Term    Definition

Abend
    An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing

Acceptable interruption window
    The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives

Acceptable use policy
    A policy that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet

Access control
    The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

Access control list (ACL)
    An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals
    Scope Note: Also referred to as access control tables

Access control table
    An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals

Access method
    The technique used for selecting records in a file, one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization, which determines how the records are stored.

Access path
    The logical route that an end user takes to access computerized information
    Scope Note: Typically includes a route through the operating system, telecommunications software, selected application software and the access control system

Access rights
    The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

Access server
    Provides centralized access control for managing remote access dial-up services

Accountability
    The ability to map a given activity or event back to the responsible party

Accountability of governance
    Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans. In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.
    Scope Note: COBIT 5 perspective

Accountable party
    The individual, group or entity that is ultimately responsible for a subject matter, process or scope
    Scope Note: Within the IT Assurance Framework (ITAF), the term "management" is equivalent to "accountable party."

Page 1 of 103
Acknowledgment (ACK)
    A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly by the receiver without errors, or that the receiver is now ready to accept a transmission

Active recovery site (Mirrored)
    A recovery strategy that involves two active sites, each capable of taking over the other's workload in the event of a disaster
    Scope Note: Each site will have enough idle processing power to restore data from the other site and to accommodate the excess workload in the event of a disaster.

Active response
    A response in which the system either automatically, or in concert with the user, blocks or otherwise affects the progress of a detected attack
    Scope Note: Takes one of three forms: amending the environment, collecting more information or striking back against the user

Activity
    The main actions taken to operate the COBIT process

Address
    Within computer storage, the code used to designate the location of a specific piece of data

Address space
    The number of distinct locations that may be referred to with the machine address
    Scope Note: For most binary machines, it is equal to 2^n, where n is the number of bits in the machine address.

Addressing
    The method used to identify the location of a participant in a network
    Scope Note: Ideally, specifies where the participant is located rather than who they are (name) or how to get there (routing)

Adjusting period
    The calendar can contain "real" accounting periods and/or adjusting accounting periods. The "real" accounting periods must not overlap and cannot have any gaps between them. Adjusting accounting periods can overlap with other accounting periods.
    Scope Note: For example, a period called DEC-93 can be defined that includes 01-DEC-1993 through 31-DEC-1993. An adjusting period called DEC31-93 can also be defined that includes only one day: 31-DEC-1993 through 31-DEC-1993.

Administrative control
    The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies

Advanced Encryption Standard (AES)
    A public algorithm that supports keys from 128 bits to 256 bits in size

Advanced persistent threat (APT)
    An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP 800-61)
    Scope Note: The APT:
    1. pursues its objectives repeatedly over an extended period of time
    2. adapts to defenders' efforts to resist it
    3. is determined to maintain the level of interaction needed to execute its objectives

Adversary
    A threat agent
Adware
    A software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used
    Scope Note: In most cases, this is done without any notification to the user or without the user's consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user's consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and it provides the user with a specific service.

Alert situation
    The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The enterprise entering into an alert situation initiates a series of escalation steps.

Alignment
    A state where the enablers of governance and management of enterprise IT support the goals and strategies of the enterprise
    Scope Note: COBIT 5 perspective

Allocation entry
    A recurring journal entry used to allocate revenues or costs
    Scope Note: For example, an allocation entry could be defined to allocate costs to each department based on headcount.

Alpha
    The use of alphabetic characters or an alphabetic character string

Alternate facilities
    Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed
    Scope Note: Includes other buildings, offices or data processing centers

Alternate process
    Automatic or manual process designed and established to continue critical business processes from point of failure to return to normal

Alternative routing
    A service that allows the option of having an alternate route to complete a call when the marked destination is not available
    Scope Note: In signaling, alternative routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signaling links or routes of that traffic stream.

American Standard Code for Information Interchange
    See ASCII

Amortization
    The process of cost allocation that assigns the original cost of an intangible asset to the periods benefited; calculated in the same way as depreciation

Analog
    A transmission signal that varies continuously in amplitude and time and is generated in wave formation
    Scope Note: Analog signals are used in telecommunications
Analytical technique
    The examination of ratios, trends, and changes in balances and other values between periods to obtain a broad understanding of the enterprise's financial or operational position and to identify areas that may require further or closer investigation
    Scope Note: Often used when planning the assurance assignment

Anomaly
    Unusual or statistically rare

Anomaly detection
    Detection on the basis of whether the system activity matches that defined as abnormal

Anonymity
    The quality or state of not being named or identified

Antimalware
    A technology widely used to prevent, detect and remove many categories of malware, including computer viruses, worms, Trojans, keyloggers, malicious browser plug-ins, adware and spyware

Antivirus software
    An application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done and repair or quarantine files that have already been infected

Appearance
    The act of giving the idea or impression of being or doing something

Appearance of independence
    Behavior adequate to meet the situations occurring during audit work (interviews, meetings, reporting, etc.)
    Scope Note: An IS auditor should be aware that appearance of independence depends on the perceptions of others and can be influenced by improper actions or associations.

Applet
    A program written in a portable, platform-independent computer language, such as Java, JavaScript or Visual Basic
    Scope Note: An applet is usually embedded in a HyperText Markup Language (HTML) page downloaded from web servers and then executed by a browser on client machines to run any web-based application (e.g., generate web page input forms, run audio/video programs, etc.). Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers. However, applets expose the user's machine to risk if not properly controlled by the browser, which should not allow an applet to access a machine's information without prior authorization of the user.

Application
    A computer program or set of programs that performs the processing of records for a specific function
    Scope Note: Contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort

Application acquisition review
    An evaluation of an application system being acquired or evaluated, that considers such matters as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is acquired in compliance with the established system acquisition process

Application architecture
    Description of the logical grouping of capabilities that manage the objects necessary to process information and support the enterprise's objectives.
    Scope Note: COBIT 5 perspective
Application benchmarking
    The process of establishing the effective design and operation of automated controls within an application

Application controls
    The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved

Application development review
    An evaluation of an application system under development that considers matters such as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is developed in compliance with the established system development life cycle process

Application implementation review
    An evaluation of any part of an implementation project
    Scope Note: Examples include project management, test plans and user acceptance testing (UAT) procedures.

Application layer
    In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication with another application program in a network is possible.
    Scope Note: The application layer is not the application that is doing the communication; it is a service layer that provides these services.

Application maintenance review
    An evaluation of any part of a project to perform maintenance on an application system
    Scope Note: Examples include project management, test plans and user acceptance testing (UAT) procedures.

Application or managed service provider (ASP/MSP)
    A third party that delivers and manages applications and computer services, including security services, to multiple users via the Internet or a private network

Application program
    A program that processes business data through activities such as data entry, update or query
    Scope Note: Contrasts with systems programs, such as an operating system or network control program, and with utility programs such as copy or sort

Application programming
    The act or function of developing and maintaining application programs in production

Application programming interface (API)
    A set of routines, protocols and tools referred to as "building blocks" used in business application software development
    Scope Note: A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system that applications need to specify, for example, when interfacing with the operating system (e.g., provided by Microsoft Windows, different versions of UNIX). A programmer utilizes these APIs in developing applications that can operate effectively and efficiently on the platform chosen.

