CISA Glossary Flashcards Preview

CISA Stuff > CISA Glossary > Flashcards

Flashcards in CISA Glossary Deck (500):

Abend *

An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing.


Acceptable use policy

A policy that establishes an agreement between users and the enterprise and defines for all parties' the ranges of use that are approved before gaining access to a network or the Internet


Access control *

The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises.


Access control list (ACL) *

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. Also referred to as access control tables.


Access control table *

An internalized computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals.


Access path *

The logical route an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system.


Access rights *

The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy.


Access servers *

Provides centralized access control for managing remote access dial-up servers.


Access method *

The technique used for selecting records in a file; one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization, which determines how the records are stored.


Address *

Within computer storage, the code used to designate the location of a specified piece of data.


Address space *

The number of distinct locations that may be referred to with the machine address. For most binary machines it is equal to 2n, where n is the number of bits in the machine address.


Addressing *

The method used to identify the location of a participant in a network. Ideally, adressing specifies where the participant is located rather than who they are (name) or how to get there (routing).


Administrative audit

Verifies that appropriate policies and procedures exist, and that they have been implemented as management intended. This audit focuses on operational effectiveness and efficiency.


Administrative controls *

The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies.


Advanced Encryption Standard (AES)

Symmetric-key encryption system designed by Belgian mathematicians. Also known as the Rijndael, Advanced Encryption Standard (AES) replaces the outdated Data Encryption Standard (DES) previously used by the U.S. government. This is the de facto standard for many applications because AES is approved by the U.S. National Institute of Standards and Technology (NIST) for unclassified and certain classified information.


Adware *

A software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used. In most cases, this is done without any notification to the user or without the user's consent. The term adware may also refer to software that displays advertisements, whther or not it does so with the user's consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, an dprovides the user with a specific service.



Changes to data in the database are held in a temporary file called the after-image journal. The transaction can be reversed (discarded) until the program writes the change into the master file. Also see before-image and ACID principle.


Agile development

A micromanagement methodology to force development within a series of short time boxes. Agile is used for the development of prototypes. The focus is on tactile knowledge in a person's mind, rather than the use of formal SDLC design and development documentation.


Alpha *

The use of alphabetic characters or an alphabetic character string.


Alternative routing *

A service that allows the option of having an alternate route to complete a call when the marked destination is not available. In signalling, alternate routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signalling links or routes of that traffic stream.


American Standard Code for Information Interchange *



Analog *

A transmission signal that varies continuously in amplitude and time, and is generated in wave formation. Analog signals are used in telecommunications.


Antivirus software *

An application software deployed at multiple points in an IT architecture It is designed to detect and potentially eliminate virus code before damage is done and repair or quarantine files that have already been infected.


Applet *

A program written in a portable, platform independent computer language such as Java, JavaScript or Visual Basic. An applet is usually embedded in a Hypertext Markup Langiage (HTML) page downloaded from web servers and then executed by a browser on client mahcines to run any web-based application (e.g. generate web page input forms, run audio/video programs, etc.). Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers. However, applets expose the user's machine to risk if not properly controlled by the browser, which should not allow an applet to access a machine's information without prior authorization of the user.


Application *

A computer program or set of programs that perform the processing of records for a specific function. Contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort.


Application controls *

The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved (application). Note: The lowest level of control, usually governing system use or internal program controls. Application controls are easily subverted if higher-level controls governing the operating environment are missing or ineffective. Higher controls include general controls, pervasive controls, and detailed controls.


Application layer *

In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication woth another application program in a network is possible. The application layer is not the application that is doing the communication; there is a service layer that provides these services. Anew: the highest layer of the OSI model is layer 7. The Application layer runs problem-solving software for the user. This layer provides the interface between the user and the computer program.


Application program *

A program that processes business data through activities such as data entry, update or query. Contrasts with system programs, such as an operating system or network contorl program, and with utility programs such as copy or sort.


Application programming *

The act or function of developing and maintaining applications programs in production.


Application programming interface (API) *

"A set of routines, protocols and tools referred to as ""building blocks"" used in business application software development. A good API makes it easier to develop a program by providing all of the building blocks related to functional characteristics of an operating system that applications need to specify, for example, when interfacing with the operating system (e.g., provided by Microsoft Windows, different versions of UNIX). A programer utilizes these APIs in developing applications that can operate effectively and efficiently on the platform chosen."


Application service provider (ASP)

See software as a service (SaaS).


Application software tracing and mapping *

Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, contorl conditions and processing sequence. Both the command language or job contorl statements and programming language can be analyzed. This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons.


Artificial intelligence (AI) *

Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules. Anew: An attempt to simulate human reasoning by using a computer program with a knowledge database and abstract procedures to measure cause-and-effect relationships.


Arythmetic logic unit (ALU) *

The area of the central processing unit that performs mathematical and analytical operations.



Representing 128 characters, the American Standard Code for Information Interchange (ASCII) code normally uses 7 bits. However, some variations of the ASCII code set allow 8 bits. This 8-bit ASCII code allows 256 characters to be represented.


Assembler *

A program that takes as input a program written in assembly language and translates it into machine code or machine language.



A less formal process used to determine value or relevance to the intended use. Assessments may be internal or external. The results of an assessment are of low to moderate value. The results are used for internal purposes only. See audit and independent audit to compare the differences.



Anything of value. May be tangible or intangible in the form of information, skilled people, money, physical goods, products, resources, recipes, or procedures.



A promise with supporting evidence given in a declaration or activity designed to instil confidence.


Asymmetric-key encryption *

A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message (see also public key encryption). Anew: an encryption system using two different keys. Both keys are mathematically related. Asymmetric-key encryption is not time sensitive. The private key is kept secret by the sender, and the public key is freely distributed to anyone who desires to communicate with the owner. Also known as public-key cryptography.


Asynchronous Transfer Mode (ATM) *

A high-bandwidth low-delay switching and multiplexing technology that allows integration of real-time voice and video as well as data. It is a data link layer protocol. ATM is a protocol-independent transport mechanism. It allows high-speed data transfer rates up to 155 Mbit/sec. The acronym ATM should not be confused with the alternate usage for ATM, which refers to an Automated Teller Machine.



A process used for database transaction integrity to ensure that the entire transaction is correctly processed or all the changes are backed out of the database. Anew: if an error or interruption occurs, all changes made up to that point are backed out.



An affirmation by the signer that all statements are true and correct. The purpose is to certify that a declaration is genuine.



In computer programming, an attribute is equivalent to a column in a database table. The attribute refers to a specific characteristic of a database entry.


Attribute sampling *

An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size). Anew: a technique used to estimate the rate of occurrence for a particular attribute within the subject population. In compliance testing, attribute sampling answers the question, "How many?"


Attribute-based access control (ABAC)

The most detailed level of access control, which matches the combined security of subject (user or program), object (data), and context of usage (need or purpose) to determine whether a request should be approved or denied. ABAC is used in mandatory access control, which also requires a centralized control approach.



A formal and systematic process of collecting evidence to test or confirm a statement or to confirm a record of transaction. Also see internal audit and independent audit.


Audit charter

A formal document issued by management to designate audit responsibility, authority, and accountability. The absence of a formal audit charter document would indicate a control weakness.


Audit committee

A committee of the board of directors composed of financially literate executives. The purpose of the audit committee is to challenge the assertions of management by using internal and external auditors.


Audit evidence *

The information used to support the audit opinion. Anew: aamples collected by the auditor to prove or disprove the audit findings. Every audit must use relevant evidence of dependable quality in sufficient quantity to generate a score of success or failure.


Audit objective *

The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk. The audit objective(s) is the reason for the audit.


Audit plan

Detailed project plan containing a list of objectives, specific tasks in proper sequence, skills matrix, written copy of data collection procedures, written audit test procedures, and the forecast illustrating scope time and cost estimates. The audit plan is an essential document to be archived with the resulting audit report for proving integrity of the corresponding results.


Audit program *

A step-by-step set of audit procedures and instructions that should be performed to complete an audit.


Audit risk *

The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occured. Anew: the possibility that material errors may exist that the auditor is unable to detect.


Audit scope

The boundaries and limitations of the individual audit. Normally, particular systems or functions that will be reviewed during the audit.


Audit subject

The target to be audited. The audit subject may be a particular system, process, procedure, or department function.


Audit trail *

A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source. Anew: evidence that can be reassembled in chronological order to retrace a transaction or series of transactions.



The persons and organization being audited.


Auditing standard

The mandatory examination procedures to be executed during an audit to ensure consistency of findings. The auditing standard specifies a minimum level of performance. Any deviations must be well documented, with justification as to why the standard was not followed.



The person(s) performing the audit by gathering evidence, testing, and reporting the findings. Auditors should not be related to the subject of the audit, to prevent bias. Also see independence.


Auditor's opinion

An overall score generated by the sufficient collection of evidence, effective testing, observations, and findings from the test results. It's actually a score based on the relevance of the test results rather than an opinion.


Authentication *

The act of verifying the identity of a user and the user's eligibility to access computerized information. Authentication is designed to protect against fraudulous logon activity. It can also refer to the verification of the correctness of a piece of data. Anew: the process of verifying a user's identity. The user's claim will be tested against a known reference. If a match occurs, the user is authenticated and allowed to proceed. A mismatch will deny the request.


Authentication header (AH)

Used in the IPsec protocol to provide integrity, authentication, and non-repudiation by means of encryption. The authentication header contains the security associations (SAs), which are used for covert tunnelling mode. The AH works with the encapsulated security protocol to both hide the internal IP address and encrypt the data payload.



Microsoft's technique for software developers to digitally sign downloadable ActiveX applets. The authenticode design fails to provide any security from poorly written programs and does not protect the user from malicious programs designed to intentionally cause harm.



The granting of a right or authority.



A term that refers to the accessibility and proper functioning of a system at the time frame required by the user.


Backbone *

The main communication channel of a digital network. The part of a network that handles the major traffic. Employs the highest-speed transmission paths in the network and may also run the longest distances. Smaller networks are attached to the backbone, and networks that connect directly to the end user or customer are called "access networks". A backbone can span a geographical area of any size from a single building to an office complex to an entire country. Or, it can be as small as a backplane in a single cabinet.



