Glossary of Terms
| Term | Definition |
| --- | --- |
| Abend | An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing |
| Access control | The process that limits and controls access to resources of a computer system; a logical or physical control designed to protect against unauthorized entry or use. Access control can be defined by the system (mandatory access control, or MAC) or defined by the user who owns the object (discretionary access control, or DAC). |
| Access control table | An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals |
| Access method | The technique used for selecting records in a file, one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization that determines how the records are stored. |
| Access path | The logical route an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system. |
| Access rights | Also called permissions or privileges, these are the rights granted to users by the administrator or supervisor. Access rights determine the actions users can perform (e.g., read, write, execute, create and delete) on files in shared volumes or file shares on the server. |
| Accountability | The ability to map a given activity or event back to the responsible party |
| ACK (acknowledgement) | A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly by the receiver without errors, or that the receiver is now ready to accept a transmission |
| Active recovery site (mirrored) | A recovery strategy that involves two active sites, each capable of taking over the other's workload in the event of a disaster. Each site will have enough idle processing power to restore data from the other site and to accommodate the excess workload in the event of a disaster. |
| Active response | A response in which the system (automatically or in concert with the user) blocks or otherwise affects the progress of a detected attack. The response takes one of three forms: amending the environment, collecting more information or striking back against the user. |
| Address | The code used to designate the location of a specific piece of data within computer storage |
| Address space | The number of distinct locations that may be referred to with the machine address. For most binary machines, it is equal to 2^n, where n is the number of bits in the machine address. |
| Addressing | The method used to identify the location of a participant in a network. Ideally, addressing specifies where the participant is located rather than who they are (name) or how to get there (routing). |
| Adjusting period | The calendar can contain "real" accounting periods and/or adjusting accounting periods. The "real" accounting periods must not overlap, and there cannot be any gaps between "real" accounting periods. Adjusting accounting periods can overlap with other accounting periods. For example, a period called DEC-93 can be defined that includes 01-DEC-1993 through 31-DEC-1993. An adjusting period called DEC31-93 can also be defined that includes only one day: 31-DEC-1993 through 31-DEC-1993. |
| Administrative controls | The actions/controls dealing with operational effectiveness, efficiency and adherence to regulations and management policies |
| Allocation entry | A recurring journal entry used to allocate revenues or costs. For example, an allocation entry could be defined to allocate costs to each department based on headcount. |
| Alpha | The use of alphabetic characters or an alphabetic character string |
| Analog | A transmission signal that varies continuously in amplitude and time and is generated in wave formation. Analog signals are used in telecommunications. |
| Anomaly | Unusual or statistically rare |
| Anomaly detection | Detection on the basis of whether the system activity matches that defined as abnormal |
| Anonymity | The quality or state of not being named or identified |
| Anonymous File Transfer Protocol (FTP) | A method for downloading public files using the File Transfer Protocol (FTP). Anonymous FTP is called anonymous because users do not need to identify themselves before accessing files from a particular server. In general, users enter the word anonymous when the host prompts for a username; anything can be entered for the password, such as the user's e-mail address or simply the word guest. In many cases, an anonymous FTP site will not even prompt users for a name and password. |
| Antivirus software | Applications that detect, prevent and possibly remove all known viruses from files located on a microcomputer hard drive |
| Appearance | The act of giving the idea or impression of being or doing something |
| Appearance of independence | Behavior adequate to meet the situations occurring during audit work (interviews, meetings, reporting, etc.). The IS auditor should be aware that appearance of independence depends upon the perceptions of others and can be influenced by improper actions or associations. |
| Applet | A program written in a portable, platform-independent computer language, such as Java. It is usually embedded in an HTML page and then executed by a browser. Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers. |
| Application | A computer program or set of programs that performs the processing of records for a specific function |
| Application acquisition review | An evaluation of an application system being acquired or evaluated, which considers whether appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; and the system is acquired in compliance with the established system acquisition process. |
| Application controls | Controls that relate to the transactions and data of each computer-based application system and are therefore specific to each such application. The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein resulting from both manual and programmed processing. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted. |
| Application development review | An evaluation of an application system under development, which considers whether appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; and the system is developed in compliance with the established systems development life cycle process |
| Application implementation review | An evaluation of any part of an implementation project (e.g., project management, test plans, user acceptance testing procedures) |
| Application layer | A layer within the International Organization for Standardization (ISO)/Open Systems Interconnection (OSI) model. It is used in information transfers between users through application programs and other devices. Various protocols are needed in this layer; some of them are specific to certain applications and others are more general for network services. |
| Application maintenance review | An evaluation of any part of a project to perform maintenance on an application system (e.g., project management, test plans, user acceptance testing procedures) |
| Application program | A program that processes actions upon business data, such as data entry, update or query. It contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort. |
| Application programming | The act or function of developing and maintaining application programs in production |
| Application programming interface (API) | A set of routines, protocols and tools referred to as "building blocks" used in business application software development. A good API makes it easier to develop a program by providing all the building blocks related to the functional characteristics of an operating system, which applications need to specify when, for example, interfacing with an operating system (e.g., those provided by MS-Windows or different versions of UNIX). A programmer would use these APIs in developing applications that can operate effectively and efficiently on the platform chosen. |
| Application proxy | A proxy service that connects programs running on internal networks to services on exterior networks by creating two connections, one from the requesting client and another to the destination service |
| Application security | Refers to the security aspects supported by the ERP, primarily with regard to the roles or responsibilities and audit trails within the applications |
| Application software tracing and mapping | Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, control conditions and processing sequences. Both the command language or job control statements and the programming language can be analyzed. This technique includes program/system mapping, tracing, snapshots, parallel simulations and code comparisons. |
| Application system | An integrated set of computer programs designed to serve a particular function that has specific input, processing and output activities (e.g., general ledger, manufacturing resource planning, human resource management) |
| Arithmetic-logic unit (ALU) | The area of the central processing unit that performs mathematical and analytical operations |
| Artificial intelligence | Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules |
| ASCII (American Standard Code for Information Interchange) | An eight-digit/seven-bit code representing 128 characters; used in most small computers |
| ASP/MSP (application or managed service provider) | A third party that delivers and manages applications and computer services, including security services, to multiple users via the Internet or a private network |
| Assembler | A program that takes as input a program written in assembly language and translates it into machine code or relocatable code |
| Assembly language | A low-level computer programming language that uses symbolic code and produces machine instructions |
| Asymmetric key (public key) | A cipher technique whereby different cryptographic keys are used to encrypt and decrypt a message (see public key cryptosystems) |
| Asynchronous Transfer Mode (ATM) | ATM is a high-bandwidth, low-delay switching and multiplexing technology. It is a data link layer protocol, which means that it is a protocol-independent transport mechanism. ATM allows integration of real-time voice and video as well as data, and very high speed data transfer rates of up to 155 Mbit/s. |
| Asynchronous transmission | Character-at-a-time transmission |
| Attest reporting engagement | An engagement where an IS auditor is engaged to examine either management's assertion regarding a particular subject matter or the subject matter directly. The IS auditor's report consists of an opinion on one of the following: (1) the subject matter; these reports relate directly to the subject matter itself rather than to an assertion. In certain situations management will not be able to make an assertion over the subject of the engagement, for example when IT services are outsourced to a third party; management will not ordinarily be able to make an assertion over the controls that the third party is responsible for, so an IS auditor would have to report directly on the subject matter rather than on an assertion. (2) Management's assertion about the effectiveness of the control procedures. (3) An examination reporting engagement, where the IS auditor is engaged to issue an opinion on a particular subject matter; these engagements can include reports on controls implemented by management and on their operating effectiveness. |
| Attitude | Way of thinking, behaving, feeling, etc. |
| Attribute sampling | An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size) |
| Audit | The process of generating, recording and reviewing a chronological record of system events to ascertain their accuracy |
| Audit accountability | Performance measurement of service delivery, including cost, timeliness and quality, against agreed service levels |
| Audit authority | A statement of the position within the organization, including lines of reporting and the rights of access |
| Audit charter | A document that defines the IS audit function's responsibility, authority and accountability |
| Audit evidence | The information systems auditor (IS auditor) gathers information in the course of performing an IS audit. The information used by the IS auditor to meet audit objectives is referred to as audit evidence (evidence). Also used to describe the level of risk that an auditor is prepared to accept during an audit engagement. |
| Audit expert systems | Expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field. This technique includes automated risk analysis, systems software and control objectives software packages. |
| Audit objective | The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk. |
| Audit plan | A high-level description of the audit work to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience, and other general aspects of the work. |
| Audit program | A series of steps to complete an audit objective |
| Audit responsibility | The roles, scope and objectives documented in the service level agreement between management and audit |
| Audit risk | The risk of giving an incorrect audit opinion |
| Audit sampling | The application of audit procedures to less than 100 percent of the items within a population to obtain audit evidence about a particular characteristic of the population |
| Audit trail | A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source |
| Auditability | The level to which transactions can be traced and audited through a system |
| Authentication | The act of verifying the identity of a system entity (e.g., a user, a system, a network node) and the entity's eligibility to access computerized information. Designed to protect against fraudulent logon activity. Authentication can also refer to the verification of the correctness of a piece of data. |
| Authorization | The process of determining what types of activities are permitted. Ordinarily, authorization is in the context of authentication: once a user has been authenticated, he or she may be authorized to perform different types of access or activity |
| Automated teller machine (ATM) | A 24-hour, stand-alone mini-bank, located outside branch bank offices or in public places like shopping malls. Through ATMs, clients can make deposits, withdrawals, account inquiries and transfers. Typically, the ATM network comprises two spheres: a proprietary sphere, in which the bank manages the transactions of its clients, and the public or shared domain, in which a client of one financial institution can use another's ATMs. |
| Availability | Availability relates to information being available when required by the business process, now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities. |
| Backup | Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service |
| Bandwidth | The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or hertz (cycles per second). |
| Bar code | A printed machine-readable code that consists of parallel bars of varied width and spacing |
| Base case | A standardized body of data created for testing purposes. Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system. |
| Baseband | A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division, usually using a transceiver. In baseband the entire bandwidth of the transmission medium (e.g., coaxial cable) is used for a single channel. |
| Batch control | Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage. There are two main forms of batch controls: 1) sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed, and 2) control total, which is a total of the values in selected fields within the transactions. |
| Batch processing | The processing of a group of transactions at the same time. Transactions are collected and processed against the master files at a specified time. |
| Baud rate | The rate of transmission for telecommunication data. It is expressed in bits per second (bps). |
| Benchmark | A test that has been designed to evaluate the performance of a system. In a benchmark test, a system is subjected to a known workload and the performance of the system against this workload is measured. Typically, the purpose is to compare the measured performance with that of other systems that have been subject to the same benchmark test. |
| Binary code | A code whose representation is limited to 0 and 1 |
| Biometric locks | Door and entry locks that are activated by such biometric features as voice, retina, fingerprint or signature |
| Biometrics | A security technique that verifies an individual's identity by analyzing a unique physical attribute, such as a handprint |
| Black box testing | A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code internals |
| Border router | See external router. |
| Bridge | A device that connects two similar networks together |
| Broadband | In broadband, multiple channels are formed by dividing the transmission medium into discrete frequency segments. It generally requires the use of a modem. |
| Brouters | Devices that perform the functions of both bridges and routers. They operate at both the data link and the network layers. A brouter connects LAN segments of the same data link type as well as segments of different data link types, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type; whenever required, it also processes and forwards messages to a network of a different data link type based on the network protocol address. When connecting networks of the same data link type, brouters are as fast as bridges, while also being able to connect networks of different data link types. |
| Browser | A computer program that enables the user to retrieve information that has been made publicly available on the Internet and that permits multimedia (graphics) applications on the World Wide Web |
| Brute force | The name given to a class of algorithms that repeatedly try all possible combinations until a solution is found |