Application proxy
    A service that connects programs running on internal networks to services on exterior networks by creating two connections, one from the requesting client and another to the destination service

Application security
    Refers to the security aspects supported by the application, primarily with regard to the roles or responsibilities and audit trails within the applications
Application service provider (ASP)
    Also known as managed service provider (MSP), it deploys, hosts and manages access to a packaged application to multiple parties from a centrally managed facility.
    Scope Note: The applications are delivered over networks on a subscription basis.

Application software tracing and mapping
    Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, control conditions and processing sequences
    Scope Note: Both the command language or job control statements and programming language can be analyzed. This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons.

Application system
    An integrated set of computer programs designed to serve a particular function that has specific input, processing and output activities
    Scope Note: Examples include general ledger, manufacturing resource planning and human resource (HR) management.

Architecture
    Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectives

Architecture board
    A group of stakeholders and experts who are accountable for guidance on enterprise architecture-related matters and decisions, and for setting architectural policies and standards
    Scope Note: COBIT 5 perspective

Arithmetic logic unit (ALU)
    The area of the central processing unit (CPU) that performs mathematical and analytical operations

Artificial intelligence
    Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules

ASCII
    Representing 128 characters, the American Standard Code for Information Interchange (ASCII) code normally uses 7 bits. However, some variations of the ASCII code set allow 8 bits. This 8-bit ASCII code allows 256 characters to be represented.

Assembler
    A program that takes as input a program written in assembly language and translates it into machine code or machine language

Assembly language
    A low-level computer programming language which uses symbolic code and produces machine instructions

Assertion
    Any formal declaration or set of declarations about the subject matter made by management
    Scope Note: Assertions should usually be in writing and commonly contain a list of specific attributes about the subject matter or about a process involving the subject matter.

Assessment
    A broad review of the different aspects of a company or function that includes elements not covered by a structured assurance initiative
    Scope Note: May include opportunities for reducing the costs of poor quality, employee perceptions on quality aspects, proposals to senior management on policy, goals, etc.
Asset
    Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation

Assurance
    Pursuant to an accountable relationship between two or more parties, an IT audit and assurance professional is engaged to issue a written communication expressing a conclusion about the subject matters for which the accountable party is responsible. Assurance refers to a number of related activities designed to provide the reader or user of the report with a level of assurance or comfort over the subject matter.
    Scope Note: Assurance engagements could include support for audited financial statements, reviews of controls, compliance with required standards and practices, and compliance with agreements, licenses, legislation and regulation.

Assurance engagement
    An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the enterprise.
    Scope Note: Examples may include financial, performance, compliance and system security engagements

Assurance initiative
    An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the enterprise
    Scope Note: Examples may include financial, performance, compliance and system security engagements.

Asymmetric key (public key)
    A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message
    Scope Note: See Public key encryption.

Asynchronous Transfer Mode (ATM)
    A high-bandwidth, low-delay switching and multiplexing technology that allows integration of real-time voice and video as well as data. It is a data link layer protocol.
    Scope Note: ATM is a protocol-independent transport mechanism. It allows high-speed data transfer rates at up to 155 Mbit/s. The acronym ATM should not be confused with the alternate usage for ATM, which refers to an automated teller machine.

Asynchronous transmission
    Character-at-a-time transmission

Attack
    An actual occurrence of an adverse event

Attack mechanism
    A method used to deliver the exploit. Unless the attacker is personally performing the attack, an attack mechanism may involve a payload, or container, that delivers the exploit to the target.

Attack vector
    A path or route used by the adversary to gain access to the target (asset)
    Scope Note: There are two types of attack vectors: ingress and egress (also known as data exfiltration)

Attenuation
    Reduction of signal strength during transmission
Attest reporting engagement
    An engagement in which an IS auditor is engaged to either examine management's assertion regarding a particular subject matter or the subject matter directly
    Scope Note: The IS auditor's report consists of an opinion on one of the following: the subject matter. These reports relate directly to the subject matter itself rather than to an assertion. In certain situations management will not be able to make an assertion over the subject of the engagement. An example of this situation is when IT services are outsourced to a third party. Management will not ordinarily be able to make an assertion over the controls that the third party is responsible for. Hence, an IS auditor would have to report directly on the subject matter rather than on an assertion.

Attitude
    Way of thinking, behaving, feeling, etc.

Attribute sampling
    Method to select a portion of a population based on the presence or absence of a certain characteristic

Audit
    Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met
    Scope Note: May be carried out by internal or external groups

Audit accountability
    Performance measurement of service delivery including cost, timeliness and quality against agreed service levels

Audit authority
    A statement of the position within the enterprise, including lines of reporting and the rights of access

Audit charter
    A document approved by those charged with governance that defines the purpose, authority and responsibility of the internal audit activity
    Scope Note: The charter should:
    - Establish the internal audit function's position within the enterprise
    - Authorize access to records, personnel and physical properties relevant to the performance of IS audit and assurance engagements
    - Define the scope of the audit function's activities

Audit engagement
    A specific audit assignment or review activity, such as an audit, control self-assessment review, fraud examination or consultancy.
    Scope Note: An audit engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.

Audit evidence
    The information used to support the audit opinion

Audit expert systems
    Expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field
    Scope Note: This technique includes automated risk analysis, systems software and control objectives software packages.

Audit objective
    The specific goal(s) of an audit
    Scope Note: These often center on substantiating the existence of internal controls to minimize business risk.
Audit plan
    1. A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion
    Scope Note: Includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work
    2. A high-level description of the audit work to be performed in a certain period of time

Audit program
    A step-by-step set of audit procedures and instructions that should be performed to complete an audit

Audit responsibility
    The roles, scope and objectives documented in the service level agreement (SLA) between management and audit

Audit risk
    The risk of reaching an incorrect conclusion based upon audit findings
    Scope Note: The three components of audit risk are:
    - Control risk
    - Detection risk
    - Inherent risk

Audit sampling
    The application of audit procedures to less than 100 percent of the items within a population to obtain audit evidence about a particular characteristic of the population

Audit subject matter risk
    Risk relevant to the area under review:
    - Business risk (customer capability to pay, creditworthiness, market factors, etc.)
    - Contract risk (liability, price, type, penalties, etc.)
    - Country risk (political, environment, security, etc.)
    - Project risk (resources, skill set, methodology, product stability, etc.)
    - Technology risk (solution, architecture, hardware and software infrastructure network, delivery channels, etc.)
    Scope Note: See inherent risk

Audit trail
    A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source

Audit universe
    An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process
    Scope Note: Traditionally, the list includes all financial and key operational systems as well as other units that would be audited as part of the overall cycle of planned work. The audit universe serves as the source from which the annual audit schedule is prepared. The universe will be periodically revised to reflect changes in the overall risk profile.

