for the express purpose of connecting storage devices to servers and other computing devices

Scope Note: SANs centralize the process for the storage and administration of data.
Strategic planning: The process of deciding on the enterprise's objectives, on changes in these objectives, and the policies to govern their acquisition and use
Strengths, weaknesses, opportunities and threats (SWOT): A combination of an organizational audit listing the enterprise's strengths and weaknesses and an environmental scan or analysis of external opportunities and threats

Structured programming: A top-down technique of designing programs and systems that makes programs more readable, more reliable and more easily maintained
Structured Query Language (SQL): The primary language used by both application programmers and end users in accessing relational databases
Subject matter: The specific information subject to an IS auditor's report and related procedures, which can include things such as the design or operation of internal controls and compliance with privacy practices or standards or specified laws and regulations (area of activity)

Substantive testing  Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period

Sufficient audit evidence  Audit evidence is sufficient if it is adequate, convincing and would lead another IS auditor to form the same conclusions.

Sufficient evidence  The measure of the quantity of audit evidence; supports all material questions to the audit objective and scope

Scope Note: See evidence

Sufficient information  Information is sufficient when evaluators have gathered enough of it to form a reasonable conclusion. For information to be sufficient, however, it must first be suitable.

Scope Note: Refer to COBIT 5 information quality goals

Suitable information  Relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source) and timely (i.e., produced and used in an appropriate time frame) information

Scope Note: Refer to COBIT 5 information quality goals

Supervisory control and data acquisition (SCADA)  Systems used to control and monitor industrial and manufacturing processes, and utility facilities

Supply chain management (SCM)  A concept that allows an enterprise to more effectively and efficiently manage the activities of design, manufacturing, distribution, service and recycling of products and services to its customers

Surge suppressor  Filters out electrical surges and spikes

Suspense file  A computer file used to maintain information (transactions, payments or other events) until the proper disposition of that information can be determined

Scope Note: Once the proper disposition of the item is determined, it should be removed from the suspense file and processed in accordance with the proper procedures for that particular transaction. Two examples of items that may be included in a suspense file are receipt of a payment from a source that is not readily identified or data that do not yet have an identified match during migration to a new application.

Switches  Typically associated as a data link layer device, switches enable local area network (LAN) segments to be created and interconnected, which has the added benefit of reducing collision domains in Ethernet-based networks.

Symmetric key encryption  System in which a different key (or set of keys) is used by each pair of trading partners to ensure that no one else can read their messages

The same key is used for encryption and decryption. See also Private Key Cryptosystem.

Synchronize (SYN)  A flag set in the initial setup packets to indicate that the communicating parties are synchronizing the sequence numbers used for the data transmission

Synchronous transmission  Block-at-a-time data transmission

System development life cycle (SDLC)  The phases deployed in the development or acquisition of a software system

Scope Note: SDLC is an approach used to plan, design, develop, test and implement an application system or a major modification to an application system. Typical phases of SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post-implementation review, but not the service delivery or benefits realization activities.

System exit  Special system software features and utilities that allow the user to perform complex system maintenance

Scope Note: Use of system exits often permits the user to operate outside of the security access control system.

System flowchart  Graphic representations of the sequence of operations in an information system or program

Scope Note: Information system flowcharts show how data from source documents flow through the computer to final distribution to users. Symbols used should be the internationally accepted standard. System flowcharts should be updated when necessary.

System hardening  A process to eliminate as many security risks as possible by removing all nonessential software programs, protocols, services and utilities from the system

System narrative  Provides an overview explanation of system flowcharts, with explanation of key control points and system interfaces

System of internal control  The policies, standards, plans and procedures, and organizational structures designed to provide reasonable assurance that enterprise objectives will be achieved and undesired events will be prevented or detected and corrected

Scope Note: COBIT 5 perspective

System software  A collection of computer programs used in the design, processing and control of all applications

Scope Note: The programs and processing routines that control the computer hardware, including the operating system and utility programs

System testing  Testing conducted on a complete, integrated system to evaluate the system's compliance with its specified requirements

Scope Note: System test procedures typically are performed by the system maintenance staff in their development library.