A hidden software-access mechanism that will bypass normal security controls to grant access into a program. A root kit is the most powerful type of backdoor because it creates covert access paths into the system. Also see trapdoor.


Backup *

Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service.


Backup and recovery capability

The culmination of software, hardware, procedures, and data files that will permit timely recovery from a failure or disaster.


Badge *

A card or other device that is presented or displayed to obtain access to an otherwise restricted facility, as a symbol of authority (e.g. police) or as a simple means of identification. Also used in advertising and publicity.


Balanced scorecard

Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives. Anew: a management tool that aligns individual activities to the higher-level business objectives.


Bandwidth *

The range between the highest and the lowest transmittable frequencies. It equeates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).


Bar code *

A printed machine-readable code that consists of parrallel bars of varied width and spacing.


Base case *

A standardized body of data created for testing purposes. Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.


Baseband *

A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division and usually utilize a transceiver. The entire bandwidth of the transmission medium (e.g., coaxial cable) is utilized for a single channel. Anew: a single channel for data transmission. Coax cable is an example of a baseband technology.



An agreed-upon reference point. Also see software baseline.


Bastion host

A gateway host fully exposed to an external connection such as the Internet. Bastion hosts are special-purpose systems designed with their own protection to withstand normal (average) attacks. Examples include a proxy server or firewall. If compromised, the bastion will be shut down.


Batch controls *

Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage. There are two main forms of batch controls: sequence control, which involves consecutively numbering the records in a batch so that the presence of each record can be confirmed, and control total, which is a total of the values in selected fields within the transaction. Anew: used to ensure the accuracy and correct formatting of input data. The batch controls include sequence numbering and run-to-run totals. The batch count will count the number of all the items to ensure that each transaction is processed. Batch totals can be used to verify the values within the transactions.


Batch processing *

The processing of a group of transactions at the same time. Transactions are collected and processed against the master files at a specified time.


Bayesian filter *

A method often employed by antispam software to filter spam based on probabilities. The messag eheader and every word or number are each considered a token and given a probability score. Then the entire message is given a spam probability score. A message with a high score will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the independent recipient.



A temporary record of work in progress. This database journal file contains the original data before a new transaction is written. A copy of the original data is retained in this "before" journal file in case the transaction fails. If the transaction fails, the change is discarded and the original data is kept. Related to the ACID principle and after-image transaction journal.


Benchmarking *

A systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business. Examples include benchmarking of quality, logistic efficiency and various other metrics. Anew: a test to evaluate performance against a known workload or industry accepted standard. Using the Capability Maturity Model (CMM) is a form of benchmarking.


Best evidence

Refers to evidence that specifically proves or disproves a particular point. The best evidence is both independent and objective. The worst evidence is subjective or circumstantial evidence.


Binary code *

A code whose representation is limited to 0 and 1.


Biometric management

Management isn't a policy; management is the enforcement/ overseeing of the policy concerning the intended use of biometric data with corresponding standards and procedures. Management includes identifying how data is collected, stored, protected, transmitted, used, and disposed of.


Biometric sensor

Special acquisition device used to create unique minutiae data representing an individual user. Sensors convert physical attributes into electrical signals, which are recorded as attribute scores for each individual user.


Biometric system

A combined assembly of hardware and software that uses biometric templates, acquisition sensors, a biometric template generator, an encrypted database of biometric template data, and a complete matcher to determine whether an individual is actually a legitimate authorized user.


Biometric template

Minutiae data created by the biometric system's acquisition sensor, it represents unique characteristics of the legitimate authorized user that are trustworthy enough to be used for authentication.


Biometric template generator

The system sensor that acquires a biometric image and converts it into biometric minutiae for digital storage or comparison.


Biometric template matcher

Compares a biometric image template just acquired by the sensor to the biometric minutiae already stored inside the biometrics database. A match between the two templates will authenticate the individual, allowing access through the physical door or barrier.


Biometrics *

A security technique that verifies an individual's identity by analyzing a unique physical attribute, such as a handprint. Anew: a technical process to verify a user's identity based on unique physical characteristics.


Bitstream imaging

A special bit-by-bit backup of physical media, which records all the contents, including deleted files and current contents of swap space or slack space. Also known as physical backup. Bitstream backups are used in forensic analysis and may be used in electronic discovery. Also see logical backup.


Black-box testing *

A testing approach thatfocuses on the functionality of the application or product and does not require knowledge of the code of intervals. Anew: tests the functionality of compiled software by comparing the input and output, without understanding the internal process that creates the output. The internal logic is hidden from the tester. The term black box refers to the software being in non-readable machine format (compiled code). Almost all commercially available software is tested by using the black-box technique.



The complete failure of electrical power.


Boot strapping (boot)

The initial loading of software to start a computer. Also see initial program load (IPL).



Remote-controlled robot network created from compromised computers owned by unsuspecting users. Unsuspecting victims may even be located behind a firewall on a corporate network. This bot-net operates a distributed attack against other systems or delivers email spam messages against other systems. Bot-nets are known to be as large as hundreds of thousands or even millions of systems.


Bridge *

A device that connects two similar networks together. Anew: a network device or software process that connects similar networks together. Network switching is based on a bridging process to join users into logical network segments. A standard bridge will forward all data packets to the other users in the subnet. A bridge operates at the OSI Data-Link layer (layer 2).


Broadband *

Multiple channels are formed by dividing the transmission medium into discrete frequency segments. Broadband generally requires the use of a modem. Anew: aultiple communication channels that are multiplexed over a single cable. DSL is an example of broadband transmitted on a different frequency and sharing the same physical wire with the voice telephone circuit.



A network transmission by one computer to all computers on the network. Ethernet uses broadcast technology to transmit data packets, which are seen by all the computers on the network.


Brouters *

Devices that perform the functions of both bridge and a router. A brouter operates at both the data link and the network layers. It connects same data link type local area network (LAN) segments as well as different data link ones, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a different data link type network based on the network protocol address. When connecting same data link type networks, it is as fast as a bridge and is able to connect different data link type networks.



Low voltage for an extended period of time.


Brute force attack

An attempt to overpower the system or to try every possible combination until access is granted.


Buffer *

Memory reserved to temporarily hold data to offset differences between the operating speeds of different devices, such as a printer and a computer. In a program, buffers are reserved areas of random access memory (RAM) that hold data while they are being processed. Anew: a temporary memory location used to stage data before or after processing.


Bus *

Common path or channel between hardware devices. Can be located between computers internal to a computer or between external computers in a communications network. Anew: a shared connection used in common by other devices. Examples include the power bus and the computer data bus.


Bus configuration *

All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes. This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a computer to make a longer cable for more computers to join the network. A repeater can also be used to extend a bus configuration.


Bus topology

An early type of networking in which all the computers were connected on a single cable in a linear fashion.


Business case *

Documentation of the rationale for making a business investment, used both to support a business decision on whther to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle.


Business continuity (BC) manager

A specific manager with the authority of a vice president or director assigned to lead planning and exercises. Usually this person reports to the chief executive officer (CEO), chief operating officer (COO), or holds a leadership position in the program management office. Unlike departmental managers, the BC manager has authority across departmental boundaries.


Business continuity plan (BCP) *

A plan used by an organization to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems. Anew: an organizational plan to continue core revenue-generating operations following a crisis or disaster. The objective of business continuity planning is to ensure uninterrupted revenue for business survival.


Business impact analysis (BIA) *

A process to determine the impact of losing the support of any resource. The BIA assessment study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision. Anew: the process of determining the actual steps to produce the desired product or service, as in use by the organization. The intention is to provide management with accurate information about how the business processes are performed.


Business performance indicators

Business performance can be measured by a variety of indicators, including return on investment (ROI), gross profit margin (GPM), capital gains, market share, production cost, and debt ratio.


Business process reengineering (BPR) *

The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings. Anew: the process of streamlining existing operations in an effort to improve efficiency and reduce cost. Benefits may be derived by eliminating unnecessary steps as the organization has progressed through the learning curve, or by expanding capability for more work.


Business risk *

A probable situation with uncertain frequency and magnitude of loss (or gain). Anew: the inherent potential for harm in the business or industry itself, as the organization attempts to fulfil its objectives. Business risks may be regulatory, contractual, or financial.


Bypass label processing (BLP) *

A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system. Anew: an attempt to circumvent mandatory access controls by bypassing the electronic security control label. Examples include writing data to a read-only file, or accessing a file that would be off-limits because of its higher security rating.



See pseudo-code.


Cable plant

A physical collection of network cables contained inside the building.



A high-speed buffer used to temporarily stage data before or after processing.


Candidate key

Rows of data used with search attributes to find all matching records within the database. For example, searching the database to find the name of every hotel in Grapevine, Texas.


Capability Maturity Model (CMM) *

CMM for software, from the Software Engineering Institute (SEI), is a model used by many organizations to identify best practices useful in helping them assess and increase the maturity of their software development processess. Anew: developed by the Software Engineering Institute to benchmark the maturity of systems and management processes. Maturity levels range from 0 to 5. Level 5 is completely documented and optimized for continuous improvement.


Capacity monitoring

The process of continuously monitoring utilization in the environment against existing resource capacity. The objective is to ensure optimum use and expansion of services before an outage occurs.


Capacity stress testing

Testing an application with large quantities of data to evaluate its performance during peak periods. Also called volume testing.


Central processing unit (CPU) *

Computer hardware that houses the electronic circuits that contorl/direct all operations of the computer system.



A written assurance or official record representing that an event has or has not occurred. Certificates can be stored as electronic records or physical documents, signed by the party providing a declaration of authenticity.


Certificate authority (CA) *

A trusted third party that serves authentication infrastructures or organizations and registers entities and issues them certificates. Anew: the trusted issuer of digital certificates using public- and private-key pairs. The certificate authority is responsible for verifying the authenticity of the user's identity.


Certificate revocation list (CRL) *

An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility. The CRL details digital certificates that are no longer valid. The time gap between two updates is very critical and is also a risk in digital certification. Anew: a list maintained by the certificate authority, of certificates that are revoked or expired.



A comprehensive technical evaluation process to establish compliance to a minimum requirement.


Certification practice statement (CPS)

A detailed set of procedures specifying how the certificate authority governs its operation. It provides an understanding of the value and set certificate authority's value trustworthiness of certificates issued by a given certificate authority (CA).