Auditability
    The level to which transactions can be traced and audited through a system
Auditable unit
    Subjects, units or systems that are capable of being defined and evaluated
    Scope Note: Auditable units may include:
    - Policies, procedures and practices
    - Cost centers, profit centers and investment centers
    - General ledger account balances
    - Information systems (manual and computerized)
    - Major contracts and programs
    - Organizational units, such as product or service lines
    - Functions, such as information technology (IT), purchasing, marketing, production, finance, accounting and human resources (HR)
    - Transaction systems for activities, such as sales, collection, purchasing, disbursement, inventory and cost accounting, production, treasury, payroll, and capital assets
    - Financial statements
    - Laws and regulations

Auditor's opinion
    A formal statement expressed by the IS auditor/assurance professional that describes the scope of the audit, the procedures used to produce the report and whether or not the findings support that the audit criteria have been met.
    Scope Note: The types of opinions are:
    - Unqualified opinion: Notes no exceptions or none of the exceptions noted aggregate to a significant deficiency
    - Qualified opinion: Notes exceptions aggregated to a significant deficiency (but not a material weakness)
    - Adverse opinion: Notes one or more significant deficiencies aggregating to a material weakness

Authentication
    1. The act of verifying identity (i.e., user, system)
    Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data
    2. The act of verifying the identity of a user and the user's eligibility to access computerized information
    Scope Note: Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.

Authenticity
    Undisputed authorship

Automated application controls
    Controls that have been programmed and embedded within an application

Availability
    Ensuring timely and reliable access to and use of information

Awareness
    Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly

Backdoor
    A means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions
Backbone
    The main communication channel of a digital network. The part of a network that handles the major traffic
    Scope Note: Employs the highest-speed transmission paths in the network and may also run the longest distances. Smaller networks are attached to the backbone, and networks that connect directly to the end user or customer are called "access networks." A backbone can span a geographic area of any size from a single building to an office complex to an entire country. Or, it can be as small as a backplane in a single cabinet.

Backup
    Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service

Backup center
    An alternate facility to continue IT/IS operations when the primary data processing (DP) center is unavailable

Badge
    A card or other device that is presented or displayed to obtain access to an otherwise restricted facility, as a symbol of authority (e.g., the police), or as a simple means of identification
    Scope Note: Also used in advertising and publicity

Balanced scorecard (BSC)
    Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives

Bandwidth
    The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).

Bar code
    A printed machine-readable code that consists of parallel bars of varied width and spacing

Base case
    A standardized body of data created for testing purposes
    Scope Note: Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.

Baseband
    A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division and usually utilize a transceiver
    Scope Note: The entire bandwidth of the transmission medium (e.g., coaxial cable) is utilized for a single channel.

Baseline architecture
    The existing description of the fundamental underlying design of the components of the business system before entering a cycle of architecture review and redesign
    Scope Note: COBIT 5 perspective

Bastion
    System heavily fortified against attacks

Batch control
    Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage
    Scope Note: There are two main forms of batch controls: sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed; and control total, which is a total of the values in selected fields within the transactions.
Batch processing
    The processing of a group of transactions at the same time
    Scope Note: Transactions are collected and processed against the master files at a specified time.

Baud rate
    The rate of transmission for telecommunications data, expressed in bits per second (bps)

Benchmark
    A test that has been designed to evaluate the performance of a system
    Scope Note: In a benchmark test, a system is subjected to a known workload and the performance of the system against this workload is measured. Typically, the purpose is to compare the measured performance with that of other systems that have been subject to the same benchmark test.

Benchmarking
    A systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business
    Scope Note: Examples include benchmarking of quality, logistic efficiency and various other metrics.

Benefit
    In business, an outcome whose nature and value (expressed in various ways) are considered advantageous by an enterprise

Benefits realization
    One of the objectives of governance. The bringing about of new benefits for the enterprise, the maintenance and extension of existing forms of benefits, and the elimination of those initiatives and assets that are not creating sufficient value
    Scope Note: COBIT 5 perspective

Binary code
    A code whose representation is limited to 0 and 1

Biometric locks
    Door and entry locks that are activated by such biometric features as voice, eye retina, fingerprint or signature

Biometrics
    A security technique that verifies an individual's identity by analyzing a unique physical attribute, such as a handprint

Bit-stream image
    Bit-stream backups, also referred to as mirror image backups, involve the backup of all areas of a computer hard disk drive or other type of storage media.
    Scope Note: Such backups exactly replicate all sectors on a given storage device including all files and ambient data storage areas.

Black box testing
    A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code intervals

Block cipher
    A public algorithm that operates on plaintext in blocks (strings or groups) of bits

Botnet
    A term derived from "robot network"; is a large automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as a denial-of-service attack on selected victims

Boundary
    Logical and physical controls to define a perimeter between the organization and the outside world
Term
Bridge
Definition
Datalinklayerdevicedevelopedintheearly1980stoconnectlocalareanetworks(LANs)orcreate
two separate LAN or wide area network (WAN) network segments from a single segment to reduce
twoseparateLANorwideareanetwork(WAN)networksegmentsfromasinglesegmenttoreduce
collisiondomains
ScopeNote:Abridgeactsasastoreandforwarddeviceinmovingframestowardtheirdestination.
ThisisachievedbyanalyzingtheMACheaderofadatapacket,whichrepresentsthehardware
addressofanNIC.
Bringyourowndevice Anenterprisepolicyusedtopermitpartialorfullintegrationofuserownedmobiledevicesfor
(BYOD)
businesspurposes
Broadband
Multiplechannelsareformedbydividingthetransmissionmediumintodiscretefrequency
segments.
Broadcast
Brouter
ScopeNote:Broadbandgenerallyrequirestheuseofamodem.
Amethodtodistributeinformationtomultiplerecipientssimultaneously
Device that performs the functions of both a bridge and a router
Devicethatperformsthefunctionsofbothabridgeandarouter
ScopeNote:Abrouteroperatesatboththedatalinkandthenetworklayers.Itconnectssamedata
linktypeLANsegmentsaswellasdifferentdatalinkones,whichisasignificantadvantage.Likea
bridge,itforwardspacketsbasedonthedatalinklayeraddresstoadifferentnetworkofthesame
type.Also,wheneverrequired,itprocessesandforwardsmessagestoadifferentdatalinktype
networkbasedonthenetworkprotocoladdress.Whenconnectingsamedatalinktypenetworks,it
isasfastasabridgeandisabletoconnectdifferentdatalinktypenetworks.
Browser
Bruteforce
Brute force attack
Bruteforceattack
Budget
Budgetformula
Budgethierarchy
Budgetorganization
Buffer
Acomputerprogramthatenablestheusertoretrieveinformationthathasbeenmadepublicly
availableontheInternet;also,thatpermitsmultimedia(graphics)applicationsontheWorldWide
Web
Aclassofalgorithmsthatrepeatedlytryallpossiblecombinationsuntilasolutionisfound
Repeatedly trying all possible combinations of passwords or encryption keys until the correct one is
Repeatedlytryingallpossiblecombinationsofpasswordsorencryptionkeysuntilthecorrectoneis
found
Estimatedcostandrevenueamountsforagivenrangeofperiodsandsetofbooks
ScopeNote:Therecanbemultiplebudgetversionsforthesamesetofbooks.
Amathematicalexpressionusedtocalculatebudgetamountsbasedonactualresults,otherbudget
amountsandstatistics.
ScopeNote:Withbudgetformulas,budgetsusingcomplexequations,calculationsandallocations
canbeautomaticallycreated.
Agroupofbudgetslinkedtogetheratdifferentlevelssuchthatthebudgetingauthorityofalower
levelbudgetiscontrolledbyanupperlevelbudget
Anentity(department,costcenter,divisionorothergroup)responsibleforenteringand
maintaining budget data
maintainingbudgetdata
Memoryreservedtotemporarilyholddatatooffsetdifferencesbetweentheoperatingspeedsof
differentdevices,suchasaprinterandacomputer
ScopeNote:Inaprogram,buffersarereservedareasofrandomaccessmemory(RAM)thathold
datawhiletheyarebeingprocessed.
Buffer overflow
Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold
Scope Note: Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that could, for example, damage the user's files, change data, or disclose confidential information. Buffer overflow attacks are said to have arisen because the C programming language supplied the framework, and poor programming practices supplied the vulnerability.