| BSP (business service provider) | An ASP that also provides outsourcing of business processes such as payment processing, sales order processing and application development |
| Budget | Estimated cost and revenue amounts for a given range of periods and set of books. There can be multiple budget versions for the same set of books. |
| Budget formula | A mathematical expression used to calculate budget amounts based on actual results, other budget amounts and statistics. With budget formulas, budgets using complex equations, calculations and allocations can be created automatically. |
| Budget hierarchy | A group of budgets linked together at different levels such that the budgeting authority of a lower-level budget is controlled by an upper-level budget. |
| Budget organization | An entity (department, cost center, division or other group) responsible for entering and maintaining budget data. |
| Buffer | Memory reserved to temporarily hold data. Buffers are used to offset differences between the operating speeds of different devices, such as a printer and a computer. In a program, buffers are reserved areas of RAM that hold data while they are being processed. |
| Bulk data transfer | A data recovery strategy that includes a recovery from complete backups that are physically shipped off site once a week. Specifically, logs are batched electronically several times daily, and then loaded into a tape library located at the same facility as the planned recovery. |
| Bus | Common path or channel between hardware devices. It can be between components internal to a computer or between external computers in a communications network. |
| Bus topology | A type of local area network (LAN) architecture in which each station is directly attached to a common communication channel. Signals transmitted over the channel take the form of messages. As each message passes along the channel, each station receives it. Each station then determines, based on an address contained in the message, whether to accept and process the message or simply to ignore it. |
| Business impact analysis (BIA) | An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover and prioritizes the recovery of processes and supporting systems |
| Business process integrity | Controls over the business processes that are supported by the ERP |
| Business process reengineering (BPR) | Modern expression for organizational development stemming from IS/IT impacts. The ultimate goal of BPR is to yield a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings. To reengineer means to redesign a structure and procedures with intelligence and skills, while being well informed about all of the attendant factors of a given situation, so as to obtain the maximum benefits from mechanization as the basic rationale. |
| Business risk | Risks that could impact the organization's ability to perform business or provide a service. They can be financial, regulatory or control oriented. |
| Business-to-consumer e-commerce (B2C) | Refers to the processes by which organizations conduct business electronically with their customers and/or the public at large using the Internet as the enabling technology. |
| Bypass label processing (BLP) | A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system. |
| CAATs | See computer-assisted audit techniques |
| Cadbury | The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was chaired by Sir Adrian Cadbury and produced a report on the subject commonly known, in the UK, as the Cadbury Report. |
| Capacity stress testing | Testing an application with large quantities of data to evaluate its performance during peak periods. It is also called volume testing. |
| Card swipes | A physical control technique that uses a secured card or ID to gain access to a highly sensitive location. Card swipes, if built correctly, act as a preventive control over physical access to those sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs all card users that try to access the secured location. The card swipe device prevents unauthorized access and logs all attempts to enter the secured location. |
| Cathode ray tube (CRT) | A vacuum tube that displays data by means of an electron beam striking the screen, which is coated with suitable phosphor material, or a device similar to a television screen upon which data can be displayed |
| Central office (CO) | A telecommunications carrier's facilities in a local area in which service is provided, where local service is switched to long distance |
| Central processing unit (CPU) | Computer hardware that houses the electronic circuits that control/direct all operations of the computer system |
| Centralized data processing | Identified by one central processor and databases that form a distributed processing configuration |
| Certificate authority (CA) | A trusted third party that serves authentication infrastructures or organizations and registers entities and issues them certificates |
| Certificate revocation list | A list of retracted certificates |
| Challenge/response token | A method of user authentication. Challenge/response authentication is carried out through use of the Challenge Handshake Authentication Protocol (CHAP). When a user tries to log into the server, the server sends the user a "challenge," which is a random value. The user enters a password, which is used as an encryption key to encrypt the "challenge" and return it to the server. The server is aware of the password; it therefore encrypts the "challenge" value and compares it with the value received from the user. If the values match, the user is authenticated. The challenge/response activity continues throughout the session, and this protects the session from password sniffing attacks. In addition, CHAP is not vulnerable to "man in the middle" attacks, as the challenge value is a random value that changes on each access attempt. |
| Check digit | A numeric value, calculated mathematically, that is added to data to verify that the original data have not been altered or that an incorrect but valid-looking match has not occurred. This control is effective in detecting transposition and transcription errors. |
| Check digit verification (self-checking digit) | A programmed edit or routine that detects transposition and transcription errors by calculating and checking the check digit |
| Checkpoint restart procedures | A point in a routine at which sufficient information can be stored to permit restarting the computation from that point |
| Ciphertext | Information generated by an encryption algorithm to protect the plaintext. The ciphertext is unintelligible to the unauthorized reader. |
| Circuit-switched network | A data transmission service requiring the establishment of a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE. A circuit-switched data transmission service uses a connection network. |
| Circular routing | In open systems architecture, circular routing is the logical path of a message in a communications network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model. |
| Cleartext | Data that are not encrypted. Also known as plaintext. |
| Client-server | A group of computers connected by a communications network, where the client is the requesting machine and the server is the supplying machine. Software is specialized at both ends. Processing may take place on either the client or the server, but it is transparent to the user. |
| Cluster controller | A communications terminal control hardware unit that controls a number of computer terminals. All messages are buffered by the controller and then transmitted to the receiver. |
| Coaxial cable | Composed of an insulated wire that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation that wraps the second wire. Coaxial cable has a greater transmission capacity than standard twisted-pair cables but has a limited range of effective distance. |
| COBIT® | Control Objectives for Information and related Technology, the international set of IT control objectives published by ISACF® (1996, 1998, 2000) |
| COCO | Criteria of Control, published by the Canadian Institute of Chartered Accountants in 1995 |
| Cohesion | The extent to which a system unit (subroutine, program, module, component, subsystem) performs a single dedicated function. Generally, the more cohesive the units, the easier it is to maintain and enhance a system, since it is easier to determine where and how to apply a change. |
| Cold site | An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility. |
| Combined Code on Corporate Governance | The consolidation in 1998 of the "Cadbury," "Greenbury" and "Hampel" Reports. Named after the Committee Chairs, these reports were sponsored by the UK Financial Reporting Council, the London Stock Exchange, the Confederation of British Industry, the Institute of Directors, the Consultative Committee of Accountancy Bodies, the National Association of Pension Funds and the Association of British Insurers to address the Financial Aspects of Corporate Governance, Directors' Remuneration and the implementation of the Cadbury and Greenbury recommendations. |
| Communications controller | Small computers used to connect and coordinate communication links between distributed or remote devices and the main computer, thus freeing the main computer from this overhead function |
| Comparison program | A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences |
| Compensating control | An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions |
| Compiler | A program that translates programming language (source code) into machine executable instructions (object code) |
| Completeness check | A procedure designed to ensure that no fields are missing from a record |
| Compliance testing | Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period |
| Components (as in component-based development) | Cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as many predeveloped, pretested components as possible. |
| Comprehensive audit | An audit designed to determine the accuracy of financial records, as well as evaluate the internal controls of a function or department |
| Computationally greedy | Requiring a great deal of computing power; processor intensive |
| Computer sequence checking | Verifies that the control number follows sequentially; any control numbers out of sequence are rejected or noted on an exception report for further research |
| Computer server | 1) A computer dedicated to servicing requests for resources from other computers on a network. Servers typically run network operating systems. 2) A computer that provides services to another computer (the client). |
| Computer-aided software engineering (CASE) | The use of software packages that aid in the development of all phases of an information system. System analysis, design, programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access. |
| Computer-assisted audit techniques (CAATs) | Any automated audit technique, such as generalized audit software, test data generators, computerized audit programs and specialized audit utilities |
| Concurrent access | A fail-over process in which all nodes run the same resource group (there can be no IP or MAC addresses in a concurrent resource group) and access the external storage concurrently |
| Confidentiality | Confidentiality concerns the protection of sensitive information from unauthorized disclosure |
| Console log | An automated detail report of computer system activity |
| Consumer | One who obtains products or services from a bank to be used primarily for personal, family or household purposes. |
| Content filtering | Controlling access to a network by analyzing the contents of the incoming and outgoing packets and either letting them pass or denying them based on a list of rules. Differs from packet filtering in that it is the data in the packet that are analyzed instead of the attributes of the packet |
itself (e.g., source/target IP address, TCP flags).
|
Continuity
|
The acts preventing, mitigating and recovering from disruption.
The terms business resumption planning, disaster recovery planning and
contingency planning also may be used in this context; they all concentrate
on the recovery aspects of continuity.
|
Continuous auditing approach
|
This approach allows IS auditors to monitor system reliability
on a continuous basis and to gather selective audit evidence through the
computer.
|
Control group
|
Members of the operations area that are responsible for the
collection, logging and submission of input for the various user groups
|
Control objective
|
The objectives of management that are used as the framework for
developing and implementing controls (control procedures).
|
Control Objectives for Enterprise Governance
|
A discussion document which sets out an "Enterprise
Governance Model" focusing strongly on both the enterprise business
goals and the information technology enablers which facilitate good
enterprise governance, published by the Information Systems Audit and Control
Foundation in 1999
|
Control perimeter
|
The boundary defining the scope of control authority for an
entity. For example, if a system is within the control perimeter, the right
and ability exists to control it in response to an attack.
|
Control risk
|
The risk that an error which could occur in an audit area, and
which could be material, individually or in combination with other errors,
will not be prevented or detected and corrected on a timely basis by the
internal control system
|
control risk self-assessment
|
An empowering method/process by which management and staff of
all levels collectively identify and evaluate IS related risks and controls
under the guidance of a facilitator who could be an IS auditor. The IS
auditor can utilise CRSA for gathering relevant information about risks and
controls and to forge greater collaboration with management and staff. CRSA
provides a framework and tools for management and employees to:
* Identify and prioritise their business objectives.
* Assess and manage high risk areas of business processes.
* Self-evaluate the adequacy of controls.
* Develop risk treatment recommendations
|
Control section
|
The area of the central processing unit (CPU) that executes
software, allocates internal memory and transfers operations between the
arithmetic-logic, internal storage and output sections of the computer
|
Control weakness
|
A deficiency in the design or operation of a control procedure.
Control weaknesses can potentially result in risks relevant to the area of
activity not being reduced to an acceptable level (relevant risks are those
that threaten achievement of the objectives relevant to the area of activity
being examined). Control weaknesses can be material when the design or
operation of one or more control procedures does not reduce to a relatively
low level the risk that misstatements caused by illegal acts or
irregularities may occur and not be detected by the related control
procedures.
|
Controls
|
(Control procedures) Those policies and procedures implemented
to achieve a related control objective
|
corporate exchange rate
|
An exchange rate that can optionally be used to perform foreign
currency conversion. The corporate exchange rate is generally a standard
market rate determined by senior financial management for use throughout the
organization.
|
Corporate governance
|
"...the structure through which the objectives of an
organization are set, and the means of attaining those objectives, and
determines monitoring performance guidelines. Good corporate governance
should provide proper incentives for board and management to pursue
objectives that are in the interests of the company and stakeholders and
should facilitate effective monitoring, thereby encouraging firms to use
resources more efficiently." (Source: Principles of Corporate
Governance, 1999 issued by the Organization for Economic Cooperation and
Development (OECD))
|
Corrective controls
|
These controls are designed to correct errors, omissions and
unauthorized uses and intrusions, once they are detected.
|
COSO
|
A report on "Internal Control--An Integrated
Framework" sponsored by the Committee of Sponsoring Organizations of the
Treadway Commission in 1992. It provides guidance and a comprehensive
framework of internal control for all organizations.
|
Coupling
|
Measure of interconnectivity among software program modules’
structure. Coupling depends on the interface complexity between modules. This
can be defined as the point at which entry or reference is made to a module,
and what data passes across the interface. In application software design, it
is preferable to strive for the lowest possible coupling between modules.
Simple connectivity among modules results in software that is easier to
understand, maintain and less prone to a ripple or domino effect caused when
errors occur at one location and propagate through the system.
|
Coverage
|
The proportion of known attacks detected by an intrusion
detection system
|
Credentialed analysis
|
In vulnerability analysis, passive monitoring approaches in
which passwords or other access credentials are required. This sort of check
usually involves accessing a system data object.
|
credit risk
|
The risk to earnings or capital arising from an obligor’s
failure to meet the terms of any contract with the bank or otherwise to
perform as agreed. Internet banking provides the opportunity for banks to
expand their geographic range. Customers can reach a given bank from
literally anywhere in the world. In dealing with customers over the Internet,
absent any personal contact, it is challenging for banks to verify the good
faith of their customers, which is an important element in making sound
credit decisions.
|
Criteria
|
The standards and benchmarks used to measure and present the
subject matter and against which the IS auditor evaluates the subject matter.