Chain of custody

Refers to the mandatory security and integrity requirements used in the evidence life cycle. The custodian of evidence must prove that the evidence has been kept secure with a high degree of integrity and has not been tampered with.


Change control board (CCB)

A management review process to ensure awareness and control of changes in the IT environment. A change control board provides separation of duties.


Change control process (CCP)

A formal review of proposed changes using a systematic methodology.


Change management

"A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or ""soft"" elements of change."


Channel Service Unit/Digital Service Unit (CSU/DSU) *

Interfaces at the physical layer of the open systems interconnection (OSI) reference model, data terminal equipment (DTE) to data circuit terminating equipment (DCE), for switched carrier networks.


Check digit *

A numeric value, which has been calculated mathematically, is added to data to ensure that original data have not been altered or that an incorrect, but valid match has occurred. Check digit control is effective in detecting transposition and transcription errors.


Checklist *

A list of items that is used to verify the completeness of a task or goal. Used in quality assurance (and, in general, in information systems audit) to check process compliance, code standardization and error prevention, and other items for which consistency processes or standards have been defined.


Checksum *

"A mathematical value that is assigned to a file and used to ""test"" the ffile at a later date to verify that the data contained in the file have not been maliciously changed. A cryptographic checksum is created by performing a complicated series of mathematical operations (known as a cryptographic algorithm) that translates the data in the file into a fixed string of digits called a hash value, which is then used as the checksum. Without knowing which cryptographic algorithm was used to create the hash value, it is highly unlikely that an authorized person would be able to change data without inadvertently changing the corrosponding checksum. Cryptographic checksums are used in data transmission and data storage. Cryptographic checksums are also known as message authentication codes, integrity check-values, modification detection codes or message integrity codes."


Ciphertext *

Information generated by an encryption algorithm to protect the plaintext and that is unintelligible to the unauthorized reader. Anew: an encrypted message displayed in unreadable text that appears as gibberish. The message is displayed in cipher form.


Circuit switching

All communications are transmitted over a dedicated circuit such as a T1 leased line telephone circuit. Circuit switching is the opposite of packet switching.


Circuit-level gateway

Refers to a proxy firewall. No data packets are forwarded between the internal and external network, except by the proxy application. The proxy application is required to complete the data transmission circuit.


Classified information

Data is ranked somewhere in a protection scheme (aka protection plan) that has been clearly identified to the users and includes handling procedures on how the information should be controlled. Also see unclassified information.


Clear text

A message that is completely readable to a human. The message can be clearly read.



A person or organization with the authority to request an audit. The auditor's report of findings is presented to the client at the conclusion of the audit. The client may be internal or external to the auditee.


Client-server *

A group of computers connected by a communication network, in which the client is the requesting machine and the server is the supplying machine the supplying machine. Software is specialized at both ends. Processing may take place on either the client or the server, but it is transparenct to the user.


Closed system

Software containing methods and programming of a proprietary design, which remains the property of the software creator. Most commercial software is closed system. Closed systems can exchange data to other programs by using a specific application programming interface (API). Microsoft Windows is an example of a closed system containing proprietary design.


Cloud computing *

A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned nd released with minimal management effort or service provider interaction. Anew: application software hosted by remote vendor and offered across the Internet to subscribers. Cloud computing is a variation of the application service provider (ASP) and software as a service (SaaS) models. Security issues are a major concern because specific details of the communications network, network servers, internal software application, and vendor's operation may not be known by the user. Auditors need to remain aware that cloud computing may cut operating expense, bypass IT controls, fuel an individual's political agenda, circumvent management, or violate data control requirements.


Coaxial cable *

Composed of an insulated wirre that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second wire. Has a greater transmission capacity that standard twisted-pair cables, but has a limited range of effective distance.


Cohesion *

The extent to which a system unit--subroutine, program, module, component, subsystem--performs a single dedicated function. Generally, the more cohesive are units, the easier it is to maintain and enhance a system because it is easier to determine where and how to apply a change.


Cold site *

An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the facility that physical components of the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility. Anew: a physical location that can be used for disaster recovery of non-critical processes. The cold site is no more than a building with basic utility service. The entire computing environment must be shipped in and then assembled. The cold site will be ready for production use in weeks or months.


Committee of Sponsoring Organizations (COSO)

A voluntary association of governments (members) engaged in regulating the integrity of financial transactions worldwide. COSO is based on London's banking system for investment, stock trading, and transaction controls. COSO represents the foundation of auditing laws and audit controls worldwide. ISACA represents a narrow derivative of IT-specific controls attempting to implement an IT-only portion of the COSO control model. COSO controls are used in conjunction with those of the International Organization for Standardization (ISO) and the Organization for Economic Cooperation and Development (OECD), which specify the details and interpretation of laws each country needs to adopt in support of world trade.


Common Criteria

An international standard (ISO 15408) for testing criteria of computer security controls. All ISO member countries are expected to use the Common Criteria standard with testing performed by an ISO 17025-certified laboratory testing facility. Common Criteria is currently in use by Canada, France, Germany, the Netherlands, the United Kingdom, and the United States.


Communication processor *

A computer embedded in a communications system that generally performs basic tasks of classifying network traffic and enforcing network polic functions. An example is the message data processor of a digital divide network (DDN) switching center. More advanced communications processors may perform additional functions.


Comparison program *

A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences.


Compensating control *

An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions. Anew: an internal control that reduces the potential for loss by error or omission. Supervisory review and audit trails are compensating controls for a lack of separation of duties.



An automated process used by software developers to convert human-readable computer programs into executable machine language. Compiled computer software runs faster than interpreted program scripts. Compiled computer programs cannot be read by humans.


Compiler *

A program that translates programming languge (source code) into machine executable instructions (object code).


Completed connected (mesh) configuration *

A network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks).


Completeness check *

A procedure designed to ensure that no fields are missing from a record.


Compliance audit

A type of audit that determines whether internal controls are present and functioning effectively.


Compliance testing *

Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period. Anew: the testing of internal controls to determine whether they are functioning correctly.


Components (as in component-based development) *

Cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as many predeveloped, pretested components as possible.


Compouter Emergency Response Team (CERT) *

A group of people integrated at the organization with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.


Comprehensive audit *

An audit designed to determine the accuracy of financial records as well as to evaluate the internal controls of a function or department.


Computer console

Physical access to the computer's primary input/output terminal, usually the video display and keyboard. Access to the computer console is a security risk that must be controlled.


Computer forensics *

The application of the scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communications and digital storage devices) in a way that is admissible as evidence in a court of law.


Computer sequence checking

Verifies that the control number follows sequentially and that any control numbers out of sequence are rejected or noted on an exception report for further research.


Computer-aided software engineering (CASE) *

The use of software packages that aid in the development of all phases of an information system. System analysis, design programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.


Computer-assisted audit tools (CAAT) *

Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities. Anew: the family of automated test software using a computerized audit procedure with specialized utilities.


Concurrency control *

Refers to a class of controls used in a database management system (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serial and reciverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions.


Confidence coefficient

The quantified probability of error. A confidence coefficient of 95 percent is considered a high level of confidence in IS auditing.



The protection of information held in secret for the benefit of authorized users.


Configuration management *

The control of changes to a set of configuration items over a system life cycle. Anew: an administrative process of being able to prove the documented design as built, by verifying the correct version of all the individual components used in final construction. The three elements of configuration management are control, accounting, and reporting.


Console log *

An automated detail report of computer system activity.


Constructive Cost Model (COCOMO)

An early software project estimation technique used to forecast the time and effort required to develop a software program based on size and complexity.


Contingency planning

Process of developing advance arrangements and procedures that enable an enterprise tto rrespond to an event that could occur of arrangements an o espond occur by chance or unforeseen circumstances.


Continuity *

"Preventing, mitigating and recovering from disruption. The terms ""business resumption planning,"" ""disaster recovery planning"" and ""contingency planning"" also may be used in this context; they all concentrate on the recovery aspects of continuity."


Continuity of operations

Pre-emptive activities designed to ensure the continuous operation of core processes, utilities, and lifeline services. Vendors involved in lifeline medical services, power utilities, communications, national infrastructure supply-chains, or food and water are expected to provide their services without interruption regardless of whether they generate revenue or not.


Continuous auditing approach

This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.


Continuous improvement *

The goals of continuous improvement (Kaizen) include the elimination of waste, defined as "activities that add cost, but do not add value;" just-in-time delivery; production load leveling of amounts and types; standardized work; paced moving lines; right-sized equipment. A closer definition of the Japanese usage of Kaizen is "to take it apart and put back together in a better way." What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes.


Contraband software

Any system utility or special software not required in the specific performance of a person's job duties. A tightly controlled software policy prevents any excuses for violating separation of duties. Examples of contraband software include password crackers, network discovery tools, CAAT software, traffic generators, disk-wiping utilities, or known hacking software. Violations should be grounds for immediate termination following the conclusion of an investigation.



The power to regulate or restrict activities. IS controls are used as a safeguard to prevent loss, error, or omission.


Control environment

A space designed to protect assets by using sufficient physical and technical controls to prevent unauthorized access or compromise. The computer room is a control environment.


Control group *

Members of the operations area that are responsible for the collection, logging and submission of input for the various user groups.


Control objective

A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.


Control risk *

The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. Anew: the risk that errors may be introduced, or not identified and corrected in a timely manner. The risk of losing control.


Control section *

The area of the central processing unit (CPU) that executes sofwtare, allocates internal memory and transfers operations between the arithmetic-logic, internal storage and output sections of the computer.


Control self-assessment

A formal review executed by the user to assess the effectiveness of controls. The purpose of the control self-assessment is to induce ownership by the user and to facilitate improvement.


Cookie *

A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them. The first time a cookie is set, a user may be required to go through a registration process. Subsequent to this, whenever the cookie's message is sent to the server, a customized view based on that user's preferences can be produced. The browser's implementation of cookie's has, however, brought several security concerns, allowing breaches of security and the theft of personal information (e.g., user passwords that validate the user's identity and enable restricted web services).


Corporate governance *

The system by which enterprises are directed and controlled. The board of directors are responsible for the governance of their organization. It consists of the leadership and organizational structures and processes that ensure the organization sustains and extends strategies and objectives.


Corrective control *

Designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected. Anew: a control designed to minimize the impact of an error by repairing the condition or executing an alternative procedure. Examples of corrective controls include data restoration from tape backup, hot sites, and automated fail-over systems.