Bulk data transfer
A data recovery strategy that includes a recovery from complete backups that are physically shipped offsite once a week
Scope Note: Specifically, logs are batched electronically several times daily, and then loaded into a tape library located at the same facility as the planned recovery.

Bus
Common path or channel between hardware devices
Scope Note: Can be located between components internal to a computer or between external computers in a communication network.

Bus configuration
All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes.
Scope Note: This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a connector to make a longer cable for more computers to join the network. A repeater can also be used to extend a bus configuration.

Business balanced scorecard
A tool for managing organizational strategy that uses weighted measures for the areas of financial performance (lag) indicators, internal operations, customer measurements, learning and growth (lead) indicators, combined to rate the enterprise

Business case
Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle

Business continuity
Preventing, mitigating and recovering from disruption
Scope Note: The terms business resumption planning, disaster recovery planning and contingency planning also may be used in this context; they focus on recovery aspects of continuity, and for that reason the resilience aspect should also be taken into account.

Business continuity plan (BCP)
A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems
Scope Note: COBIT 5 perspective
Business control
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected

Business dependency assessment
A process of identifying resources critical to the operation of a business process

Business function
An activity that an enterprise does, or needs to do, to achieve its objectives

Business goal
The translation of the enterprise's mission from a statement of intention into performance targets and results

Business impact
The net effect, positive or negative, on the achievement of business objectives

Business impact analysis (BIA)
A process to determine the impact of losing the support of any resource
Scope Note: The BIA assessment study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision.

Business impact analysis/assessment (BIA)
Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system
Scope Note: This process also includes addressing:
Income loss
Unexpected expense
Legal issues (regulatory compliance or contractual)
Interdependent processes
Loss of public reputation or public confidence

Business interruption
Any event, whether anticipated (i.e., public service strike) or unanticipated (i.e., blackout) that disrupts the normal course of business operations at an enterprise

Business Model for Information Security (BMIS)
A holistic and business-oriented model that supports enterprise governance and management information security, and provides a common language for information security professionals and business management

Business objective
A further development of the business goals into tactical targets and desired results and outcomes

Business process
An interrelated set of cross-functional activities or events that result in the delivery of a specific product or service to a customer

Business process control
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that a business process will achieve its objectives.
Scope Note: COBIT 5 perspective

Business process integrity
Controls over the business processes that are supported by the enterprise resource planning system (ERP)
Business process owner
The individual responsible for identifying process requirements, approving process design and managing process performance
Scope Note: Must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities

Business process reengineering (BPR)
The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings

Business risk
A probable situation with uncertain frequency and magnitude of loss (or gain)

Business service provider (BSP)
An application service provider (ASP) that also provides outsourcing of business processes such as payment processing, sales order processing and application development

Business sponsor
The individual accountable for delivering the benefits and value of an IT-enabled business investment program to the enterprise

Business-to-business
Transactions in which the acquirer is an enterprise or an individual operating in the ambits of his/her professional activity. In this case, laws and regulations related to consumer protection are not applicable.
Scope Note: The contract's general terms should be communicated to the other party and specifically approved. Some companies require the other party to fill out checkboxes where there is a description such as "I specifically approve the clauses." This is not convincing; the best solution is the adoption of a digital signature scheme, which allows the approval of clauses and terms with the nonrepudiation condition.

Business-to-consumer
Selling processes in which the involved parties are the enterprise, which offers goods or services, and a consumer. In this case there is comprehensive legislation that protects the consumer.
Scope Note: Comprehensive legislation includes:
Regarding contracts established outside the merchant's property (such as the right to end the contract with full refund or the return policy for goods)
Regarding distance contracts (such as rules that establish how a contract should be written, specific clauses and the need to transmit to the consumer and approve it)
Regarding electronic form of the contract (such as on the Internet, the possibility for the consumer to exit from the procedure without having his/her data recorded)

Business-to-consumer e-commerce (B2C)
Refers to the processes by which enterprises conduct business electronically with their customers and/or public at large using the Internet as the enabling technology

Bypass label processing (BLP)
A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system.

Cadbury
The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was chaired by Sir Adrian Cadbury and produced a report on the subject commonly known in the UK as the Cadbury Report.

Capability
An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential, or is required, to contribute to a business outcome and to create value
Capability Maturity Model (CMM)
1. Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.
2. CMM for software, from the Software Engineering Institute (SEI), is a model used by many enterprises to identify best practices useful in helping them assess and increase the maturity of their software development processes
Scope Note: CMM ranks software development enterprises according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes and the standards for level five describe the most mature or quality processes.
A maturity model that indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives
A collection of instructions that an enterprise can follow to gain better control over its software

Capacity stress testing
Testing an application with large quantities of data to evaluate its performance during peak periods. Also called volume testing

Capital expenditure/expense (CAPEX)
An expenditure that is recorded as an asset because it is expected to benefit more than the current period. The asset is then depreciated or amortized over the expected useful life of the asset.

Card swipe
A physical control technique that uses a secured card or ID to gain access to a highly sensitive location.
Scope Note: If built correctly, card swipes act as a preventive control over physical access to those sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs all card users who try to access the secured location. The card swipe device prevents unauthorized access and logs all attempts to enter the secured location.

Cathode ray tube (CRT)
A vacuum tube that displays data by means of an electron beam striking the screen, which is coated with suitable phosphor material or a device similar to a television screen on which data can be displayed

Central processing unit (CPU)
Computer hardware that houses the electronic circuits that control/direct all operations of the computer system

Centralized data processing
Identified by one central processor and databases that form a distributed processing configuration

Certificate (Certification) authority (CA)
A trusted third party that serves authentication infrastructures or enterprises and registers entities and issues them certificates
Certificate revocation list (CRL)
An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility
Scope Note: The CRL details digital certificates that are no longer valid. The time gap between two updates is very critical and is also a risk in digital certificates verification.

