
CISA Glossary 4


"Content filtering"
"Controlling access to a network by analyzing the contents of the incoming and outgoing packets and either letting them pass or denying them based on a list of rules. Differs from packet filtering in that it is the data in the packet that are analyzed instead of the attributes of the packet itself (e.g., source/target IP address, TCP flags)."
"The acts of preventing, mitigating and recovering from disruption. The terms business resumption planning, disaster recovery planning and contingency planning also may be used in this context; they all concentrate on the recovery aspects of continuity."
"Continuous auditing approach"
"This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer."
"Control group"
"Members of the operations area that are responsible for the collection, logging and submission of input for the various user groups"
"Control objective"
"The objectives of management that are used as the framework for developing and implementing controls (control procedures)."
"Control Objectives for Enterprise Governance"
"A discussion document which sets out an “Enterprise Governance Model” focusing strongly on both the enterprise business goals and the information technology enablers which facilitate good enterprise governance, published by the Information Systems Audit and Control Foundation in 1999"
"Control perimeter"
"The boundary defining the scope of control authority for an entity. For example, if a system is within the control perimeter, the right and ability exists to control it in response to an attack."
"Control risk"
"The risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system"
"Control risk self-assessment"
"An empowering method/process by which management and staff of all levels collectively identify and evaluate IS related risks and controls under the guidance of a facilitator who could be an IS auditor. The IS auditor can utilise CRSA for gathering relevant information about risks and controls and to forge greater collaboration with management and staff. CRSA provides a framework and tools for management and employees to: * Identify and prioritise their business objectives. * Assess and manage high-risk areas of business processes. * Self-evaluate the adequacy of controls. * Develop risk treatment recommendations."
"Control section"
"The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic-logic, internal storage and output sections of the computer"
"Control weakness"
"A deficiency in the design or operation of a control procedure. Control weaknesses can potentially result in risks relevant to the area of activity not being reduced to an acceptable level (relevant risks are those that threaten achievement of the objectives relevant to the area of activity being examined). Control weaknesses can be material when the design or operation of one or more control procedures does not reduce to a relatively low level the risk that misstatements caused by illegal acts or irregularities may occur and not be detected by the related control procedures."
"(Control procedures) Those policies and procedures implemented to achieve a related control objective"
"Corporate exchange rate"
"An exchange rate that can optionally be used to perform foreign currency conversion. The corporate exchange rate is generally a standard market rate determined by senior financial management for use throughout the organization."
"Corporate governance"
"“...the structure through which the objectives of an organization are set, and the means of attaining those objectives, and determines monitoring performance guidelines. Good corporate governance should provide proper incentives for board and management to pursue objectives that are in the interests of the company and stakeholders and should facilitate effective monitoring, thereby encouraging firms to use resources more efficiently.” (Source: Principles of Corporate Governance, 1999, issued by the Organization for Economic Cooperation and Development (OECD))"
"Corrective controls"
"These controls are designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected."
"A report on “Internal Control--An Integrated Framework” sponsored by the Committee of Sponsoring Organizations of the Treadway Commission in 1992. It provides guidance and a comprehensive framework of internal control for all organizations."
"Measure of interconnectivity among software program modules’ structure. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data passes across the interface. In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand and maintain, and less prone to a ripple or domino effect caused when errors occur at one location and propagate through the system."
"The proportion of known attacks detected by an intrusion detection system"
"Credentialed analysis"
"In vulnerability analysis, passive monitoring approaches in which passwords or other access credentials are required. This sort of check usually involves accessing a system data object."
"Credit risk"
"The risk to earnings or capital arising from an obligor’s failure to meet the terms of any contract with the bank or otherwise to perform as agreed. Internet banking provides the opportunity for banks to expand their geographic range. Customers can reach a given bank from literally anywhere in the world. In dealing with customers over the Internet, absent any personal contact, it is challenging for banks to verify the good faith of their customers, which is an important element in making sound credit decisions."
"The standards and benchmarks used to measure and present the subject matter and against which the IS auditor evaluates the subject matter. Criteria should be: Objective—free from bias; Measurable—provide for consistent measurement; Complete—include all relevant factors to reach a conclusion; Relevant—relate to the subject matter"
"A certificate issued by one certification authority to a second certification authority so that users of the first certification authority are able to obtain the public key of the second certification authority and verify the certificates it has created. Often cross certification refers specifically to certificates issued to each other by two CAs at the same level in a hierarchy."
