
CISA Exam

Terms

RADIUS (remote authentication dial-in user service)
A type of service providing an authentication and accounting system often used for dial-up and remote access security
Universal Description, Discovery and Integration (UDDI)
A web-based version of the traditional phone book's yellow and white pages, enabling businesses to be publicly listed in order to promote e-commerce activity.
Abend
An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing
Access control
The process that limits and controls access to the resources of a computer system; a logical or physical control designed to protect against unauthorized entry or use. Access rules can be defined by the system (mandatory access control, or MAC) or by the user who owns the object (discretionary access control, or DAC). Under MAC the owner cannot loosen the system-imposed policy; under DAC the owner can grant or revoke access at will.
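The MAC/DAC distinction is easier to see in code. The following is an added example written for this page, not part of the ISACA glossary: it models a Bell-LaPadula style MAC check (ordered labels, "no read up", "no write down") alongside an owner-managed DAC access control list, and shows that an owner's DAC grant cannot override the MAC label. The subjects, objects, label names and ACL contents are constructed sample data.

```python
"""Added example for this page (not ISACA's): MAC versus DAC decisions.

MAC: the system assigns sensitivity labels and enforces a fixed policy.
DAC: the object's owner decides who else may do what via an ACL.
All names and data below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Ordered sensitivity labels for MAC; a higher index dominates a lower one.
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass
class Subject:
    name: str
    clearance: str                      # MAC label
    groups: set = field(default_factory=set)


@dataclass
class Object:
    name: str
    owner: str
    classification: str                 # MAC label
    acl: dict = field(default_factory=dict)   # DAC: principal -> {actions}


def mac_permits(subject: Subject, obj: Object, action: str) -> bool:
    """Bell-LaPadula style check: no read up, no write down."""
    s = LEVELS.index(subject.clearance)
    o = LEVELS.index(obj.classification)
    if action == "read":
        return s >= o          # may read only at or below own clearance
    if action == "write":
        return s <= o          # may write only at or above own clearance
    return False


def dac_permits(subject: Subject, obj: Object, action: str) -> bool:
    """Owner always has access; others need an ACL entry for them or a group."""
    if subject.name == obj.owner:
        return True
    principals = {subject.name} | subject.groups
    return any(action in obj.acl.get(p, set()) for p in principals)


def dac_grant(grantor: Subject, obj: Object, principal: str, action: str) -> bool:
    """Only the owner may change the ACL; anyone else's attempt is refused."""
    if grantor.name != obj.owner:
        return False
    obj.acl.setdefault(principal, set()).add(action)
    return True


def access_allowed(subject: Subject, obj: Object, action: str) -> bool:
    """The system enforces both: a DAC grant never overrides the MAC policy."""
    return mac_permits(subject, obj, action) and dac_permits(subject, obj, action)


def run_demo() -> dict:
    """Constructed scenario; returns the decisions so they can be checked."""
    alice = Subject("alice", "secret")
    bob = Subject("bob", "internal", {"analysts"})
    carol = Subject("carol", "secret")
    report = Object("q3-report", owner="alice", classification="confidential")

    dac_grant(alice, report, "analysts", "read")   # owner shares with bob's group
    dac_grant(bob, report, "bob", "write")         # non-owner: refused, ACL unchanged

    return {
        "alice_read": access_allowed(alice, report, "read"),    # owner, cleared
        "alice_write": access_allowed(alice, report, "write"),  # owner, but no write down
        "bob_read": access_allowed(bob, report, "read"),        # DAC yes, MAC no read up
        "carol_read": access_allowed(carol, report, "read"),    # MAC yes, no DAC entry
        "bob_in_acl": "bob" in report.acl,
    }


if __name__ == "__main__":
    for decision, allowed in run_demo().items():
        print(f"{decision:12s} -> {'allow' if allowed else 'deny'}")
```

The point to notice is bob: alice, as owner, has granted his group read access under DAC, yet the system still denies him because his clearance does not dominate the object's classification. Conversely alice cannot write to her own object because writing down is forbidden by the label policy, not by anything she controls.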
Access control table
An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals
Access method
The technique used for selecting records in a file, one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization that determines how the records are stored.
Access path
The logical route an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system.
Access rights
Also called permissions or privileges, these are the rights granted to users by the administrator or supervisor. Access rights determine the actions users can perform (e.g., read, write, execute, create and delete) on files in shared volumes or file shares on the server.
Accountability
The ability to map a given activity or event back to the responsible party
ACK (acknowledgement)
A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly by the receiver without errors, or that the receiver is now ready to accept a transmission
Active recovery site (mirrored)
Recovery strategy that involves two active sites, each capable of taking over the other's workload in the event of a disaster. Each site has enough idle processing power to restore data from the other site and to accommodate the excess workload in the event of a disaster.
Active response
A response in which the system (automatically or in concert with the user) blocks or otherwise affects the progress of a detected attack. The response takes one of three forms: amending the environment, collecting more information, or striking back against the attacker.
Address
The code used to designate the location of a specific piece of data within computer storage
Address space
The number of distinct locations that may be referred to with the machine address. For most binary machines it is equal to 2^n, where n is the number of bits in the machine address (e.g., a 32-bit address gives 2^32 = 4,294,967,296 locations).
Addressing
The method used to identify the location of a participant in a network. Ideally, addressing specifies where the participant is located rather than who they are (name) or how to get there (routing).
adjusting period
The calendar can contain "real" accounting periods and/or adjusting accounting periods. The "real" accounting periods must not overlap and cannot have gaps between them. Adjusting accounting periods can overlap with other accounting periods. For example, a period called DEC-93 can be defined that includes 01-DEC-1993 through 31-DEC-1993. An adjusting period called DEC31-93 can also be defined that includes only one day: 31-DEC-1993 through 31-DEC-1993.
Administrative controls
The actions/controls dealing with operational effectiveness, efficiency and adherence to regulations and management policies
allocation entry
A recurring journal entry used to allocate revenues or costs. For example, an allocation entry could be defined to allocate costs to each department based on headcount.
Alpha
The use of alphabetic characters or an alphabetic character string
Analog
A transmission signal that varies continuously in amplitude and time and is generated in wave formation. Analog signals are used in telecommunications.
Anomaly
Unusual or statistically rare
Anomaly detection
Detection on the basis of whether system activity deviates from a profile of what has been defined or learned as normal; activity outside that baseline is flagged as a possible intrusion. Contrast with signature-based detection, which matches activity against patterns of known attacks.
Anonymity
The quality or state of not being named or identified
Anonymous File Transfer Protocol (FTP)
A method for downloading public files using the File Transfer Protocol (FTP). Anonymous FTP is called anonymous because users do not need to identify themselves before accessing files from a particular server. In general, users enter the word anonymous when the host prompts for a username; anything can be entered for the password, such as the user's e-mail address or simply the word guest. In many cases, an anonymous FTP site will not even prompt users for a name and password.
Antivirus software
Applications that detect, prevent and possibly remove known viruses from files located on a microcomputer hard drive
Appearance
The act of giving the idea or impression of being or doing something
Appearance of independence
Behavior adequate to meet the situations occurring during audit work (interviews, meetings, reporting, etc.). The IS auditor should be aware that appearance of independence depends upon the perceptions of others and can be influenced by improper actions or associations.
Applet
A program written in a portable, platform-independent computer language, such as Java. It is usually embedded in an HTML page and then executed by a browser. Applets can only perform a restricted set of operations (the browser sandbox), thus preventing, or at least minimizing, the possible security compromise of the host computer.
application
A computer program or set of programs that perform the processing of records for a specific function
Application acquisition review
An evaluation of an application system being acquired or evaluated, which considers such matters as: whether appropriate controls are designed into the system; whether the application will process information in a complete, accurate and reliable manner; whether the application will function as intended; whether the application will function in compliance with any applicable statutory provisions; and whether the system is acquired in compliance with the established system acquisition process.
Application controls
Refer to the transactions and data relating to each computer-based application system and are therefore specific to each such application. The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein resulting from both manual and programmed processing. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted.
Application development review
An evaluation of an application system under development, which considers matters such as: whether appropriate controls are designed into the system; whether the application will process information in a complete, accurate and reliable manner; whether the application will function as intended; whether the application will function in compliance with any applicable statutory provisions; and whether the system is developed in compliance with the established systems development life cycle process
Application implementation review
An evaluation of any part of an implementation project (e.g., project management, test plans, user acceptance testing procedures)
Application layer
A layer within the International Organization for Standardization (ISO)/Open Systems Interconnection (OSI) model. It is used in information transfers between users through application programs and other devices. In this layer various protocols are needed. Some of them are specific to certain applications and others are more general for network services.
Application maintenance review
An evaluation of any part of a project to perform maintenance on an application system (e.g., project management, test plans, user acceptance testing procedures)
Application program
A program that processes actions upon business data, such as data entry, update or query. It contrasts with a systems program, such as an operating system or network control program, and with utility programs, such as copy or sort.
Application programming
The act or function of developing and maintaining application programs in production
Application programming interface (API)
A set of routines, protocols and tools referred to as "building blocks" used in business application software development. A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system, which applications need to specify when, for example, interfacing with an operating system (e.g., those provided by MS-Windows or different versions of UNIX). A programmer would use these APIs in developing applications that can operate effectively and efficiently on the chosen platform.
Application proxy
A proxy service that connects programs running on internal networks to services on exterior networks by creating two connections: one from the requesting client to the proxy and another from the proxy to the destination service. Because the proxy terminates both connections, it can inspect and enforce policy on the application protocol rather than only on packet headers.
application security
Refers to the security aspects supported by the ERP, primarily with regard to roles or responsibilities and audit trails within the applications
Application software tracing and mapping
Specialized tools that can be used to analyze the flow of data through the processing logic of the application software, and to document the logic, paths, control conditions and processing sequences. Both the command language or job control statements and the programming language can be analyzed. This technique includes program/system mapping, tracing, snapshots, parallel simulations and code comparisons.
Application system
An integrated set of computer programs designed to serve a particular function that has specific input, processing and output activities (e.g., general ledger, manufacturing resource planning, human resource management)
Arithmetic-logic unit (ALU)
The area of the central processing unit that performs mathematical and analytical operations
Artificial intelligence
Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules
ASCII
(American Standard Code for Information Interchange) A seven-bit code representing 128 characters, normally stored one character per eight-bit byte; used in most small computers
ASP/MSP (application or managed service provider)
A third party that delivers and manages applications and computer services, including security services, to multiple users via the Internet or a private network
Assembler
A program that takes as input a program written in assembly language and translates it into machine code or relocatable code
Assembly language
A low-level computer programming language which uses symbolic code and produces machine instructions
Asymmetric key (public key)
A cipher technique whereby different cryptographic keys are used to encrypt and decrypt a message (see public key cryptosystems)
Asynchronous Transfer Mode (ATM)
ATM is a high-bandwidth, low-delay switching and multiplexing technology. It is a data link layer protocol, which means that it is a protocol-independent transport mechanism for the network-layer protocols carried over it. ATM allows integration of real-time voice and video as well as data, using fixed-size 53-byte cells. ATM supports very high data transfer rates, commonly 155 Mbit/s (OC-3) and higher.
Asynchronous transmission
Character-at-a-time transmission, with each character framed by its own start and stop bits rather than by a shared clock
Attitude
Way of thinking, behaving, feeling, etc.
Attribute sampling
An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size)
Audit
The process of generating, recording and reviewing a chronological record of system events to ascertain their accuracy
Audit accountability
Performance measurement of service delivery including cost, timeliness and quality against agreed service levels
Audit authority
A statement of the position within the organization, including lines of reporting and the rights of access
Audit charter
A document which defines the IS audit function's responsibility, authority and accountability
Audit evidence
The information an IS auditor gathers in the course of performing an IS audit and uses to meet the audit objectives. (The level of risk an auditor is prepared to accept during an engagement is a separate concept; see audit risk.)
Audit expert systems
Expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field. This technique includes automated risk analysis, systems software and control objectives software packages.
Audit objective
The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk.
Audit plan
A high-level description of the audit work to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work.
Audit program
A series of steps to complete an audit objective
Audit responsibility
The roles, scope and objectives documented in the service level agreement between management and audit
Audit risk
The risk of giving an incorrect audit opinion
Audit sampling
The application of audit procedures to less than 100 percent of the items within a population to obtain audit evidence about a particular characteristic of the population
Audit trail
A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source
auditability
The level to which transactions can be traced and audited through a system
Authentication
The act of verifying the identity of a system entity (e.g., a user, a system, a network node) and the entity's eligibility to access computerized information. Designed to protect against fraudulent logon activity. Authentication can also refer to the verification of the correctness of a piece of data.
authorization
The process of determining what types of activities are permitted. Ordinarily, authorization is considered in the context of authentication: once a user has been authenticated, he or she may be authorized to perform different types of access or activity.
Automated teller machine (ATM)
A 24-hour, stand-alone mini-bank, located outside branch bank offices or in public places like shopping malls. Through ATMs, clients can make deposits, withdrawals, account inquiries and transfers. Typically, the ATM network is comprised of two spheres: a proprietary sphere, in which the bank manages the transactions of its clients, and the public or shared domain, in which a client of one financial institution can use another's ATMs.
Availability
Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Backup
Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service
Bandwidth
The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bits per second or in hertz (cycles per second).
Bar code
A printed machine-readable code that consists of parallel bars of varied width and spacing
Base case
A standardized body of data created for testing purposes. Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.
Baseband
A form of modulation in which data signals are pulsed directly onto the transmission medium without frequency division, usually by means of a transceiver. In baseband the entire bandwidth of the transmission medium (e.g., coaxial cable) is used for a single channel.
Batch control
Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage. There are two main forms of batch controls: 1) sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed; and 2) control total, which is a total of the values in selected fields within the transactions (a record count, a financial total, or a hash total of a field such as account number that has no meaning in itself).
Batch processing
The processing of a group of transactions at the same time. Transactions are collected and processed against the master files at a specified time.
Baud rate
The rate of transmission for telecommunication data, expressed in symbols (signal changes) per second. It equals the bit rate in bits per second (bps) only when each symbol carries one bit; modern modems encode several bits per symbol, so the bit rate is a multiple of the baud rate.
Benchmark
A test that has been designed to evaluate the performance of a system. In a benchmark test, a system is subjected to a known workload and the performance of the system against this workload is measured. Typically, the purpose is to compare the measured performance with that of other systems that have been subject to the same benchmark test.
Binary code
A code whose representation is limited to 0 and 1
Biometric locks
Door and entry locks that are activated by such biometric features as voice, eye retina, fingerprint or signature
Biometrics
A security technique that verifies an individual's identity by analyzing a unique physical attribute, such as a handprint
Black box testing
A testing approach which focuses on the functionality of the application or product and does not require knowledge of the code internals. The internal workings of the item being tested are not known by the tester; for example, in a black box test of a software design the tester knows only the inputs and what the expected outcomes should be, not how the program arrives at those outputs.
Border router
See external router.
Bridge
A device that connects two similar networks together
Broadband
In broadband, multiple channels are formed by dividing the transmission medium into discrete frequency segments. It generally requires the use of a modem.
Brouters
Devices that perform the functions of both bridges and routers. Naturally, they operate at both the data link and the network layers. A brouter connects LAN segments of the same data link type as well as of different types, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a different data link type network based on the network protocol address. When connecting networks of the same data link type, brouters are as fast as bridges, while still being able to connect networks of different data link types.
browser
A computer program that enables the user to retrieve information that has been made publicly available on the Internet; also, one that permits multimedia (graphics) applications on the World Wide Web
Brute force
The name given to a class of algorithms that repeatedly try all possible combinations until a solution is found
BSP (business service provider)
An ASP that also provides outsourcing of business processes such as payment processing, sales order processing and application development
budget
Estimated cost and revenue amounts for a given range of periods and set of books. There can be multiple budget versions for the same set of books.
budget formula
A mathematical expression used to calculate budget amounts based on actual results, other budget amounts and statistics. With budget formulas, budgets using complex equations, calculations and allocations can be created automatically.
budget hierarchy
A group of budgets linked together at different levels such that the budgeting authority of a lower-level budget is controlled by an upper-level budget.
budget organization
An entity (department, cost center, division or other group) responsible for entering and maintaining budget data.
Buffer
Memory reserved to temporarily hold data. Buffers are used to offset differences between the operating speeds of different devices, such as a printer and a computer. In a program, buffers are reserved areas of RAM that hold data while they are being processed.
Bulk data transfer
A data recovery strategy that includes a recovery from complete backups that are physically shipped off site once a week. Specifically, logs are batched electronically several times daily and then loaded into a tape library located at the same facility as the planned recovery.
Bus
Common path or channel between hardware devices. It can be between components internal to a computer or between external computers in a communications network.
Bus topology
A type of local area network (LAN) architecture in which each station is directly attached to a common communication channel. Signals transmitted over the channel take the form of messages. As each message passes along the channel, each station receives it. Each station then determines, based on an address contained in the message, whether to accept and process the message or simply to ignore it.
Business impact analysis (BIA)
An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems
business process integrity
Controls over the business processes that are supported by the ERP
Business process reengineering (BPR)
Modern expression for organizational development stemming from IS/IT impacts. The ultimate goal of BPR is to yield a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings. To reengineer means to redesign a structure and procedures with intelligence and skill, while being well informed about all of the attendant factors of a given situation, so as to obtain the maximum benefits from mechanization as basic rationale.
Business risk
Risks that could impact the organization's ability to perform business or provide a service. They can be financial, regulatory or control oriented.
Business-to-consumer e-commerce (B2C)
Refers to the processes by which organisations conduct business electronically with their customers and or public at large using the Internet as the enabling technology.
Bypass label processing (BLP)
A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system.
CAATs
See computer-assisted audit techniques
Cadbury
The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was chaired by Sir Adrian Cadbury and produced a report on the subject commonly known, in the UK, as the Cadbury Report.
Capacity stress testing
Testing an application with large quantities of data to evaluate its performance during peak periods. It is also called volume testing.
Card swipes
A physical control technique that uses a secured card or ID to gain access to a highly sensitive location. Card swipes, if built correctly, act as a preventive control over physical access to those sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs all card users that try to access the secured location. The card swipe device prevents unauthorized access and logs all attempts to enter the secured location.
Cathode ray tube (CRT)
A vacuum tube that displays data by means of an electron beam striking a screen coated with suitable phosphor material; a device similar to a television screen upon which data can be displayed
Central office (CO)
A telecommunications carrier’s facilities in a local area in which service is provided where local service is switched to long distance
Central processing unit (CPU)
Computer hardware that houses the electronic circuits that control/direct all operations of the computer system
Centralized data processing
Identified by one central processor and one set of databases serving all users; contrast with a distributed processing configuration, in which processors and databases are spread across multiple sites
Certificate authority (CA)
A trusted third party that serves authentication infrastructures or organizations and registers entities and issues them certificates
Certificate Revocation List
A list of retracted certificates
Challenge/response token
A method of user authentication. Challenge/response authentication is carried out, for example, through the Challenge Handshake Authentication Protocol (CHAP). When a user tries to log in to the server, the server sends the user a "challenge," which is a random value. The user's password is used as the secret that transforms the challenge (CHAP hashes the identifier, the secret and the challenge together) and the result is returned to the server. The server knows the password, so it performs the same computation on the challenge value and compares it with the value received from the user. If the values match, the user is authenticated. The password itself never crosses the wire, which protects against password sniffing, and CHAP can repeat the challenge periodically throughout the session. Because the challenge is a fresh random value on each attempt, a captured response cannot be replayed. Note that this does not by itself defeat a "man in the middle" who relays the live challenge and response between the two parties, and the server must hold the shared secret in recoverable (cleartext-equivalent) form in order to verify responses.
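The exchange described above, as an added example written for this page (it is not ISACA's text and not any vendor's CHAP implementation). It follows the RFC 1994 response construction, MD5 over the identifier, the secret and the challenge, and shows why a sniffed response cannot be replayed: the server discards each challenge once it has been answered. The username, secret, class names and message flow are constructed for illustration.

```python
"""Added example for this page (not ISACA's, not any vendor's code): a
CHAP-style challenge/response exchange, following the RFC 1994 response
construction MD5(Identifier || secret || Challenge), plus a replay check.
The username, secret and class names are constructed for illustration.
"""
import hashlib
import hmac
import os

# Constructed sample credential. The server must keep the secret in
# recoverable form: it needs the real secret to recompute the response.
SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5 over Identifier, secret, Challenge Value."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets: dict):
        self._secrets = secrets
        self._outstanding = {}          # ident -> challenge not yet answered
        self._ident = 0

    def challenge(self) -> tuple:
        """Issue a fresh random challenge under a new identifier."""
        self._ident = (self._ident + 1) & 0xFF
        chal = os.urandom(16)
        self._outstanding[self._ident] = chal
        return self._ident, chal

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        """Recompute the expected response; a challenge is usable once only."""
        chal = self._outstanding.pop(ident, None)     # one-shot: blocks replay
        secret = self._secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


class ChapClient:
    def __init__(self, username: str, secret: bytes):
        self.username = username
        self._secret = secret

    def answer(self, ident: int, challenge: bytes) -> bytes:
        """The secret never leaves the client; only the hash goes on the wire."""
        return chap_response(ident, self._secret, challenge)


def run_demo() -> dict:
    server = ChapServer(SECRETS)
    client = ChapClient("alice", SECRETS["alice"])

    # 1. Normal login: challenge -> response -> verify.
    ident, chal = server.challenge()
    resp = client.answer(ident, chal)
    ok = server.verify(ident, "alice", resp)

    # 2. A sniffer captured (ident, resp) and replays it: challenge already consumed.
    replayed = server.verify(ident, "alice", resp)

    # 3. Wrong secret on a fresh challenge.
    ident2, chal2 = server.challenge()
    bad = server.verify(ident2, "alice", ChapClient("alice", b"guess").answer(ident2, chal2))

    # 4. Unknown user on a fresh challenge.
    ident3, chal3 = server.challenge()
    unknown = server.verify(ident3, "mallory", client.answer(ident3, chal3))

    return {"login_ok": ok, "replay_ok": replayed, "wrong_secret_ok": bad,
            "unknown_user_ok": unknown, "response_len": len(resp)}


if __name__ == "__main__":
    print(run_demo())
```

MD5 is used here because that is what RFC 1994 specifies, not as a recommendation. The weak point in this design is the secret store: because the server must recompute the hash, it needs the password in cleartext-equivalent form, so a compromise of that store exposes every account.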
Check digit
A numeric value, calculated mathematically from the other digits of a data item and appended to it, used to detect that the original data have been altered in entry or transmission, or that an incorrect but otherwise valid-looking value has been keyed. This control is effective in detecting transposition (digits swapped) and transcription (a digit mis-keyed) errors.
Check digit verification (self-checking digit)
A programmed edit or routine that detects transposition and transcription errors by calculating and checking the check digit
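An added example of the two entries above, written for this page rather than taken from the glossary: it implements the two check digit schemes an IS auditor meets most often, mod 10 (Luhn, used on payment card numbers) and mod 11 (ISBN-10), and then measures what each one actually detects by mutating a valid number every way a single transcription or adjacent transposition error could. The numbers used are well-known test values or constructed here.

```python
"""Added example for this page (not ISACA's): two common check digit
schemes, mod 10 (Luhn) and mod 11 (ISBN-10), and what each catches.
Sample numbers below are constructed or well-known test values.
"""


def luhn_check_digit(payload: str) -> str:
    """Mod-10 check digit: from the right, double every other payload digit,
    subtract 9 from any doubled value above 9, and pick the digit that
    brings the sum to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # the digit next to the check digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    if not number.isdigit() or len(number) < 2:
        return False
    return number[-1] == luhn_check_digit(number[:-1])


def isbn10_check_digit(payload: str) -> str:
    """Mod-11 check digit: weights 10..2 over the nine payload digits; a
    remainder of 10 is written as 'X'."""
    total = sum(int(d) * w for d, w in zip(payload, range(10, 1, -1)))
    r = (11 - total % 11) % 11
    return "X" if r == 10 else str(r)


def isbn10_valid(isbn: str) -> bool:
    isbn = isbn.replace("-", "").upper()
    if len(isbn) != 10 or not isbn[:9].isdigit():
        return False
    return isbn[9] == isbn10_check_digit(isbn[:9])


def detection_report(number: str, validator) -> dict:
    """Mutate a valid number every way a keying error would (one wrong digit,
    one adjacent swap) and count how many mutations the check digit catches."""
    digits = number.replace("-", "")
    single, single_caught = 0, 0
    for i in range(len(digits)):
        for d in "0123456789":
            if d != digits[i]:
                single += 1
                single_caught += not validator(digits[:i] + d + digits[i + 1:])
    swaps, swaps_caught = 0, 0
    for i in range(len(digits) - 1):
        if digits[i] != digits[i + 1]:
            swaps += 1
            s = digits[:i] + digits[i + 1] + digits[i] + digits[i + 2:]
            swaps_caught += not validator(s)
    return {"single_digit_errors": single, "single_caught": single_caught,
            "adjacent_swaps": swaps, "swaps_caught": swaps_caught}


if __name__ == "__main__":
    print(luhn_check_digit("7992739871"), luhn_valid("79927398713"))
    print(isbn10_check_digit("030640615"), isbn10_valid("0-306-40615-2"))
    print(detection_report("12345678903", luhn_valid))
    print(detection_report("0306406152", isbn10_valid))
```

Both schemes catch every single-digit transcription error. The difference shows up on transpositions: mod 11 with distinct weights catches every adjacent swap, while Luhn cannot distinguish a "09" from a "90" (the constructed number 12345678903 contains one such pair, so one of its ten possible swaps slips through). That is the reason mod 11 is preferred where the field is an account or reference number keyed by hand.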
Checkpoint restart procedures
A point in a routine at which sufficient information can be stored to permit restarting the computation from that point. NOTE: seems to pertain to recovery, e.g., shutting down a database after all records have been committed
Ciphertext
Information generated by an encryption algorithm to protect the plaintext. The ciphertext is unintelligible to the unauthorized reader.
Circuit-switched network
A data transmission service requiring the establishment of a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE. A circuit-switched data transmission service uses a connection network.
Circular routing
In open systems architecture; circular routing is the logical path of a message in a communications network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model.
Cleartext
Data that is not encrypted. Also known as plaintext.
Client-server
A group of computers connected by a communications network; where the client is the requesting machine and the server is the supplying machine. Software is specialized at both ends. Processing may take place on either the client or the server but it is transparent to the user.
Cluster controller
A communications terminal control hardware unit that controls a number of computer terminals. All messages are buffered by the controller and then transmitted to the receiver.
Coaxial cable
Composed of an insulated wire that runs through the middle of each cable, a second conductor that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second conductor. Coaxial cable has a greater transmission capacity than standard twisted-pair cables but has a limited range of effective distance.
COBIT®
Control Objectives for Information and related Technology, the international set of IT control objectives published by ISACF® (editions 1996, 1998 and 2000)
COCO
Criteria of Control, published by the Canadian Institute of Chartered Accountants in 1995
Cohesion
The extent to which a system unit (subroutine, program, module, component, subsystem) performs a single dedicated function. Generally, the more cohesive the units are, the easier it is to maintain and enhance a system, since it is easier to determine where and how to apply a change.
Cold site
An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility.
Combined Code on Corporate Governance
The consolidation in 1998 of the "Cadbury," "Greenbury" and "Hampel" Reports. Named after the Committee Chairs, these reports were sponsored by the UK Financial Reporting Council, the London Stock Exchange, the Confederation of British Industry, the Institute of Directors, the Consultative Committee of Accountancy Bodies, the National Association of Pension Funds and the Association of British Insurers to address the Financial Aspects of Corporate Governance, Directors' Remuneration and the implementation of the Cadbury and Greenbury recommendations.
Communications controller
Small computers used to connect and coordinate communication links between distributed or remote devices and the main computer, thus freeing the main computer from this overhead function
Comparison program
A program for the examination of data; using logical or conditional tests to determine or to identify similarities or differences
Compensating control
An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions
Compiler
A program that translates programming language (source code) into machine executable instructions (object code)
Completeness check
A procedure designed to ensure that no fields are missing from a record
Compliance testing
Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period
Components (as in component-based development)
Cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purpose built. However, the goal of component-based development is ultimately to use as many predeveloped, pretested components as possible.
Comprehensive audit
An audit designed to determine the accuracy of financial records, as well as to evaluate the internal controls of a function or department
Computationally greedy
Requiring a great deal of computing power; processor intensive
Computer sequence checking
Verifies that control numbers follow sequentially; any control numbers out of sequence, missing or duplicated are rejected or noted on an exception report for further research
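One added example serves the batch control entry (sequence control and control totals) and the computer sequence checking entry above. It is written for this page, not taken from ISACA or any audit tool, and runs a constructed batch of four transaction records through the checks an input control routine would apply: completeness of every field, consecutive control numbers (gaps, duplicates, out-of-order), and agreement of the record count, financial total and hash total with the batch header. The header fields, column names and records are made up for illustration.

```python
"""Added example for this page (not ISACA's): batch input controls applied
to a constructed batch of four transaction records. It checks completeness
(no empty fields), sequence control (gaps, duplicates, out-of-order control
numbers), and agreement of the record count, financial control total and
hash total with the batch header. Field names and data are made up.
"""
import csv
import io
from decimal import Decimal

# Constructed batch header as the data preparation area would submit it.
BATCH_HEADER = {
    "batch_id": "B-1042",
    "record_count": 4,
    "control_total": Decimal("1250.00"),   # sum of amount
    "hash_total": 40010,                   # sum of account numbers (meaningless in itself)
}

# Constructed detail records: seq 3 is missing, seq 4 is duplicated,
# and the last record has an empty description.
BATCH_RECORDS = """seq,account,amount,description
1,10001,250.00,Invoice 77
2,10002,500.00,Invoice 78
4,10003,300.00,Invoice 79
4,10004,200.00,
"""


def validate_batch(header: dict, csv_text: str) -> list:
    """Return a list of (code, detail) exceptions; an empty list means the
    batch agrees with its header and may be released for processing."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    exceptions = []

    # Completeness check: every field of every record must be present.
    for n, row in enumerate(rows, 1):
        missing = [k for k, v in row.items() if not (v or "").strip()]
        if missing:
            exceptions.append(("INCOMPLETE", f"row {n}: missing {', '.join(missing)}"))

    # Sequence control: control numbers must run 1..N without gaps or repeats.
    expected, seen = 1, set()
    for n, row in enumerate(rows, 1):
        seq = int(row["seq"])
        if seq in seen:
            exceptions.append(("SEQ_DUPLICATE", f"row {n}: seq {seq} already used"))
            continue
        seen.add(seq)
        if seq < expected:
            exceptions.append(("SEQ_OUT_OF_ORDER", f"row {n}: seq {seq} after {expected - 1}"))
        else:
            for gap in range(expected, seq):
                exceptions.append(("SEQ_GAP", f"seq {gap} never submitted"))
            expected = seq + 1

    # Control totals: record count, financial total, and hash total.
    amounts = sum((Decimal(r["amount"] or "0") for r in rows), Decimal("0"))
    accounts = sum(int(r["account"]) for r in rows if r["account"])
    if len(rows) != header["record_count"]:
        exceptions.append(("RECORD_COUNT", f"header {header['record_count']}, got {len(rows)}"))
    if amounts != header["control_total"]:
        exceptions.append(("CONTROL_TOTAL", f"header {header['control_total']}, got {amounts}"))
    if accounts != header["hash_total"]:
        exceptions.append(("HASH_TOTAL", f"header {header['hash_total']}, got {accounts}"))
    return exceptions


def exception_codes(header: dict, csv_text: str) -> list:
    """Just the codes, in the order detected; convenient for reporting."""
    return [code for code, _ in validate_batch(header, csv_text)]


if __name__ == "__main__":
    for code, detail in validate_batch(BATCH_HEADER, BATCH_RECORDS):
        print(f"{BATCH_HEADER['batch_id']} {code:16s} {detail}")
```

Note that the sample batch's totals all agree with the header even though a record is missing and another is duplicated: the duplicate happens to make the count right, and the totals were prepared from the same flawed records. That is exactly why sequence control and control totals are used together; neither alone would have caught both problems.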
computer server
1) A computer dedicated to servicing requests for resources from other computers on a network. Servers typically run network operating systems. 2) A computer that provides services to another computer (the client).
Computer-aided software engineering (CASE)
The use of software packages that aid in the development of all phases of an information system. System analysis; design programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.
Computer-assisted audit technique (CAATs)
Any automated audit technique, such as generalized audit software, test data generators, computerized audit programs and specialized audit utilities
Concurrent access
A fail-over process, in which all nodes run the same resource group (there can be no IP or MAC addresses in a concurrent resource group) and access the external storage concurrently
Confidentiality
Confidentiality concerns the protection of sensitive information from unauthorized disclosure
Console log
An automated detail report of computer system activity
consumer
One who obtains products or services from a bank to be used primarily for personal, family or household purposes.
Content filtering
Controlling access to a network by analyzing the contents of the incoming and outgoing packets and either letting them pass or denying them based on a list of rules. Differs from packet filtering in that it is the data in the packet that are analyzed instead of the attributes of the packet itself (e.g., source/target IP address, TCP flags).
Continuity
The acts of preventing, mitigating and recovering from disruption. The terms business resumption planning, disaster recovery planning and contingency planning also may be used in this context; they all concentrate on the recovery aspects of continuity.
Continuous auditing approach
This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.
Control group
Members of the operations area that are responsible for the collection, logging and submission of input for the various user groups
Control objective
The objectives of management that are used as the framework for developing and implementing controls (control procedures).
Control Objectives for Enterprise Governance
A discussion document which sets out an "Enterprise Governance Model" focusing strongly on both the enterprise business goals and the information technology enablers which facilitate good enterprise governance, published by the Information Systems Audit and Control Foundation in 1999
Control perimeter
The boundary defining the scope of control authority for an entity. For example, if a system is within the control perimeter, the right and ability exists to control it in response to an attack.
Control risk
The risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system
control risk self-assessment
An empowering method/process by which management and staff of all levels collectively identify and evaluate IS-related risks and controls under the guidance of a facilitator who could be an IS auditor. The IS auditor can utilise CRSA for gathering relevant information about risks and controls and to forge greater collaboration with management and staff. CRSA provides a framework and tools for management and employees to: identify and prioritise their business objectives; assess and manage high-risk areas of business processes; self-evaluate the adequacy of controls; and develop risk treatment recommendations.
Control section
The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic-logic, internal storage and output sections of the computer
Control weakness
A deficiency in the design or operation of a control procedure. Control weaknesses can potentially result in risks relevant to the area of activity not being reduced to an acceptable level (relevant risks are those that threaten achievement of the objectives relevant to the area of activity being examined). Control weaknesses can be material when the design or operation of one or more control procedures does not reduce to a relatively low level the risk that misstatements caused by illegal acts or irregularities may occur and not be detected by the related control procedures.
Controls
(Control procedures) Those policies and procedures implemented to achieve a related control objective
corporate exchange rate
An exchange rate which can be used optionally to perform foreign currency conversion. The corporate exchange rate is generally a standard market rate determined by senior financial management for use throughout the organization.
Corporate governance
"...the structure through which the objectives of an organization are set, and the means of attaining those objectives, and determines monitoring performance guidelines. Good corporate governance should provide proper incentives for board and management to pursue objectives that are in the interests of the company and stakeholders and should facilitate effective monitoring, thereby encouraging firms to use resources more efficiently." (Source: Principles of Corporate Governance, 1999, issued by the Organization for Economic Cooperation and Development (OECD))
Corrective controls
These controls are designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected.
COSO
A report on "Internal Control--An Integrated Framework" sponsored by the Committee of Sponsoring Organizations of the Treadway Commission in 1992. It provides guidance and a comprehensive framework of internal control for all organizations.
Coupling
Measure of interconnectivity among software program modules' structure. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data passes across the interface. In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand and maintain, and less prone to a ripple or domino effect caused when errors occur at one location and propagate through the system.
Coverage
The proportion of known attacks detected by an intrusion detection system
Credentialed analysis
In vulnerability analysis, passive monitoring approaches in which passwords or other access credentials are required. This sort of check usually involves accessing a system data object.
credit risk
The risk to earnings or capital arising from an obligor's failure to meet the terms of any contract with the bank or otherwise to perform as agreed. Internet banking provides the opportunity for banks to expand their geographic range. Customers can reach a given bank from literally anywhere in the world. In dealing with customers over the Internet, absent any personal contact, it is challenging for banks to verify the good faith of their customers, which is an important element in making sound credit decisions.
Criteria
The standards and benchmarks used to measure and present the subject matter and against which the IS auditor evaluates the subject matter. Criteria should be objective (free from bias), measurable (provide for consistent measurement), complete (include all relevant factors to reach a conclusion) and relevant (relate to the subject matter).
Cross-certification
A certificate issued by one certification authority to a second certification authority so that users of the first certification authority are able to obtain the public key of the second certification authority and verify the certificates it has created. Often cross-certification refers specifically to certificates issued to each other by two CAs at the same level in a hierarchy.
Cryptography
The art of designing; analyzing and attacking cryptographic schemes
data analysis
Typically in large organisations, where the quantum of data processed by the ERPs is extremely voluminous, analysis of patterns and trends proves to be extremely useful in ascertaining the efficiency and effectiveness of operations. Most ERPs provide opportunities for extraction and analysis of data, some with built-in tools and others through the use of third-party developed tools that interface with the ERP systems.
Data communications
The transfer of data between separate computer processing sites/devices using telephone lines, microwave and/or satellite links
Data custodian
Individuals and departments responsible for the storage and safeguarding of computerized information. This typically is within the IS organization.
Data dictionary
A data dictionary is a database that contains the name, type, range of values, source and authorization for access for each data element in a database. It also indicates which application programs use that data so that when a change to a data structure is contemplated, a list of the affected programs can be generated. The data dictionary may be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database.
Data diddling
Changing data with malicious intent before or during input into the system
Data Encryption Standard (DES)
A private key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES has been used commonly for data encryption in the forms of software and hardware implementation (also see private key cryptosystems).
data flow
The flow of data from the input (in Internet banking, ordinarily user input at his/her desktop) to output (in Internet banking, ordinarily data in a bank's central database). Data flow includes travelling through the communication lines, routers, switches and firewalls as well as processing through various applications on servers which process the data from the user's fingers to storage in the bank's central database.
data integrity
The property that data meet an a priori expectation of quality and that the data can be relied upon
Data leakage
Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes
Data owner
Individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting and use of computerized data
Data security
Those controls that seek to maintain confidentiality, integrity and availability of information
Data structure
The relationships among files in a database and among data items within each file
Database
A stored collection of related data needed by organizations and individuals to meet their information processing and retrieval requirements
Database administrator (DBA)
An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database.
Database management system (DBMS)
A complex set of software programs that control the organization, storage and retrieval of data in a database. It also controls the security and integrity of the database.
Database replication
The process of creating and managing duplicate versions of a database. Replication not only copies a database but also synchronizes a set of replicas so that changes made to one replica are reflected in all the others. The beauty of replication is that it enables many users to work with their own local copy of a database but have the database updated as if they were working on a single centralized database. For database applications where users are widely distributed geographically, replication is often the most efficient method of database access.
Database specifications
These are the requirements for establishing a database application. They include field definitions, field requirements and reporting requirements for the individual information in the database.
Datagram
A packet (encapsulated with a frame containing information), which is transmitted in a packet-switching network from source to destination
Data-oriented systems development
The purpose is to provide usable data rather than a function. The focus of the development is to provide ad hoc reporting for users by developing a suitable accessible database of information.
DDoS (distributed denial-of-service) attack
A denial-of-service (DoS) assault from multiple sources; see DoS
Decentralization
The process of distributing computer processing to different locations within an organization
Decision support systems (DSS)
An interactive system that provides the user with easy access to decision models and data, to support semistructured decision-making tasks
Decoy server
See honey pot.
Decryption
A technique used to recover the original plaintext from the ciphertext such that it is intelligible to the reader. The decryption is a reverse process of the encryption.
Decryption key
A piece of information, in a digitized form, used to recover the plaintext from the corresponding ciphertext by decryption
Default deny policy
A policy whereby access is denied unless it is specifically allowed. The inverse of default allow.
Default password
The password used to gain access when a system is first installed on a computer or network device. There is a large list published on the Internet and maintained at several locations. Failure to change these after the installation leaves the system vulnerable.
Degauss
To apply a variable, alternating current (AC) field for the purpose of demagnetizing magnetic recording media. The process involves increasing the AC field gradually from zero to some maximum value and back to zero, which leaves a very low residue of magnetic induction on the media. Degauss loosely means to erase.
Demodulation
The process of converting an analog telecommunications signal into a digital computer signal
Detailed IS controls
Controls over the acquisition, implementation, delivery and support of IS systems and services. They are made up of application controls plus those general controls not included in pervasive controls.
Detection risk
The risk that the IS auditor's substantive procedures will not detect an error which could be material, individually or in combination with other errors
Detective controls
These controls exist to detect and report when errors, omissions and unauthorized uses or entries occur.
Dial-back
Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the caller is from a valid phone number or telecommunications channel.
Dial-in access controls
Controls that prevent unauthorized access from remote users that attempt to access a secured environment. These controls range from dial-back controls to remote user authentication.
Digital certificate
A certificate identifying a public key to its subscriber, corresponding to a private key held by that subscriber. It is a unique code that typically is used to allow the authenticity and integrity of communicated data to be verified.
digital certification
A process to authenticate (or certify) a party's digital signature, carried out by trusted third parties.
Digital signature
A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender's private key or applying a one-way hash function.
Direct reporting engagement
An engagement where management does not make a written assertion about the effectiveness of their control procedures, and the IS auditor provides an opinion about subject matter directly, such as the effectiveness of the control procedures
Discovery sampling
A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population
Diskless workstations
A workstation or PC on a network that does not have its own disk. Instead, it stores files on a network file server.
Distributed data processing network
A system of computers connected together by a communications network. Each computer processes its data and the network supports the system as a whole. Such a network enhances communication among the linked computers and allows access to shared files.
DMZ (demilitarized zone)
Commonly it is the network segment between the Internet and a private network. It allows access to services from the Internet and the internal private network, while denying access from the Internet directly to the private network.
DNS (domain name system)
A hierarchical database that is distributed across the Internet that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and e-mail servers
DoS (denial-of-service) attack
An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate
Downloading
The act of transferring computerized information from one computer to another computer
Downtime report
A report that identifies the elapsed time when a computer is not operating correctly because of machine failure
Dry-pipe fire extinguisher system
Refers to a sprinkler system that does not have water in the pipes during idle usage, unlike a fully charged fire extinguisher system that has water in the pipes at all times. The dry-pipe system is activated at the time of the fire alarm, and water is emitted to the pipes from a water reservoir for discharge to the location of the fire.
Due care
Diligence which a person would exercise under a given set of circumstances
Due professional care
Diligence which a person, who possesses a special skill, would exercise under a given set of circumstances
Dumb terminal
A display terminal without processing capability. Dumb terminals are dependent upon the main computer for processing. All entered data are accepted without further editing or validation.
Duplex routing
The method or communication mode of routing data over the communication network (also see half duplex and full duplex)
Dynamic analysis
Analysis that is performed in real time or in continuous form
Echo checks
Detects line errors by retransmitting data back to the sending device for comparison with the original transmission
e-commerce
Defined by ISACA as the processes by which organisations conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology. It therefore encompasses both business-to-business (B2B) and business-to-consumer (B2C) e-Commerce models, but does not include existing non-Internet e-Commerce methods based on private networks such as EDI and SWIFT.
Edit controls
Detects errors in the input portion of information that is sent to the computer for processing. The controls may be manual or automated and allow the user to edit data errors before processing.
Editing
Editing ensures that data conform to predetermined criteria and enable early identification of potential errors.
Electronic cash
An electronic form functionally equivalent to cash in order to make and receive payments in cyberbanking
Electronic data interchange (EDI)
The electronic transmission of transactions (information) between two organizations. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders.
Electronic funds transfer (EFT)
The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another.
Electronic signature
Any technique designed to provide the electronic equivalent of a handwritten signature to demonstrate the origin and integrity of specific data. Digital signatures are an example of electronic signatures.
Electronic vaulting
A data recovery strategy that allows organizations to recover data within hours after a disaster. It includes recovery of data from an offsite storage media that mirrors data via a communication link. Typically used for batch/journal updates to critical files to supplement full backups taken periodically.
E-mail/interpersonal messaging
An individual using a terminal, PC or an application can access a network to send an unstructured message to another individual or group of people.
Embedded audit module
Integral part of an application system that is designed to identify and report specific transactions or other information based on pre-determined criteria. Identification of reportable items occurs as part of real-time processing. Reporting may be real-time online; or may use store and forward methods. Also known as integrated test facility or continuous auditing module.
Encapsulation (objects)
Encapsulation is the technique used by layered protocols in which a lower layer protocol accepts a message from a higher layer protocol and places it in the data portion of a frame in the lower layer.
Encryption
The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)
Encryption key
A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext
End-user computing
The ability of end users to design and implement their own information system utilizing computer software products
Engagement letter
Formal document which defines the IS auditor's responsibility, authority and accountability for a specific assignment
Enterprise governance
A broad and wide-ranging concept of corporate governance, covering associated organizations such as global strategic alliance partners. (Source: Control Objectives for Enterprise Governance Discussion Document, published by the Information Systems Audit and Control Foundation in 1999)
enterprise resource planning
First, it denotes the planning and management of resources in an enterprise. Second, it denotes a software system that can be used to manage whole business processes, integrating purchasing, inventory, personnel, customer service, shipping, financial management and other aspects of the business. An ERP system typically is based on a common database, various integrated business process application modules and business analysis tools
error
Error control deviations (compliance testing) or misstatements (substantive testing)
Error risk
The risk of errors occurring in the area being audited
Ethernet
A popular network protocol and cabling scheme that uses a bus topology and CSMA/CD (carrier sense multiple access/collision detection) to prevent network failures or collisions when two devices try to access the network at the same time
Evidence
The information an auditor gathers in the course of performing an IS audit. Evidence is relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support.
Exception reports
An exception report is generated by a program that identifies transactions or data that appear to be incorrect. These items may be outside a predetermined range or may not conform to specified criteria.
Executable code
The machine language code that is generally referred to as the object or load module
Expert systems
Expert systems are the most prevalent type of computer systems that arise from the research of artificial intelligence. An expert system has a built-in hierarchy of rules, which are acquired from human experts in the appropriate field. Once input is provided, the system should be able to define the nature of the problem and provide recommendations to solve the problem.