Systems acquisition process  Procedures established to purchase application software, or an upgrade, including evaluation of the supplier's financial stability, track record, resources and references from existing customers

Systems analysis  The systems development phase in which systems specifications and conceptual designs are developed based on end-user needs and requirements

Table lookup  Used to ensure that input data agree with predetermined criteria stored in a table

Tangible asset  Any asset that has physical form

Tape management system (TMS)  A system software tool that logs, monitors and directs computer tape usage

Taps  Wiring devices that may be inserted into communication links for use with analysis probes, local area network (LAN) analyzers and intrusion detection security systems

Target  Person or asset selected as the aim of an attack

Tcpdump  A network monitoring and data acquisition tool that performs filter translation, packet acquisition and packet display

Technical infrastructure security  Refers to the security of the infrastructure that supports the enterprise resource planning (ERP) networking and telecommunications, operating systems, and databases

Technology infrastructure  Technology, human resources (HR) and facilities that enable the processing and use of applications

Technology infrastructure plan  A plan for the technology, human resources and facilities that enable the current and future processing and use of applications

Telecommunications  Electronic communication by special devices over distances or around devices that preclude direct interpersonal exchange

Teleprocessing  Using telecommunications facilities for handling and processing of computerized information

Telnet  Network protocol used to enable remote access to a server computer

Scope Note: Commands typed are run on the remote server.

Terminal Access Controller Access Control System Plus (TACACS+)  An authentication protocol, often used by remote access servers

Terms of reference  A document that confirms a client's and an IS auditor's acceptance of a review assignment

Test data  Simulated transactions that can be used to test processing logic, computations and controls actually programmed in computer applications

Individual programs or an entire system can be tested.

Scope Note: This technique includes Integrated Test Facilities (ITFs) and Base Case System Evaluations (BCSEs).

Test generators  Software used to create data to be used in the testing of computer programs

Test programs  Programs that are tested and evaluated before approval into the production environment

Scope Note: Test programs, through a series of change control moves, migrate from the test environment to the production environment and become production programs.

Test types  Test types include:
Checklist test: Copies of the business continuity plan (BCP) are distributed to appropriate personnel for review
Structured walk-through: Identified key personnel walk through the plan to ensure that the plan accurately reflects the enterprise's ability to recover successfully
Simulation test: All operational and support personnel are expected to perform a simulated emergency as a practice session
Parallel test: Critical systems are run at an alternate site (hot, cold, warm or reciprocal)
Complete interruption test: Disaster is replicated, normal production is shut down with real-time recovery process

Testing  The examination of a sample from a population to estimate characteristics of the population

Third-party review  An independent audit of the control structure of a service organization, such as a service bureau, with the objective of providing assurance to the users of the service organization that the internal control structure is adequate, effective and sound

Threat  Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm

Scope Note: A potential cause of an unwanted incident (ISO/IEC 13335)

Threat agent  Methods and things used to exploit a vulnerability

Scope Note: Examples include determination, capability, motive and resources.

Threat analysis  An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against enterprise assets

Scope Note: The threat analysis usually defines the level of threat and the likelihood of it materializing.

Threat event  Any event during which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm

Threat vector  The path or route used by the adversary to gain access to the target

Throughput  The quantity of useful work made by the system per unit of time. Throughput can be measured in instructions per second or some other unit of performance. When referring to a data transfer operation, throughput measures the useful data transfer rate and is expressed in kbps, Mbps and Gbps.

Timelines  Chronological graphs where events related to an incident can be mapped to look for relationships in complex cases

Scope Note: Timelines can provide simplified visualization for presentation to management and other non-technical audiences.