Cost of asset

The capital expense of an asset may be measured as total ownership cost (TOC). The cost of the asset is the cumulative total expense based on purchase price, delivery cost, implementation cost, and effective downtime.


Countermeasure *

Any process that directly reduces a threat or vulnerability.


Coupling *

Measure of interconnectivity among structure of software programs. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data pass across the interface. In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand and maintain, and less prone to a ripple or domino effect caused when errors occur at one location and propagate through the system.



A malicious computer attacker who attempts to break into a system. Synonymous with the term malicious hacker.


Crash dump

A special diagnostic file created when a computer system crashes. The contents represent the data being processed at the time of the crash, including contents of the memory registers and tasks running when the crash occurred. Crash dump files vary according to the operating system. Contents of this file are extremely valuable in forensic analysis.


Critical infrastructure

Systems whose incapacity or destruction would have a debilitating effect on the economic security of an enterprise, community or nation.


Critical Path Methodology (CPM)

The path of execution that accomplishes the minimum, yet most important objectives of the project. The critical path is the longest single route through a network diagram and the shortest time to accomplish the main objectives. Critical path items represent mandatory tasks that, if not accomplished, would wreck the project.


Critical success factor (CSF)

A process that must occur perfectly every single time in order to be successful. To fail a critical success factor would be a show stopper. Anew: The most important issue or action for management to achieve control over and within its IT processes.


Cross-site scripting (XSS)

Very common programming technique that allows one program, such as a shopping cart, to drive another website. The shopping cart sends a transaction approval message to a different website, which provides access or a file to download. XSS creates a serious vulnerability unless strong cryptographic controls are used to authenticate that the request is actually valid. Static passwords will not protect against XSS attacks.


Crossover error rate (CER)

In biometrics, crossover error rate refers to adjusting sensitivity of the system to specifically favour either speed or increased accuracy. The most common error in biometrics is false rejection (type 1 error, aka. FRR), which poses little risk to an organization's security requirements. The greater risk of breach occurs when an illegitimate user is accepted in error (type 2 error, aka FAR, or false acceptance rate). The crossover rate indicates the level of favouritism protecting against either FRR or FAR. Also see equal error rate. Note that ISACA may confuse the terminology of CER and EER in documentation and on exam questions. These are definitely different settings.


Cryptographic system

The implementation of a computer program using a cryptographic algorithm and keys to encrypt and decrypt messages.



The theories and methods of converting readable text into undecipherable gibberish and later reversing the process to create readable text. The purpose of cryptography


Crystal-box testing

See white-box testing.


Customer relationship management (CRM) *

A way to identify, acquire and retain customers. CRM is also an industry term for software solutions that help an organization manage customer relationships in an organized manner.


Cyclic redundancy check (CRC)

A simple error-detection process whereby the contents are divided by a number prior to transmission. After transmission, the process is rerun to determine whether an error occurred. A value of zero indicates that the transmission was successful.


Data classification

A process of ranking information based on its value or requirements for secrecy.


Data communication *

The transfer of data between seperate computer processing sites/devices using telephone lines, microwave and/or satellite links.


Data custodian *

Individual(s) and department(s) responsible for the stprage and safeguarding of computerized information. This typically is within the IS organization. Anew: the individual charged with protecting data from a loss of availability, loss of integrity, or loss of confidentiality. The data custodian implements controls appropriate to the desires of the data owner and data classification.


Data dictionary *

A database that contains the name, type, range of values, source and authorization for access for each data element in a database. It also indicates which application programs use those data so that when a data structure is contemplated, a list of the affected programs can be generated. May be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database. Anew: a standardized reference listing of all the programmer's data descriptions and files used in a computer program.


Data diddling

Changing data with malicious intent before or during input into the system.


Data Encryption Standard (DES) *

An algorithm for encoding binary data. It is a secret key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES was defined as a Federal Information Processing Standard (FIPS) in 1976 and has been used commonly for data encryption in the forms of software and hardware implementation (See private key cryptosystems). Anew: A cryptographic symmetric-key algorithm implemented by the U.S. government from 1972 to 1993. The DES standard was modified to use a triple process of encryption and decryption in an attempt to improve confidentiality (triple DES). DES was replaced by the Advanced Encryption Standard (AES). DES is commonly used in older devices.


Data integrity controls

Procedures to ensure the appropriateness and accuracy of information.


Data leakage *

Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes.


Data mart

A group of data selected from a data warehouse for analysis. The data selected is of particular interest to a group of people.


Data mining

The process of analyzing volumes of data to determine correlations that may be useful.


Data owner *

Individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data. Anew: the individual or executive responsible for the integrity of information. The duties of the owner include specifying appropriate controls, identifying authorized users, and appointing a custodian.


Data retention

See records management.


Data security *

Those controls that seek to maintain confidentiality, integrity and availability of information.


Data set

A set of related data files.


Data structure *

the relationships among files in a database and among data within each file.


Data-Link layer

The transmit-and-receive protocol between networked devices. Data-Link operates on OSI layer 2.


Data-oriented database (DODB)

A data collection designed around relevant information in a known format. The database and the program methods operate separately from each other.


Data-oriented systems development

Focuses on providing ad hoc reporting for users by developing a suitable accessible database of information and to provide useable data rather than a function.


Database *

A stored collection of related data needed by organizations and individuals to meet their information processing and retrieval requirements. Anew: a collection of persistence data items that are maintained in a grouping.


Database administrator (DBA) *

An individual or department responsible for tthe security and information classification of the shared data stored on a database he classification shared stored on system This responsibility includes the design, definition and maintenance of the database.


Database management system (DBMS) *

A software system that controls the organization, storage and retrieval of data in a database.


Database replication

The process of creating and managing duplicate versions of a database. Replication not only copies a database but also synchronizes a set of replicas so that changes made to one replica are reflected in all of the others.


Database schema

The data structure and design of the database that represents a logical layout or schema.


Database specifications *

These are the requirements for establishing a database application. They include field definitions, field requirements, and reporting requirements for the individual information in the database.


Decentralization *

The process of distributing computer processing to different locations within an organization.


Decision support system (DSS) *

An interactive system that provides the user with easy access to decision models and data, to support semistructured decision- making tasks. Anew: a database information system with scenario models designed to convey important facts and details to aid the decision process.


Decryption *

A technique used to recover the original plaintext from the ciphertext so that it is intelligible to the reader. The decryption is a reverse process of the encryption. Anew: the process of reversing encryption to convert unintelligible cipher-text into human-readable clear text.


Decryption key *

A piece of information used to recover the plaintext from the corrosponding ciphertext by decryption.


Default gateway

The address of a router used to communicate with systems located on a different subnet or different network.


Defense-in-depth (DID)

A process of building layers of defensive controls for protective assurance. Also known as a layered defense strategy.



To sharpen the details of an average population by using a stratified mean (for example, demographics) to further define the data into small units.



The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media.


Deleted files

Computer files remain on the hard disk after deletion. To conserve processing, space occupied by deleted files is simply marked as eligible for overwriting. Deleted files that have not been overwritten may be recovered by using a simple recovery utility or forensic analysis. Use of an overwriting utility or physical destruction is necessary to prevent unauthorized disclosure of deleted files.


Demilitarized zone (DMZ)

See screened subnet.


Denial of service (DoS)

An attack designed to prevent the user from accessing the computer system.


Detailed controls

Lower-level controls placed on specific procedures.


Detection risk *

The risk that material errors or misstatements that have occured will not be detected by the IS auditor. Anew: the risk that an auditor will not be able to detect material error conditions (faults) that exist.


Detective control *

Exists to detect and report when errors, omissions and unauthorized ues of entries occur. Anew: a control designed to report items of concern including errors, omissions, and unauthorized access.


Dial back *

Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the caller is from a valid phone number or telecommunications channel.


Dial-in access control

Prevents unauthorized access from remote users who attempt to access a secured environment. Ranges from a dial-back control to remote user authentication.


Dictionary attack

An attack used to discover system passwords by loading all the words found in a language dictionary into a password-cracking utility. The password-cracking utility will encrypt each word by using the same method as the operating system. Matching encrypted passwords are identified, and the originating word is displayed to the attacker as the unencrypted password.


Differential backup

A file backup method that copies every file that has been added or changed since the last full backup. A differential backup does not set the final archive bit flag.


Digital certificate

An encrypted computer file containing unique information about the identity of the individual and the issuer of the certificate. Digital certificates are used to verify the authenticity of a remote system. Digital certificates are required to enable Secure Shell (SSH) and Secure Sockets Layer (SSL).


Digital rights management (DRM)

Uses encryption and/or digital certificates to enforce licensing of electronic files (music, movies, e-books, and so forth). DRM is used to help prevent bootlegging of illegal copies. The electronic file contains a special DRM interface that uses the vendor's public key to unlock the product for authorized users. Depending on the vendor's implementation, DRM may or may not use digital certificates as part of the protection mechanism.


Digital signature *

A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and non-repudiation. A digital signature is generated using the sender\s private key or applying a one-way hash function. Anew: an encrypted hash of an electronic file. The subject file is processed by using a hash algorithm such as MD5 or SHA-256. The resulting hash output file is encrypted with the sender's private key. This encrypted hash file is known as a digital signature that is related to both the sender and the subject file. The signature is verified by using the sender's public key to decrypt the hash.


Disaster recovery plan (DRP) *

A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster. Anew: a set of procedures for providing an emergency response following a disaster. The objective is to rebuild the organization to a state equal to that prior to the disaster. Disaster recovery does not provide for losses of market share and revenue. Business continuity is the next step above disaster recovery.


Disaster tolerance *

The time gap during which the business can accept the non-availability of IT facilities.


Discovery sampling *

A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population. Anew: the process of searching 100 percent of the available records for specific attributes to determine the probability of occurrence. Used when the likelihood of evidence is low or extreme accuracy is required. The intention is to discover whether a particular situation has occurred. Common examples include fraud, forensic investigations, and identifying correlations from unexpected events.


Discretionary access control (DAC) *

A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to another subject. Anew: a type of access control in which a person of authority decides to grant or revoke access for an individual. The decision may be based on need or desire.


Disk imaging

See bitstream imaging.


Disk mirroring

See mirrored.