Criteria should be:
Objective—free from bias
Measurable—provide for consistent measurement
Complete—include all relevant factors to reach a conclusion
Relevant—relate to the subject matter
|
Cross-certification
|
A certificate issued by one certification authority to a second
certification authority so that users of the first certification authority
are able to obtain the public key of the second certification authority and
verify the certificates it has created. Often cross certification refers
specifically to certificates issued to each other by two CAs at the same
level in a hierarchy.
|
Cryptography
|
The art of designing, analyzing and attacking cryptographic
schemes
|
data analysis
|
Typically in large organisations, where the quantity of data
processed by the ERP systems is extremely voluminous, analysis of patterns and
trends proves extremely useful in ascertaining the efficiency and
effectiveness of operations. Most ERPs provide opportunities for extraction
and analysis of data, some with built-in tools and others through the use of
third-party tools that interface with the ERP systems.
|
Data communications
|
The transfer of data between separate computer processing
sites/devices using telephone lines, microwave and/or satellite links
|
Data custodian
|
Individuals and departments responsible for the storage and
safeguarding of computerized information. This typically is within the IS
organization.
|
Data dictionary
|
A data dictionary is a database that contains the name, type,
range of values, source and authorization for access for each data element in
a database. It also indicates which application programs use that data so that,
when a change to a data structure is contemplated, a list of the affected
programs can be generated. The data dictionary may be a stand-alone information
system used for management or documentation purposes, or it may control the
operation of a database.
|
Data diddling
|
Changing data with malicious intent before or during input into
the system
|
Data Encryption Standard (DES)
|
A private key cryptosystem published by the National Bureau of
Standards (NBS), the predecessor of the US National Institute of Standards
and Technology (NIST). DES has been used commonly for data encryption in the
forms of software and hardware implementation (also see private key
cryptosystems).
|
data flow
|
The flow of data from the input (in Internet banking, ordinarily
user input at his/her desktop) to the output (in Internet banking, ordinarily
data in a bank’s central database). Data flow includes travelling through the
communication lines, routers, switches and firewalls, as well as processing
through the various applications on servers that handle the data from the
user's keyboard to storage in the bank's central database.
|
data integrity
|
The property that data meet an a priori expectation of
quality and that the data can be relied upon
|
Data leakage
|
Siphoning out or leaking information by dumping computer files
or stealing computer reports and tapes
|
Data owner
|
Individuals, normally managers or directors, who have
responsibility for the integrity, accurate reporting and use of computerized
data
|
Data security
|
Those controls that seek to maintain confidentiality, integrity
and availability of information
|
Data structure
|
The relationships among files in a database and among data items
within each file
|
Database
|
A stored collection of related data needed by organizations and
individuals to meet their information processing and retrieval requirements
|
Database administrator (DBA)
|
An individual or department responsible for the security and
information classification of the shared data stored on a database system.
This responsibility includes the design, definition and maintenance of the
database.
|
Database management system (DBMS)
|
A complex set of software programs that control the
organization, storage and retrieval of data in a database. It also controls
the security and integrity of the database.
|
Database replication
|
The process of creating and managing duplicate versions of a
database. Replication not only copies a database but also synchronizes a set
of replicas so that changes made to one replica are reflected in all the
others. The beauty of replication is that it enables many users to work with
their own local copy of a database but have the database updated as if they
were working on a single centralized database. For database applications
where geographically users are distributed widely, replication is often the
most efficient method of database access.
|
Database specifications
|
These are the requirements for establishing a database
application. They include field definitions, field requirements and reporting
requirements for the individual information in the database.
|
Datagram
|
A packet (encapsulated with a frame containing information),
which is transmitted in a packet-switching network from source to destination
|
Data-oriented systems development
|
The purpose is to provide usable data rather than a function.
The focus of the development is to provide ad hoc reporting for users by
developing a suitable accessible database of information.
|
DDoS (distributed denial-of-service) attack
|
A denial-of-service (DoS) assault from multiple sources; see DoS
|
Decentralization
|
The process of distributing computer processing to different
locations within an organization
|
Decision support systems (DSS)
|
An interactive system that provides the user with easy access to
decision models and data, to support semistructured decision-making tasks
|
Decoy server
|
See honey pot.
|
Decryption
|
A technique used to recover the original plaintext from the
ciphertext such that it is intelligible to the reader. The decryption is a
reverse process of the encryption.
|
Decryption key
|
A piece of information, in a digitized form, used to recover the
plaintext from the corresponding ciphertext by decryption
|
Default deny policy
|
A policy whereby access is denied unless it is specifically
allowed. The inverse of default allow.
|
Default password
|
The password used to gain access when a system is first
installed on a computer or network device. There is a large list published on
the Internet and maintained at several locations. Failure to change these
after the installation leaves the system vulnerable.
|
Degauss
|
To apply a variable, alternating current (AC) field for the
purpose of demagnetizing magnetic recording media. The process involves
increasing the AC field gradually from zero to some maximum value and back to
zero, which leaves a very low residue of magnetic induction on the media.
Degauss loosely means to erase.
|
Demodulation
|
The process of converting an analog telecommunications signal
into a digital computer signal
|
Detailed IS controls
|
Controls over the acquisition, implementation, delivery and support
of IS systems and services. They are made up of application controls plus
those general controls not included in pervasive controls.
|
Detection risk
|
The risk that the IS auditor's substantive procedures will not
detect an error which could be material, individually or in combination with
other errors
|
Detective controls
|
These controls exist to detect and report when errors, omissions
and unauthorized uses or entries occur.
|
Dial-back
|
Used as a control over dial-up telecommunications lines. The
telecommunications link established through dial-up into the computer from a
remote location is interrupted so the computer can dial back to the caller.
The link is permitted only if the caller is from a valid phone number or
telecommunications channel.
|
Dial-in access controls
|
Controls that prevent unauthorized access from remote users that
attempt to access a secured environment. These controls range from dial-back
controls to remote user authentication.
|
Digital certificate
|
A certificate identifying a public key to its subscriber,
corresponding to a private key held by that subscriber. It is a unique code
that typically is used to allow the authenticity and integrity of
communicated data to be verified.
|
digital certification
|
A process to authenticate (or certify) a party’s digital
signature, carried out by trusted third parties.
|
Digital signature
|
A piece of information, a digitized form of signature, that
provides sender authenticity, message integrity and nonrepudiation. A digital
signature is generated using the sender’s private key or applying a one-way
hash function.
|
Direct reporting engagement
|
An engagement where management does not make a written assertion
about the effectiveness of their control procedures, and the IS auditor
provides an opinion about subject matter directly, such as the effectiveness
of the control procedures
|
Discovery sampling
|
A form of attribute sampling that is used to determine a
specified probability of finding at least one example of an occurrence
(attribute) in a population
|
Diskless workstations
|
A workstation or PC on a network that does not have its own
disk. Instead, it stores files on a network file server.
|
Distributed data processing network
|
A system of computers connected together by a communications
network. Each computer processes its data and the network supports the system
as a whole. Such a network enhances communication among the linked computers
and allows access to shared files.
|
DMZ (demilitarized zone)
|
Commonly it is the network segment between the Internet and a private
network. It allows access to services from the Internet and the internal
private network, while denying access from the Internet directly to the
private network.
|
DNS (domain name system)
|
A hierarchical database that is distributed across the Internet
that allows names to be resolved into IP addresses (and vice versa) to locate
services such as web and e-mail servers
|
DoS (denial-of-service) attack
|
An assault on a service from a single source that floods it with
so many requests that it becomes overwhelmed and is either stopped completely
or operates at a significantly reduced rate
|
Downloading
|
The act of transferring computerized information from one
computer to another computer
|
Downtime report
|
A report that identifies the elapsed time when a computer is not
operating correctly because of machine failure
|
Dry-pipe fire extinguisher system
|
Refers to a sprinkler system that does not have water in the
pipes during idle usage, unlike a fully charged fire extinguisher system that
has water in the pipes at all times. The dry-pipe system is activated at the
time of the fire alarm, and water is emitted to the pipes from a water
reservoir for discharge to the location of the fire.
|
Due care
|
Diligence which a person would exercise under a given set of
circumstances
|
Due professional care
|
Diligence which a person, who possesses a special skill, would
exercise under a given set of circumstances
|
Dumb terminal
|
A display terminal without processing capability. Dumb terminals
are dependent upon the main computer for processing. All entered data are
accepted without further editing or validation.
|
Duplex routing
|
The method or communication mode of routing data over the
communication network (also see half duplex and full duplex)
|
Dynamic analysis
|
Analysis that is performed in real time or in continuous form
|
Echo checks
|
Detects line errors by retransmitting data back to the sending
device for comparison with the original transmission
|
e-commerce
|
Defined by ISACA as the processes by which organisations conduct
business electronically with their customers, suppliers and other external
business partners, using the Internet as an enabling technology. It therefore
encompasses both business-to-business (B2B) and business-to-consumer (B2C)
e-Commerce models, but does not include existing non-Internet e-Commerce
methods based on private networks such as EDI and SWIFT.
|
Edit controls
|
Detects errors in the input portion of information that is sent
to the computer for processing. The controls may be manual or automated and
allow the user to edit data errors before processing.
|
Editing
|
Editing ensures that data conform to predetermined criteria and
enable early identification of potential errors.
|
Electronic cash
|
An electronic form functionally equivalent to cash in order to
make and receive payments in cyberbanking
|
Electronic data interchange (EDI)
|
The electronic transmission of transactions (information)
between two organizations. EDI promotes a more efficient paperless
environment. EDI transmissions can replace the use of standard documents,
including invoices or purchase orders.
|
Electronic funds transfer (EFT)
|
The exchange of money via telecommunications. EFT refers to any
financial transaction that originates at a terminal and transfers a sum of
money from one account to another.
|
Electronic signature
|
Any technique designed to provide the electronic equivalent of a
handwritten signature to demonstrate the origin and integrity of specific
data. Digital signatures are an example of electronic signatures.
|
Electronic vaulting
|
A data recovery strategy that allows organizations to recover
data within hours after a disaster. It includes recovery of data from an
offsite storage media that mirrors data via a communication link. Typically
used for batch/journal updates to critical files to supplement full backups
taken periodically.
|
E-mail/interpersonal messaging
|
An individual using a terminal, PC or an application can access
a network to send an unstructured message to another individual or group of
people.
|
Embedded audit module
|
Integral part of an application system that is designed to
identify and report specific transactions or other information based on
pre-determined criteria. Identification of reportable items occurs as part of
real-time processing. Reporting may be real-time online, or may use store and
forward methods. Also known as integrated test facility or continuous
auditing module.
|
Encapsulation (objects)
|
Encapsulation is the technique used by layered protocols in
which a lower layer protocol accepts a message from a higher layer protocol
and places it in the data portion of a frame in the lower layer.
|
Encryption
|
The process of taking an unencrypted message (plaintext),
applying a mathematical function to it (encryption algorithm with a key) and
producing an encrypted message (ciphertext)
|
Encryption key
|
A piece of information, in a digitized form, used by an
encryption algorithm to convert the plaintext to the ciphertext
|
End-user computing
|
The ability of end users to design and implement their own
information system utilizing computer software products
|
Engagement letter
|
Formal document which defines the IS auditor's responsibility,
authority and accountability for a specific assignment
|
Enterprise governance
|
A broad and wide-ranging concept of corporate governance,
covering associated organizations such as global strategic alliance partners.
(Source: Control Objectives for Enterprise Governance Discussion Document,
published by the Information Systems Audit and Control Foundation in 1999)
|
enterprise resource planning
|
First, it denotes the planning and management of resources in an
enterprise. Second, it denotes a software system that can be used to manage
whole business processes, integrating purchasing, inventory, personnel,
customer service, shipping, financial management and other aspects of the
business. An ERP system typically is based on a common database, various
integrated business process application modules and business analysis tools
|
error
|
Control deviations (compliance testing) or misstatements
(substantive testing)
|
Error risk
|
The risk of errors occurring in the area being audited
|
Ethernet
|
A popular network protocol and cabling scheme that uses a bus
topology and CSMA/CD (carrier sense multiple access/collision detection) to
prevent network failures or collisions when two devices try to access the
network at the same time
|
Evidence
|
The information an auditor gathers in the course of performing
an IS audit. Evidence is relevant if it pertains to the audit objectives and
has a logical relationship to the findings and conclusions it is used to
support.
|
Exception reports
|
An exception report is generated by a program that identifies
transactions or data that appear to be incorrect. These items may be outside
a predetermined range or may not conform to specified criteria.
|
Executable code
|
The machine language code that is generally referred to as the
object or load module
|
Expert systems
|
Expert systems are the most prevalent type of computer system
that arises from research in artificial intelligence. An expert system has
a built-in hierarchy of rules, which are acquired from human experts in the
appropriate field. Once input is provided, the system should be able to
define the nature of the problem and provide recommendations to solve the
problem.
|
Exposure
|
The potential loss to an area due to the occurrence of an
adverse event
|
Extended Binary-coded Decimal Interchange Code (EBCDIC)
|
An eight-bit code representing 256 characters; used in most large computer
systems
|
Extensible Markup Language (XML)
|
Promulgated through the World Wide Web Consortium, XML is a
web-based application development technique that allows designers to create
their own customized tags, thus, enabling the definition, transmission,
validation and interpretation of data between applications and organizations.