Timely information  Produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material to an enterprise

Scope Note: Refer to COBIT 5 information quality goals

Token  A device that is used to authenticate a user, typically in addition to a username and password

Scope Note: A token is usually a device the size of a credit card that displays a pseudo-random number that changes every few minutes.

Token ring topology  A type of local area network (LAN) ring topology in which a frame containing a specific format, called the token, is passed from one station to the next around the ring

Scope Note: When a station receives the token, it is allowed to transmit. The station can send as many frames as desired until a predefined time limit is reached. When a station either has no more frames to send or reaches the time limit, it transmits the token. Token passing prevents data collisions that can occur when two computers begin transmitting at the same time.

Tolerable error  The maximum error in the population that professionals are willing to accept and still conclude that the test objective has been achieved. For substantive tests, tolerable error is related to professionals' judgement about materiality. In compliance tests, it is the maximum rate of deviation from a prescribed control procedure that the professionals are willing to accept

Top-level management  The highest level of management in the enterprise, responsible for direction and control of the enterprise as a whole (such as director, general manager, partner, chief officer and executive manager)

Topology  The physical layout of how computers are linked together

Scope Note: Examples of topology include ring, star and bus.

Total cost of ownership (TCO)  Includes the original cost of the computer plus the cost of: software, hardware and software upgrades, maintenance, technical support, training, and certain activities performed by users

Transaction  Business events or information grouped together because they have a single or similar purpose

Scope Note: Typically, a transaction is applied to a calculation or event that then results in the updating of a holding or master file.

Transaction log  A manual or automated log of all updates to data files and databases

Transaction protection  Also known as "automated remote journaling of redo logs," a data recovery strategy that is similar to electronic vaulting except that instead of transmitting several transaction batches daily, the archive logs are shipped as they are created

Transmission Control Protocol (TCP)  A connection-based Internet protocol that supports reliable data transfer connections

Scope Note: Packet data are verified using checksums and retransmitted if they are missing or corrupted. The application plays no part in validating the transfer.

Transmission Control Protocol/Internet Protocol (TCP/IP)  Provides the basis for the Internet; a set of communication protocols that encompass media access, packet transport, session communication, file transfer, electronic mail (email), terminal emulation, remote file access and network management

Transparency  Refers to an enterprise's openness about its activities and is based on the following concepts:
How the mechanism functions is clear to those who are affected by or want to challenge governance decisions.
A common vocabulary has been established.
Relevant information is readily available.

Scope Note: Transparency and stakeholder trust are directly related; the more transparency in the governance process, the more confidence in the governance.

Transport Layer Security (TLS)  A protocol that provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. (RFC 2246)

Scope Note: Transport Layer Security (TLS) is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The TLS Record Protocol provides connection security with some encryption method such as the Data Encryption Standard (DES). The TLS Record Protocol can also be used without encryption. The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged.

Trap door  Unauthorized electronic exit, or doorway, out of an authorized computer program into a set of malicious instructions or programs

Triple DES (3DES)  A block cipher created from the Data Encryption Standard (DES) cipher by using it three times

Trojan horse  Purposefully hidden malicious or damaging code within an authorized computer program

Scope Note: Unlike viruses, they do not replicate themselves, but they can be just as destructive to a single computer.

Trusted process  A process certified as supporting a security goal

Trusted system  A system that employs sufficient hardware and software assurance measures to allow its use for processing a range of sensitive or classified information

Tunnel  The paths that the encapsulated packets follow in an Internet virtual private network (VPN)

Tunnel mode  Used to protect traffic between different networks when traffic must travel through intermediate or untrusted networks. Tunnel mode encapsulates the entire IP packet with an AH or ESP header and an additional IP header.

Tunneling  Commonly used to bridge between incompatible hosts/routers or to provide encryption, a method by which one network protocol encapsulates another protocol within itself

Scope Note: When protocol A encapsulates protocol B, a protocol A header and optional tunneling headers are appended to the original protocol B packet. Protocol A then becomes the data link layer of protocol B. Examples of tunneling protocols include IPSec, Point-to-point Protocol Over Ethernet (PPPoE) and Layer 2 Tunneling Protocol (L2TP).