"The art of designing, analyzing and attacking cryptographic schemes"
"Data analysis"
"Typically in large organisations, where the quantum of data processed by the ERPs is extremely voluminous, analysis of patterns and trends proves extremely useful in ascertaining the efficiency and effectiveness of operations. Most ERPs provide opportunities for extraction and analysis of data, some with built-in tools and some through the use of third-party developed tools that interface with the ERP systems"
"Data communications"
"The transfer of data between separate computer processing sites/devices using telephone lines, microwave and/or satellite links"
"Data custodian"
"Individuals and departments responsible for the storage and safeguarding of computerized information. This typically is within the IS organization."
"Data dictionary"
"A data dictionary is a database that contains the name, type, range of values, source and authorization for access for each data element in a database. It also indicates which application programs use that data so that when a data structure is contemplated, a list of the affected programs can be generated. The data dictionary may be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database."
"Data diddling"
"Changing data with malicious intent before or during input into the system"
"Data Encryption Standard (DES)"
"A private key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES has been used commonly for data encryption in the forms of software and hardware implementation (also see private key cryptosystems)."
"Data flow"
"The flow of data from the input (in Internet banking, ordinarily user input at his/her desktop) to output (in Internet banking, ordinarily data in a bank’s central database). Data flow includes travelling through the communication lines, routers, switches and firewalls, as well as processing through the various applications on servers that handle the data from the user’s fingers to storage in the bank’s central database."
"Data integrity"
"The property that data meet with an a priori expectation of quality and that the data can be relied upon"
"Data leakage"
"Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes"
"Data owner"
"Individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting and use of computerized data"
"Data security"
"Those controls that seek to maintain confidentiality, integrity and availability of information"
"Data structure"
"The relationships among files in a database and among data items within each file"
"A stored collection of related data needed by organizations and individuals to meet their information processing and retrieval requirements"
"Database administrator (DBA)"
"An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database."
"Database management system (DBMS)"
"A complex set of software programs that control the organization, storage and retrieval of data in a database. It also controls the security and integrity of the database."
"Database replication"
"The process of creating and managing duplicate versions of a database. Replication not only copies a database but also synchronizes a set of replicas so that changes made to one replica are reflected in all the others. The beauty of replication is that it enables many users to work with their own local copy of a database but have the database updated as if they were working on a single centralized database. For database applications where users are widely distributed geographically, replication is often the most efficient method of database access."
"Database specifications"
"These are the requirements for establishing a database application. They include field definitions, field requirements and reporting requirements for the individual information in the database."
"A packet (encapsulated in a frame containing information) that is transmitted in a packet-switching network from source to destination"
"Data-oriented systems development"
"The purpose is to provide usable data rather than a function. The focus of the development is to provide ad hoc reporting for users by developing a suitable accessible database of information."
"DDoS (distributed denial-of-service) attack"
"A denial-of-service (DoS) assault from multiple sources; see DoS"
"The process of distributing computer processing to different locations within an organization"
"Decision support systems (DSS)"
"An interactive system that provides the user with easy access to decision models and data, to support semistructured decision-making tasks"
"Decoy server"
"See honey pot."
"A technique used to recover the original plaintext from the ciphertext such that it is intelligible to the reader. The decryption is a reverse process of the encryption."
"Decryption key"
"A piece of information, in a digitized form, used to recover the plaintext from the corresponding ciphertext by decryption"
"Default deny policy"
"A policy whereby access is denied unless it is specifically allowed. The inverse of default allow."
"Default password"
"The password used to gain access when a system is first installed on a computer or network device. There is a large list published on the Internet and maintained at several locations. Failure to change these after the installation leaves the system vulnerable."
"To apply a variable, alternating current (AC) field for the purpose of demagnetizing magnetic recording media. The process involves increasing the AC field gradually from zero to some maximum value and back to zero, which leaves a very low residue of magnetic induction on the media. Degauss loosely means to erase."
"The process of converting an analog telecommunications signal into a digital computer signal"
"Detailed IS controls"
"Controls over the acquisition, implementation, delivery and support of IS systems and services. They are made up of application controls plus those general controls not included in pervasive controls."
"Detection risk"
"The risk that the IS auditor's substantive procedures will not detect an error which could be material, individually or in combination with other errors"
"Detective controls"
"These controls exist to detect and report when errors, omissions and unauthorized uses or entries occur."
"Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the caller is from a valid phone number or telecommunications channel."