Disk strings

The orderly connection of multiple disk drives in a storage array. Strings of individual disks are connected for use in RAID subsystems.


Diskless workstations *

A workstation or PC on a network that does not have its own disk, but instead stores files on a network file server.


Disposal (SDLC phase 7)

The manner in which hardware and software assets are authorized for retirement without the loss of data records. Data must be archived according to legal commitments and regulations. No one in the organization should profit from the disposal process.


Distributed data processing network *

A system of computers connected together by a communication network. Each computer processes its data and the network supports the system as a whole. Such a network enhances communication among the linked computers and allows access to shared files.


Distributed denial-of-service attack (DDoS)

A particularly vicious form of denial-of-service attack that is launched concurrently from multiple systems.


Diverse routing *

The method of routing traffic through split cable facilities or duplicate cable facilities. This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual entrance facilities. However, acquiring this type of access is time-consuming and costly. Most carriers provide facilities for alternate and diverse routing, although the majority of services are transmitted over terrestrial media. These cable facilities are usually located in the ground or basement. Ground-based facilities are at great risk due to the aging infrastructures of cities. In addition, cable-based facilities usually share room with mechanical and electrical systems that can impose great risks due to human error and disastrous events.



A kingdom or political territory of direct influence.


Domain Name System (DNS) *

A hierarchical database that is distributed across the internet that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and email servers. Anew: an Internet protocol that looks up the server's IP address by using the server hostname, such as . The Internet domain names and IP addresses are loaded into a server running the domain name service.


Domain Name System (DNS) poisining *

Corrupts the table of an Internet server's DNS, replacing an Internet address with the address of another vagrant or scoundrel address. If a web user looks for the page with that address, the request is redirected by the scoundrel entry in the table to a different address. Cache poisining differs from another form of DNS poisining in which the attacker spoofs valid email accounts and floods the "n" boxes of administrative and technical contacts. Cache poisining is related to URL poisining or location poisining, in which an internet user behavior is tracked by adding an identification number to the location line of the browser that can be recorded as the user visits successive pages on the site. It is also called DNS cache poisining or cache poisining.


Downloading *

The act of transferring computerized information from one computer to another computer.



A resource or system being unavailable to the user for any reason whatsoever. Downtime may be the result of a planned outage for maintenance or backups, or an unplanned outage due to a failure.


Downtime report *

A report that identifies the elapsed time when a computer is not operating correctly because of machine failure.


Dry pipe

A type of fire-suppression system in which the pipes remain dry until seconds after the release is required. Most dry-pipe systems utilize compressed gas to minimize the chance of leakage due to corrosion or freezing conditions.


Dry-pipe fire extinguisher system

Refers to a sprinkler system that does not have water in the pipes during idle usage, unlike a fully charged fire extinguisher system that has water in the pipes at all times. The dry-pipe system is activated at the time of the fire.


Due care

The level of care that a normal, prudent individual would give in the same situation.


Dumb terminal *

A display terminal without processing capability. Dumb terminals are dependent on the main computer for processing. All entered data are accepted without further editing or processing.


Dumpster diving

The process of digging through trash in a dumpster to recover evidence or improperly disposed-of records. The same process is frequently used by government agents and law enforcement to gather evidence; therefore, it's legal unless the person is trespassing. Trespassing is unnecessary if the refuse is going to be unloaded at the public waste dump. A hacker or investigator can pick through the trash after it's unloaded at the dump or recycler.


Duplex routing

The method or communication mode of routing data over the communication network.


Dynamic Host Configuration Protocol (DHCP) *

A protocol used by networked computers (clients) to obtain IP addresses and other parameters such as the default gateway, subnet mask and IP addresses of domain name system (DNS) servers from a DHCP server. The DHCP server ensures that all IP addresses are unique (e.g., no IP adress is assigned to a second client while the first client's assignment is valid [it's lease has not expired]). Thus, IP address poll management is done by the server and not by a human network administrator.


Echo checks

Detects line errors by retransmitting data back to the sending device for comparison with the original transmission.


Edit control *

Detects errors in the input portion of information that is sent to the computer for processing. May be manual or automated, and allow the user to edit data errors before processing.


Editing *

Ensures that data conform to predetermined criteria and enable early identification of potential errors.


Electromagnetic interference (EMI)

Magnetic waves of interference generated by electricity.


Electronic Data Interchange (EDI) *

The electronic transmission of transactions (information) between two organizations. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders. Anew: used for e-commerce between two organizations for communicating purchases and payment. EDI mapping converts the names of data elements (data fields) between two trading organizations. Traditional EDI transmits data through a value-added network (VAN) operated by a service provider. Web-based EDI transmits data across the Internet.


Electronic discovery (e-discovery)

The process of searching electronic records to gather evidence. The legal discovery process allows another party the right to investigate records for the purpose of compiling evidence relevant to their claim. Electronic discovery may include recovery of deleted files and the search of standing data on offline media, including backup tapes. Persons accused of obstructing the discovery process face serious criminal charges.


Electronic funds transfer (EFT) *

The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another.


Electronic vaulting

A process of transmitting data to a remote backup site. This ensures that the most recent files are available in the event of a disaster. A common implementation is to transmit live data files to a remote server.


Elliptic curve cryptography

A new type of encryption using specific points on a three-dimensional random curve as the encryption key.


Email/interpersonal messaging *

An individual using a terminal, PC or an application can access a network to send an unstructured message to another individual or group of people.


Embedded audit module (EAM) *

Integral part of an application system that is designed to identify and report specific transactions or other information based on predetermined criteria. Identification of reportable items occurs as part of real-time processing. Reporting may be real-time online or may use store and forward methods. Also known a sintegrated test facility or continuous auditing module.


Emergency management (EM)

Provides organizational control for evacuation and rescue assistance during an emergency, crisis, or disaster. The focus of emergency management is to preserve life regardless of the disruption it will create to the business, disruption to the economy, or inconvenience to an individual's objective. Saving lives or preservation of life is always the exclusive top priority.


Emergency management team (EMT)

Senior executives with full delegation of authority to make decisions on behalf of the entire organization without additional delays or approval by other executives. During business continuity events or disaster recovery, this team will make the best possible decisions necessary for the survival of the organization.


Emergency Operations Center (EOC)

Alternate command post that houses the emergency management team (EMT) during business continuity events or disaster recovery.


Emergency power off (EPO)

A switch that shuts off computer room power in an emergency. The national fire protection act requires an emergency power disconnect to protect human life from electrocution. The EPO switch is located near the exit door.


Encapsulation (objects) *

The technique used by layered protocols in which a lower-layer protocol accepts a message from a higher-layer protocol and places it in the data portion of a frame in the lower layer.


Encryption *

The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext). Anew: the process of converting human-readable clear text into decipherable gibberish. The objective is to hide the contents of the file from other people.


Encryption algorithm

A mathematical transformation procedure used to encrypt and decrypt files.


Encryption key *

A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext. Anew: a unique randomizer used by the encryption algorithm to ensure confidentiality. Strength of symmetric-key encryption and the PKI private key is based on the absolute secrecy of the secret/private key. Secrecy is dependent on limiting use of the key, isolating the key, and regular rotation (changing the key). Also see key wrapping.


End state

A description of the anticipated final outcome. The end state explains the attributes of the finished product.


End-user computing *

The ability of end users to design and implement their own information system utilizing computer software products.


Enterprise resource planning (ERP) *

A packaged business software system that allows an organization to automate and integrate the majority of its business processes, share common data and practices across the entire organization, and produce and access information in a real-time environment. Example sof ERP include SAP, Oracle Financials and J.D. Edwards. Anew: an integrated database used for planning resource requirements of multiple departments.


Entity-relationship diagram (ERD)

A diagram of data elements and their relationship to other data. The ERD specifies data names and data attributes to be used by the software program being developed. The ERD is created in the requirements and design phase to build a database schema.


Equal error rate (EER)

A setting used in biometrics, when adjusting sensitivity of the system, that creates a 50/50 compromise between the false acceptance rate (FAR), authorized user is refused, and authorized user is refused) and the false rejection rate (FRR, illegitimate user is accepted ). Also see the opposing definition of crossover error rate (CER). Note that some ISACA documents and exam questions may mistakenly confuse EER and CER as synonyms. EER and CER are very different settings.


Escrow agent *

A person, agency or organization that is authorized to act on behalf of another to create a legal relationship with a third party in regards to an escrow agreement; the custodian of an asset according to an escrow agreement. As it relates to a cryptographic key, an escrow agent is the agency or organization charged with the responsibility for safeguarding the key components of the unique key.


Escrow agreement *

A legal arrangement whereby an asset (often money, but sometimes other property such as art, a deed of title, web site, software source code or a cryptographic key) is delivered to a third party (called an escrow agent) to be held in trust or otherwise pending a contingency or the fullfillment of a condition or conditions in a contract. Upon the occurence of the escrow agreement, the escrow agent will deliver the asset to the proper recipient; otherwise the escrow agent is bound by his/her fiduciary duty to maintain the escrow account. Source code escrow menas deposit of the source code for the software into an account held by an escrow agent. Escrow is typically requested by a party licensing sofwtare (e.g., license or buyer) to ensure maintenance of the software. The sofwtare source code is released by the escrow agent to the licensee if the licensor (e.g., seller or contractor) file sfor bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.


Ethernet *

A popular network protocol and cabling scheme that uses a bus topology and carrier sense multiple access/collision detection (CSMA/CD) to prevent network failures or collisions when two devices try to access the network at the same time.



Discipline of following forthright and honest conduct without impropriety, deceit, or conflicting agenda.


Evidence *

The information an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support. Anew: a collection of verifiable information that is used to prove or disprove a point. The best evidence is both independent and objective.


Evidence timing

The timely disclosure of evidence relevant to the situation. Evidence timing in computer systems also refers to the time window in which data is available before being lost or overwritten during normal processing.


Evolutionary development

See iterative development.


Exception report *

An exception report is generated by a program that identifies transactions or data that appear to be incorrect. Exception reports may be outside a predetermined range or may not conform to specified criteria. Anew: a report identifying data and transactions that may be incorrect and may warrant additional attention. Exception reports can be manual or automated.