|
External router
|
The router at the extreme edge of the network under control,
usually connected to an ISP or other service provider; also known as border
router
|
Fail-over
|
The transfer of service from an incapacitated primary component
to its backup component
|
Fail-safe
|
Describes the design properties of a computer system that allow
it to resist active attempts to attack or bypass it
|
False negative
|
In intrusion detection, an error that occurs when an attack is
misdiagnosed as a normal activity
|
False positive
|
In intrusion detection, an error that occurs when a normal
activity is misdiagnosed as an attack
|
Fault tolerance
|
A system’s level of resilience, allowing it to react seamlessly to hardware
and/or software failure
|
Feasibility study
|
A phase of an SDLC methodology that researches the feasibility
and adequacy of resources for the development or acquisition of a system
solution to a user need
|
Fiber optic cable
|
Glass fibers that transmit binary signals over a
telecommunications network. Fiber optic systems have low transmission losses
as compared to twisted-pair cables. They do not radiate energy or conduct
electricity. They are free from corruption and lightning-induced
interference, and they reduce the risk of wiretaps.
|
Field
|
An individual data element in a computer record. Examples
include employee name, customer address, account number, product unit price
and product quantity in stock.
|
File
|
A named collection of related records
|
File layout
|
Specifies the length of the file’s record and the sequence and
size of its fields. A file layout also will specify the type of data
contained within each field. For example, alphanumeric, zoned decimal, packed
and binary are types of data.
|
File server
|
A high-capacity disk storage device or a computer that stores
data centrally for network users and manages access to that data. File
servers can be dedicated so that no process other than network management can
be executed while the network is available; file servers can be non-dedicated
so that standard user applications can run while the network is available.
|
Filtering router
|
A router that is configured to control network access by
comparing the attributes of the incoming or outgoing packets to a set of
rules
|
FIN (final)
|
A flag set in a packet to indicate that this packet is the final
data packet of the transmission
|
Financial audit
|
An audit designed to determine the accuracy of financial records
and information
|
Finger
|
A protocol and program that allows the remote identification of
users logged into a system
|
Firewall
|
A device that forms a barrier between a secure and an open
environment. Usually, the open environment is considered hostile. The most
notable hostile environment is the Internet. In other words, a firewall
enforces a boundary between two or more networks.
|
Firmware
|
Memory chips with embedded program code that hold their content
when power is turned off
|
fiscal year
|
Any yearly accounting period without regard to its relationship
to a calendar year.
|
foreign exchange risk
|
The risk present when a financial asset or liability is denominated in
a foreign currency or is funded by borrowings in another currency
|
Format checking
|
The application of an edit, using a predefined field definition
to a submitted information stream; a test to ensure that data conform to a
predefined format
|
Fourth generation language (4GL)
|
English-like, user friendly, nonprocedural computer languages
used to program and/or read and process computer files
|
Frame relay
|
A packet-switched wide-area-network technology that provides
faster performance than older packet-switched WAN technologies such as X.25
networks, because it was designed for today’s reliable circuits and performs
less rigorous error detection. Frame relay is best suited for data and image
transfers. Because of its variable-length packet architecture, it is not the
most efficient technology for real-time voice and video. In a frame-relay
network, end nodes establish a connection via a permanent virtual circuit
(PVC).
|
Fraud risk
|
The risk that activities will include deliberate circumvention
of controls with the intent to conceal the perpetration of irregularities.
It includes the unauthorized use of assets or services, and abetting or
helping to conceal such use.
|
FTP (file transfer protocol)
|
A protocol used to transfer files over a TCP/IP network (Internet,
UNIX, etc.)
|
Full duplex
|
A communications channel over which data can be sent and
received simultaneously
|
Function point analysis
|
A technique used to determine the size of a development task,
based on the number of function points. Function points are factors such as
inputs, outputs, inquiries and logical internal files.
|
Gateway
|
A hardware/software package that is used to connect networks
with different protocols. The gateway has its own processor and memory and
can perform protocol and bandwidth conversions.
|
General computer controls
|
Controls, other than application controls, which relate to the
environment within which computer-based application systems are developed,
maintained and operated, and which are therefore applicable to all applications.
The objectives of general controls are to ensure the proper development and
implementation of applications, the integrity of program and data files and
of computer operations. Like application controls, general controls may be
either manual or programmed. Examples of general controls include the
development and implementation of an IS strategy and an IS security policy,
the organization of IS staff to separate conflicting duties and planning for
disaster prevention and recovery.
|
Generalized audit software
|
A computer program or series of programs designed to perform
certain automated functions. These functions include reading computer files,
selecting data, manipulating data, sorting data, summarizing data, performing
calculations, selecting samples and printing reports or letters in a format
specified by the IS auditor. This technique includes software acquired or
written for audit purposes and software embedded in production systems.
|
Geographic disk mirroring
|
A data recovery strategy that takes a set of physically
disparate disks and synchronously mirrors them over high performance
communication lines. Any write to a disk on one side will result in a write
on the other. The local write will not return until the acknowledgement of
the remote write is successful.
|
Hacker
|
An individual who attempts to gain unauthorized access to a
computer system
|
Half duplex
|
A communications channel that can handle only one signal at a
time. The two stations must alternate their transmissions.
|
Handprint scanner
|
A biometric device that is used to authenticate a user through
palm scans
|
Harden
|
To configure a computer or other network device to resist
attacks
|
Hardware
|
Relates to the technical and physical features of the computer
|
Hash function
|
An algorithm that maps or translates one set of bits into
another (generally smaller) so that a message yields the same result every
time the algorithm is executed using the same message as input. It is
computationally infeasible for a message to be derived or reconstituted from
the result produced by the algorithm. It is computationally infeasible to
find two different messages that produce the same hash result using the same
algorithm.
|
Hash total
|
The total of any numeric data field on a document or computer
file. This total is checked against a control total of the same field to
facilitate accuracy of processing.
|
Hexadecimal
|
A numbering system that uses a base of 16 and uses 16 digits: 0,
1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E and F. Programmers use hexadecimal
numbers as a convenient way of representing binary numbers.
|
Hierarchical database
|
A database structured in a tree/root or parent/child
relationship. Each parent can have many children, but each child may have
only one parent.
|
Honey pot
|
A specially configured server, designed to attract intruders so
that their actions do not affect production systems; also known as a decoy
server
|
Hot site
|
A fully operational offsite data processing facility equipped
with both hardware and system software to be used in the event of a disaster
|
HTTP (hypertext transfer protocol)
|
A communication protocol used to connect to servers on the World
Wide Web. Its primary function is to establish a connection with a web server
and transmit HTML pages to the client browser.
|
HTTPS (hypertext transfer protocol secure)
|
A protocol for accessing a secure web server, whereby all data
transferred is encrypted
|
Hub
|
A common connection point for devices in a network; hubs are
commonly used to connect segments of a LAN. A hub contains multiple ports.
When a packet arrives at one port, it is copied to all other ports so that
every segment of the LAN sees every packet.
|
Hyperlink
|
An electronic pathway, displayed as highlighted text, a graphic
or a button, that connects one web page with another web page address
|
Hypertext
|
A language that enables electronic documents to present
information connected together by links instead of being presented
sequentially, as is the case with normal text
|
ICMP (internet control message protocol)
|
A set of protocols that allow systems to communicate information
about the state of services on other systems. It is used, for example, to
determine whether systems are up, the maximum packet size on a link and
whether a destination host, network or port is available. Attackers typically
abuse ICMP to gather information about a remote site.
|
Idle standby
|
A fail-over process in which the primary node owns the resource
group. The backup node runs idle, only supervising the primary node. In case
of a primary node outage, the backup node takes over. The nodes are
prioritized, which means the surviving node with the highest priority will
acquire the resource group. A higher priority node joining the cluster will
thus cause a short service interruption.
|
IDS (intrusion detection system)
|
An intrusion detection system (IDS) inspects network activity to
identify suspicious patterns that may indicate a network or system attack
from someone attempting to break into or compromise a system
|
IEEE
|
Institute of Electrical and Electronics Engineers. Pronounced
I-triple-E, the IEEE is an organization composed of engineers, scientists and
students. It is best known for developing standards for the computer and
electronics industry.
|
Image processing
|
The process of electronically inputting source documents by
taking an image of the document, thereby eliminating the need for key entry
|
Implementation life cycle review
|
Refers to the controls that support the process of transforming
the organization’s legacy information systems into the ERP applications. This
largely covers all aspects of systems implementation and configuration, such
as change management.
|
Incremental testing
|
Deliberately testing only the value-added functionality of a
software component
|
Independence
|
Self-governance and freedom from conflict of interest and undue
influence. The IS auditor should be free to make his/her own decisions, not
influenced by the organization being audited and its people (managers and
employers).
|
Independent appearance
|
The outward impression of being self-governing and free from
conflict of interest and undue influence
|
Independent attitude
|
Impartial point of view which allows the IS auditor to act
objectively and with fairness
|
Indexed sequential access method (ISAM)
|
A disk access method that stores data sequentially, while also
maintaining an index of key fields to all the records in the file for direct
access capability
|
Indexed sequential file
|
A file format in which records are organized and can be
accessed, according to a preestablished key that is part of the record
|
Information engineering
|
Data-oriented development techniques that work on the premise
that data are at the center of information processing and that certain data
relationships are significant to a business and must be represented in the
data structure of its systems
|
Information processing facility (IPF)
|
The computer room and support areas
|
Inherent risk
|
The susceptibility of an audit area to error which could be
material, individually or in combination with other errors, assuming that
there are no related internal controls
|
Inheritance (objects)
|
Inheritance refers to database structures that have a strict
hierarchy (no multiple inheritance). Inheritance can initiate other objects
irrespective of the class hierarchy, thus there is no strict hierarchy of
objects.
|
Initial program load (IPL)
|
The initialization procedure that causes an operating system to
be loaded into storage at the beginning of a workday or after a system
malfunction
|
Input controls
|
Techniques and procedures used to verify, validate and edit
data, to ensure that only correct data are entered into the computer
|
Integrated services digital network (ISDN)
|
A public end-to-end digital telecommunications network with
signaling, switching and transport capabilities supporting a wide range of
services accessed by standardized interfaces with integrated customer control.
The standard allows transmission of digital voice, video and data over 64
Kbps lines.
|
Integrated test facilities (ITF)
|
Test data are processed in production systems. The data usually
represent a set of fictitious entities such as departments, customers and
products. Output reports are verified to confirm the correctness of the
processing.
|
Integrity
|
The accuracy and completeness of information, as well as its
validity in accordance with business values and expectations
|
Intelligent terminal
|
A terminal with built-in processing capability. It has no disk
or tape storage but has memory. The terminal interacts with the user by
editing and validating data as they are entered prior to final processing.
|
Interest rate risk
|
The risk to earnings or capital arising from movements in
interest rates. From an economic perspective, a bank focuses on the
sensitivity of the value of its assets, liabilities and revenues to changes
in interest rates. Internet banking may attract deposits, loans and other
relationships from a larger pool of possible customers than other forms of
marketing. Greater access to customers who primarily seek the best rate or term
reinforces the need for managers to maintain appropriate asset/liability
management systems, which should include the ability to react quickly to
changing market conditions.
|
Interface testing
|
A testing technique that is used to evaluate output from one
application, while the information is sent as input to another application
|
Internal control
|
The policies, procedures, practices and organizational
structures designed to provide reasonable assurance that business objectives
will be achieved and that undesired events will be prevented or detected and
corrected.
|
Internal control structure
|
The dynamic, integrated processes, effected by the governing
body, management and all other staff, that are designed to provide reasonable
assurance regarding the achievement of the following general objectives:
1) effectiveness, efficiency and economy of operations;
2) reliability of management;
3) compliance with applicable laws, regulations and internal policies.