"Dial-in access controls"
"Controls that prevent unauthorized access from remote users that attempt to access a secured environment. These controls range from dial-back controls to remote user authentication."
"Digital certificate"
"A certificate identifying a public key to its subscriber, corresponding to a private key held by that subscriber. It is a unique code that typically is used to allow the authenticity and integrity of communicated data to be verified."
"Digital certification"
"A process to authenticate (or certify) a party’s digital signature, carried out by trusted third parties."
"Digital signature"
"A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender’s private key or applying a one-way hash function."
"Direct reporting engagement"
"An engagement where management does not make a written assertion about the effectiveness of their control procedures, and the IS auditor provides an opinion about subject matter directly, such as the effectiveness of the control procedures"
"Discovery sampling"
"A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population"
"Diskless workstations"
"A workstation or PC on a network that does not have its own disk. Instead, it stores files on a network file server."
"Distributed data processing network"
"A system of computers connected together by a communications network. Each computer processes its data and the network supports the system as a whole. Such a network enhances communication among the linked computers and allows access to shared files."
"DMZ (demilitarized zone)"
"Commonly it is the network segment between the Internet and a private network. It allows access to services from the Internet and the internal private network, while denying access from the Internet directly to the private network."
"DNS (domain name system)"
"A hierarchical database, distributed across the Internet, that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and e-mail servers"
"DoS (denial-of-service) attack"
"An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate"
"The act of transferring computerized information from one computer to another computer"
"Downtime report"
"A report that identifies the elapsed time when a computer is not operating correctly because of machine failure"
"Dry-pipe fire extinguisher system"
"Refers to a sprinkler system that does not have water in the pipes during idle usage, unlike a fully charged fire extinguisher system that has water in the pipes at all times. The dry-pipe system is activated at the time of the fire alarm, and water is released into the pipes from a water reservoir for discharge to the location of the fire."
"Due care"
"Diligence which a person would exercise under a given set of circumstances"
"Due professional care"
"Diligence which a person, who possesses a special skill, would exercise under a given set of circumstances"
"Dumb terminal"
"A display terminal without processing capability. Dumb terminals are dependent upon the main computer for processing. All entered data are accepted without further editing or validation."
"Duplex routing"
"The method or communication mode of routing data over the communication network (also see half duplex and full duplex)"
"Dynamic analysis"
"Analysis that is performed in real time or in continuous form"
"Echo checks"
"Detects line errors by retransmitting data back to the sending device for comparison with the original transmission"
"Defined by ISACA as the processes by which organisations conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology. It therefore encompasses both business-to-business (B2B) and business-to-consumer (B2C) e-Commerce models, but does not include existing non-Internet e-Commerce methods based on private networks such as EDI and SWIFT."
"Edit controls"
"Detects errors in the input portion of information that is sent to the computer for processing. The controls may be manual or automated and allow the user to edit data errors before processing."
"Editing ensures that data conform to predetermined criteria and enable early identification of potential errors."
"Electronic cash"
"An electronic form functionally equivalent to cash in order to make and receive payments in cyberbanking"
"Electronic data interchange (EDI)"
"The electronic transmission of transactions (information) between two organizations. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders."
"Electronic funds transfer (EFT)"
"The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another."
"Electronic signature"
"Any technique designed to provide the electronic equivalent of a handwritten signature to demonstrate the origin and integrity of specific data. Digital signatures are an example of electronic signatures."
"Electronic vaulting"
"A data recovery strategy that allows organizations to recover data within hours after a disaster. It includes recovery of data from an offsite storage media that mirrors data via a communication link. Typically used for batch/journal updates to critical files to supplement full backups taken periodically."
"E-mail/interpersonal messaging"
"An individual using a terminal, PC or an application can access a network to send an unstructured message to another individual or group of people."
"Embedded audit module"
"Integral part of an application system that is designed to identify and report specific transactions or other information based on pre-determined criteria. Identification of reportable items occurs as part of real-time processing. Reporting may be real-time online# or may use store and forward methods. Also known as integrated test facility or continuous auditing module."
"Encapsulation (objects)"
"Encapsulation is the technique used by layered protocols in which a lower layer protocol accepts a message from a higher layer protocol and places it in the data portion of a frame in the lower layer."