Certification practice statement (CPS)
A detailed set of rules governing the certificate authority's operations. It provides an understanding of the value and trustworthiness of certificates issued by a given certificate authority (CA).
Scope Note: In terms of the controls that an enterprise observes, the method it uses to validate the authenticity of certificate applicants and the CA's expectations of how its certificates may be used

Chain of custody
A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law.
Scope Note: Includes documentation as to who had access to the evidence and when, as well as the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence, so it cannot be changed, and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering.

Challenge/response token
A method of user authentication that is carried out through use of the Challenge Handshake Authentication Protocol (CHAP)
Scope Note: When a user tries to log into the server using CHAP, the server sends the user a "challenge," which is a random value. The user enters a password, which is used as an encryption key to encrypt the "challenge" and return it to the server. The server is aware of the password. It, therefore, encrypts the "challenge" value and compares it with the value received from the user. If the values match, the user is authenticated. The challenge/response activity continues throughout the session and this protects the session from password sniffing attacks. In addition, CHAP is not vulnerable to "man-in-the-middle" attacks because the challenge value is a random value that changes on each access attempt.

Change management
A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or "soft" elements of change
Scope Note: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources (HR) policies and procedures, executive coaching, change leadership training, team building and communication planning and execution
Channel service unit/digital service unit (CSU/DSU)
Interfaces at the physical layer of the open systems interconnection (OSI) reference model, data terminal equipment (DTE) to data circuit terminating equipment (DCE), for switched carrier networks

Chargeback
The redistribution of expenditures to the units within a company that gave rise to them.
Scope Note: Chargeback is important because without such a policy, misleading views may be given as to the real profitability of a product or service because certain key expenditures will be ignored or calculated according to an arbitrary formula.

Check digit
A numeric value, which has been calculated mathematically, is added to data to ensure that original data have not been altered or that an incorrect, but valid match has occurred.
Scope Note: Check digit control is effective in detecting transposition and transcription errors.

Check digit verification (self-checking digit)
A programmed edit or routine that detects transposition and transcription errors by calculating and checking the check digit

Checklist
A list of items that is used to verify the completeness of a task or goal
Scope Note: Used in quality assurance (and in general, in information systems audit), to check process compliance, code standardization and error prevention, and other items for which consistency processes or standards have been defined

Checkpoint restart procedures
A point in a routine at which sufficient information can be stored to permit restarting the computation from that point

Checksum
A mathematical value that is assigned to a file and used to test the file at a later date to verify that the data contained in the file has not been maliciously changed
Scope Note: A cryptographic checksum is created by performing a complicated series of mathematical operations (known as a cryptographic algorithm) that translates the data in the file into a fixed string of digits called a hash value, which is then used as the checksum. Without knowing which cryptographic algorithm was used to create the hash value, it is highly unlikely that an unauthorized person would be able to change data without inadvertently changing the corresponding checksum. Cryptographic checksums are used in data transmission and data storage. Cryptographic checksums are also known as message authentication codes, integrity check values, modification detection codes or message integrity codes.

Chief executive officer (CEO)
The highest ranking individual in an enterprise

Chief financial officer (CFO)
The individual primarily responsible for managing the financial risk of an enterprise

Chief information officer (CIO)
The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources
Scope Note: In some cases, the CIO role has been expanded to become the chief knowledge officer (CKO) who deals in knowledge, not just information. Also see chief technology officer (CTO).
Chief Information Security Officer (CISO)
The person in charge of information security within the enterprise

Chief Security Officer (CSO)
The person usually responsible for all security matters both physical and digital in an enterprise

Chief technology officer (CTO)
The individual who focuses on technical issues in an enterprise
Scope Note: Often viewed as synonymous with chief information officer (CIO)

Cipher
An algorithm to perform encryption

Ciphertext
Information generated by an encryption algorithm to protect the plaintext and that is unintelligible to the unauthorized reader.

Circuit-switched network
A data transmission service requiring the establishment of a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE
Scope Note: A circuit-switched data transmission service uses a connection network.

Circular routing
In open systems architecture, circular routing is the logical path of a message in a communication network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model.

Cleartext
Data that is not encrypted. Also known as plaintext.

Client-server
A group of computers connected by a communication network, in which the client is the requesting machine and the server is the supplying machine
Scope Note: Software is specialized at both ends. Processing may take place on either the client or the server, but it is transparent to the user.

Cloud computing
Convenient, on-demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction

Cluster controller
A communication terminal control hardware unit that controls a number of computer terminals
Scope Note: All messages are buffered by the controller and then transmitted to the receiver.

Coaxial cable
Composed of an insulated wire that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second wire
Scope Note: Has a greater transmission capacity than standard twisted pair cables, but has a limited range of effective distance
COBIT
1. COBIT 5: Formerly known as Control Objectives for Information and related Technology (COBIT); now used only as the acronym in its fifth iteration. A complete, internationally accepted framework for governing and managing enterprise information and technology (IT) that supports enterprise executives and management in their definition and achievement of business goals and related IT goals. COBIT describes five principles and seven enablers that support enterprises in the development, implementation, and continuous improvement and monitoring of good IT-related governance and management practices
Scope Note: Earlier versions of COBIT focused on control objectives related to IT processes, management and control of IT processes and IT governance aspects. Adoption and use of the COBIT framework are supported by guidance from a growing family of supporting products. (See www.isaca.org/cobit for more information.)
2. COBIT 4.1 and earlier: Formally known as Control Objectives for Information and related Technology (COBIT). A complete, internationally accepted process framework for IT that supports business and IT executives and management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management

CoCo
Criteria of Control, published by the Canadian Institute of Chartered Accountants in 1995

Code of ethics
A document designed to influence individual and organizational behavior of employees, by defining organizational values and the rules to be applied in certain situations.
Scope Note: A code of ethics is adopted to assist those in the enterprise called upon to make decisions understand the difference between 'right' and 'wrong' and to apply this understanding to their decisions.

Coevolving
Originated as a biological term, refers to the way two or more ecologically interdependent species become intertwined over time
Scope Note: As these species adapt to their environment they also adapt to one another. Today's multibusiness companies need to take their cue from biology to survive. They should assume that links among businesses are temporary and that the number of connections, not just their content, matters. Rather than plan collaborative strategy from the top, as traditional companies do, corporate executives in coevolving companies should simply set the context and let collaboration (and competition) emerge from business units.

Coherence
Establishing a potent binding force and sense of direction and purpose for the enterprise, relating different parts of the enterprise to each other and to the whole to act as a seemingly unique entity
Scope Note: COBIT 5 perspective

Cohesion
The extent to which a system unit (subroutine, program, module, component, subsystem) performs a single dedicated function.
Scope Note: Generally, the more cohesive the unit, the easier it is to maintain and enhance a system because it is easier to determine where and how to apply a change.
Cold site
An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place
Scope Note: The site is ready to receive the necessary replacement computer equipment in the event that the users have to move from their main computing location to the alternative computer facility.