Exclusive-OR (XOR) *

The exclusive-OR operator returns a value of TRUE only if just one of its operands is TRUE. The XOR operation is a Boolean operation that produces a 0 if its two Boolean inputs are the same (0 and 0 or 1 and 1) and it produces a 1 if its two inputs are different (1 and 0). In contrast, an inclusive-OR operator returns a value of TRUE if either or both of its operands are TRUE.


Executable code *

The machine language code that is generally referred to as the object or load module.



An individual with a significant amount of direct experience, or special training with direct experience, and the ability to deduce a correct conclusion when everyone else would form an incorrect conclusion.


Expert system *

The most prevalent type of computer system that arises from the research of artificial intelligence. An expert system has a built in hierarchy of rules, which are acquired from human experts in the appropriate field. Once input is provided, the system should be able to define the nature of the problem and provide recommendations to solve the problem. Anew: specialized computer database software used to provide a recommendation based on the knowledge recorded from an expert. Expert systems possess between 50,000 and 100,000 discrete points of information. The system uses an inference engine to identify possible conditions relating to the problem and their meaning.


Exposure *

The potential loss to an area due to the occurrence of an adverse event. Anew: the adverse consequence that will occur if a potential threat becomes reality.


Extended Binary-coded Decimal Interchange Code (EBCDID) *

A 8-bit code representing 256 characters; used in most large computer systems.


Extensible Authentication Protocol (EAP)

A newer security protocol used in wireless networks with automatic encryption-key generation and authentication. EAP is a component of the new 802.11i standard known as Robust Security Network (RSN). EAP replaces the seriously insecure method of using a pre-shared encryption key in the outdated Wired Equivalent Privacy (WEP) protocol.


Extensible Markup Language (XML) *

Promulgated through the World Wide Web Consortium, XML is a web-based application development technique that allows designers to create their own customized tags, thus, enabling the definition, transmission, validation and interpretation of data between applications and organizations. Anew: a universal program architecture designed to share information between different programming languages. XML uses three underlying programming specifications: SOAP (originally called Simple Object Access Protocol) is used to define APIs; Web Services Description Language (WSDL) identifies the format to use; and Universal Description, Discovery, and Integration protocol (UDDI) acts as an online directory of available web services.


External audit

An audit performed by an external party, including business partners. External audits may be biased if the auditor is related to the auditee through a trading partner relationship (client, vendor, and subcontractor). Also see independent audit.


Extranet *

A private network that resides on the Internet and allows a company to securely share business information with customers, suppliers or other businesses as well as to execute electronic transactions. Different from an Intranet in that it is located beyond the company's firewall. Therefore, an extranet relies on the use os securely issued digital certificates (or alternative methods of user authentication) and ecnryption of messages. A virtual private network (VPN) and tunneling are often used to implement extranets, to ensure security and privacy.


Failure to enroll (FTE)

An error in the collection of biometric data that prevents the information from being recorded.


Fallback procedures *

A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended. May involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation.


False acceptance rate (FAR), type 2 error

An error condition in biometrics that grants an unwanted user with permission to access the system by mistake. This is a less common error since falsely granting access to an unauthorized person is supposed to be rare.


False authorization *

Also called false acceptance, occurs when an unauthorized person is identified as an authorized person by the biometric system.


False enrollment *

Occurs when an unauthorized person manages to enroll into the biometric system. Enrollment is the initial process of acquiring a biometric feature and saving it as a personal reference on a smart card, a PC or in a central database.


False positive

Generating an alert by mistake or error.


False rejection rate (FRR), type 1 error

Used in biometrics, false rejection means to reject access to an authorized user by mistake. This is the most common type of biometric authentication error.



A system that can continue to operate after a single failure condition has occurred. RAID systems are designed to be tolerant of individual disk failures. The success of the fault-tolerant system depends on the system being able to identify that the fault has occurred.


Feasibility study (SDLC phase 1) *

A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need. Anew: an initial study to determine the benefits that will be derived from a new system and the payback schedule for the investment required.


Fiber-optic cable *

Glass fibers that transmit binary signals over a telecommunications network. Fiber-optic systems have low transmission losses as compared to twisted-pair cables. They do not radiate energy or conduct electricity. They are free from corruption and lightning-induced interference, and they reduce the risk of wiretaps.


Field *

An individual data element in a computer record. Examples include employee name, customer address, account number, product unit price and product quantity in stock.


File *

A named collection of related records.


File allocation table (FAT) *

A table used by the operating system to keep track of where every file is located on the disk. Since a file is often fragmented and thus subdivided into many sectors within the disk, the information stored in the FAT is used when loading or updating the contents of the file.


File layout *

Specifies the length of the file record and the sequence and size of its fields. Also will specify the type of data contained within each field; for example, alphanumeric, zoned decimal, packed and binary.


File server *

A high-capacity disk storage device or a computer that stores data centrally for network users and manages access to that data. File servers can be dedicated so that no process other than network management can be executed while the network is available; file servers can be nondedicated so that standard user applications can run while the network is available.


File Transfer Protocol (FTP) *

A protocol used to transfer file sover a TCP/IP network (Internet, UNIX, etc.)


Financial audit *

An audit designed to determine the accuracy of financial records and information. Anew: a review of financial records to determine their accuracy.


Fire-control system

A fire-suppression system using water or chemicals to extinguish a fire in the data processing facility.


Firewall *

A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet. Anew: according to The American Heritage Dictionary, a fireproof wall used as a barrier to prevent the spread of fire. In information systems, the term refers to a combination of hardware and software used to restrict access between public and private networks.


Firmware *

Memory chips with embedded program code that hold their content when power is turned off. Anew: the solid-state memory chips on a circuit board containing a read-only program designed to operate the hardware.



A systematic diagram that details the procedures for data manipulation and data transformation in a computer program. The program flowchart is developed during SDLC design in phase 2.


Foreign key *

A value that represents a reference to a tuple (a row in a table) containing the matching candidate key value. The problem of ensuring that the database does not include any invalid foreign key values is known as the referential integrity problem. The constraint that values of a given foreign key must match values of the corresponding candidate key is known as a referential constraint. The relation (table) that contains the foreign key is referred to as the referencing relation and the relation that contains the corresponding candidate key as the referenced relation or target relation. (In the relational theory it would be a candidate key, but in real database management systems (DBMSs) implementations it is always the primary key). Anew: data in the database is stored in separate tables to improve speed. A foreign key is the link between data in different database tables. When the links are valid, the database has referential integrity.



Documented in writing and authorized by management.


Format checking

The application of an edit, using a predefined field definition to a submitted information stream; a test to ensure that data conform to a predefined format.


Fourth-generation language (4GL) *

High-level, user-friendly, nonprocedural computer languages used to program and/or read and process computer files. Anew: an English-like programming language with integrated database support. 4GL programming tools allow the forms and database to be generated by using a drag-and-drop functionality. The 4GL does not create the data transformation procedures necessary for business functionality.


Frame relay *

A packet-switched wide-area-network (WAN) technology that provides faster performance than older packet-switched WAN technologies. Best suited for data and image transfers. Because of its variable-length packet architecture, it is not the most efficient technology for real-time voice and video. In a frame-relay network, end nodes establish a connection via a permanent virtual circuit (PVC).


Full backup

The process of copying every file that exists onto backup media such as a tape cartridge. The full backup is used in combination with incremental or differential backup strategies to restore the most recent copy of data. The ability to restore files from a full backup is used to calculate the recovery point objective (RPO). Files that cannot be restored are lost.


Function point analysis (FPA)

A technique used to determine the size of a development task, based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal sites. Anew: a software estimation method used to forecast development, based on the number of system inputs, number of outputs, and complexity. FPA is used in the SDLC feasibility study to calculate resources and time required. FPA can be used as a baseline to measure the progress of software development.


Function testing

Tests run during software development to determine the integrity of specific program functions.



Reducing the detail in an average by using an unstratified mean to roll the details into a larger lump-sum value.



A device (router, firewall) on a network that serves as an entrance to another network. Anew: a device running software to transfer data between two networking protocols. The gateway is an OSI layer 7 application. Examples include a mainframe gateway converting TCP/IP to 3,270 sessions.


General controls

Higher-level policies, standards, and procedures used across the entire organization to govern everyone's behavior.


Generalized Audit Software (GAS) *

Multipurpose audit software that can be used for general processes such as record selection, matching, recalculation and reporting.


Generally Accepted Accounting Principles (GAAP)

A well-recognized set of agreed-upon procedures for auditing financial records and information systems.


Geographical Information Systems (GIS) *

A tool used to integrate, convert, analyze and produce information regarding the surface of the earth. GIS data exists as maps, tridimensional virtual models, lists and tables.


Governance *

Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives. Conditions can include the cost of capital, foreign exchange rates, etc. Options can include shifting manufacturing to other locations, sub-contracting portions of the enterprise to third parties, selecting a product mix from many available choices, etc.



A list of recommendations to follow in the absence of an existing standard.



An individual who attempts to gain unauthorized access to a computer system. Anew: a malicious attacker of a computer system. A secondary meaning in computer programming is a programmer able to generate usable applications where none existed previously.



A chlorine-based gas previously used in fire-suppression systems. Production of gaseous Halon 1301 has been banned since 1994 because of the damaging effects of chlorine products on the earth's ozone. Halon is still used on aircraft because of the severity of fires while in flight. Computer room halon has been replaced by FM-200, NAF-S-3, and other products.


Hand geometry

Used in biometrics to verify a user's identity based on the unique three-dimensional geometry of the human user's hand. Common examples include checking wrinkle patterns, measuring joints, and analyzing blood-vessel patterns.


Hardware *

The physical components of a computer system.


Hash file

A mathematical value generated from the original message file for verifying integrity. The sender runs their original message through a hash algorithm to produce a unique hash value. The sender sends their message and hash file to the recipient. The recipient reruns the same hash process and compares the sender's hash file against the hash generated by the recipient. The purpose of a hash file is to determine whether any changes have occurred to the original message file. Matching hash files indicate that no changes occurred; different hash values indicate that the message has been altered.


Hash message authentication code (HMAC)

A hashed message file is used to verify message integrity (to prove no changes occurred) and is also encrypted to provide authentication of the sender. The more common hashing algorithms with encryption are MD5 and SHA-1 (also known as SHA-160). Newer HMAC versions include SHA-256 and SHA-512. The format is [HMAC name] dash [output size]. SHA-512 means SHA algorithm with 512 output size.