"The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)"
"Encryption key"
"A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext"
"End-user computing"
"The ability of end users to design and implement their own information system utilizing computer software products"
"Engagement letter"
"Formal document which defines the IS auditor's responsibility, authority and accountability for a specific assignment"
"Enterprise governance"
"A broad and wide-ranging concept of corporate governance, covering associated organizations such as global strategic alliance partners. (Source: Control Objectives for Enterprise Governance Discussion Document, published by the Information Systems Audit and Control Foundation in 1999)"
"Enterprise resource planning"
"First, it denotes the planning and management of resources in an enterprise. Second, it denotes a software system that can be used to manage whole business processes, integrating purchasing, inventory, personnel, customer service, shipping, financial management and other aspects of the business. An ERP system typically is based on a common database, various integrated business process application modules and business analysis tools"
"Error"
"Control deviations (compliance testing) or misstatements (substantive testing)"
"Error risk"
"The risk of errors occurring in the area being audited"
"A popular network protocol and cabling scheme that uses a bus topology and CSMA/CD (carrier sense multiple access/collision detection) to prevent network failures or collisions when two devices try to access the network at the same time"
"The information an auditor gathers in the course of performing an IS audit. Evidence is relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support."
"Exception reports"
"An exception report is generated by a program that identifies transactions or data that appear to be incorrect. These items may be outside a predetermined range or may not conform to specified criteria."
"Executable code"
"The machine language code that is generally referred to as the object or load module"
"Expert systems"
"Expert systems are the most prevalent type of computer systems that arise from the research of artificial intelligence. An expert system has a built-in hierarchy of rules, which are acquired from human experts in the appropriate field. Once input is provided, the system should be able to define the nature of the problem and provide recommendations to solve the problem."
"The potential loss to an area due to the occurrence of an adverse event"
"Extended Binary-coded Decimal Interchange Code"
"(EBCDIC) An eight-bit code representing 256 characters; used in most large computer systems"
"Extensible Markup Language (XML)"
"Promulgated through the World Wide Web Consortium, XML is a web-based application development technique that allows designers to create their own customized tags, thus enabling the definition, transmission, validation and interpretation of data between applications and organizations."
"External router"
"The router at the extreme edge of the network under control, usually connected to an ISP or other service provider; also known as border router"
"The transfer of service from an incapacitated primary component to its backup component"
"Describes the design properties of a computer system that allow it to resist active attempts to attack or bypass it"
"False negative"
"In intrusion detection, an error that occurs when an attack is misdiagnosed as a normal activity"
"False positive"
"In intrusion detection, an error that occurs when a normal activity is misdiagnosed as an attack"
"Fault tolerance"
"A system’s level of resilience in reacting seamlessly to hardware and/or software failure"
"Feasibility study"
"A phase of an SDLC methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need"
"Fiber optic cable"
"Glass fibers that transmit binary signals over a telecommunications network. Fiber optic systems have low transmission losses as compared to twisted-pair cables. They do not radiate energy or conduct electricity. They are free from corruption and lightning-induced interference, and they reduce the risk of wiretaps."
"An individual data element in a computer record. Examples include employee name, customer address, account number, product unit price and product quantity in stock."
"A named collection of related records"
"File layout"
"Specifies the length of the file’s record and the sequence and size of its fields. A file layout also will specify the type of data contained within each field. For example, alphanumeric, zoned decimal, packed and binary are types of data."
"File server"
"A high-capacity disk storage device or a computer that stores data centrally for network users and manages access to that data. File servers can be dedicated so that no process other than network management can be executed while the network is available; file servers can be non-dedicated so that standard user applications can run while the network is available."
"Filtering router"
"A router that is configured to control network access by comparing the attributes of the incoming or outgoing packets to a set of rules"
"FIN (final)"
"A flag set in a packet to indicate that this packet is the final data packet of the transmission"
"Financial audit"
"An audit designed to determine the accuracy of financial records and information"
"A protocol and program that allows the remote identification of users logged into a system"
"A device that forms a barrier between a secure and an open environment. Usually, the open environment is considered hostile. The most notable hostile environment is the Internet. In other words, a firewall enforces a boundary between two or more networks."
"Memory chips with embedded program code that hold their content when power is turned off"
"Fiscal year"
"Any yearly accounting period without regard to its relationship to a calendar year."
"Foreign exchange risk"
"Present when a financial asset or liability is denominated in a foreign currency or is funded by borrowings in another currency"
"Format checking"
"The application of an edit, using a predefined field definition to a submitted information stream; a test to ensure that data conform to a predefined format"
"Fourth generation language (4GL)"
"English-like, user-friendly, nonprocedural computer languages used to program and/or read and process computer files"
"Frame relay"
"A packet-switched wide-area-network technology that provides faster performance than older packet-switched WAN technologies such as X.25 networks, because it was designed for today’s reliable circuits and performs less rigorous error detection. Frame relay is best suited for data and image transfers. Because of its variable-length packet architecture, it is not the most efficient technology for real-time voice and video. In a frame-relay network, end nodes establish a connection via a permanent virtual circuit (PVC)."
