CISA2 Flashcards
(207 cards)
1
Q
Acceptable use policy
A
A policy that establishes an agreement between users and the enterprise and defines for all parties’ the ranges of use that are approved before gaining access to a network or the Internet
2
Q
Alternative routing
A
A service that allows the option of having an alternate route to complete a call when the marked destination is not available. In signaling, alternate routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signaling links or routes of that traffic stream.
3
Q
Asymmetric key (public key)
A
A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message (See public key encryption)
4
Q
Asynchronous Transfer Mode (ATM)
A
A high-bandwidth low-delay switching and multiplexing technology that allows integration of real-time voice, video and data. It is a data link layer protocol. ATM is a protocol-independent transport mechanism. It allows high-speed data transfer rates at up to 155 Mbit/s. The acronym ATM should not be confused with the alternate usage for ATM, which refers to an automated teller machine.
5
Q
Attribute sampling
A
An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size)
6
Q
Audit objective
A
The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk.
7
Q
Audit plan
A
- A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members to obtain sufficient appropriate audit evidence to form an opinion. Includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report, its intended audience and other general aspects of the work 2. A high-level description of the audit work to be performed in a certain period of time
8
Q
Authentication
A
The act of verifying the identity of a user and the user’s eligibility to access computerized information. Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.
9
Q
Audit risk
A
The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred
9
Q
Audit trail
A
A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source
10
Q
Balanced scorecard (BSC)
A
Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives
11
Q
Batch control
A
Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage. There are two main forms of batch controls: sequence control, which involves consecutively numbering the records in a batch so that the presence of each record can be confirmed, and control total, which is a total of the values in selected fields within the transactions.
12
Q
Batch processing
A
The processing of a group of transactions at the same time. Transactions are collected and processed against the master files at a specified time.
13
Q
Benchmarking
A
A systematic approach to comparing organization performance against peers and competitors in an effort to learn the best ways of conducting business. Examples include benchmarking of quality, logistic efficiency and various other metrics.
14
Q
Bridge
A
A device that connects two similar networks together
15
Q
Black box testing
A
A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code intervals
16
Q
Base case
A
A standardized body of data created for testing purposes. Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.
17
Q
Brouters
A
Devices that perform the functions of both a bridge and a router. A brouter operates at both the data link and the network layers. It connects same data-link-type local area network (LAN) segments and different data-link ones, which is a significant advantage. Like a bridge, it forwards packets based on the data-link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a different data-link-type network based on the network protocol address. When connecting same data-link type networks, it is as fast as a bridge and is able to connect different data-link type networks.
18
Q
Business case
A
Documentation of the rationale for making a business investment, used to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle
19
Q
Business continuity plan (BCP)
A
A plan used by an organization to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems.
20
Q
Business impact analysis (BIA)
A
A process to determine the impact of losing the support of any resource. The BIA assessment study establishes the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision.
21
Q
Business process reengineering (BPR)
A
The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings
22
Q
Capability Maturity Model Integration (CMMI)
A
CMMI is a model used by many organizations to identify best practices useful in helping them assess and increase the maturity of their software development processes.
23
Q
Capacity stress testing
A
Testing an application with large quantities of data to evaluate its performance during peak periods. Also called volume testing.
24
Certificate (certification) authority (CA)
A trusted third party that serves authentication infrastructures or organizations, and registers entities and issues them certificates
25
Certificate revocation list (CRL)
An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility. The CRL details digital certificates that are no longer valid. The time gap between two updates is very critical and is also a risk in digital certificates verification.
26
Chain of custody
A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law. Includes documentation as to who had access to the evidence and when, as well as the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence, so it cannot be changed, and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering.
27
Check digit
A numeric value, which has been calculated mathematically, that is added to data to ensure that original data have not been altered or that an incorrect, but valid match has occurred. Check digit control is effective in detecting transposition and transcription errors.
28
Checklist
A list of items that is used to verify the completeness of a task or goal. Used in quality assurance (and, in general, in information systems audit) to check process compliance, code standardization and error prevention, and other items for which consistency processes or standards have been defined.
29
Checkpoint restart procedures
A point in a routine at which sufficient information can be stored to permit restarting the computation from that point.