Management’s strategies for achieving these general objectives are affected
by the design and operation of the following components: the control
environment, the information system and control procedures.
|
Internal penetrators
|
Authorized users of a computer system who overstep their
legitimate access rights. This category is divided into masqueraders and
clandestine users.
|
Internal storage
|
The main memory of the computer’s central processing unit
|
Internet
|
1) Two or more networks connected by a router
2) The world’s largest network, using TCP/IP protocols to link government,
university and commercial institutions
|
Internet banking
|
Use of the Internet as a remote delivery channel for banking
services. Services include the traditional ones, such as opening an account
or transferring funds to different accounts, and new banking services, such
as electronic bill presentment and payment (allowing customers to receive and
pay bills on a bank’s web site).
|
Internet Engineering Task Force (IETF)
|
The Internet standards setting organization with affiliates
internationally from network industry representatives. This includes all
network industry developers and researchers concerned with evolution and
planned growth of the Internet.
|
Internet Inter-ORB Protocol (IIOP)
|
A protocol developed by the object management group (OMG) to
implement Common Object Request Broker Architecture (CORBA) solutions over
the World Wide Web. CORBA enables modules of network-based programs to
communicate with one another. These modules or program parts, such as tables,
arrays, and more complex program subelements, are referred to as objects. Use
of IIOP in this process enables browsers and servers to exchange both simple
and complex objects. This significantly differs from HTTP, which only
supports the transmission of text.
|
Internet packet (IP) spoofing
|
An attack using packets with the spoofed source Internet packet
(IP) addresses. This technique exploits applications that use authentication
based on IP addresses. This technique also may enable an unauthorized user to
gain root access on the target system.
|
Intranet
|
A private network that uses the infrastructure and standards of
the Internet and World Wide Web, but is isolated from the public Internet by
firewall barriers.
|
Intrusion
|
Any intentional violation of the security policy of a system
|
Intrusion detection
|
The process of monitoring the events occurring in a computer
system or network, detecting signs of security problems
|
Intrusive monitoring
|
In vulnerability analysis, gaining information by performing
checks that affect the normal operation of the system and may even crash
the system
|
IP (Internet protocol)
|
Specifies the format of packets and the addressing scheme
|
IPSec (Internet protocol security)
|
A set of protocols developed by the IETF to support the secure
exchange of packets
|
Irregularities
|
Intentional violations of established management policy or
regulatory requirements. Deliberate misstatements or omissions of information
concerning the area under audit or the organization as a whole; gross
negligence or unintentional illegal acts.
|
ISO17799
|
An international standard that defines information
confidentiality, integrity and availability controls
|
ISP (Internet service provider)
|
A third party that provides organizations with a variety of
Internet and Internet-related services
|
IT governance
|
A structure of relationships and processes to direct and control
the enterprise in order to achieve the enterprise's goals by adding value
while balancing risk versus return over IT and its processes
|
Job control language (JCL)
|
A language used to control run routines in connection with
performing tasks on a computer
|
Journal entry
|
A debit or credit to a general ledger account. See also manual
journal entry.
|
Judgment sampling
|
Any sample that is selected subjectively or in such a manner
that the sample selection process is not random or the sampling results are
not evaluated mathematically
|
L2F (Layer 2 forwarding)
|
A tunnelling protocol developed by Cisco Systems to support the
creation of VPNs
|
L2TP (Layer 2 tunneling protocol)
|
An extension to PPP to facilitate the creation of VPNs. L2TP
merges the best features of PPTP (from Microsoft) and L2F (from Cisco).
|
Latency
|
The delay before a system or network responds. System latency is
the time a system takes to retrieve data. Network latency is the time it
takes for a packet to travel from the source to the final destination.
|
LDAP (Lightweight Directory Access Protocol)
|
A set of protocols for accessing information directories. It is
based on the X.500 standard, but is significantly simpler.
|
Leased lines
|
A communication line permanently assigned to connect two points,
as opposed to a dial-up line that is only available and open when a
connection is made by dialing the target machine or network. Also known as a
dedicated line.
|
Legal risk
|
The risk to earnings or capital arising from violations of,
or nonconformance with, laws, rules, regulations, prescribed practices or
ethical standards. Banks are subject to various forms of legal risk. This can
include the risk that assets will turn out to be worth less or liabilities
will turn out to be greater than expected because of inadequate or incorrect
legal advice or documentation. In addition, existing laws may fail to resolve
legal issues involving a bank; a court case involving a particular bank may
have wider implications for banking business and involve costs to it and many
or all other banks; and, laws affecting banks or other commercial enterprises
may change. Banks are particularly susceptible to legal risks when entering
new types of transactions and when the legal right of a counter-party to
enter into transactions is not established.
|
Librarian
|
The individual responsible for safeguarding and maintaining all
program and data files
|
Limit check
|
Tests of specified amount fields against stipulated high or low
limits of acceptability. When both high and low values are used, the test may
be called a range check.
|
Link editor (linkage editor)
|
A utility program that combines several separately compiled
modules into one, resolving internal references between them
|
Liquidity risk
|
The risk to earnings or capital arising from a bank’s
inability to meet its obligations when they come due, without incurring
unacceptable losses. Internet banking may increase deposit volatility from
customers who maintain accounts solely on the basis of rate or terms.
|
Local area network (LAN)
|
A communication network that serves several users within a
specified geographic area. It is made up of servers, workstations, a network
operating system and a communications link. Personal computer LANs function
as distributed processing systems in which each computer in the network does
its own processing and manages some of its data. Shared data are stored in a
file server that acts as a remote disk drive to all users in the network.
|
Local loop
|
The communication lines that provide connectivity between the
telecommunications carrier’s central office and the subscriber’s facilities
|
Log
|
To record details of information or events in an organized
record-keeping system, usually sequenced in the order they occurred
|
Logical access controls
|
The policies, procedures, organizational structure and
electronic access controls designed to restrict access to computer software
and data files
|
Logoff
|
Disconnecting from the computer
|
Logon
|
The act of connecting to the computer. It typically requires
entry of a user ID and password into a computer terminal.
|
Logs/Log file
|
Files created specifically to record various actions occurring
on the system to be monitored, such as failed login attempts, full disk
drives and e-mail delivery failures
|
Machine language
|
The logical language a computer understands
|
Magnetic card reader
|
A card reader that reads cards with a magnetizable surface on
which data can be stored and retrieved
|
Magnetic ink character recognition (MICR)
|
Used to electronically input, read and interpret information
directly from a source document; requires the source document to have
specially-coded magnetic ink typeset
|
Management information system (MIS)
|
An organized assembly of resources and procedures required to
collect, process and distribute data for use in decision making
|
Man-in-the-middle attack
|
An attack strategy in which the attacker intercepts the
communications stream between two parts of the victim system and then
replaces the traffic between the two components with the intruder’s own,
eventually assuming control of the communication
|
Manual journal entry
|
A journal entry entered at a computer terminal. Manual journal
entries can include regular, statistical, inter-company and foreign currency
entries
|
Mapping
|
Diagramming data that are to be exchanged electronically,
including how they are to be used and which business management systems need
them. It is a preliminary step in developing an applications link. (Also see
application tracing and mapping.)
|
Masking
|
A computerized technique of blocking out the display of
sensitive information, such as passwords, on a computer terminal or report
|
Masqueraders
|
Attackers that penetrate systems by using user identifiers and
passwords taken from legitimate users
|
Master file
|
A file of semipermanent information that is used frequently for
processing data or for more than one purpose
|
Materiality
|
An auditing concept regarding the importance of an item of
information with regard to its impact or effect on the functioning of the
entity being audited. An expression of the relative significance or
importance of a particular matter in the context of the organization as a
whole.
|
Memory dump
|
The act of copying raw data from one place to another with
little or no formatting for readability. Usually, dump refers to copying data
from main memory to a display screen or a printer. Dumps are useful for
diagnosing bugs. After a program fails, one can study the dump and analyze
the contents of memory at the time of the failure. Dumps are usually output in
a difficult-to-read form (that is, binary, octal or hexadecimal), so a memory
dump will not help unless the reader knows exactly what to look for.
|
Message switching
|
A telecommunications traffic controlling methodology in which a
complete message is sent to a concentration point and stored until the
communications path is established
|
Microwave transmission
|
A high-capacity line-of-sight transmission of data signals
through the atmosphere which often requires relay stations
|
Middleware
|
Another term for an application programmer interface (API). It
refers to the interfaces that allow programmers to access lower- or
higher-level services by providing an intermediary layer that includes
function calls to the services.
|
Misuse detection
|
Detection on the basis of whether the system activity matches
that defined as bad
|
Modem (modulator-demodulator)
|
Connects a terminal or computer to a communications network via
a telephone line. Modems turn digital pulses from the computer into
frequencies within the audio range of the telephone system. When acting in
the receiver capacity, a modem decodes incoming frequencies.
|
Modulation
|
The process of converting a digital computer signal into an
analog telecommunications signal
|
Monetary unit sampling
|
A sampling technique that estimates the amount of overstatement
in an account balance
|
Monitor
|
Any information collection mechanism utilized by an intrusion
detection system
|
Monitoring policy
|
The rules outlining the way in which information is captured and
interpreted
|
Multiplexing
|
The transmission of more than one signal across a physical
channel
|
Multiplexor
|
A device used for combining several lower-speed channels into a
higher-speed channel
|
Mutual takeover
|
A fail-over process, which is basically a two-way idle standby:
two servers are configured so that both can take over the other node’s
resource group. Both must have enough CPU power to run both applications with
sufficient speed; otherwise, the performance losses expected until the failed
node reintegrates must be taken into account. This also works well in
configurations of three or more nodes.
|
NAT (Network Address Translation)
|
An Internet standard that allows a network to use one set of IP
addresses for internal traffic and a second set of addresses for external
traffic. The server, providing the NAT service, changes the source address of
outgoing packets from the internal to the external address and reverses it
for packets returning.
|
Netware
|
A popular local area network operating system developed by the
Novell Corp.
|
Network
|
A system of interconnected computers and the communications
equipment used to connect them
|
Network administrator
|
The person responsible for maintaining a LAN and assisting end
users
|
Network hop
|
An attack strategy in which the attacker successively hacks into
a series of connected systems, obscuring his/her identity from the victim of
the attack
|
Node
|
Point at which terminals are given access to a network
|
Noise
|
Disturbances, such as static, in data transmissions that cause
messages to be misinterpreted by the receiver
|
Non-intrusive monitoring
|
In vulnerability analysis, gaining information by performing
standard system status queries and inspecting system attributes
|
Nonrepudiable transactions
|
Transactions that cannot be denied after the fact
|
Nonrepudiation
|
The assurance that a party cannot later deny originating data;
it is the provision of proof of the integrity and origin of the data, which
can be verified by a third party. Nonrepudiation may be provided by a digital
signature.
|
Normalization
|
The elimination of redundant data
|
Numeric check
|
An edit check designed to ensure the data in a particular field
is numeric
|
Object code
|
Machine-readable instructions produced from a compiler or
assembler program that has accepted and translated the source code
|
Object Management Group (OMG)
|
A consortium with more than 700 affiliates from the software
industry. Its purpose is to provide a common framework for developing
applications using object-oriented programming techniques. For example, OMG
is known principally for promulgating the CORBA specification.
|
Object orientation
|
An approach to system development where the basic unit of
attention is an object, which represents an encapsulation of both data (an
object’s attributes) and functionality (an object’s methods). Objects usually
are created using a general template called a class. Classes are the basis
for most design work in objects. Classes and their objects communicate in
defined ways. Aggregate classes interact through messages, which are directed
requests for services from one class (the client) to another class (the
server). A class may share the structure or methods defined in one or more
other classes, a relationship known as inheritance.
|
Objectivity
|
The ability to exercise judgement, express opinions and present
recommendations with impartiality
|
Object-oriented system development
|
A system development methodology that is organised around
"objects" rather than "actions", and "data" rather than
"logic". Object-oriented analysis is an assessment of a physical system to
determine which objects in the real world need to be represented as objects
in a software system. Any object-oriented design is software design that is
centred around designing the objects that will make up a program. Any
object-oriented program is one that is composed of objects or software parts.
|
Offline files
|
Computer file storage media not physically connected to the
computer; typically tapes or tape cartridges used for backup purposes
|
Offsite storage
|
A storage facility located away from the building housing the
primary information processing facility (IPF), used for storage of computer
media such as offline backup data and storage files
|
Online data processing
|
Processing is achieved by entering information into the computer
via a video display terminal. The computer immediately accepts or rejects the
information, as it is entered.
|
Open systems
|
Systems for which detailed specifications of the composition of
their components are published in a nonproprietary environment, thereby enabling
competing organizations to use these standard components to build competitive
systems. The advantages of using open systems include portability,
interoperability and integration.
|
Operating system
|
A master control program that runs the computer and acts as a
scheduler and traffic controller. It is the first program copied into the
computer’s memory after the computer is turned on and must reside in memory
at all times. It is the software that interfaces between the computer
hardware (disk, keyboard, mouse, network, modem, printer) and the application
software (word processor, spreadsheet, e-mail). It also controls access to
the devices, is partially responsible for security components and sets the
standards for the application programs that run in it.
|
Operating system audit trails
|
Records of system events generated by a specialized operating
system mechanism
|
Operational audit
|
An audit designed to evaluate the various internal controls,
economy and efficiency of a function or department
|
Operational control
|
These controls deal with the everyday operation of a company or
organization to ensure all objectives are achieved.
|
Operational risk
|
The most important types of operational risk involve breakdowns
in internal controls and corporate governance. Such breakdowns can lead to
financial losses through error, fraud or failure to perform in a timely
manner or cause the interests of the bank to be compromised in some other
way, for example, by its dealers, lending officers or other staff exceeding
their authority or conducting business in an unethical or risky manner. Other
aspects of operational risk include major failure of information technology
systems or events such as security problems or other disasters.
|
Operator console
|
A special terminal used by computer operations personnel to
control computer and systems operations functions. These terminals typically
provide a high level of computer access and should be properly secured.
|
Optical character recognition
|
Used to electronically scan and input written information from a
source document
|
Optical scanner
|
An input device that reads characters and images that are
printed or painted on a paper form into the computer.
|
Output analyzer
|
Checks the accuracy of the results produced by a test run. There
are three types of checks that an output analyzer can perform. First, if a
standard set of test data and test results exists for a program, the output
of a test run after program maintenance can be compared with the set of
results that should be produced. Second, as programmers prepare test data and
calculate the expected results, these results can be stored on a file and the
output analyzer compares the actual results of a test run with the expected
results. Third, the output analyzer can act as a query language; it accepts
queries about whether certain relationships exist in the file of output
results and reports compliance or noncompliance.
|
Outsourcing
|
A formal agreement with a third party to perform an IS function
for an organization
|
Packet
|
Data unit that is routed from source to destination in a
packet-switched network. A packet contains both routing information and data.