"Fraud risk"
"The risk that activities will include deliberate circumvention of controls with the intent to conceal the perpetration of irregularities, the unauthorized use of assets or services, and abetting or helping to conceal such acts."
"FTP (file transfer protocol)"
"A protocol used to transfer files over a TCP/IP network (Internet, UNIX, etc.)"
"Full duplex"
"A communications channel over which data can be sent and received simultaneously"
"Function point analysis"
"A technique used to determine the size of a development task, based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal sites."
"A hardware/software package that is used to connect networks with different protocols. The gateway has its own processor and memory and can perform protocol and bandwidth conversions."
"General computer controls"
"Controls, other than application controls, which relate to the environment within which computer-based application systems are developed, maintained and operated, and which are therefore applicable to all applications. The objectives of general controls are to ensure the proper development and implementation of applications, the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IS strategy and an IS security policy, the organization of IS staff to separate conflicting duties and planning for disaster prevention and recovery."
"Generalized audit software"
"A computer program or series of programs designed to perform certain automated functions. These functions include reading computer files, selecting data, manipulating data, sorting data, summarizing data, performing calculations, selecting samples and printing reports or letters in a format specified by the IS auditor. This technique includes software acquired or written for audit purposes and software embedded in production systems."
"Geographic disk mirroring"
"A data recovery strategy that takes a set of physically disparate disks and synchronously mirrors them over high performance communication lines. Any write to a disk on one side will result in a write on the other. The local write will not return until the acknowledgement of the remote write is successful."
"An individual who attempts to gain unauthorized access to a computer system"
"Half duplex"
"A communications channel that can handle only one signal at a time. The two stations must alternate their transmissions."
"Handprint scanner"
"A biometric device that is used to authenticate a user through palm scans"
"To configure a computer or other network device to resist attacks"
"Relates to the technical and physical features of the computer"
"Hash function"
"An algorithm that maps or translates one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input. It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm. It is computationally infeasible to find two different messages that produce the same hash result using the same algorithm."
"Hash total"
"The total of any numeric data field on a document or computer file. This total is checked against a control total of the same field to facilitate accuracy of processing."
"A numbering system that uses a base of 16 and uses 16 digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E and F. Programmers use hexadecimal numbers as a convenient way of representing binary numbers."
"Hierarchical database"
"A database structured in a tree/root or parent/child relationship. Each parent can have many children, but each child may have only one parent."
"Honey pot"
"A specially configured server, designed to attract intruders so that their actions do not affect production systems; also known as a decoy server"
"Hot site"
"A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster"
"HTTP (hyper text transfer protocol)"
"A communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit HTML pages to the client browser."
"HTTPS (hyper text transfer protocol secure)"
"A protocol for accessing a secure web server# whereby all data transferred is encrypted"
"A common connection point for devices in a network# hubs commonly are used to connect segments of a LAN. A hub contains multiple ports. When a packet arrives at one port# it is copied to the other ports so that all segments of the LAN can see all packets."
"Is an electronic pathway that may be displayed in the form of highlighted text# graphics or a button that connects one web page with another web page address."
"A language# which enables electronic documents that present information that can be connected together by links instead of being presented sequentially# as is the case with normal text."
"ICMP (internet control message protocol)"
"A set of protocols that allow systems to communicate information about the state of services on other systems. It is used# for example# in determining whether systems are up# maximum packet sizes on links# whether a destination host/network/port is available. Hackers typically (abuse) use ICMP to determine information about the remote site."
"Idle standby"
"A fail-over process in which the primary node owns the resource group. The backup node runs idle# only supervising the primary node. In case of a primary node outage# the backup node takes over. The nodes are prioritized# which means the surviving node with the highest priority will acquire the resource group. A higher priority node joining the cluster will thus cause a short service interruption."
"IDS (intrusion detection system)"
"An intrusion detection system (IDS) inspects network activity to identify suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system"
"(Institute of Electrical and Electronics Engineers)--Pronounced I-triple-E# IEEE is an organization composed of engineers# scientists and students. The IEEE is best known for developing standards for the computer and electronics industry."