29
Checksum
A mathematical value that is assigned to a file and used to “test” the file at a later date to verify that the data contained in the file have not been maliciously changed. A cryptographic checksum is created by performing a complicated series of mathematical operations (known as a cryptographic algorithm) that translates the data in the file into a fixed string of digits called a hash value, which is then used as the checksum. Without knowing which cryptographic algorithm was used to create the hash value, it is highly unlikely that an unauthorized person would be able to change data without inadvertently changing the corresponding checksum. Cryptographic checksums are used in data transmission and data storage. Cryptographic checksums are also known as message authentication codes, integrity check-values, modification detection codes or message integrity codes.
30
Circuit-switched network
A data transmission service requiring the establishment of a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE. A circuit-switched data transmission service uses a connection network.
31
Circular routing
In open systems architecture, circular routing is the logical path of a message in a communication network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model.
32
Cold site
An IS backup facility that has the necessary electrical and physical components of a computer facility but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility.
33
Compensating control
An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions
34
Comparison program
A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences
35
Compiler
A program that translates programming language (source code) into machine executable instructions (object code)
36
Completeness check
A procedure designed to ensure that no fields are missing from a record
37
Compliance testing
Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period
38
Components (as in component-based development)
Cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as many predeveloped, pretested components as possible.
39
Comprehensive audit
An audit designed to determine the accuracy of financial records as well as evaluate the internal controls of a function or department
40
Computer sequence checking
Verifies that the control number follows sequentially and that any control numbers out of sequence are rejected or noted on an exception report for further research
41
Computer-assisted audit technique (CAAT)
Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities
42
Concurrency control
Refers to a class of controls used in database management systems (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serial and recoverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions.
43
Contingency planning
Process of developing advance arrangements and procedures that enable an enterprise to respond to an event that could occur by chance or unforeseen circumstances
44
Continuity
Preventing, mitigating and recovering from disruption. The terms “business resumption planning,” “disaster recovery planning” and “contingency planning” also may be used in this context; they all concentrate on the recovery aspects of continuity.
45
Continuous auditing approach
This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.
46
Continuous improvement
The goals of continuous improvement (Kaizen) include the elimination of waste, defined as “activities that add cost, but do not add value;” just-in-time (JIT) delivery; production load leveling of amounts and types; standardized work; paced moving lines; right-sized equipment. A closer definition of the Japanese usage of Kaizen is “to take it apart and put back together in a better way.” What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes.
47
Control objective
A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process
48
Control risk
The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls
49
Corporate governance
The system by which organizations are directed and controlled. The board of directors are responsible for the governance of their organizations. It consists of the leadership and organizational structures and processes that ensure the organization sustains and extends strategies and objectives.
50
Corrective control
Designed to correct errors, omissions and unauthorized uses and intrusions once they are detected
51
Data custodian
Individual(s) and department(s) responsible for the storage and safeguarding of computerized information. This typically is within the IS organization.
52
Data dictionary
A database that contains the name, type, range of values, source, and authorization for access for each data element in a database. It also indicates which application programs use those data so that when a data structure is contemplated, a list of the affected programs can be generated. May be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database.
53
Data diddling
Changing data with malicious intent before or during input into the system
54
Data Encryption Standard (DES)
An algorithm for encoding binary data. It is a secret key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES was defined as a Federal Information Processing Standard (FIPS) in 1976 and has been used commonly for data encryption in the forms of software and hardware implementation. (See private key cryptosystem.)
55
Data owner
Individual(s), normally a manager or director, who have responsibility for the integrity, accurate reporting and use of computerized data
56
Database administrator (DBA)
An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database.
57
Database management system (DBMS)
A software system that controls the organization, storage and retrieval of data in a database
58
Decentralization
The process of distributing computer processing to different locations within an organization
59
Decision support system (DSS)
An interactive system that provides the user with easy access to decision models and data, to support semistructured decision-making tasks
60
Decryption
A technique used to recover the original plaintext from the ciphertext such that it is intelligible to the reader. The decryption is a reverse process of the encryption.
61
Decryption key
A piece of information used to recover the plaintext from the corresponding ciphertext by decryption
62
Degauss
The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media. The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a very low residue of magnetic induction on the media. Degauss loosely means to erase.
63
Demodulation
The process of converting an analog telecommunications signal into a digital computer signal.
64
Detection risk
The risk that material errors or misstatements that have occurred will not be detected by the IS auditor
65
Detective control
Exists to detect and report when errors, omissions and unauthorized uses or entries occur.