Collision
The situation that occurs when two or more demands are made simultaneously on equipment that can handle only one at any given instant (Federal Standard 1037C)

Combined Code on Corporate Governance
The consolidation in 1998 of the "Cadbury," "Greenbury" and "Hampel" Reports
Scope Note: Named after the Committee Chairs, these reports were sponsored by the UK Financial Reporting Council, the London Stock Exchange, the Confederation of British Industry, the Institute of Directors, the Consultative Committee of Accountancy Bodies, the National Association of Pension Funds and the Association of British Insurers to address the financial aspects of corporate governance, directors' remuneration and the implementation of the Cadbury and Greenbury recommendations.

Common Attack Pattern Enumeration and Classification (CAPEC)
A catalogue of attack patterns as an abstraction mechanism for helping describe how an attack against vulnerable systems or networks is executed, published by the MITRE Corporation

Communication processor
A computer embedded in a communications system that generally performs the basic tasks of classifying network traffic and enforcing network policy functions
Scope Note: An example is the message data processor of a defense digital network (DDN) switching center. More advanced communication processors may perform additional functions.

Communications controller
Small computers used to connect and coordinate communication links between distributed or remote devices and the main computer, thus freeing the main computer from this overhead function
Community strings
Authenticate access to management information base (MIB) objects and function as embedded passwords
Scope Note: Examples are:
Read-only (RO): Gives read access to all objects in the MIB except the community strings, but does not allow write access
Read-write (RW): Gives read and write access to all objects in the MIB, but does not allow access to the community strings
Read-write-all: Gives read and write access to all objects in the MIB, including the community strings (only valid for Catalyst 4000, 5000 and 6000 series switches)
Simple Network Management Protocol (SNMP) community strings are sent across the network in cleartext. The best way to protect an operating system (OS) software-based device from unauthorized SNMP management is to build a standard IP access list that includes the source address of the management station(s). Multiple access lists can be defined and tied to different community strings. If logging is enabled on the access list, then log messages are generated every time that the device is accessed from the management station. The log message records the source IP address of the packet.

Comparison program
A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences

Compartmentalization
A process for protecting very high value assets or in environments where trust is an issue. Access to an asset requires two or more processes, controls or individuals.

Compensating control
An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions

Competence
The ability to perform a specific task, action or function successfully
Scope Note: COBIT 5 perspective

Competencies
The strengths of an enterprise or what it does well
Scope Note: Can refer to the knowledge, skills and abilities of the assurance team or individuals conducting the work.

Compiler
A program that translates programming language (source code) into machine executable instructions (object code)

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
A type of challenge-response test used in computing to ensure that the response is not generated by a computer. An example is the site request for web site users to recognize and type a phrase posted using various challenging-to-read fonts.

Completely connected (mesh) configuration
A network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks)

Completeness check
A procedure designed to ensure that no fields are missing from a record

Compliance
Adherence to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies
Compliance documents
Policies, standards and procedures that document the actions that are required or prohibited. Violations may be subject to disciplinary actions.

Compliance testing
Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period

Component
A general term that is used to mean one part of something more complex
Scope Note: For example, a computer system may be a component of an IT service, or an application may be a component of a release unit. Components are cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as many pre-developed, pre-tested components as possible.

Comprehensive audit
An audit designed to determine the accuracy of financial records as well as to evaluate the internal controls of a function or department

Computationally greedy
Requiring a great deal of computing power; processor intensive

Computer emergency response team (CERT)
A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.

Computer forensics
The application of the scientific method to digital media to establish factual information for judicial review
Scope Note: This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communication and digital storage devices) in a way that is admissible as evidence in a court of law.

Computer sequence checking
Verifies that the control number follows sequentially and that any control numbers out of sequence are rejected or noted on an exception report for further research

Computer server
1. A computer dedicated to servicing requests for resources from other computers on a network. Servers typically run network operating systems.
2. A computer that provides services to another computer (the client)

Computer-aided software engineering (CASE)
The use of software packages that aid in the development of all phases of an information system
Scope Note: System analysis, design programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.

Computer-assisted audit technique (CAAT)
Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities
Page 24 of 103
Concurrency control
  Refers to a class of controls used in a database management system (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serial and recoverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions.

Concurrent access
  A failover process, in which all nodes run the same resource group (there can be no [Internet Protocol] IP or [mandatory access control] MAC address in a concurrent resource group) and access the external storage concurrently.

Confidentiality
  Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information.

Configurable control
  Typically, an automated control that is based on, and therefore dependent on, the configuration of parameters within the application system.

Configuration item (CI)
  Component of an infrastructure or an item, such as a request for change, associated with an infrastructure which is (or is to be) under the control of configuration management.
  Scope Note: May vary widely in complexity, size and type, from an entire system (including all hardware, software and documentation) to a single module or a minor hardware component.

Configuration management
  The control of changes to a set of configuration items over a system life cycle.

Console log
  An automated detail report of computer system activity.

Consulted
  In a RACI (responsible, accountable, consulted, informed) chart, refers to those people whose opinions are sought on an activity (two-way communication).

Consumerization
  A new model in which emerging technologies are first embraced by the consumer market and later spread to the business.

Containment
  Actions taken to limit exposure after an incident has been identified and confirmed.

Content filtering
  Controlling access to a network by analyzing the contents of the incoming and outgoing packets and either letting them pass or denying them based on a list of rules.
  Scope Note: Differs from packet filtering in that it is the data in the packet that are analyzed instead of the attributes of the packet itself (e.g., source/target IP address, transmission control protocol [TCP] flags).

Context
  The overall set of internal and external factors that might influence or determine how an enterprise, entity, process or individual acts.
  Scope Note: Context includes:
  - technology context (technological factors that affect an enterprise's ability to extract value from data)
  - data context (data accuracy, availability, currency and quality)
  - skills and knowledge (general experience and analytical, technical and business skills)
  - organizational and cultural context (political factors and whether the enterprise prefers data to intuition)
  - strategic context (strategic objectives of the enterprise)
  COBIT 5 perspective

Contingency plan
  A plan used by an enterprise or business unit to respond to a specific systems failure or disruption.
Contingency planning
  Process of developing advance arrangements and procedures that enable an enterprise to respond to an event that could occur by chance or unforeseen circumstances.

Continuity
  Preventing, mitigating and recovering from disruption.
  Scope Note: The terms "business resumption planning," "disaster recovery planning" and "contingency planning" also may be used in this context; they all concentrate on the recovery aspects of continuity.

Continuous auditing approach
  This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.

Continuous availability
  Nonstop service, with no lapse in service; the highest level of service in which no downtime is allowed.

Continuous improvement
  The goals of continuous improvement (Kaizen) include the elimination of waste, defined as "activities that add cost, but do not add value;" just-in-time (JIT) delivery; production load leveling of amounts and types; standardized work; paced moving lines; and right-sized equipment.
  Scope Note: A closer definition of the Japanese usage of Kaizen is "to take it apart and put it back together in a better way." What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes.

