Glossary- A

Question 1

acceptable use

Answer 1

Security policy that defines the types of activities that are acceptable and those that are not acceptable.

Question 2

access bypass

Answer 2

Any attempt by an intruder to bypass access controls in order to gain entry into a system.

Question 3

access control

Answer 3

Any means that detects or prevents unauthorized access and that per- mits authorized access.

Question 4

access control list (ACL)

Answer 4

An access control method where a list of permitted or de- nied users (or systems, or services, as the case may be) is used to control access.

Question 5

access control log

Answer 5

A record of attempted accesses.

Question 6

access control policy

Answer 6

Statement that defines the policy for the granting, review, and
revocation of access to systems and work areas.

Question 7

access management

Answer 7

A formal business process that is used to control access to net- works and information systems.

Question 8

access point

Answer 8

A device that provides communication services using the 802.11 (Wi-Fi) protocol standard.

Question 9

access review

Answer 9

A review of the users, systems, or other subjects that are permitted to access protected objects. The purpose of a review is to ensure that all subjects should still be authorized to have access.

Question 10

account lockout

Answer 10

An administrative lock that is placed on a user account when a pre- determined event occurs, such as reaching an expiration date, or when there have been several unsuccessful attempts to access the user account.

Question 11

address resolution protocol (ARP)

Answer 11

A standard network protocol used to obtain the address for another station on a local area network (LAN).

Question 12

administrative audit

Answer 12

An audit of operational efficiency.

Question 13

administrative control

Answer 13

Controls in the form of policies, processes, procedures, and

standards.

Question 14

agile development

Answer 14

Software development process where a large project team is bro- ken up into smaller teams, and project deliverables are broken up into smaller pieces, each of which can be attained in a few weeks.

Question 15

algorithm

Answer 15

In cryptography, a specific mathematical formula that is used to perform encryption, decryption, message digests, and digital signatures.

Question 16

annualized loss expectancy (ALE)

Answer 16

The expected loss of asset value due to threat real- ization. ALE is defined as SLE × ARO.

Question 17

annualized rate of occurrence (ARO)

Answer 17

An estimate of the number of times that a threat will occur every year.

Question 18

anti-malware

Answer 18

See antivirus software.

Question 19

antivirus software

Answer 19

Software that is designed to detect and remove viruses and other
forms of malware.

Question 20

AppleTalk

Answer 20

The suite of protocols used to transmit packets from one station to an- other over a network.

Question 21

appliance

Answer 21

A type of computer with preinstalled software that requires little or no maintenance.

Question 22

application

Answer 22

Layer 7 of the OSI network model. See also OSI network model.

OR

Layer 4 of the TCP/IP network model. The purpose of the application layer is the delivery of messages from one process to another on the same network or on different networks. See also TCP/IP network model.

Question 23

application firewall

Answer 23

A device used to control packets being sent to an application server, primarily to block unwanted or malicious content.

Question 24

application programming language

Answer 24

See programming language.

Question 25

application server

Answer 25

A server that runs application software.

Question 26

architecture standard

Answer 26

A standard that defines technology architecture at the data- base, system, or network level.

Question 27

arithmetic logic unit (ALU)

Answer 27

The part of a central processing unit that performs arith- metic computations. See central processing unit.

Question 28

asset inventory

Answer 28

The process of confirming the existence, location, and condition of assets; also, the results of such a process.

Question 29

asset management

Answer 29

The processes used to manage the inventory, classification, use, and disposal of assets.

Question 30

assets

Answer 30

The collection of property that is owned by an organization.

Question 31

asset value (AV)

Answer 31

The value of an IT asset, which is usually (but not necessarily) the asset’s replacement value.

Question 32

asymmetric encryption

Answer 32

A method for encryption, decryption, and digital signatures that uses pairs of encryption keys, consisting of a public key and a private key.

Question 33

asynchronous replication

Answer 33

A type of replication where writing data to the remote storage system is not kept in sync with updates on the local storage system. Instead,there may be a time lag, and there is no guarantee that data on the remote system is identical to that on the local storage system. See also replication.

Question 34

asynchronous transfer mode (ATM)

Answer 34

A LAN and WAN protocol standard for sending messages in the form of cells over networks. On an ATM network, all messages are transmitted in synchronization with a network-based time clock. A station that wishes to send a message to another station must wait for the time clock.

Question 35

atomicity

Answer 35

The characteristic of a complex transaction whereby it is either performed completely as a single unit or not at all.

Question 36

attribute sampling

Answer 36

A sampling technique used to study the characteristics of a pop- ulation to determine how many samples possess a specific characteristic. See also sampling.

Question 37

audit charter

Answer 37

A written document that defines the mission and goals of the audit program as well as roles and responsibilities.

Question 38

audit logging

Answer 38

A feature in an application, operating system, or database management system where events are recorded in a separate log.

Question 39

audit methodology

Answer 39

A set of audit procedures that is used to accomplish a set of audit objectives.

Question 40

audit objective

Answer 40

The purpose or goals of an audit. Generally, the objective of an audit is to determine if controls exist and are effective in some specific aspect of business operations in an organization.

Question 41

audit procedures

Answer 41

The step-by-step instructions and checklists required to perform specific audit activities. Procedures may include a list of people to interview and ques- tions to ask them, evidence to request, audit tools to use, sampling rates, where and how evidence will be archived, and how evidence will be evaluated.

Question 42

audit program

Answer 42

The plan for conducting audits over a long period.

Question 43

audit report

Answer 43

The final, written product of an audit. An audit report will include a description of the purpose, scope, and type of audit performed; persons interviewed; evidence collected; rates and methods of sampling; and findings on the existence and effectiveness of each control.

Question 44

audit scope

Answer 44

The process, procedures, systems, and applications that are the subject of an audit.

Question 45

authentication

Answer 45

The process of asserting one’s identity and providing proof of that identity. Typically, authentication requires a user ID (the assertion) and a password (the proof). However, authentication can also require stronger means of proof, such as a digital certificate, token, smart card, or biometric.

Question 46

authorization

Answer 46

The process whereby a system determines what rights and privileges a user has.

Question 47

automated workpapers

Answer 47

Data that has been captured by computer-assisted audit tech- niques. See also computer-assisted audit technique (CAAT).

Question 48

automatic control

Answer 48

A control that is enacted through some automatic mechanism that requires little or no human intervention.

Question 49

availability management

Answer 49

The IT function that consists of activities concerned with the availability of IT applications and services. See also IT service management.