"Image processing"
"The process of electronically inputting source documents by taking an image of the document# thereby eliminating the need for key entry"
"implementation life cycle review"
"Refers to the controls that support the process of transformation of the organisation’s legacy information systems into the ERP applications. This would largely cover all aspects of systems implementation and configuration# such as change management"
"Incremental testing"
"Deliberately testing only the value-added functionality of a software component"
"Self-governance and freedom from conflict of interest and undue influence. The IS auditor should be free to make his/her own decisions# not influenced by the organization being audited and its people (managers and employers)."
"Independent appearance"
"The outward impression of being self-governing and free from conflict of interest and undue influence"
"Independent attitude"
"Impartial point of view which allows the IS auditor to act objectively and with fairness"
"Indexed sequential access method (ISAM)"
"A disk access method that stores data sequentially# while also maintaining an index of key fields to all the records in the file for direct access capability"
"Indexed sequential file"
"A file format in which records are organized and can be accessed# according to a preestablished key that is part of the record"
"Information engineering"
"Data-oriented development techniques that work on the premise that data are at the center of information processing and that certain data relationships are significant to a business and must be represented in the data structure of its systems"
"Information processing facility (IPF)"
"The computer room and support areas"
"Inherent risk"
"The susceptibility of an audit area to error which could be material# individually or in combination with other errors# assuming that there are no related internal controls"
"Inheritance (objects)"
"Inheritance refers to database structures that have a strict hierarchy (no multiple inheritance). Inheritance can initiate other objects irrespective of the class hierarchy# thus there is no strict hierarchy of objects."
"Initial program load (IPL)"
"The initialization procedure that causes an operating system to be loaded into storage at the beginning of a workday or after a system malfunction"
"Input controls"
"Techniques and procedures used to verify# validate and edit data# to ensure that only correct data are entered into the computer"
"Integrated services digital network (ISDN)"
"A public end-to-end digital telecommunications network with signaling# switching and transport capabilities supporting a wide range of service accessed by standardized interfaces with integrated customer control. The standard allows transmission of digital voice# video and data over 64 Kpbs lines."
"Integrated test facilities (ITF)"
"Test data are processed in production systems. The data usually represent a set of fictitious entities such as departments# customers and products. Output reports are verified to confirm the correctness of the processing."
"The accuracy and completeness of information as well as to its validity in accordance with business values and expectations"
"Intelligent terminal"
"A terminal with built-in processing capability. It has no disk or tape storage but has memory. The terminal interacts with the user by editing and validating data as they are entered prior to final processing."
"interest rate risk"
"Is the risk to earnings or capital arising from movements in interest rates. From an economic perspective# a bank focuses on the sensitivity of the value of its assets# liabilities and revenues to changes in interest rates. Internet banking may attract deposits# loans and other relationships from a larger pool of possible customers than other forms of marketing. Greater access to customers who primarily seek the best rate or term reinforces the need for managers to maintain appropriate asset/liability management systems# which should include the ability to react quickly to changing market conditions."
"Interface testing"
"A testing technique that is used to evaluate output from one application# while the information is sent as input to another application"
"Internal control"
"The policies# procedures# practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected."
"Internal control structure"
"The dynamic# integrated processes# effected by the governing body# management and all other staff# that are designed to provide reasonable assurance regarding the achievement of the following general objectives: Effectiveness# efficiency and economy of operations Reliability of management Compliance with applicable laws# regulations and internal policies Management’s strategies for achieving these general objectives are affected by the design and operation of the following components: Control environment Information system Control procedures"
"Internal penetrators"
"Authorized users of a computer system who overstep their legitimate access rights. This category is divided into masqueraders and clandestine users."
"Internal storage"
"The main memory of the computer’s central processing unit"
"1) Two or more networks connected by a router 2) The world’s largest network using TCP/IP protocols to link government# university and commercial institutions"
"Internet banking"
"Use of the Internet as a remote delivery channel for banking services. Services include the traditional ones# such as opening an account or transferring funds to different accounts# and new banking services# such as electronic bill presentment and payment (allowing customers to receive and pay bills on a bank’s web site)."
"Internet Engineering Task Force (IETF)"
"The Internet standards setting organization with affiliates internationally from network industry representatives. This includes all network industry developers and researchers concerned with evolution and planned growth of the Internet."