Control
  The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature.
  Scope Note: Also used as a synonym for safeguard or countermeasure. See also Internal control.

Control center
  Hosts the recovery meetings where disaster recovery operations are managed.

Control framework
  A set of fundamental controls that facilitates the discharge of business process owner responsibilities to prevent financial or information loss in an enterprise.

Control group
  Members of the operations area who are responsible for the collection, logging and submission of input for the various user groups.

Control objective
  A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.

Control Objectives for Enterprise Governance
  A discussion document that sets out an "enterprise governance model" focusing strongly on both the enterprise business goals and the information technology enablers that facilitate good enterprise governance, published by the Information Systems Audit and Control Foundation in 1999.

Control perimeter
Control practice
  Key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business.

Control risk
  The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. (See Inherent risk.)

Control risk self-assessment
  A method/process by which management and staff of all levels collectively identify and evaluate risk and controls with their business areas. This may be under the guidance of a facilitator such as an auditor or risk manager.

Control section
  The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic logic, internal storage and output sections of the computer.

Control weakness
  A deficiency in the design or operation of a control procedure. Control weaknesses can potentially result in risk relevant to the area of activity not being reduced to an acceptable level (relevant risk threatens achievement of the objectives relevant to the area of activity being examined). Control weaknesses can be material when the design or operation of one or more control procedures does not reduce to a relatively low level the risk that misstatements caused by illegal acts or irregularities may occur and not be detected by the related control procedures.

Cookie
  A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them.
  Scope Note: The first time a cookie is set, a user may be required to go through a registration process. Subsequent to this, whenever the cookie's message is sent to the server, a customized view based on that user's preferences can be produced. The browser's implementation of cookies has, however, brought several security concerns, allowing breaches of security and the theft of personal information (e.g., user passwords that validate the user identity and enable restricted web services).

Corporate exchange rate
  An exchange rate that can be used optionally to perform foreign currency conversion. The corporate exchange rate is generally a standard market rate determined by senior financial management for use throughout the enterprise.

Corporate governance
  The system by which enterprises are directed and controlled. The board of directors is responsible for the governance of their enterprise. It consists of the leadership and organizational structures and processes that ensure the enterprise sustains and extends strategies and objectives.

Corporate security officer (CSO)
  Responsible for coordinating the planning, development, implementation, maintenance and monitoring of the information security program.

Corrective control
  Designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected.

COSO
  Committee of Sponsoring Organizations of the Treadway Commission.
  Scope Note: COSO's "Internal Control Integrated Framework" is an internationally accepted standard for corporate governance. See www.coso.org.

Countermeasure
  Any process that directly reduces a threat or vulnerability.
Coupling
  Measure of interconnectivity among structure of software programs. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data pass across the interface.
  Scope Note: In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand and maintain and is less prone to a ripple or domino effect caused when errors occur at one location and propagate through the system.

Coverage
  The proportion of known attacks detected by an intrusion detection system (IDS).

Crack
  To "break into" or "get around" a software program.
  Scope Note: For example, there are certain newsgroups that post serial numbers for pirated versions of software. A cracker may download this information in an attempt to crack the program so he/she can use it. It is commonly used in the case of cracking (unencrypting) a password or other sensitive data.

Credentialed analysis
  In vulnerability analysis, passive monitoring approaches in which passwords or other access credentials are required.
  Scope Note: Usually involves accessing a system data object.

Criteria
  The standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter.
  Scope Note: Criteria should be: Objective (free from bias); Measurable (provide for consistent measurement); Complete (include all relevant factors to reach a conclusion); Relevant (relate to the subject matter).
  In an attestation engagement, benchmarks against which management's written assertion on the subject matter can be evaluated. The practitioner forms a conclusion concerning subject matter by referring to suitable criteria.

Critical functions
  Business activities or information that could not be interrupted or unavailable for several business days without significantly jeopardizing operation of the enterprise.

Critical infrastructure
  Systems whose incapacity or destruction would have a debilitating effect on the economic security of an enterprise, community or nation.

Critical success factor (CSF)
  The most important issue or action for management to achieve control over and within its IT processes.

Criticality
  The importance of a particular asset or function to the enterprise, and the impact if that asset or function is not available.

Criticality analysis
  An analysis to evaluate resources or business functions to identify their importance to the enterprise, and the impact if a function cannot be completed or a resource is not available.
Cross-certification
  A certificate issued by one certificate authority (CA) to a second CA so that users of the first certification authority are able to obtain the public key of the second CA and verify the certificates it has created.
  Scope Note: Often refers to certificates issued to each other by two CAs at the same level in a hierarchy.

Cross-site request forgery (CSRF)
  A type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts (also known as a one-click attack or session riding); acronym pronounced "sea-surf".

Cross-site scripting (XSS)
  A type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.
  Scope Note: Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. (OWASP)

Cryptography
  The art of designing, analyzing and attacking cryptographic schemes.

Cryptosystem
  A pair of algorithms that take a key and convert plaintext to ciphertext and back.

Culture
  A pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things.
  Scope Note: COBIT 5 perspective

Customer relationship management (CRM)
  A way to identify, acquire and retain customers. CRM is also an industry term for software solutions that help an enterprise manage customer relationships in an organized manner.

Cybercop
  An investigator of activities related to computer crime.

Cyberespionage
  Activities conducted in the name of security, business, politics or technology to find information that ought to remain secret. It is not inherently military.

Cybersecurity
  The protection of information assets by addressing threats to information processed, stored, and transported by internetworked information systems.

Cybersecurity architecture
  Describes the structure, components and topology (connections and layout) of security controls within an enterprise's IT infrastructure.
  Scope Note: The security architecture shows how defense in depth is implemented and how layers of control are linked and is essential to designing and implementing security controls in any complex environment.

Cyberwarfare
  Activities supported by military organizations with the purpose of threatening the survival and well-being of society/foreign entity.

Damage evaluation
  The determination of the extent of damage that is necessary to provide for an estimation of the recovery time frame and the potential loss to the enterprise.

Dashboard
  A tool for setting expectations for an enterprise at each level of responsibility and continuous monitoring of the performance against set targets.
Data analysis
  Typically in large enterprises in which the amount of data processed by the enterprise resource planning (ERP) system is extremely voluminous, analysis of patterns and trends proves to be extremely useful in ascertaining the efficiency and effectiveness of operations.
  Scope Note: Most ERP systems provide opportunities for extraction and analysis of data (some with built-in tools) through the use of tools developed by third parties that interface with the ERP systems.

Data classification
  The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise.

Data classification scheme
  An enterprise scheme for classifying data by factors such as criticality, sensitivity and ownership.

Data communications
  The transfer of data between separate computer processing sites/devices using telephone lines, microwave and/or satellite links.

Data custodian
  The individual(s) and department(s) responsible for the storage and safeguarding of computerized data.