66
Disaster tolerance
The time gap during which the business can accept the non-availability of IT facilities.
67
Digital certificate
A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender’s private key or applying a one-way hash function.
68
Digital signature
A piece of information, a digitized form of a signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender’s private key or applying a one-way hash function.
69
Disaster recovery plan (DRP)
A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster
70
Discovery sampling
A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population
71
Diskless workstations
A workstation or PC on a network that does not have its own disk, but instead stores files on a network file server
72
Diverse routing
The method of routing traffic through split cable facilities or duplicate cable facilities. This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual entrance facilities. However, acquiring this type of access is time-consuming and costly. Most carriers provide facilities for alternate and diverse routing, although the majority of services are transmitted over terrestrial media. These cable facilities are usually located in the ground or basement. Ground-based facilities are at great risk due to the aging infrastructures of cities. In addition, cable-based facilities usually share room with mechanical and electrical systems that can impose great risk due to human error and disastrous events.
73
Dry-pipe fire extinguisher system
Refers to a sprinkler system that does not have water in the pipes during idle usage, unlike a fully charged fire extinguisher system that has water in the pipes at all times. The dry-pipe system is activated at the time of the fire alarm and water is emitted to the pipes from a water reservoir for discharge to the location of the fire.
74
Ecommerce
The processes by which enterprises conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology. Ecommerce encompasses both business-to-business (B2B) and business-to-consumer (B2C) ecommerce models but does not include existing non-Internet Internet ecommerce methods based on private networks, such as electronic data interchange (EDI) and Society for Worldwide Interbank Financial Telecommunication (SWIFT).
75
Edit control
Detects errors in the input portion of information that is sent to the computer for processing. May be manual or automated and allow the user to edit data errors before processing.
76
Electronic data interchange (EDI)
The electronic transmission of transactions (information) between two organizations. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders.
77
Encapsulation (objects)
The technique used by layered protocols in which a lower-layer protocol accepts a message from a higher-layer protocol and places it in the data portion of a frame in the lower layer.
78
Encryption
The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)
79
Encryption key
A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext
79
Feasibility study
A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need
80
Escrow agreement
A legal arrangement whereby an asset (often money, but sometimes other property, such as art, a deed of title, website, software source code or a cryptographic key) is delivered to a third party (called an escrow agent) to be held in trust or otherwise pending a contingency or the fulfillment of a condition or conditions in a contract. Upon the occurrence of the escrow agreement, the escrow agent will deliver the asset to the proper recipient; otherwise the escrow agent is bound by his/ her fiduciary duty to maintain the escrow account. Source code escrow means deposit of the source code for the software into an account held by an escrow agent. Escrow is typically requested by a party licensing software (e.g., licensee or buyer) to ensure maintenance of the software. The software source code is released by the escrow agent to the licensee if the licensor (e.g., seller or contractor) files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.
81
Foreign key
A value that represents a reference to a tuple (a row in a table) containing the matching candidate key value. The problem of ensuring that the database does not include any invalid foreign key values is known as the referential integrity problem. The constraint that values of a given foreign key must match values of the corresponding candidate key is known as a referential constraint. The relation (table) that contains the foreign key is referred to as the referencing relation and the relation that contains the corresponding candidate key as the referenced relation or target relation. (In the relational theory it would be a candidate key, but in real database management systems (DBMSs) implementations it is always the primary key.)
82
Format checking
The application of an edit, using a predefined field definition to a submitted information stream; a test to ensure that data conform to a predefined format
83
Function point analysis
A technique used to determine the size of a development task, based on the number of function points. Function points are factors, such as inputs, outputs, inquiries and logical internal sites.
84
Generalized audit software (GAS)
Multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting
85
Hash total
The total of any numeric data field in a document or computer file. This total is checked against a control total of the same field to facilitate accuracy of processing.
86
Heuristic filter
A method often employed by antispam software to filter spam using criteria established in a centralized rule database. Every email message is given a rank, based upon its header and contents, which is then matched against preset thresholds. A message that surpasses the threshold will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient.
87
Hot site
A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster
87
Honeypot
A specially configured server, also known as a decoy server, designed to attract and monitor intruders in a manner such that their actions do not affect production systems.