Tuple  A row or record consisting of a set of attribute value pairs (column or field) in a relational data structure

Twisted pair  A low-capacity transmission medium; a pair of small, insulated wires that are twisted around each other to minimize interference from other wires in the cable

Two-factor authentication  The use of two independent mechanisms for authentication (e.g., requiring a smart card and a password), typically the combination of something you know, are or have

Uncertainty  The difficulty of predicting an outcome due to limited knowledge of all components

Unicode  A standard for representing characters as integers

Scope Note: Unicode uses 16 bits, which means that it can represent more than 65,000 unique characters; this is necessary for languages such as Chinese and Japanese.

Uniform resource locator (URL)  The string of characters that form a web address

Unit testing  A testing technique that is used to test program logic within a particular program or module

Scope Note: The purpose of the test is to ensure that the internal operation of the program performs according to specification. It uses a set of test cases that focus on the control structure of the procedural design.

Universal description, discovery and integration (UDDI)  A web-based version of the traditional telephone book's yellow and white pages enabling businesses to be publicly listed in promoting greater e-commerce activities

Universal Serial BUS (USB)  An external bus standard that provides capabilities to transfer data at a rate of 12 Mbps

Scope Note: A USB port can connect up to 127 peripheral devices.

UNIX  A multi-user, multitasking operating system that is used widely as the master control program in workstations and especially servers

Untrustworthy host  A host is referred to as untrustworthy because it cannot be protected by the firewall; therefore, hosts on trusted networks can place only limited trust in it.

Scope Note: To the basic border firewall, add a host that resides on an untrusted network where the firewall cannot protect it. That host is minimally configured and carefully managed to be as secure as possible. The firewall is configured to require incoming and outgoing traffic to go through the untrustworthy host.

Uploading  The process of electronically sending computerized information from one computer to another computer

Scope Note: When uploading, most often the transfer is from a smaller computer to a larger one.

User awareness  A training process in security-specific issues to reduce security problems; users are often the weakest link in the security chain.

User Datagram Protocol (UDP)  A connectionless Internet protocol that is designed for network efficiency and speed at the expense of reliability

Scope Note: A data request by the client is served by sending packets without testing to verify whether they actually arrive at the destination, nor whether they were corrupted in transit. It is up to the application to determine these factors and request retransmissions.

User interface impersonation  Can be a pop-up ad that impersonates a system dialog, an ad that impersonates a system warning, or an ad that impersonates an application user interface in a mobile device.

User mode  Used for the execution of normal system activities

User provisioning  A process to create, modify, disable and delete user accounts and their profiles across IT infrastructure and business applications

Utility programs  Specialized system software used to perform particular computerized functions and routines that are frequently required during normal processing

Scope Note: Examples of utility programs include sorting, backing up and erasing data.

Utility script  A sequence of commands input into a single file to automate a repetitive and specific task

Scope Note: The utility script is executed, either automatically or manually, to perform the task. In UNIX, these are known as shell scripts.

Utility software  Computer programs provided by a computer hardware manufacturer or software vendor and used in running the system

Scope Note: This technique can be used to examine processing activities; to test programs, system activities and operational procedures; to evaluate data file activity; and, to analyze job accounting data.

Vaccine  A program designed to detect computer viruses

Val IT  The standard framework for enterprises to select and manage IT-related business investments and IT assets by means of investment programs such that they deliver the optimal value to the enterprise

Based on COBIT.