Hash total

The total of any numeric data field in a document or computer file. This total is checked against a control total of the same field to facilitate accuracy of processing.


Hashing algorithm

The mathematical formula used to reduce the contents of any size message file into a smaller output file representing a unique value that is very difficult to duplicate. The hash algorithm creates a unique output file that can be used like a tamper seal. If the source message is altered, the hashing algorithm generates a different hash value when regenerated by the recipient. Both sender and recipient must use the same hash algorithm.


Help Desk *

A service offered via phone/Internet by an organization to its clients or employees that provides information, assistance, and troubleshooting advice regarding software, hardware, or networks. A help desk is staffed by people that can either resolve the problem on their own or escalate the problem to specialized personnel. A help desk is often equipped with dedicated customer relationship management (CRM) software that logs the problems and tracks them until they are solved.


Heuristic filter *

A method often employed by antispam software to filter spam using criteria established in a centralized rule database. Every email message is given a rank, based on its header and contents, which is then matched against preset thresholds. A message that surpasses the threshold will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient.



Programmed rules inside the database used to evaluate data by sorting for possible correlations. Used in expert systems, decision support systems, email spam filters, and many common business applications. Antivirus software and intrusion detection and prevention systems use heuristics to determine which requests to accept or discard.


Hierarchical database *

A database structured in a tree/root or parent/child relationship. Each parent can have many children, but each child may have only one parent.


Honey net

A fake network created to entice a hacker to attack. The purpose is for the attack to generate an alarm signalling the early warning of a hacker's presence.


Honeypot *

A specially configured server, also known as a decoy server, designed to attract and monitor intruders in an manner such that their actions do not affect production systems. Anew: an individual system set up to entice a hacker and generate an early warning alarm of the hacker's presence.


Host based

Software that is installed on an individual host for the purpose of monitoring activity on that specific host.


Host enumeration

Automated software discovery of all the active hosts on a network.


Hot site *

A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster. Anew: an alternate processing facility that is fully equipped with all the necessary computer equipment and capable of commencing operation as soon as the latest data files have been loaded. Hot sites are capable of being in full operation within minutes or hours.



See network hub.


Hybrid sourcing

A combination of using in-house workers and outsourcing selected processes.


Hypertext Markup Language (HTML) *

A language designed for the creation of web pages with hypertext and other information to be displayed in a web browser. HTML is used to structure information --denoting certain text as headings, paragraphs, lists and so on-- and can be used to describe, to some degree, the appearance and semantics of a document.



The process of determining a user's identity based on their claim of identity. The identity claimed by the user must be verified with an authentication process before access is granted.


Image processing *

The process of electronically inputting source documents by taking an image of the document, thereby eliminating the need for key entry.



See inoculation.



The level of damage that will occur.


Impact assessment *

A review of the possible consequences of a risk.


Impersonation *

"A security concept related to Windows NT that allows a server application to temporarily ""be"" the client in terms off access to secure objects. Impersonation has three possible levels: identification, letting the server inspect the client's identity; impersonation, letting the server act on behalf of the client; and delegation, the same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). Impersonation by imitating or copying the identification, behaviour or actions of another may also be used in social engineering to obtain otherwise unauthorized physical access."


Incident *

Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service. Anew: any disruptive event, especially those that may cause harm.


Incident Command System (ICS)

ICS is the internationally recognized, government mandated standard for crisis command during disaster recovery and business continuity events.


Incident commander (IC)

Under the international Incident Command System (ICS), the incident commander is the first person to arrive on the scene regardless of training or experience. Even a four-year-old child calling 911 for help is the initial incident commander until relieved by a more qualified person. The incident commander directs the emergency response activities.


Incident handling

The systematic process of responding to an incident in order to determine its significance and impact. Proper incident handling will prevent negligent activities that could destroy meaningful evidence. A computer incident always has the potential of being a cybercrime scene.


Incremental backup

The process of backing up only the files that have changed since the last backup was run. An incremental backup uses the file archive bit flag to signal files that should be copied to the backup tape.


Independence *

An IS auditor's self-governance and freedom from conflict of interest and undue influence. The IS auditor should be free to make his/her own decisions, not influenced by the organization being audited and its people (managers and employees). Anew: independence in an audit refers to the auditor not being related to the audit subject. The desire is for the auditor to be objective and free of conflict because they are not related to the audit subject.


Independent audit

Independent audits are conducted by an auditor who is not related to the auditee. These audits therefore represent a high value of assurance that can be used for external purposes, including regulatory licensing.


Indexed sequential access method (ISAM) *

A disk access method that stores data sequentially while also maintaining an index of key fields to all the records in the file for direct access capability.


Information assets

Data that has a value.


Information processing facility (IPF) *

The computer room and support areas. Anew: the building that houses the data center.


Information security governance *

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly.


Inherent risk *

The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls). Anew: The risk that a material error could occur, assuming that there are no related internal controls to prevent them, or the natural or built-in risk that always exists.


Initial program load (IPL)

Computer systems are susceptible to compromise while the system is loading and before the security control front end becomes active. Computer software is vulnerable to configuration changes during the initial program loading. A system in IPL mode is in supervisory mode.



A technique used by antivirus software to replace the original end-of-file (EOF) marker with a new EOF marker generated by the antivirus program. Anything attempting to attach itself to the new EOF marker indicates a virus attack.


Input control *

Techniques and procedures used to verify, validate and edit data to ensure that only correct data are entered into the computer.


Instant messaging *

An online mechanism or a form of real-time communication between two or more people based on typed text and multimedia data. The text is conveyed via computers or another electronic device (e.g., cell phone or handheld device) connected over a network, such as the internet.


Integrated audit

A type of audit that combines financial records review with an assessment of internal IS controls.


Integrated development environment (IDE)

An advanced software development tool used for writing programs. The IDE provides built-in functions for capturing the software design, commands, and macros for creating program code and debugging testing.


Integrated services digital network (ISDN) *

A public end-to-end, digital telecommunications network with signaling, switching, and transport capabilities supporting a wide range of service accessed by standardized interfaces with integrated customer control. The standard allows transmission of digital voice, video and data over 64Kbps lines.


Integrated test facilities (ITF) *

A testing methodology where test data are processed in production systems. The data usually represent a set of fictitious entities such as departments, customers or products. Output reports are verified to confirm the correctness of the processing.



Unbiased honesty by a person dealing with other people or in the records of transactions. Anew: guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.



A specification of physical characteristics, electrical signals, format, and procedures used to communicate between systems.


Interface testing

A testing technique that is used to evaluate output from one application while the information is sent as input to another application.


Internal audit

Internal audits are used to help the auditee improve their score. Reports from internal audits may be used only for internal purposes. The reports contain a known bias, which reduces their corresponding value of representations to low or moderate.


Internal controls

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.


International Organization for Standardization (ISO)

A voluntary organization of 160 governments (members) participating in world trade. The objective is to create a universal standard of measurement adopted by each member country. The United States membership is represented by the American National Standards Institute (ANSI) while the United Kingdom is represented by British Standards (BS). Each country cooperates to create the proper conversion of proprietary standards into one worldwide ISO standard to be followed by everyone. ISO measurement standards are used in conjunction with Committee of Sponsoring Organizations (COSO) controls over financial transactions and Organization for Economic Cooperation and Development (OECD) standards for the creation and interpretation of laws within individual countries.


Internet *

Two or more networks connected by a router; the world's largest network using Transmission Control protocol/Internet Protocol (TCP/IP) to link government, university and commercial institutions. Anew: the shared public communications network.


Internet Engineering Task Force (IETF) *

An organization with international affiliates as network industry representatives that sets Internet standards. This includes all network industry developers and researchers concerned with the evolution and planned growth of the internet.


Internet layer

The equivalent to OSI layer 3, the Networking layer, in the TCP/IP model.


Internet packet (IP) spoofing *

An attack using packets with the spoofed source Internet packet (IP) addresses. This technique exploits applications that use authentication based on IP adressess. This technique also may enable an unauthorized user to gain root access on the target system.


Internet Protocol (IP)

The de facto communications protocol and addressing standard used on the Internet. IP is implemented with TCP for connection-oriented data transmission or UDP for connectionless transmission.


Internet Protocol security (Ipsec) *

A set of protocols developed by the IETF to support the secure exchange of packets. Anew: a security-based implementation of the Internet Protocol. IPsec offers encryption during data transmission or the tunnelling of encrypted packets through network routing with an ISP.


Internet Security Association and Key Management Protocol (ISAKMP) *

A protocol for sharing a public key.



The ability for hardware and software systems from different manufacturers to communicate with each other.



A private internal business network.


Intrusion detection and prevention system (IDPS)

A technical system designed to alert personnel to activity that may indicate the presence of a hacker. An intrusion detection system is a type of network hacker alarm. The IDS term has been officially updated by the government to intrusion detection and prevention systems (IDPS). Preprogrammed response procedures activate stored commands to modify the IDPS to block an attack before it can penetrate (prevention activity).


Intrusion detection system (IDS)

See intrusion detection and prevention system (IDPS) for updated terminology.


Iris scan

A type of biometric technique that uses the unique characteristics found in the iris of the human eye.


Irregularity *

Intentional violation of an established management policy or regulatory requirement. It may consist of deliberate misstatements or omission of information concerning the area under audit or the organization as a whole; gross negligence or unintentional illegal acts.



Having no significant bearing on the final outcome. Irrelevant, or trivial, information will not change the results.


IS steering committee

A committee composed of business executives for the purpose of conveying current business priorities and objectives to IT management. The steering committee provides governance for major projects and the IT budget.


IT governance

A clearly stated process of leadership to lead and control the performance expected from the IT function. The focus of IT governance is control over the technology environment.


IT governance framework *

A model that integrates a set of guidelines, policies and methods that represent the organizational approach to IT governance. Per COBIT, IT governance is the responsibility of the board of directors and executive management. It is an integral part of institutional governance, and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategy and objectives.


IT incident *

Any event that is not part of the ordinary operation of a service that causes, or may cause, an interruption to, or a reduction in, the quality of that service.


IT infrastructure *

The set of hardware, software and facilities that integrates an enterprise's IT assets. Specifically, the equipment (including servers, routers, switches and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the organization's users.


IT steering committee

An executive-management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects and focuses on implementation aspects service delivery and projects.