88
Image processing
The process of electronically inputting source documents by taking an image of the document, thereby eliminating the need for key entry
89
Information processing facility (IPF)
The computer room and support areas
89
Incident response
The response of an enterprise to a disaster or other significant event that may significantly affect the enterprise, its people, or its ability to function productively. An incident response may include evacuation of a facility, initiating a disaster recovery plan (DRP), performing damage assessment, and any other measures necessary to bring an enterprise to a more stable status.
90
Incremental testing
Deliberately testing only the value-added functionality of a software component
91
Information security governance
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise’s resources are used responsibly
92
Inherent risk
The risk level or exposure without considering the actions that management has taken or might take (e.g., implementing controls)
93
Input control
Techniques and procedures used to verify, validate and edit data, to ensure that only correct data are entered into the computer
94
Integrity
The guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity
94
Integrated test facilities (ITF)
A testing methodology where test data are processed in production systems. The data usually represent a set of fictitious entities, such as departments, customers and products. Output reports are verified to confirm the correctness of the processing.
95
Interface testing
A testing technique that is used to evaluate output from one application while the information is sent as input to another application
96
Internal controls
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved, and undesired events will be prevented or detected and corrected
96
IT governance framework
A model that integrates a set of guidelines, policies and methods that represent the organizational approach to the IT governance. Per COBIT, IT governance is the responsibility of the board of directors and executive management. It is an integral part of institutional governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives.
97
Internet Protocol Security (IPSec)
A set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets
97
Internet packet (IP) spoofing
An attack using packets with the spoofed source Internet packet (IP) addresses. This technique exploits applications that use authentication based on IP addresses. This technique also may enable an unauthorized user to gain root access on the target system.
98
IT steering committee
An executive-management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects
99
IT strategic plan
A long-term plan (i.e., three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise’s strategic objectives (goals)
100
IT strategy committee
A committee at the level of the board of directors to ensure that the board is involved in major IT matters and decisions. The committee is primarily accountable for managing the portfolios of IT-enabled investments, IT services and other IT resources. The committee is the owner of the portfolio.
101
Key performance indicator (KPI)
A measure that determines how well the process is performing in enabling the goal to be reached. A lead indicator of whether a goal will likely be reached or not, and a good indicator of capabilities, practices and skills. It measures the activity goal, which is an action that the process owner must take to achieve effective process performance.
102
Judgment sampling
Any sample that is selected subjectively or in such a manner that the sample selection process is not random or the sampling results are not evaluated mathematically
103
Leased line
A communication line permanently assigned to connect two points, as opposed to a dial up line that is only available and open when a connection is made by dialing the target machine or network. Also known as a dedicated line.
104
Limit check
Tests specified amount fields against stipulated high or low limits of acceptability. When both high and low values are used, the test may be called a range check.
105
Logical access controls
The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files
106
Maturity
In business, indicates the degree of reliability or dependency that the business can place on a process achieving the desired goals or objectives
107
Middleware
Another term for an application programmer interface (API). It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.
107
Materiality
An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. An expression of the relative significance or importance of a particular matter in the context of the organization as a whole.
107
Mandatory access controls (MAC)
A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf
107
Monetary unit sampling
A sampling technique that estimates the amount of overstatement in an account balance
108
Mobile site
The use of a mobile/temporary facility to serve as a business resumption location. The facility can usually be delivered to any site and can house information technology and staff.
109
Nondisclosure agreement (NDA)
A legal contract between at least two parties that outlines confidential materials the parties wish to share with one another for certain purposes but wish to restrict from generalized use; a contract through which the parties agree not to disclose information covered by the agreement. Also called a confidential disclosure agreement (CDA), confidentiality agreement or secrecy agreement. An NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect non-public business information. In the case of certain governmental entities, the confidentiality of information other than trade secrets may be subject to applicable statutory requirements and, in some cases, may be required to be revealed to an outside party requesting the information. Generally, the governmental entity will include a provision in the contract to allow the seller to review a request for information the seller identifies as confidential and the seller may appeal such a decision requiring disclosure. NDAs are commonly signed when two companies or individuals are considering doing business together and need to understand the processes used in one another’s businesses solely for the purpose of evaluating
110
Normalization
The elimination of redundant data
111
Numeric check
An edit check designed to ensure that the data element in a particular field is numeric
112
Object orientation
An approach to system development in which the basic unit of attention is an object, which represents an encapsulation of both data (an object’s attributes) and functionality (an object’s methods). Objects usually are created using a general template called a class. A class is the basis for most design work in objects. A class and its objects communicate in defined ways. Aggregate classes interact through messages, which are directed requests for services from one class (the client) to another class (the server). A class may share the structure or methods defined in one or more other classes—a relationship known as inheritance.