Transmission control protocol/Internet protocol (TCP/IP) is such a
packet-switched network.
|
Packet filtering
|
Controlling access to a network by analyzing the attributes of
the incoming and outgoing packets and either letting them pass, or denying
them, based on a list of rules
|
Packet switching
|
The process of transmitting messages in convenient pieces that
can be reassembled at the destination
|
Parallel simulation
|
Parallel simulation involves the IS auditor writing a program to
replicate those application processes that are critical to an audit opinion
and using this program to reprocess application system data. The results
produced are compared with the results generated by the application system
and any discrepancies identified.
|
Parallel testing
|
The process of feeding test data into two systems, the modified
system and an alternative system (possibly the original system) and comparing
results
|
Parity check
|
A general hardware control, which helps to detect data errors
when data are read from memory or communicated from one computer to another.
A 1-bit digit (either 0 or 1) is added to a data item to indicate whether the
sum of that data item’s bits is odd or even. When the parity bit disagrees
with the sum of the other bits, the computer reports an error. The
probability of a parity check detecting an error is 50 percent.
|
Partitioned file
|
A file format in which the file is divided into multiple subfiles
and a directory is established to locate each subfile
|
Passive assault
|
In a passive assault, intruders attempt to learn some
characteristic of the data being transmitted. They may be able to read the
contents of the data so the privacy of the data is violated. Alternatively,
although the content of the data itself may remain secure, intruders may read
and analyze the plaintext source and destination identifiers attached to a
message for routing purposes, or they may examine the lengths and frequency of
messages being transmitted.
|
Passive response
|
A response option in intrusion detection in which the system
simply reports and records the problem detected, relying on the user to take
subsequent action
|
Password
|
A protected, generally computer-encrypted string of characters
that authenticates a computer user to the computer system
|
Password cracker
|
Specialized security checker that tests users’ passwords,
searching for passwords that are easy to guess by repeatedly trying words
from specially crafted dictionaries. Failing that, many password crackers can
brute force all possible combinations in a relatively short period of time
with current desktop computer hardware.
|
Payment system
|
A financial system that establishes the means for transferring
money between suppliers and users of funds, ordinarily by exchanging debits
or credits between banks or financial institutions.
|
Penetration testing
|
A live test of the effectiveness of security defenses through
mimicking the actions of real-life attackers
|
Performance indicators
|
A set of metrics designed to measure the extent to which
performance objectives are being achieved on an on-going basis. They can
include service level agreements, critical success factors, customer
satisfaction ratings, internal or external benchmarks, industry best
practices and international standards.
|
Performance testing
|
Comparing the system’s performance to other equivalent systems
using well defined benchmarks
|
Peripherals
|
Auxiliary computer hardware equipment used for input, output and
data storage. Examples include disk drives and printers.
|
Permanent virtual circuit (PVC)
|
A permanent connection between hosts in a packet switched
network
|
Personal identification number (PIN)
|
A type of password (i.e., a secret number assigned to an
individual) that, in conjunction with some means of identifying the
individual, serves to verify the authenticity of the individual. PINs have
been adopted by financial institutions as the primary means of verifying
customers in an electronic funds transfer system (EFTS).
|
Pervasive IS controls
|
General controls which are designed to manage and monitor the IS
environment and which, therefore, affect all IS-related activities
|
Piggybacking
|
1) Following an authorized person into a restricted access area;
2) electronically attaching to an authorized telecommunications link to
intercept and possibly alter transmissions.
|
Plaintext
|
Digital information, such as cleartext, that is intelligible to
the reader
|
Point-of-presence (POP)
|
A phone number that represents the area in which the
communications provider or Internet service provider (ISP) provides service
|
Point-of-sale systems (POS)
|
Point-of-sale systems enable capture of data at the time and
place of transaction. POS terminals may include use of optical scanners for
use with bar codes or magnetic card readers for use with credit cards. POS
systems may be online to a central computer or may use stand-alone terminals
or microcomputers that hold the transactions until the end of a specified
period when they are sent to the main computer for batch processing.
|
Polymorphism (objects)
|
Polymorphism refers to database structures that send the same
command to different child objects that can produce different results
depending on their family hierarchical tree structure.
|
Population
|
The entire set of data from which a sample is selected and about
which the IS auditor wishes to draw conclusions
|
Port
|
An interface point between the CPU and a peripheral device
|
Posting
|
The process of actually entering transactions into computerized
or manual files. Such transactions might immediately update the master files
or may result in memo posting, in which the transactions are accumulated over
a period of time, then applied to master file updating.
|
PPP (point-to-point protocol)
|
A protocol used for transmitting data between two ends of a
connection
|
PPTP (point-to-point tunneling protocol)
|
A protocol used to transmit data securely between two end points
to create a VPN
|
Preventive controls
|
These controls are designed to prevent or restrict an error,
omission or unauthorized intrusion.
|
Price risk
|
The risk to earnings or capital arising from changes in the
value of portfolios of financial instruments. Price risk arises from market
making, dealing and position taking in interest rate, foreign exchange,
equity and commodities markets. Banks may be exposed to price risk if they
create or expand deposit brokering, loan sales or securitisation programs as
a result of Internet banking activities.
|
Privacy
|
Freedom from unauthorized intrusion
|
Private key
|
A mathematical key (kept secret by the holder) used to create
digital signatures and, depending upon the algorithm, to decrypt messages or
files encrypted (for confidentiality) with the corresponding public key
|
Private key cryptosystems
|
Used in data encryption, it uses a secret key to encrypt the
plaintext to the ciphertext. It also uses the same key to decrypt the
ciphertext to the corresponding plaintext. In this case, the key is symmetric
such that the encryption key is equivalent to the decryption key.
|
Privilege
|
The level of trust with which a system object is imbued
|
Procedure
|
The portion of a security policy that states the general process
that will be performed to accomplish a security goal
|
Production programs
|
Programs that are used to process live or actual data that were
received as input into the production environment.
|
Production software
|
Software that is being used and executed to support normal and
authorized organizational operations. Such software is to be distinguished
from test software, which is being developed or modified, but has not yet
been authorized for use by management.
|
Professional competence
|
Proven level of ability, often linked to qualifications issued
by relevant professional bodies and compliance with their codes of practice
and standards
|
Program evaluation and review technique (PERT)
|
A project management technique used in the planning and control
of system projects
|
Program flowcharts
|
Program flowcharts show the sequence of instructions in a single
program or subroutine. The symbols used should be the internationally
accepted standard. Program flowcharts should be updated when necessary.
|
Program narratives
|
Program narratives provide a detailed explanation of program
flowcharts, including control points and any external input.
|
Project sponsor
|
In an acquisition project, the person responsible for high-level
decisions, such as changes to the scope and/or budget of the project, and
whether or not to implement
|
Project team
|
Group of people responsible for a project, whose terms of
reference may include the development, acquisition, implementation or
maintenance of an application system. The team members may include line
management, operational line staff, external contractors and IS auditors.
|
Promiscuous mode
|
Allows the network interface to capture all network traffic
irrespective of the hardware device to which the packet is addressed
|
Protection domain
|
The area of the system that the intrusion detection system is
meant to monitor and protect
|
Protocol
|
The rules by which a network operates and controls the flow and
priority of transmissions
|
Protocol converter
|
Hardware devices that convert between two different types of
transmission, such as asynchronous and synchronous transmission
|
Protocol stack
|
A set of utilities that implement a particular network protocol.
For instance, in Windows machines a TCP/IP stack consists of TCP/IP software,
sockets software and hardware driver software.
|
Prototyping
|
A system development technique that enables users and developers
to reach agreement on system requirements. Prototyping uses programmed
simulation techniques to represent a model of the final system to the user
for advisement and critique. The emphasis is on end-user screens and reports.
Internal controls are not a priority item since this is only a model.
|
Proxy server
|
A server that acts on behalf of a user. Typical proxies accept a
connection from a user, make a decision as to whether or not the user or
client IP address is permitted to use the proxy, perhaps perform additional
authentication, and complete a connection to a remote destination on behalf
of the user.
|
Public key
|
In an asymmetric cryptographic scheme, the key that may be
widely published to enable the operation of the scheme
|
Public key cryptosystem
|
Used in data encryption, it uses an encryption key, as a public
key, to encrypt the plaintext to the ciphertext. It uses a different
decryption key, kept secret, to decrypt the ciphertext to the
corresponding plaintext. In contrast to a private key cryptosystem, the decryption
key should be secret; however, the encryption key can be known to everyone.
In a public key cryptosystem, the two keys are asymmetric, such that the
encryption key is not equivalent to the decryption key.
|
Public key infrastructure
|
A system that authentically distributes users’ public keys using
certificates
|
Queue
|
A group of items that is waiting to be serviced or processed
|
Quick ship
|
A recovery solution provided by recovery and/or hardware vendors
and includes a pre-established contract to deliver hardware resources within
a specified number of hours after a disaster occurs. This solution
usually provides organizations with the ability to recover within 72 hours or
greater.
|
RADIUS (remote authentication dial-in user service)
|
A type of service providing an authentication and accounting system often used for dial-up and remote access security
|
Random access memory (RAM)
|
The computer’s primary working memory. Each byte of memory can
be accessed randomly regardless of adjacent bytes.
|
Range check
|
Range checks ensure that data fall within a predetermined range
(also see limit checks).
|
Rapid application development
|
A methodology that enables organisations to develop
strategically important systems faster, while reducing development costs and
maintaining quality by using a series of proven application development
techniques, within a well-defined methodology.
|
Real-time analysis
|
Analysis that is performed on a continuous basis, with results
gained in time to alter the run-time system
|
Real-time processing
|
An interactive online system capability that immediately updates
computer files when transactions are initiated through a terminal
|
Reasonable assurance
|
A level of comfort short of a guarantee but considered adequate
given the costs of the control and the likely benefits achieved
|
Reasonableness check
|
Compares data to predefined reasonability limits or occurrence
rates established for the data.
|
Reciprocal agreement
|
Emergency processing agreements between two or more
organizations with similar equipment or applications. Typically, participants
promise to provide processing time to each other when an emergency arises.
|
Record
|
A collection of related information treated as a unit. Separate
fields within the record are used for processing of the information.
|
Record, screen and report layouts
|
Record layouts provide information regarding the type of record,
its size and the type of data contained in the record. Screen and report
layouts describe what information is provided and necessary for input.
|
Recovery point objective (RPO)
|
A measurement of the point prior to an outage to which data are
to be restored
|
Recovery testing
|
A test to check the system’s ability to recover after a software
or hardware failure
|
Recovery time objective (RTO)
|
The amount of time allowed for the recovery of a business
function or resource after a disaster occurs
|
Redo logs
|
Files maintained by a system, primarily a database management
system, for the purpose of reapplying changes following an error or outage
recovery
|
Redundancy check
|
Detects transmission errors by appending calculated bits onto
the end of each segment of data
|
Reengineering
|
A process involving the extraction of components from existing
systems and restructuring these components to develop new systems or to
enhance the efficiency of existing systems. Existing software systems thus
can be modernized to prolong their functionality. An example of this is a
software code translator that can take an existing hierarchical database
system and transpose it to a relational database system. CASE includes a
source code reengineering feature.
|
Registration authority (RA)
|
An entity that may be given responsibility for performing some
of the administrative tasks necessary in the registration of subjects, such
as confirming the subject's identity, validating that the subject is entitled
to have the attributes requested in a certificate and verifying that the
subject has possession of the private key associated with the public key
requested for a certificate.
|
Regression testing
|
A testing technique used to retest earlier program abends or
logical errors that occurred during the initial testing phase
|
Relevant audit evidence
|
Audit evidence is relevant if it pertains to the audit
objectives and has a logical relationship to the findings and conclusions it
is used to support.
|
Reliable audit evidence
|
Audit evidence is reliable if, in the IS auditor's opinion, it
is valid, factual, objective and supportable.
|
Remote job entry (RJE)
|
The transmission of job control language (JCL) and batches of
transactions from a remote terminal location
|
Remote procedure calls (RPCs)
|
The traditional Internet service protocol widely used for many
years on UNIX-based operating systems and supported by the Internet
Engineering Task Force (IETF) that allows a program on one computer to
execute a program on another (e.g., server). The primary benefit derived from
its use is that a system developer need not develop specific procedures for
the targeted computer system. For example, in a client-server arrangement, the
client program sends a message to the server with appropriate arguments, and
the server returns a message containing the results of the program executed.
