Flashcards in Glossary- A Deck (49):
Security policy that defines the types of activities that are acceptable and those that are not acceptable.
Any attempt by an intruder to bypass access controls in order to gain entry into a system.
Any means that detects or prevents unauthorized access and that per- mits authorized access.
access control list (ACL)
An access control method where a list of permitted or de- nied users (or systems, or services, as the case may be) is used to control access.
access control log
A record of attempted accesses.
access control policy
Statement that defines the policy for the granting, review, and
revocation of access to systems and work areas.
A formal business process that is used to control access to net- works and information systems.
A device that provides communication services using the 802.11 (Wi-Fi) protocol standard.
A review of the users, systems, or other subjects that are permitted to access protected objects. The purpose of a review is to ensure that all subjects should still be authorized to have access.
An administrative lock that is placed on a user account when a pre- determined event occurs, such as reaching an expiration date, or when there have been several unsuccessful attempts to access the user account.
address resolution protocol (ARP)
A standard network protocol used to obtain the address for another station on a local area network (LAN).
An audit of operational efficiency.
Controls in the form of policies, processes, procedures, and
Software development process where a large project team is bro- ken up into smaller teams, and project deliverables are broken up into smaller pieces, each of which can be attained in a few weeks.
In cryptography, a specific mathematical formula that is used to perform encryption, decryption, message digests, and digital signatures.
annualized loss expectancy (ALE)
The expected loss of asset value due to threat real- ization. ALE is defined as SLE × ARO.
annualized rate of occurrence (ARO)
An estimate of the number of times that a threat will occur every year.
See antivirus software.
Software that is designed to detect and remove viruses and other
forms of malware.
The suite of protocols used to transmit packets from one station to an- other over a network.
A type of computer with preinstalled software that requires little or no maintenance.
Layer 7 of the OSI network model. See also OSI network model.
Layer 4 of the TCP/IP network model. The purpose of the application layer is the delivery of messages from one process to another on the same network or on different networks. See also TCP/IP network model.
A device used to control packets being sent to an application server, primarily to block unwanted or malicious content.
application programming language
See programming language.
A server that runs application software.
A standard that defines technology architecture at the data- base, system, or network level.
arithmetic logic unit (ALU)
The part of a central processing unit that performs arith- metic computations. See central processing unit.
The process of confirming the existence, location, and condition of assets; also, the results of such a process.
The processes used to manage the inventory, classification, use, and disposal of assets.
The collection of property that is owned by an organization.
asset value (AV)
The value of an IT asset, which is usually (but not necessarily) the
asset’s replacement value.
A method for encryption, decryption, and digital signatures that uses pairs of encryption keys, consisting of a public key and a private key.
A type of replication where writing data to the remote storage system is not kept in sync with updates on the local storage system. Instead,there may be a time lag, and there is no guarantee that data on the remote system is identical to that on the local storage system. See also replication.
asynchronous transfer mode (ATM)
A LAN and WAN protocol standard for sending messages in the form of cells over networks. On an ATM network, all messages are transmitted in synchronization with a network-based time clock. A station that wishes to send a message to another station must wait for the time clock.
The characteristic of a complex transaction whereby it is either performed completely as a single unit or not at all.
A sampling technique used to study the characteristics of a pop- ulation to determine how many samples possess a specific characteristic. See also sampling.
A written document that defines the mission and goals of the audit program as well as roles and responsibilities.
A feature in an application, operating system, or database management system where events are recorded in a separate log.
A set of audit procedures that is used to accomplish a set of audit objectives.
The purpose or goals of an audit. Generally, the objective of an audit is to determine if controls exist and are effective in some specific aspect of business operations in an organization.
The step-by-step instructions and checklists required to perform specific audit activities. Procedures may include a list of people to interview and ques- tions to ask them, evidence to request, audit tools to use, sampling rates, where and how evidence will be archived, and how evidence will be evaluated.
The plan for conducting audits over a long period.
The final, written product of an audit. An audit report will include a description of the purpose, scope, and type of audit performed; persons interviewed; evidence collected; rates and methods of sampling; and findings on the existence and effectiveness of each control.
The process, procedures, systems, and applications that are the subject of an audit.
The process of asserting one’s identity and providing proof of that identity. Typically, authentication requires a user ID (the assertion) and a password (the proof). However, authentication can also require stronger means of proof, such as a digital certificate, token, smart card, or biometric.
The process whereby a system determines what rights and privileges a user has.
Data that has been captured by computer-assisted audit tech- niques. See also computer-assisted audit technique (CAAT).
A control that is enacted through some automatic mechanism that requires little or no human intervention.