113
Offsite storage
A facility located away from the building housing the primary information processing facility (IPF), used for storage of computer media, such as offline backup data and storage files
114
Operational audit
An audit designed to evaluate the various internal controls, economy and efficiency of a function or department
115
Parity check
A general hardware control that helps to detect data errors when data are read from memory or communicated from one computer to another. A 1-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item’s bit is odd or even. When the parity bit disagrees with the sum of the other bits, the computer reports an error. The probability of a parity check detecting an error is 50 percent.
115
Packet
Data unit that is routed from source to destination in a packet-switched network. A packet contains both routing information and data. Transmission Control Protocol/Internet Protocol (TCP/IP) is such a packet-switched network.
115
Paper test
A walk-through of the steps of a regular test, but without actually performing the steps. Usually used in disaster recovery and contingency testing; team members review and become familiar with the plans and their specific roles and responsibilities.
116
Parallel testing
The process of feeding test data into two systems, the modified system and an alternative system (possibly the original system), and comparing results to demonstrate the consistency and inconsistency between two versions of the application
117
Passive assault
Intruders attempt to learn some characteristic of the data being transmitted. With a passive assault, intruders may be able to read the contents of the data, so the privacy of the data is violated. Alternatively, although the content of the data itself may remain secure, intruders may read and analyze the plaintext source and destination identifiers attached to a message for routing purposes, or they may examine the lengths and frequency of messages being transmitted.
118
Preventive control
An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product
119
Point-of-sale (POS) systems
Enable the capture of data at the time and place of transaction. POS terminals may include use of optical scanners for use with bar codes or magnetic card readers for use with credit cards. POS systems may be online to a central computer or may use stand-alone terminals or microcomputers that hold the transactions until the end of a specified period when they are sent to the main computer for batch processing.
119
Penetration testing
A live test of the effectiveness of security defenses through mimicking the actions of real life attackers
120
Program Evaluation and Review Technique (PERT)
A project management technique used in the planning and control of system projects
121
Program flowchart
Shows the sequence of instructions in a single program or subroutine. The symbols used in program flowcharts should be the internationally accepted standard. Program flowcharts should be updated when necessary.
122
Prototyping
The process of quickly putting together a working model (a prototype) in order to test various aspects of a design, illustrate ideas or features and gather early user feedback. Prototyping uses programmed simulation techniques to represent a model of the final system to the user for advisement and critique. The emphasis is on end-user screens and reports. Internal controls are not a priority item since this is only a model.
122
Public key cryptosystem
Used in data encryption, it uses an encryption key, as a public key, to encrypt the plaintext to the ciphertext. It uses a different decryption key, as a secret key, to decrypt the ciphertext to the corresponding plaintext. In contrast to a private key cryptosystem, the decryption key should be secret; however, the encryption key can be known to everyone. In a public key cryptosystem, the two keys are asymmetric, such that the encryption key is not equivalent to the decryption key.
123
Public key infrastructure (PKI)
A series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued
124
Public key encryption
A cryptographic system that uses two keys: one is a public key, which is known to everyone, and the second is a private or secret key, which is only known to the recipient of the message
125
Quality assurance (QA)
A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements (ISO/ IEC 24765).
126
Range check
Range checks ensure that data fall within a predetermined range
127
Recovery point objective (RPO)
Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time to which it is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
128
Rapid application development
A methodology that enables enterprises to develop strategically important systems faster, while reducing development costs and maintaining quality by using a series of proven application development techniques, within a well-defined methodology
129
Reasonableness check
Compares data to predefined reasonability limits or occurrence rates established for the data
130
Recovery time objective (RTO)
The amount of time allowed for the recovery of a business function or resource after a disaster occurs
131
Redundancy check
Detects transmission errors by appending calculated bits onto the end of each segment of data
132
Registration authority (RA)
The individual institution that validates an entity’s proof of identity and ownership of a key pair
132
Redundant Array of Inexpensive Disks (RAID)
Provides performance improvements and fault-tolerant capabilities via hardware or software solutions, by writing to a series of multiple disks to improve performance and/or save large files simultaneously
133
Reengineering
A process involving the extraction of components from existing systems and restructuring these components to develop new systems or to enhance the efficiency of existing systems. Existing software systems thus can be modernized to prolong their functionality. An example of this is a software code translator that can take an existing hierarchical database system and transpose it to a relational database system. Computer-aided software engineering (CASE) includes a source code reengineering feature.