(See also CORBA and DCOM, as two newer object-oriented methods for related
RPC functionality.)
|
Repository
|
The central database that stores and organizes data
|
Repudiation
|
The denial by one of the parties to a transaction of
participation in all or part of that transaction, or of the content of
communications related to that transaction.
|
Reputational risk
|
The current and prospective effect on earnings and capital
arising from negative public opinion. This affects the bank’s ability to
establish new relationships or services or continue servicing existing
relationships. Reputation risk may expose the bank to litigation, financial
loss or a decline in its customer base. A bank’s reputation can be damaged by
Internet banking services that are poorly executed or otherwise alienate
customers and the public. An Internet bank has a greater reputation risk as
compared to a traditional brick-and-mortar bank since it is easier for its
customers to leave and go to a different Internet bank and since it cannot
discuss any problems with the customer in person
|
Request for proposal (RFP)
|
A document distributed to software vendors requesting them to
submit a proposal to develop or provide a software product
|
Requirements definition
|
A phase of an SDLC methodology where the affected user groups
define the requirements of the system for meeting the defined needs
|
Residual risk
|
The risk associated with an event once the controls in place
to reduce the effect or likelihood of that event are taken into account
|
Reverse engineering
|
A software engineering technique whereby an existing application
system code can be redesigned and coded using computer-aided software
engineering (CASE) technology
|
RFC (request for comments)
|
A document that has been approved by the IETF becomes an RFC and
is assigned a unique number once published. If it gains enough interest, it
may evolve into an Internet standard.
|
Ring topology
|
A type of LAN architecture in which the cable forms a loop, with
stations attached at intervals around the loop. Signals transmitted around
the ring take the form of messages. Each station receives the messages and
each station determines, on the basis of an address, whether to accept or
process a given message. However, after receiving a message, each station
acts as a repeater, retransmitting the message at its original signal
strength
|
Risk
|
The possibility of an act or event occurring that would have an
adverse effect on the organization and its information systems
|
Risk assessment
|
A process used to identify and evaluate risks and their
potential effects
|
Rootkit
|
A software suite designed to aid an intruder in gaining unauthorized
administrative access to a computer system
|
Rotating standby
|
A fail-over process in which there are two nodes (as in idle
standby but without priority). The node that enters the cluster first owns
the resource group, and the second will join as a standby node.
|
Rounding down
|
A method of computer fraud involving a computer code that
instructs the computer to remove small amounts of money from an authorized
computer transaction by rounding down to the nearest whole value denomination
and rerouting the rounded off amount to the perpetrator’s account
|
Router
|
A networking device that can send (route) data packets from one
local area network (LAN) or wide area network (WAN) to another, based on
addressing at the network layer (Layer 3) in the OSI model. Networks
connected by routers can use different or similar networking protocols.
Routers usually are capable of filtering packets based on parameters, such as
source addresses, destination addresses, protocol and network applications
(ports).
|
RS-232 interface
|
Interface between data terminal equipment and data
communications equipment employing serial binary data interchange
|
RSA
|
A public key cryptosystem developed by R. Rivest, A. Shamir and
L. Adleman. The RSA has two different keys, the public encryption key and the
secret decryption key. The strength of the RSA depends on the difficulty of
the prime number factorization. For applications with high-level security,
the number of the decryption key bits should be greater than 512 bits. RSA is
used for both encryption and digital signatures.
|
Rulebase
|
The list of rules and/or guidance that is used to analyze event
data
|
Run instructions
|
Computer operating instructions which detail the step-by-step
processes that are to occur so an application system can be properly
executed. It also identifies how to address problems that occur during
processing.
|
Run-to-run totals
|
Provide verification that all transmitted data are read and
processed
|
Salami technique
|
A method of computer fraud involving a computer code that instructs
the computer to slice off small amounts of money from an authorized computer
transaction and reroute this amount to the perpetrator’s account
|
Sampling risk
|
The probability that the IS auditor has reached an incorrect
conclusion because an audit sample, rather than the whole population, was
tested. While sampling risk can be reduced to an acceptably low level by
using an appropriate sample size and selection method, it can never be
eliminated.
|
Scheduling
|
A method used in the information processing facility (IPF) to
determine and establish the sequence of computer job processing
|
Screening routers
|
A router configured to permit or deny traffic based on a set of
permission rules installed by the administrator
|
Secure Sockets Layer (SSL)
|
A protocol originally developed by Netscape Communications to
provide a high level of security for its browser software. It has become
accepted widely as a means of securing Internet message exchanges. It ensures
confidentiality of the data in transmission using encryption.
|
Security administrator
|
The person responsible for implementing, monitoring and
enforcing security rules established and authorized by management
|
Security management
|
1) The process of establishing and maintaining security in a
computer or network system. The stages of this process include prevention of
security problems, detection of intrusions, investigation of intrusions and
resolution.
2) In network management, controlling access to the network and resources, finding intrusions, identifying entry points for intruders and repairing or otherwise closing those avenues of access.
|
Security perimeter
|
The boundary that defines the area of security concern and
security policy coverage
|
Security policy
|
1) The set of management statements that documents an organization’s
philosophy of protecting its computing and information assets
2) The set of security rules enforced by the system’s security features
|
Security software
|
Software used to administer logical security. It usually
includes authentication of users, access granting according to predefined
rules, monitoring and reporting functions.
|
Security testing
|
Making sure the modified/new system includes appropriate access
controls and does not introduce any security holes that might compromise
other systems
|
Security/transaction risk
|
The current and prospective risk to earnings and capital arising
from fraud, error and the inability to deliver products or services, maintain
a competitive position and manage information. Security risk is evident in
each product and service offered and encompasses product development and
delivery, transaction processing, systems development, computing systems,
complexity of products and services and the internal control environment. A
high level of security risk may exist with Internet banking products,
particularly if those lines of business are not adequately planned,
implemented and monitored
|
Segregation/separation of duties
|
A basic control that prevents or detects errors and
irregularities by assigning responsibility for initiating transactions,
recording transactions and custody of assets to separate individuals.
Commonly used in large IT organizations so that no single person is in a
position to introduce fraudulent or malicious code without detection.
|
Sequence check
|
Verifies that the control number follows sequentially and any
control numbers out of sequence are rejected or noted on an exception report
for further research (can be alpha or numeric and usually utilizes a key
field)
|
Sequential file
|
A computer file storage format in which one record follows
another. Records can be accessed sequentially only. It is required with
magnetic tape.
|
Service bureau
|
A computer facility that provides data processing services to
clients on a continual basis
|
Service level agreement (SLA)
|
Defined minimum performance measures at or above which the
service delivered is considered acceptable
|
Service provider
|
The organization providing the outsourced service
|
Service user
|
The organization using the outsourced service
|
Shell
|
The interface between the user and the system
|
Signatures
|
Patterns indicating misuse of a system
|
Simple fail-over
|
A fail-over process in which the primary node owns the resource
group. The backup node runs a non-critical application (e.g., a development
or test environment) and takes over the critical resource group but not vice
versa.
|
Simple Object Access Protocol (SOAP)
|
A platform-independent XML-based formatted protocol enabling
applications to communicate with each other over the Internet. Use of this
protocol may provide a significant security risk to web application
operations, since use of SOAP piggybacks onto a web-based document object
model and is transmitted via the web's HTTP service protocol (port 80) to
penetrate server firewalls, which are usually configured to accept port 80
and port 21 (FTP) requests. Web-based document models define how objects on a
web page are associated with each other, and how they can be manipulated
while being sent from a server to a client browser. SOAP typically relies on
XML for presentation formatting and also adds appropriate HTTP-based headers
to send it.
|
Single point of failure
|
A resource whose loss will result in the loss of service or
production
|
Smart card
|
A small electronic device that contains electronic memory, and
possibly an embedded integrated circuit. It can be used for a number of
purposes including the storage of digital certificates or digital cash, or it
can be used as a token to authenticate users.
|
SMTP (Simple Mail Transport Protocol)
|
The standard e-mail protocol on the Internet
|
Sniff
|
The act of capturing network packets, including those not
necessarily destined for the computer running the sniffing software
|
Sniffing
|
An attack capturing sensitive pieces of information, such as
passwords, passing through the network
|
Software
|
Programs and supporting documentation that enable and facilitate
use of the computer. Software controls the operation of the hardware.
|
Source code
|
Source code is the language in which a program is written.
Source code is translated into object code by assemblers and compilers. In
some cases, source code may be converted automatically into another language
by a conversion program. Source code is not executable by the computer
directly. It must first be converted into a machine language.
|
Source code compare programs
|
Programs that provide assurance that the software being audited
is the correct version of the software, by providing a meaningful listing of
any discrepancies between the two versions of the program
|
Source documents
|
The forms used to record data that have been captured. A source
document may be a piece of paper, a turnaround document or an image displayed
for online data input.
|
Source lines of code (SLOC)
|
Source lines of code are often used in deriving single-point
software-size estimations.
|
Spanning port
|
A port configured on a network switch to receive copies of
traffic from one or more other ports on the switch
|
Split data systems
|
A condition in which each of an organization’s regional
locations maintains its own financial and operational data while sharing
processing with an organizationwide, centralized database. This permits easy
sharing of data while maintaining a certain level of autonomy.
|
Split DNS
|
An implementation of DNS intended to secure responses provided
by the server such that different responses are given to internal vs.
external users
|
Spoofing
|
Faking the sending address of a transmission in order to gain
illegal entry into a secure system
|
Spool (simultaneous peripheral operations online)
|
An automated function that can be operating system or
application based in which electronic data being transmitted between storage
areas are spooled or stored until the receiving device or storage area is
prepared and able to receive the information. This operation allows more efficient
electronic data transfers from one device to another by permitting higher
speed sending functions, such as internal memory, to continue on with other
operations instead of waiting on the slower speed receiving device, such as a
printer.
|
Standing data
|
Permanent reference data used in transaction processing. These
data are changed infrequently, such as a product price file or a name and
address file.
|
Star topology
|
A type of LAN architecture that utilizes a central controller to
which all nodes are directly connected. All transmissions from one station to
another pass through the central controller, which is responsible for
managing and controlling all communication. The central controller often acts
as a switching device.
|
Static analysis
|
Analysis of information that occurs on a noncontinuous basis;
also known as interval-based analysis
|
Statistical sampling
|
A method of selecting a portion of a population, by means of
mathematical calculations and probabilities, for the purpose of making
scientifically and mathematically sound inferences regarding the
characteristics of the entire population
|
Strategic risk
|
The current and prospective effect on earnings or capital
arising from adverse business decisions, improper implementation of decisions
or lack of responsiveness to industry changes.
|
Structured programming
|
A top-down technique of designing programs and systems. It makes
programs more readable, more reliable and more easily maintained.
|
Structured Query Language (SQL)
|
The primary language used by both application programmers and
end users in accessing relational databases
|
Subject matter
|
(Area of activity) The specific information subject to the IS
auditor’s report and related procedures which can include things such as the
design or operation of internal controls and compliance with privacy
practices or standards or specified laws and regulations.
|
Substantive testing
|
Tests of detailed activities and transactions, or analytical
review tests, designed to obtain audit evidence on the completeness, accuracy
or existence of those activities or transactions during the audit period
|
Sufficient audit evidence
|
Audit evidence is sufficient if it is adequate, convincing and
would lead another IS auditor to form the same conclusions.
|
Surge suppressor
|
Filters out electrical surges and spikes
|
SWIFT
|
Founded in Brussels in 1973, the Society for the Worldwide
Interbank Financial Telecommunication (SWIFT) is a co-operative organisation
dedicated to the promotion and development of standardised global
interactivity for financial transactions. SWIFT's original mandate was to
establish a global communications link for data processing and a common
language for international financial transactions. The Society operates a
messaging service for financial messages, such as letters of credit,
payments, and securities transactions, between member banks worldwide.