Validity check  Programmed checking of data validity in accordance with predetermined criteria

Value  The relative worth or importance of an investment for an enterprise, as perceived by its key stakeholders, expressed as total life cycle benefits net of related costs, adjusted for risk and (in the case of financial value) the time value of money

Value creation  The main governance objective of an enterprise, achieved when the three underlying objectives (benefits realization, risk optimization and resource optimization) are all balanced

Scope Note: COBIT 5 perspective

Value-added network (VAN)  A data communication network that adds processing services such as error correction, data translation and/or storage to the basic function of transporting data

Variable sampling  A sampling technique used to estimate the average or total value of a population based on a sample; a statistical model used to project a quantitative characteristic, such as a monetary amount

Verification  Checks that data are entered correctly

Vertical defense in depth  Controls are placed at different system layers: hardware, operating system, application, database or user levels

Virtual local area network (VLAN)  Logical segmentation of a LAN into different broadcast domains

Scope Note: A VLAN is set up by configuring ports on a switch, so devices attached to these ports may communicate as if they were attached to the same physical network segment, although the devices are located on different LAN segments. A VLAN is based on logical rather than physical connections.

Virtual organizations  Organization that has no official physical site presence and is made up of diverse, geographically dispersed or mobile employees

Virtual private network (VPN)  A secure private network that uses the public telecommunications infrastructure to transmit data

Scope Note: In contrast to a much more expensive system of owned or leased lines that can only be used by one company, VPNs are used by enterprises for both extranets and wide areas of intranets. Using encryption and authentication, a VPN encrypts all data that pass between two Internet points, maintaining privacy and security.

Virtual private network (VPN) concentrator  A system used to establish VPN tunnels and handle large numbers of simultaneous connections. This system provides authentication, authorization and accounting services.

Virtualization  The process of adding a "guest application" and data onto a "virtual server," recognizing that the guest application will ultimately part company from this physical server

Virus  A program with the ability to reproduce by modifying other programs to include a copy of itself

Scope Note: A virus may contain destructive code that can move into multiple programs, data files or devices on a system and spread through multiple systems in a network.

Virus signature file  The file of virus patterns that are compared with existing files to determine whether they are infected with a virus or worm

Voice mail  A system of storing messages in a private recording medium which allows the called party to later retrieve the messages

Voice-over Internet Protocol (VoIP)  Also called IP Telephony, Internet Telephony and Broadband Phone, a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of over dedicated voice transmission lines

Volatile data  Data that changes frequently and can be lost when the system's power is shut down

Vulnerability  A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

Vulnerability analysis  A process of identifying and classifying vulnerabilities

Vulnerability event  Any event during which a material increase in vulnerability results

Note that this increase in vulnerability can result from changes in control conditions or from changes in threat capability/force.

Scope Note: From Jones, J.; "FAIR Taxonomy," Risk Management Insight, USA, 2008

Vulnerability scanning  An automated process to proactively identify security weaknesses in a network or individual system

Walk-through  A thorough demonstration or explanation that details each step of a process

War dialer  Software packages that sequentially dial telephone numbers, recording any numbers that answer

Warm site  Similar to a hot site but not fully equipped with all of the necessary hardware needed for recovery

Waterfall development  Also known as traditional development, a procedure-focused development cycle with formal sign-off at the completion of each level

Web hosting  The business of providing the equipment and services required to host and maintain files for one or more web sites and provide fast Internet connections to those sites

Scope Note: Most hosting is "shared," which means that web sites of multiple companies are on the same server to share/reduce costs.

Web page  A viewable screen displaying information, presented through a web browser in a single view, sometimes requiring the user to scroll to review the entire page

Scope Note: An enterprise's web page may display the enterprise's logo, provide information about the enterprise's products and services, or allow a customer to interact with the enterprise or third parties that have contracted with the enterprise.

Web server  Using the client-server model and the World Wide Web's HyperText Transfer Protocol (HTTP), Web Server is a software program that serves web pages to users.

Web Services Description Language (WSDL)  A language formatted with extensible markup language (XML)

Used to describe the capabilities of a web service as collections of communication endpoints capable of exchanging messages; WSDL is the language used by Universal Description, Discovery and Integration (UDDI). See also Universal Description, Discovery and Integration (UDDI).