134
Repeaters
A physical layer device that regenerates and propagates electrical signals between two network segments. Repeaters receive signals from one network segment and amplify (regenerate) the signal to compensate for signals (analog or digital) distorted by transmission loss due to reduction of signal strength during transmission (i.e., attenuation).
135
Regression testing
A testing technique used to retest earlier program abends or logical errors that occurred during the initial testing phase
136
Resilience
The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect
137
Reverse engineering
A software engineering technique whereby existing application system code can be redesigned and coded using computer-aided software engineering (CASE) technology
137
Return on investment (ROI)
A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered
138
Risk analysis
The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats. It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.
139
Risk
The combination of the probability of an event and its consequence (ISO/IEC 73)
139
Risk appetite
The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission.
140
Risk assessment
process used to identify and evaluate risk and its potential effects. Includes assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.
141
Risk evaluation
The process of comparing the estimated risk against given risk criteria to determine the significance of the risk. [ISO/IEC Guide 73:2002]
142
Risk mitigation
The management of risk through the use of countermeasures and controls
143
Risk tolerance
The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives
144
Risk transfer
The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service. Also known as risk sharing.
145
Risk treatment
The process of selection and implementation of measures to modify risk [ISO/IEC Guide 73:2002]
146
Router
A networking device that can send (route) data packets from one local area network (LAN) or wide area network (WAN) to another, based on addressing at the network layer (Layer 3) in the open systems interconnection (OSI) model. Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source address, destination address, protocol and network application (ports).
147
RSA
A public key cryptosystem developed by R. Rivest, A. Shamir and L. Adleman used for both encryption and digital signatures. The RSA has two different keys, the public encryption key and the secret decryption key. The strength of RSA depends on the difficulty of the prime number factorization. For applications with high-level security, the number of the decryption key bits should be greater than 512 bits.
148
alami technique
A method of computer fraud involving a computer code that instructs the computer to slice off small amounts of money from an authorized computer transaction and reroute this amount to the perpetrator’s account
149
Scope creep
Also called requirement creep; this refers to uncontrolled changes in a project’s scope. Scope creep can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose. Because of one’s tendency to focus on only one dimension of a project, scope creep can also result in a project team overrunning its original budget and schedule. For example, scope creep can be a result of poor change control, lack of proper identification of what products and features are required to bring about the achievement of project objectives in the first place, or a weak project manager or executive sponsor.
150
Secure Sockets Layer (SSL)
A protocol that is used to transmit private documents through the Internet. The SSL protocol uses a private key to encrypt the data that is to be transferred through the SSL connection.
151
Security administrator
The person responsible for implementing, monitoring and enforcing security rules established and authorized by management
152
Security policy
A high-level document representing an enterprise’s information security philosophy and commitment
153
Segregation/separation of duties (SoD)
A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets. Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection.
154
Sequence check
Verification that the control number follows sequentially and any control numbers out of sequence are rejected or noted on an exception report for further research. Can be alpha or numeric and usually utilizes a key field.
155
Sequential file
A computer file storage format in which one record follows another. Records can be accessed sequentially only. It is required with magnetic tape.
156
Service level agreement
An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines (SLA) minimum performance targets for a service and how they will be measured
157
Source code
The language in which a program is written. Source code is translated into object code by assemblers and compilers. In some cases, source code may be converted automatically into another language by a conversion program. Source code is not executable by the computer directly. It must first be converted into machine language.
158
Source lines of code (SLOC)
Often used in deriving single- point software size estimations.
159
Standard
A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as International Organization for Standardization (ISO)
160
Statistical sampling
A method of selecting a portion of a population, by means of mathematical calculations and probabilities, for the purpose of making scientifically and mathematically sound inferences regarding the characteristics of the entire population
161
Storage area networks (SANs)
A variation of a local area network (LAN) that is dedicated for the purpose of connecting storage devices to servers and other computing devices. SANs centralize the process for the storage and administration of data.