SWIFT's essential function is to deliver these messages quickly and
securely—both of which are prime considerations for financial matters. Member
organisations create formatted messages that are then forwarded to SWIFT for
delivery to the recipient member organisation. SWIFT operates out of its
Brussels headquarters and processes data at centres in Belgium and the United
States
|
Switch
|
A device that forwards packets between LAN devices or segments.
LANs that use switches are called switched LANs.
|
Symmetric key encryption
|
Two trading partners both share one or more secrets. No one else
can read their messages. A different key (or set of keys) is needed for each
pair of trading partners. The same key is used for encryption and decryption.
(Also see Private Key Cryptosystems).
|
SYN (synchronize)
|
A flag set in the initial setup packets to indicate that the
communicating parties are synchronizing the sequence numbers used for the data
transmission
|
Synchronous transmission
|
Block-at-a-time data transmission
|
System exit
|
Special system software features and utilities that allow the
user to perform complex system maintenance. Use of these exits often permits
the user to operate outside of the security access control system.
|
System flowcharts
|
System flowcharts are graphical representations of the sequence
of operations in an information system or program. Information system
flowcharts show how data from source documents flow through the computer to
final distribution to users. Symbols used should be the internationally
accepted standard. System flowcharts should be updated when necessary.
|
System narratives
|
System narratives provide an overview explanation of system
flowcharts, with explanation of key control points and system interfaces.
|
System software
|
A collection of computer programs used in the design, processing
and control of all applications. The programs and processing routines that
control the computer hardware, including the operating system and utility
programs.
|
System testing
|
A series of tests designed to ensure that the modified program
interacts correctly with other system components. These test procedures
typically are performed by the system maintenance staff in their development
library.
|
Systems acquisition process
|
The procedures established to purchase application software, or
an upgrade, including evaluation of the supplier's financial stability, track
record, resources and references from existing customers
|
Systems analysis
|
The systems development phase in which systems specifications
and conceptual designs are developed, based on end-user needs and
requirements
|
Systems development life cycle (SDLC)
|
An approach used to plan, design, develop, test and implement an
application system or a major modification to an application system. Typical
phases include the feasibility study, requirements study, requirements
definition, detailed design, programming, testing, installation and
post-implementation review.
|
Table look-ups
|
Used to ensure that input data agree with predetermined criteria
stored in a table
|
TACACS+ (terminal access controller access control system plus)
|
An authentication protocol, often used by remote-access servers
|
Tape management system (TMS)
|
A system software tool that logs, monitors and directs computer
tape usage
|
Taps
|
Wiring devices that may be inserted into communication links for
use with analysis probes, LAN analyzers and intrusion detection security
systems
|
TCP (transmission control protocol)
|
A connection-based Internet protocol that supports reliable data
transfer connections. Packet data is verified using checksums and
retransmitted if it is missing or corrupted. The application plays no part in
validating the transfer.
|
TCP/IP protocol
|
(Transmission Control Protocol/Internet Protocol) A set of
communications protocols that encompasses media access, packet transport,
session communications, file transfer, electronic mail, terminal emulation,
remote file access and network management. TCP/IP provides the basis for the
Internet.
|
Tcpdump
|
A network monitoring and data acquisition tool that performs
filter translation, packet acquisition and packet display
|
technical infrastructure security
|
Refers to the security of the infrastructure that supports the
ERP: networking and telecommunications, operating systems and databases.
|
Telecommunications
|
Electronic communications by special devices over distances or
around devices that preclude direct interpersonal exchange
|
Teleprocessing
|
Using telecommunications facilities for handling and processing
of computerized information
|
Telnet
|
Used to enable remote access to a server computer. Commands
typed are run on the remote server.
|
Terminal
|
A device for sending and receiving computerized data over
transmission lines
|
Terms of reference
|
A document that confirms the client's and the IS auditor's
acceptance of a review assignment
|
Test data
|
Simulated transactions that can be used to test processing
logic, computations and controls actually programmed in computer applications.
Individual programs or an entire system can be tested. This technique
includes Integrated Test Facilities (ITFs) and Base Case System Evaluations
(BCSEs).
|
Test generators
|
Software used to create data to be used in the testing of
computer programs
|
Test programs
|
Programs that are tested and evaluated before approval into the
production environment. Test programs, through a series of change control
moves, migrate from the test environment to the production environment and
become production programs.
|
Third-party review
|
An independent audit of the control structure of a service
organization, such as a service bureau, with the objective of providing
assurances to the users of the service organization that the internal control
structure is adequate, effective and sound
|
Threat
|
Any situation or event that has the potential to harm a system
|
Token
|
A device that is used to authenticate a user, typically in
addition to a username and password. It is usually a credit card-sized device
that displays a pseudorandom number that changes every few minutes.
|
Token ring topology
|
A type of LAN ring topology in which a frame containing a
specific format, called the token, is passed from one station to the next
around the ring. When a station receives the token, it is allowed to
transmit. The station can send as many frames as desired until a predefined
time limit is reached. When a station either has no more frames to send or
reaches the time limit, it transmits the token. Token passing prevents data
collisions that can occur when two computers begin transmitting at the same
time.
|
Top-level management
|
The highest level of management in the organization, responsible
for direction and control of the organization as a whole (such as director,
general manager, partner, chief officer and executive manager).
|
Topology
|
The physical layout of how computers are linked together.
Examples include ring, star and bus.
|
Transaction
|
Business events or information grouped together because they
have a single or similar purpose. Typically, a transaction is applied to a
calculation or event that then results in the updating of a holding or master
file.
|
Transaction log
|
A manual or automated log of all updates to data files and
databases
|
Transaction protection
|
Also known as "automated remote journaling of redo
logs." A data recovery strategy that is similar to electronic vaulting,
except that instead of transmitting several transaction batches daily, the
archive logs are shipped as they are created.
|
Trap door
|
Unauthorized electronic exits, or doorways, out of an authorized
computer program into a set of malicious instructions or programs
|
Trojan horse
|
Purposefully hidden malicious or damaging code within an
authorized computer program. Unlike viruses, they do not replicate
themselves, but they can be just as destructive to a single computer.
|
Trust
|
Generally, the assumption that an entity will behave
substantially as expected. Trust may apply only for a specific function. The
key role of this term in an authentication framework is to describe the
relationship between an authenticating entity and a certificate authority
(CA). An authenticating entity must be certain that it can trust the CA to
create only valid and reliable certificates, and users of those certificates
rely upon the authenticating entity's determination of trust.
|
Trusted processes
|
Processes certified as supporting a security goal
|
Trusted systems
|
Systems that employ sufficient hardware and software assurance
measures to allow their use for processing of a range of sensitive or
classified information
|
Tuple
|
A row or record consisting of a set of attribute value pairs
(column or field) in a relational data structure
|
Twisted pairs
|
A pair of small, insulated wires that are twisted around each
other to minimize interference from other wires in the cable. This is a
low-capacity transmission medium.
|
UDP (User Datagram Protocol)
|
A connectionless Internet protocol that is designed for network
efficiency and speed at the expense of reliability. A data request by the
client is served by sending packets without testing to verify whether they
actually arrived at the destination or whether they were corrupted in
transit. It is up to the application to determine these factors and request
retransmissions.
|
Uninterruptible power supply (UPS)
|
Provides short-term backup power from batteries for a computer
system when the electrical power fails or drops to an unacceptable voltage
level
|
Unit testing
|
A testing technique that is used to test program logic within a
particular program or module. The purpose of the test is to ensure that the
program meets system development guidelines and does not abnormally end
during processing.
|
Universal Description, Discovery and Integration (UDDI)
|
A web-based version of the traditional phone book's yellow and
white pages enabling businesses to be publicly listed in promoting greater
e-commerce activities.
|
UNIX
|
A multiuser, multitasking operating system that is used widely
as the master control program in workstations and especially servers
|
untrustworthy host
|
To the basic border firewall, add a host that resides on an
untrusted network where the firewall cannot protect it. That host is
minimally configured and carefully managed to be as secure as possible. The
firewall is configured to require incoming and outgoing traffic to go through
the untrustworthy host. The host is referred to as untrustworthy because it
cannot be protected by the firewall; therefore, hosts on the trusted networks
can place only limited trust in it.
|
Uploading
|
The process of electronically sending computerized information
from one computer to another computer. Most often, the transfer is from a
smaller computer to a larger one.
|
Useful audit evidence
|
Audit evidence is useful if it assists the IS auditors in
meeting their audit objectives.
|
Utility programs
|
Specialized system software used to perform particular
computerized functions and routines that are frequently required during
normal processing. Examples include sorting, backing up and erasing data.
|
Utility software
|
Computer programs provided by a computer hardware manufacturer
or software vendor and used in running the system. This technique can be used
to examine processing activities; to test programs, system activities and
operational procedures; to evaluate data file activity; and, to analyze job
accounting data.
|
Vaccine
|
A program designed to detect computer viruses
|
Validity check
|
Programmed checking of data validity in accordance with
predetermined criteria
|
Value-added network (VAN)
|
A data communication network that adds processing services such
as error correction, data translation and/or storage to the basic function of
transporting data
|
Variable sampling
|
A sampling technique used to estimate the average or total value
of a population based on a sample; a statistical model used to project a
quantitative characteristic, such as a dollar amount
|
Verification
|
Checks that data are entered correctly
|
virtual organizations
|
Organizations that have no official physical site presence and
are made up of diverse geographically dispersed or mobile employees.
|
Virtual private network (VPN)
|
A private network that is configured within a public network.
For years, common carriers have built VPNs that appear as private national or
international networks to the customer, but physically share backbone trunks
with other customers. VPNs enjoy the security of a private network via access
control and encryption, while taking advantage of the economies of scale and
built-in management facilities of large public networks.
|
Virus
|
A destructive computer program that spreads from computer to
computer using a range of methods, including infecting floppy disks and other
programs. Viruses typically attach themselves to a program and modify it so
that the virus code runs when the program is first started. The infected
program typically runs normally, but the virus code then infects other
programs whenever it can. (Also see worm.)
|
Voice mail
|
A system of storing messages in a private recording medium where
the called party can later retrieve the messages
|
Vulnerabilities
|
Weaknesses in systems that can be exploited in ways that violate
security policy
|
vulnerability
|
A weakness in system security procedures, system design,
implementation or internal controls that could be exploited to violate system
security.
|
Vulnerability analysis
|
Analysis of the security state of a system or its compromise on
the basis of information collected at intervals
|
War dialler
|
Software packages that sequentially dial telephone numbers,
recording any numbers that answer
|
Warm-site
|
A warm-site is similar to a hot-site; however, it is not fully
equipped with all necessary hardware needed for recovery.
|
waterfall development
|
Also known as traditional development, it is a very
procedure-focused development cycle with formal sign-off at the completion of
each level.
|
web page
|
A viewable screen displaying information, presented through a
web browser in a single view sometimes requiring the user to scroll to review
the entire page. A bank web page may display the bank’s logo, provide
information about bank products and services, or allow a customer to interact
with the bank or third parties that have contracted with the bank.
|
Web Services Description Language (WSDL)
|
An XML-formatted language used to describe a web service's
capabilities as collections of communication endpoints capable of exchanging
messages. WSDL is the language that UDDI uses. (Also see Universal
Description, Discovery and Integration (UDDI))
|
web site
|
Consists of one or more web pages that may originate at one or
more web server computers. A person can view the pages of a website in any
order, as he or she would a magazine.
|
Whitebox testing
|
A testing approach that uses knowledge of a program/module’s
underlying implementation and code intervals to verify its expected behavior.
|
Wide area network (WAN)
|
A computer network connecting different remote locations that
may range from short distances, such as a floor or building, to extremely
long transmissions that encompass a large region or several countries
|
Windows NT
|
A version of the Windows operating system that supports
preemptive multitasking
|
Wiretapping
|
The practice of eavesdropping on information being transmitted
over telecommunications links
|
world wide web (WWW)
|
A sub-network of the Internet through which information is
exchanged by text, graphics, audio and video.
|
World Wide Web Consortium (W3C)
|
An international consortium founded in 1994 of affiliates from
public and private organizations involved with the Internet and the web. The
W3C's primary mission is to promulgate open standards to further enhance the
economic growth of Internet web services globally.
|
Worm
|
With respect to security, a special type of virus that does not
attach itself to programs, but rather spreads via other methods such as
e-mail (also see virus)
|
X.25
|
A protocol for packet-switching networks
|
X.25 interface
|
An interface between data terminal equipment (DTE) and data
circuit-terminating equipment (DCE) for terminals operating in the packet
mode on some public data networks
|
X.500
|
Standard that defines how global directories should be
structured. X.500 directories are hierarchical with different levels for each
category of information, such as country, state and city.
|
Saturday, May 18, 2013
Glossary of Computer Terms