Web site  Consists of one or more web pages that may originate at one or more web server computers

Scope Note: A person can view the pages of a web site in any order, as he/she would read a magazine.

Well-known ports  Well-known ports 0 through 1023: Controlled and assigned by the Internet Assigned Numbers Authority (IANA), and on most systems can be used only by system (or root) processes or by programs executed by privileged users. The assigned ports use the first portion of the possible port numbers. Initially, these assigned ports were in the range 0-255. Currently, the range for assigned ports managed by the IANA has been expanded to the range 0-1023.

White box testing  A testing approach that uses knowledge of a program/module's underlying implementation and code intervals to verify its expected behavior

Wide area network (WAN)  A computer network connecting different remote locations that may range from short distances, such as a floor or building, to extremely long transmissions that encompass a large region or several countries

Wide area network (WAN) switch  A data link layer device used for implementing various WAN technologies such as asynchronous transfer mode, point-to-point frame relay solutions, and integrated services digital network (ISDN).

Scope Note: WAN switches are typically associated with carrier networks providing dedicated WAN switching and router services to enterprises via T1 or T3 connections.

Wi-Fi Protected Access (WPA)  A class of systems used to secure wireless (Wi-Fi) computer networks

Scope Note: WPA was created in response to several serious weaknesses that researchers found in the previous system, Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first-generation wireless access points. WPA2 implements the full standard, but will not work with some older network cards. Both provide good security with two significant issues. First, either WPA or WPA2 must be enabled and chosen in preference to WEP; WEP is usually presented as the first security choice in most installation instructions. Second, in the "personal" mode, the most likely choice for homes and small offices, a passphrase is required that, for full security, must be longer than the typical six- to eight-character passwords users are taught to employ.
Wi-Fi protected access II (WPA2)  Wireless security protocol that supports 802.11i encryption standards to provide greater security. This protocol uses Advanced Encryption Standards (AES) and Temporal Key Integrity Protocol (TKIP) for stronger encryption.

Windows NT  A version of the Windows operating system that supports preemptive multitasking

Wired Equivalent Privacy (WEP)  A scheme that is part of the IEEE 802.11 wireless networking standard to secure IEEE 802.11 wireless networks (also known as Wi-Fi networks)

Scope Note: Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping. WEP was intended to provide comparable confidentiality to a traditional wired network (in particular, it does not protect users of the network from each other), hence the name. Several serious weaknesses were identified by cryptanalysts, and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite the weaknesses, WEP provides a level of security that can deter casual snooping.

Wireless computing  The ability of computing devices to communicate in a form to establish a local area network (LAN) without cabling infrastructure (wireless), and involves those technologies converging around IEEE 802.11 and 802.11b and radio band services used by mobile devices

Wireless local area network (WLAN)  Two or more systems networked using a wireless distribution method

Wiretapping  The practice of eavesdropping on information being transmitted over telecommunications links

World Wide Web (WWW)  A subnetwork of the Internet through which information is exchanged by text, graphics, audio and video

World Wide Web Consortium (W3C)  An international consortium founded in 1994 of affiliates from public and private organizations involved with the Internet and the web

Scope Note: The W3C's primary mission is to promulgate open standards to further enhance the economic growth of Internet web services globally.

Worm  A programmed network attack in which a self-replicating program does not attach itself to programs, but rather spreads independently of users' action

Write blocker  A device that allows the acquisition of information on a drive without creating the possibility of accidentally damaging the drive

Write protect  The use of hardware or software to prevent data from being overwritten or deleted

X.25  A protocol for packet-switching networks

X.25 Interface  An interface between data terminal equipment (DTE) and data circuit-terminating equipment (DCE) for terminals operating in the packet mode on some public data networks

X.500  A standard that defines how global directories should be structured

Scope Note: X.500 directories are hierarchical with different levels for each category of information, such as country, state and city.

Zero-day exploit  A vulnerability that is exploited before the software creator/vendor is even aware of its existence