162
Structured Query Language (SQL)
The primary language used by both application programmers and end users in accessing relational databases
163
Substantive testing
Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period
164
Surge suppressor
Filters out electrical surges and spikes
165
Switches
Typically associated as a data link layer device, switches enable local area network (LAN) segments to be created and interconnected, which also has the added benefit of reducing collision domains in Ethernet-based networks.
166
System development life cycle (SDLC)
The phases deployed in the development or acquisition of a software system. SDLC is an approach used to plan, design, develop, test and implement an application system or a major modification to an application system. Typical phases of the SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and postimplementation review.
167
Table look-up
Used to ensure that input data agree with predetermined criteria stored in a table
168
Transmission Control Protocol/Internet Protocol (TCP/IP)
Provides the basis for the Internet; a set of communication protocols that encompass media access, packet transport, session communications, file transfer, electronic mail (email), terminal emulation, remote file access and network management.
169
Transaction log
A manual or automated log of all updates to data files and databases
170
Tunneling
Commonly used to bridge between incompatible hosts/routers or to provide encryption, a method by which one network protocol encapsulates another protocol within itself. When protocol A encapsulates protocol B, a protocol A header and optional tunneling headers are appended to the original protocol B packet. Protocol A then becomes the data link layer of protocol B. Examples of tunneling protocols include IPSec, Point- to-point Protocol Over Ethernet (PPPoE), and Layer 2 Tunneling Protocol (L2TP).
171
Unit testing
A testing technique that is used to test program logic within a particular program or module. The purpose of the test is to ensure that the internal operation of the programperforms according to specification. It uses a set of test cases that focus on the control structure of the procedural design.
172
Uninterruptible power supply (UPS)
Provides short-term backup power from batteries for a computer system when the electrical power fails or drops to an unacceptable voltage level
173
Validity check
Programmed checking of data validity in accordance with predetermined criteria
174
Variable sampling
A sampling technique used to estimate the average or total value of a population based on a sample; a statistical model used to project a quantitative characteristic, such as a monetary amount
175
Voice-over Internet Protocol (VoIP)
Also called IP Telephony, Internet Telephony and Broadband Phone, a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of dedicated voice transmission lines
176
Vulnerability
A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
177
Vulnerability analysis
A process of identifying and lassifying vulnerabilities
178
WAN switch
A data link layer device used for implementing various WAN technologies, such as asynchronous transfer mode, point-to-point frame relay solutions, and integrated services digital network (ISDN). These devices are typically associated with carrier networks providing dedicated WAN switching and router services to organizations via T-1 or T-3 connections.
179
Warm site
Similar to a hot site but not fully equipped with all of the necessary hardware needed for recovery
180
Waterfall development
Also known as traditional development, a procedure-focused development cycle with formal sign-off at the completion of each level
181
White box testing
A testing approach that uses knowledge of a program/module’s underlying implementation and code intervals to verify its expected behavior
182
Wide area network (WAN)
A computer network connecting different remote locations that may range from short distances, such as a floor or building, to extremely long transmissions that encompass a large region or several countries
183
Wi-Fi Protected Access (WPA)
A class of systems used to secure wireless (Wi-Fi) computer networks. WPA was created in response to several serious weaknesses researchers found in the previous system, Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first generation wireless access points. WPA2 implements the full standard but will not work with some older network cards. Both provide good security with two significant issues. First, either WPA or WPA2 must be enabled and chosen in preference to WEP; WEP is usually presented as the first security choice in most installation instructions. Second, in the “personal” mode, the most likely choice for homes and small offices, a pass phrase is required that, for full security, must be longer than the typical six- to eight-character passwords users are taught to employ.
184
Wired Equivalent Privacy (WEP)
A scheme that is part of the IEEE 802.11 wireless networking standard to secure IEEE 802.11 wireless networks (also known as Wi-Fi networks). Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping. WEP was intended to provide comparable confidentiality to a traditional wired network (in particular, it does not protect users of the network from each other), hence the name. Several serious weaknesses were identified by cryptanalysts, and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite the weaknesses, WEP provides a level of security that can deter casual snooping.
185
iretapping
The practice of eavesdropping on information being transmitted over telecommunications links
186
187
188
189