Iterative development

The progressive development of software through a succession of multiple versions.



A very portable object-oriented programming language created by Sun Microsystems. Java can run on cellular phones, iPods, and most computing devices. Java has very good security mechanisms.


Java Virtual Machine (JVM)

An internal processing environment for running a Java program inside of another Java program session, also known as a virtual machine. The partitioning of resources creates a secure environment to protect the rest of the computer system from harm.


Joint venture

Two or more obligators (persons or organizations) bind themselves without actual partnership or corporate designation in a specific venture with the risk, liability, and potential profits shared between the parties. All parties participating in the venture share a communal liability for the failure of the other party.


Just-in-time inventory (JIT)

A process of scheduling the minimum amount of inventory to arrive shortly before it is required in the manufacturing process. The objective is to reduce inventory on hand. The opposite of JIT is stockpiling inventory. JIT practices create a quandary with business continuity plans.


Key distribution

The safe process of exchanging keys to be used in a cryptographic system for encryption and decryption.


Key goal indicator (KGI)

The KGI identifies a specific goal to be reached. KPI (historical score) is used together with KGI (goal) in planning and forecasting.


Key performance indicator (KPI) *

A measure that determines how well the process is performing in enabling the goal to be reached. A lead indicator of whether a goal will likely be reached or not, and a good indicator of capabilities, practices and skills. It measures the activity goal, which is an action that the process owner must take to achieve effective process performance. Anew: a historical score of business process performance. Unfortunately, the score may indicate that a failure has occurred before corrective action can be taken.


Key wrapping

Encryption keys must be stored and transmitted in a different encrypted format to protect them from harm. A user should not have direct access to encryption keys. Encryption keys are re-encrypted with a different algorithm that uses a different key to obscure the original key. This key wrapping technique protects the real key from harm. It's extremely difficult to tell where the wrapping stops and the key inside begins.


Keyboard remapping

Changing the normal function of keys on the keyboard to execute different commands.


Knowledge base

A database of information derived from the knowledge of individuals who perform the related tasks. Knowledge-base systems are used for decision support systems.


Leased line

A dedicated communications line between two locations, such as a T1 circuit. Also known as a circuit-switched connection. This type of connection is charged by distance covered regardless of volume of data transmitted.


Least privilege

Granting only the minimum access necessary to perform the job function or role. Least privilege is implemented to improve confidentiality.


Legal deadline (LD)

Used in business continuity and disaster recovery planning to identify potential violations that must be avoided or that require special handling to minimize penalties. Examples include mandatory government filings, required legal disclosures, specific performance, and contract breaches. Also see lost work in process (LWIP).


Lessons learned

A best practice for recording the analysis of problems and improvements that worked. The purpose is to avoid repeating mistakes while improving the technique used.


Librarian *

The individual responsible for the safeguard and maintenance of all program and data files.


Licensing agreement *

A contract that establishes the terms and conditions under which a piece of software is being licensed (i.e., made legally available for use) from the software developer (owner) to the user.


Life cycle

A series of stages that characterize the course of existence of an organizational investment (e.g., product, project, program).


Limit check *

Tests specified amount fields against stipulated high or low limits of acceptability Tests specified against stipulated high acceptability. When both high and low values are used, the test may be called a range check.


Literals *

Any notation for representing a value within programming language source code (e.g., a string literal); a chunk of input data that is represented "as is" in compressed data.


Local area network (LAN) *

Communication network that serves several users within a specified geographic area. A personal computer LAN functions as a distributed processing system in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network. Anew: a computer network with boundaries that match the physical building.


Log *

To record details of information or events in an organized record-keeping system, usually sequenced in the order in which they occurred.


Logic bomb

A programmed function inside of a computer software application designed to damage the system or data files on the occurrence of a particular event, date, or time. Logic bombs are extremely difficult to locate.


Logical access

Electronic access to a system without being physically present.


Logical access controls

The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files.


Logical backup

The process of copying current data files for records retention (safe keeping). Logical backup will ignore deleted files and temporary system data in swap space. Also see bitstream imaging.


Logon *

The act of connecting to the computer, who typically requires entry of a user ID and password into a computer terminal.


Lost work in process (LWIP)

Work tasks and data processing that were lost by a disaster, disruption, or failure. All work since the last backup is lost and must be re-created. LWIP may cause a violation of a legal deadline (LD). LWIP needs to be calculated by the organization when planning their recovery point objective (RPO) and recovery time objective (RTO).


MAC address

A unique serial number burned into the network interface card by the manufacturer. The Media Access Control (MAC) address operates in the Data-Link layer (layer 2) of the OSI model. The MAC address is used to tie the TCP/IP address to a particular computer.



A large-scale, traditional, multiuser, multiprocessor system designed with excellent internal controls.


Major software release

A new generation of software or a major design change resulting in a new version. Major releases tend to occur in 12- to 24-month intervals.


Malware *

Short for malicious software Designed to infiltrate, damage or obtain information from a computer system without the owner\s consent. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. Spyware is generally used for marketing purposes and, as such, is not really malicious although it is generally unwanted. Spyware can, however, be used to gather information for identity theft or other clearly illicit purposes. Anew: a family classification of computer programs designed to intentionally cause malicious damage.


Management information system (MIS) *

An organized assembly of resources and procedures required to collect, process and distribute data for use in decision making.


Management oversight

A committee or reporting hierarchy to convey questionable situations involving management to the highest level of authority, often the board of directors.


Mandatory access control (MAC) *

A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf. Anew: an access control system, based on rules that require the user to have an explicit level of access that matches the appropriate security label. The only way to increase access is by a formal promotion of the user ID to the next security level.



A physical location between doorway barriers that is designed to trap an unauthorized individual between the closed doors. Fully caged turnstiles can provide a mantrap to capture potential intruders.


Manual reconciliation

The process of manually verifying that records match.


Manufacturing requirements planning (MRP)

A computer database designed to schedule the requirements of manufacturing design, purchasing, scheduling, and the manufacturing production process.


Mapping *

Diagramming data that is to be exchanged electronically, including how they are to be used and what business management systems need them.Mapping is a preliminary step for developing an applications link. (See Application tracing and mapping)



A computerized technique of blocking out the display of sensitive information, such as passwords, on a computer terminal or report.



Pretending to possess an identity under false pretence.


Master file

A file of semi permanent information that is used frequently for processing data or for more than one purpose.


Materiality *

An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. An expression of the relative significance or importance of a particular matter in the context of the organization as a whole. Anew: materiality applies to evidence. Evidence is materially significant if it will have enough bearing to change the final outcome.



In business, indicates the degree of reliability or dependency that the business can place on a process achieving the desired degree reliability dependency place process achieving goals or objectives.


Maturity model *

See Capability Maturity Model (CMM).


Maximum acceptable outage (MAO)

The longest period of downtime that an organization can survive from a specific outage involving a system, process, or resource.


Maximum tolerable downtime (MTD)

Synonym for maximum acceptable outage (MAO), used as a negative connotation.


Media Access Control (MAC) *

Applied to the hardware at the factory and cannot be modified, MAC is a unique, 48-bit, hard-coded address of a physical layer device, such as an Ethernet local area network (LAN) or a wireless network card.


Media ocidation *

The deterioration of the media on which data are digitally stored due to exposure to oxygen and moisture. Tapes deteriorating in a warm, humid environment are an example of media oxidation. Proper environmental controls should prevent, or significantly slow, this process.


Meshed network

Connection of redundant links.


Message digest

A hash file of a fixed length created by a source file of any length. The purpose of the message digest is to indicate whether the source file has changed.


Message modification

The alteration of a message to change its contents.


Message switching *

A telecommunications methodology that controls traffic in which a complete message is sent to a concentration point and stored until the communications path is established.



A systematic process of procedures to generate a desired outcome.


Metropolitan area network (MAN)

A type of limited-area network in which the boundary is equal to the city's metropolitan area.


Middleware *

Another term for an application programmer interface (API). It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services. Anew: all software programs, interfaces, and utilities that operate invisibly between the user and their data. Middleware performs an intermediary service to create an invisible workflow connecting various programs. Examples include the database application running on your server, SQL/ODBC drivers, print formatting utilities, communication gateways, operating system, and all device drivers.


Milestone *

A terminal element that marks the completion of a work package or phase. Typically marked by a high-level event such as project completion, receipt, endorsement or signing of a previously-defined deliverable or a high-level review meeting at which the appropriate level of project completion is determined and agreed to. A milestone is associated with some sort of decision that outlines the future of a project and, for an outsourced project, may have a payment to the contractor associated with it.


Minor software update

Small corrective update issued by the software developer to fix problems found in a major version previously released. Also known as a software patch or minor software release. Also see major software release.



A special template of biometric data converted into a count of specific characteristics that is unique to each user.



Duplicate or redundant components operating in parallel.


Mission-critical application *

An application that is vital to the operation of the organization. The term is very popular for describing the applications required to run the day-to-day business.


Mobile site *

The use of a mobile/temporary facility to serve as a business resumption location. The facility can usually be delivered to any site and can house information technology and staff.


Modulation *

The process of converting a digital computer signal into an analog telecommunications signal.


Monetary unit sampling *

A sampling technique that estimates the amount of overstatement in an account balance.



To transmit data across the network to several specific stations concurrently.



Using multiple processors.



Running multiple tasks concurrently in a time-sharing mode by allocating a specific amount of resources.



Running several instances of a program concurrently for multiple users.



An overlay setting used to parse the IP address into two distinct portions representing the unique network address and unique host address. Without this setting, the computer will be confused and unable to communicate on the network.


Network *

A system of interconnected computers and the communication equipment used to connect them.


Network administrator *

Responsible for planning, implementing and maintaining the telecommunications infrastructure; also may be responsible for voice networks. For smaller organizations, the network administrator may also maintain a local area network (LAN) and assist end users.


Network attached storage (NAS) *

Utilize dedicated storage devices that centralize storage of data. NAS devices generally do not provide traditional file/print or application services.


Network based

A hardware or software device that is watching the communications traffic flowing across the network to other systems.


Network File System (NFS)

A method of sharing disk systems across the network by using remote procedure calls. NFS was invented by Sun Microsystems to share hard disks with multiple users across the network.


Network hub

An OSI layer 1 device designed to relay electrical transmissions and receive signals between computers.