"Internet Inter-ORB Protocol (IIOP)"
"A protocol developed by the object management group (OMG) to implement Common Object Request Broker Architecture (CORBA) solutions over the World Wide Web. CORBA enables modules of network-based programs to communicate with one another. These modules or program parts# such as tables# arrays# and more complex program subelements# are referred to as objects. Use of IIOP in this process enables browsers and servers to exchange both simple and complex objects. This significantly differs from HTTP# which only supports the transmission of text."
"Internet packet (IP) spoofing"
"An attack using packets with the spoofed source Internet packet (IP) addresses. This technique exploits applications that use authentication based on IP addresses. This technique also may enable an unauthorized user to gain root access on the target system."
"A private network that uses the infrastructure and standards of the Internet and World Wide Web# but is isolated from the public Internet by firewall barriers."
"Any intentional violation of the security policy of a system"
"Intrusion detection"
"The process of monitoring the events occurring in a computer system or network# detecting signs of security problems"
"Intrusive monitoring"
"In vulnerability analysis# gaining information by performing checks that affects the normal operation of the system# even crashing the system"
"IP (Internet protocol)"
"Specifies the format of packets and the addressing scheme"
"IPSec (Internet protocol security)"
"A set of protocols developed by the IETF to support the secure exchange of packets"
"Intentional violations of established management policy or regulatory requirements. Deliberate misstatements or omissions of information concerning the area under audit or the organization as a whole; gross negligence or unintentional illegal acts."
"An international standard that defines information confidentiality# integrity and availability controls"
"ISP (Internet service provider)"
"A third party that provides organizations with a variety of Internet# and Internet-related services"
"IT governance"
"A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes"
"Job control language (JCL)"
"A language used to control run routines in connection with performing tasks on a computer"
"journal entry"
"A debit or credit to a general ledger account. See also manual journal entry."
"Judgment sampling"
"Any sample that is selected subjectively or in such a manner that the sample selection process is not random or the sampling results are not evaluated mathematically"
"L2F (Layer 2 forwarding)"
"A tunnelling protocol developed by Cisco Systems to support the creation of VPNs"
"L2TP (Layer 2 tunneling protocol)"
"An extension to PPP to facilitate the creation of VPNs. L2TP merges the best features of PPTP (from Microsoft) and L2F (from Cisco)."
"The time it takes a system and network delay to respond. System latency is the time a system takes to retrieve data. Network latency is the time it takes for a packet to travel from source to the final destination."
"LDAP (Lightweight Directory Access Protocol)"
"A set of protocols for accessing information directories. It is based on the X.500 standard# but is significantly simpler."
"Leased lines"
"A communication line permanently assigned to connect two points# as opposed to a dial-up line that is only available and open when a connection is made by dialing the target machine or network. Also known as a dedicated line."
"legal risk"
"Is the risk to earnings or capital arising from violations of# or nonconformance with# laws# rules# regulations# prescribed practices or ethical standards. Banks are subject to various forms of legal risk. This can include the risk that assets will turn out to be worth less or liabilities will turn out to be greater than expected because of inadequate or incorrect legal advice or documentation. In addition# existing laws may fail to resolve legal issues involving a bank; a court case involving a particular bank may have wider implications for banking business and involve costs to it and many or all other banks; and# laws affecting banks or other commercial enterprises may change. Banks are particularly susceptible to legal risks when entering new types of transactions and when the legal right of a counter-party to enter into transactions is not established."
"The individual responsible for the safeguard and maintenance of all program and data files"
"Limit check"
"Tests of specified amount fields against stipulated high or low limits of acceptability. When both high and low values are used# the test may be called a range check."
"Link editor (linkage editor)"
"A utility program that combines several separately compiled modules into one# resolving internal references between them"
"liquidity risk"
"Is the risk to earnings or capital arising from a bank’s inability to meet its obligations when they come due# without incurring unacceptable losses. Internet banking may increase deposit volatility from customers who maintain accounts solely on the basis of rate or terms."
"Local area network (LAN)"
"A communication network that serves several users within a specified geographic area. It is made up of servers# workstations# a network operating system and a communications link. Personal computer LANs function as distributed processing systems in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive to all users in the network."
"Local loop"
"The communication lines that provide connectivity between the telecommunications carrier’s central office and the subscriber’s facilities"
"To record details of information or events in an organized record-keeping system# usually sequenced in the order they occurred"
"Logical access controls"
"The policies# procedures# organizational structure and electronic access controls designed to restrict access to computer software and data files"
"Disconnecting from the computer"
"The act of connecting to the computer. It typically requires entry of a user ID and password into a computer terminal."
"Logs/Log file"
"Files created specifically to record various actions occurring on the system to be monitored# such as failed login attempts# full disk drives and e-mail delivery failures"
"Machine language"
"The logical language a computer understands"
"Magnetic card reader"
"A card reader that reads cards with a magnetizable surface on which data can be stored and retrieved"
"Magnetic ink character recognition (MICR)"
"Used to electronically input# read and interpret information directly from a source document; requires the source document to have specially-coded magnetic ink typeset"
"Management information system (MIS)"
"An organized assembly of resources and procedures required to collect# process and distribute data for use in decision making"
"Man-in-the-middle attack"
"An attack strategy in which the attacker intercepts the communications stream between two parts of the victim system and then replaces the traffic between the two components with the intruder’s own# eventually assuming control of the communication"
"manual journal entry"
"A journal entry entered at a computer terminal. Manual journal entries can include regular# statistical# inter-company and foreign currency entries"
"Diagramming data that are to be exchanged electronically# including how it is to be used and what business management systems need it. It is a preliminary step for developing an applications link. (Also see application tracing and mapping.)"
"A computerized technique of blocking out the display of sensitive information# such as passwords# on a computer terminal or report"
"Attackers that penetrate systems by using user identifiers and passwords taken from legitimate users"
"Master file"
"A file of semipermanent information that is used frequently for processing data or for more than one purpose"
"An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. An expression of the relative significance or importance of a particular matter in the context of the organization as a whole."
"Memory dump"
"The act of copying raw data from one place to another with little or no formatting for readability. Usually# dump refers to copying data from main memory to a display screen or a printer. Dumps are useful for diagnosing bugs. After a program fails# one can study the dump and analyze the contents of memory at the time of the failure. Dumps are usually output in a difficult-to-read form (that is# binary# octal or hexadecimal)# so a memory dump will not help unless each person knows exactly for what to look."
"Message switching"
"A telecommunications traffic controlling methodology in which a complete message is sent to a concentration point and stored until the communications path is established"
"Microwave transmission"
"A high-capacity line-of-sight transmission of data signals through the atmosphere which often requires relay stations"
"Another term for an application programmer interface (API). It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services."
"Misuse detection"
"Detection on the basis of whether the system activity matches that defined as bad"
"Modem (modulator-demodulator)"
"Connects a terminal or computer to a communications network via a telephone line. Modems turn digital pulses from the computer into frequencies within the audio range of the telephone system. When acting in the receiver capacity# a modem decodes incoming frequencies."
"The process of converting a digital computer signal into an analog telecommunications signal"
"Monetary unit sampling"
"A sampling technique that estimates the amount of overstatement in an account balance"
"Any information collection mechanism utilized by an intrusion detection system"
"Monitoring policy"
"The rules outlining the way in which information is captured and interpreted"
"The transmission of more than one signal across a physical channel"
"A device used for combining several lower-speed channels into a higher-speed channel"
"Mutual takeover"
"A fail-over process# which is basically a two-way idle standby: two servers are configured so that both can take over the other node’s resource group. Both must have enough CPU power to run both applications with sufficient speed# or performance losses must be taken into account expected until the failed node reintegrates. This also works nicely in three or more node configurations."
"NAT (Network Address Translation)"
"An Internet standard that allows a network to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. The server# providing the NAT service# changes the source address of outgoing packets from the internal to the external address and reverses it for packets returning."
"A popular local area network operating system developed by the Novell Corp."
"A system of interconnected computers and the communications equipment used to connect them"
"Network administrator"
"The person responsible for maintaining a LAN and assisting end users"
"Network hop"
"An attack strategy in which the attacker successively hacks into a series of connected systems# obscuring his/her identify from the victim of the attack"
"Point at which terminals are given access to a network"
"Disturbances# such as static# in data transmissions that cause messages to be misinterpreted by the receiver"
"Non-intrusive monitoring"
"In vulnerability analysis# gaining information by performing standard system status queries and inspecting system attributes"
"nonrepudiable trnasactions"
"Transactions that cannot be denied after the fact"
"The assurance that a party cannot later deny originating data# that it is the provision of proof of the integrity and origin of the data which can be verified by a third party. Nonrepudiation may be provided by a digital signature."
"The elimination of redundant data"
"Numeric check"
"An edit check designed to ensure the data in a particular field is numeric"
"Object code"
"Machine-readable instructions produced from a compiler or assembler program that has accepted and translated the source code"