Data dictionary
  A database that contains the name, type, range of values, source and authorization for access for each data element in a database. It also indicates which application programs use those data so that when a data structure is contemplated, a list of the affected programs can be generated.
  Scope Note: May be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database.

Data diddling
  Changing data with malicious intent before or during input into the system.

Data Encryption Standard (DES)
  An algorithm for encoding binary data.
  Scope Note: It is a secret key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES and its variants have been replaced by the Advanced Encryption Standard (AES).

Data flow
  The flow of data from the input (in Internet banking, ordinarily user input at his/her desktop) to output (in Internet banking, ordinarily data in a bank's central database). Data flow includes travel through the communication lines, routers, switches and firewalls as well as processing through various applications on servers, which process the data from user fingers to storage in a bank's central database.

Data integrity
  The property that data meet with a priority expectation of quality and that the data can be relied on.

Data leakage
  Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes.

Data normalization
  A structured process for organizing data into tables in such a way that it preserves the relationships among the data.

Data owner
  The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data.
Data retention
  Refers to the policies that govern data and records management for meeting internal, legal and regulatory data archival requirements.

Data security
  Those controls that seek to maintain confidentiality, integrity and availability of information.

Data structure
  The relationships among files in a database and among data items within each file.

Data warehouse
  A generic term for a system that stores, retrieves and manages large volumes of data.
  Scope Note: Data warehouse software often includes sophisticated comparison and hashing techniques for fast searches as well as for advanced filtering.

Database
  A stored collection of related data needed by enterprises and individuals to meet their information processing and retrieval requirements.

Database administrator (DBA)
  An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database.

Database management system (DBMS)
  A software system that controls the organization, storage and retrieval of data in a database.

Database replication
  The process of creating and managing duplicate versions of a database.
  Scope Note: Replication not only copies a database but also synchronizes a set of replicas so that changes made to one replica are reflected in all of the others. The beauty of replication is that it enables many users to work with their own local copy of a database, but have the database updated as if they were working on a single centralized database. For database applications in which users are distributed widely geographically, replication is often the most efficient method of database access.

Database specifications
  These are the requirements for establishing a database application. They include field definitions, field requirements and reporting requirements for the individual information in the database.

Datagram
  A packet (encapsulated with a frame containing information) that is transmitted in a packet-switching network from source to destination.

Data-oriented systems development
  Focuses on providing ad hoc reporting for users by developing a suitable accessible database of information and to provide useable data rather than a function.

Decentralization
  The process of distributing computer processing to different locations within an enterprise.

Decision support systems (DSS)
  An interactive system that provides the user with easy access to decision models and data, to support semistructured decision-making tasks.

Decryption
  A technique used to recover the original plaintext from the ciphertext so that it is intelligible to the reader. The decryption is a reverse process of the encryption.

Decryption key
  A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption.
Default
  A computer software setting or preference that states what will automatically happen in the event that the user has not stated another preference. For example, a computer may have a default setting to launch or start Netscape whenever a GIF file is opened; however, if using Adobe Photoshop is the preference for viewing a GIF file, the default setting can be changed to Photoshop. In the case of default accounts, these are accounts that are provided by the operating system vendor (e.g., root in UNIX).

Default deny policy
  A policy whereby access is denied unless it is specifically allowed; the inverse of default allow.

Default password
  The password used to gain access when a system is first installed on a computer or network device.
  Scope Note: There is a large list published on the Internet and maintained at several locations. Failure to change these after the installation leaves the system vulnerable.

Defense in depth

Degauss
  The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media.
  Scope Note: The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a very low residue of magnetic induction on the media. Degauss loosely means to erase.

Demilitarized zone (DMZ)
  A screened (firewalled) network segment that acts as a buffer zone between a trusted and untrusted network.
  Scope Note: A DMZ is typically used to house systems such as web servers that must be accessible from both internal networks and the Internet.

Demodulation
  The process of converting an analog telecommunications signal into a digital computer signal.

Demographic
  A fact determined by measuring and analyzing data about a population; it relies heavily on survey research and census data.

Denial-of-service attack (DoS)
  An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate.

Depreciation
  The process of cost allocation that assigns the original cost of equipment to the periods benefited.
  Scope Note: The most common method of calculating depreciation is the straight-line method, which assumes that assets should be written off in equal amounts over their lives.

Detailed IS controls
  Controls over the acquisition, implementation, delivery and support of IS systems and services made up of application controls plus those general controls not included in pervasive controls.
Detection risk
  The risk that the IS auditor's or assurance professional's substantive procedures will not detect an error that could be material, individually or in combination with other errors.
  Scope Note: See audit risk.

Detective application controls
  Designed to detect errors that may have occurred based on predefined logic or business rules. Usually executed after an action has taken place and often cover a group of transactions.

Detective control
  Exists to detect and report when errors, omissions and unauthorized uses or entries occur.

Device
  A generic term for a computer subsystem, such as a printer, serial port or disk drive. A device frequently requires its own controlling software, called a device driver.

Dial-back
  Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the caller is calling from a valid phone number or telecommunications channel.

Dial-in access control
  Prevents unauthorized access from remote users who attempt to access a secured environment. Ranges from a dial-back control to remote user authentication.

Digital certificate
  A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender's private key or applying a one-way hash function.

Digital certification
  A process to authenticate (or certify) a party's digital signature; carried out by trusted third parties.

Digital code signing
  The process of digitally signing computer code to ensure its integrity.

Digital forensics
  The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings.

Digital signature
  A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender's private key or applying a one-way hash function.

Direct reporting engagement
  An engagement in which management does not make a written assertion about the effectiveness of their control procedures and an IS auditor provides an opinion about subject matter directly, such as the effectiveness of the control procedures.

Disaster
  1. A sudden, unplanned calamitous event causing great damage or loss. Any event that creates an inability on an enterprise's part to provide critical business functions for some predetermined period of time. Similar terms are business interruption, outage and catastrophe.
  2. The period when enterprise management decides to divert from normal production responses and exercises its disaster recovery plan (DRP). It typically signifies the beginning of a move from a primary location to an alternate location.

Disaster declaration
  The communication to appropriate internal and external parties that the disaster recovery plan (DRP) is being put into operation.
Disaster notification fee
  The fee that the recovery site vendor charges when the customer notifies them that a disaster has occurred and the recovery site is required.
  Scope Note: The fee is implemented to discourage false disaster notifications.

Disaster recovery
  Activities and programs designed to return the enterprise to an acceptable condition. The ability to respond to an interruption in services by implementing a disaster recovery plan (DRP) to restore an enterprise's critical business functions.

Disaster recovery plan (DRP) desk checking
  Typically a read-through of a disaster recovery plan (DRP) without any real actions taking place.
  Scope Note: Generally involves a reading of the plan, discussion of the action items and definition of any gaps that might be identified.

Disaster recovery plan (DRP)
  A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster.

Disaster recovery plan (DRP) walk-through
  Generally a robust test of the recovery plan requiring that some recovery activities take place and are tested. A disaster scenario is often given and the recovery teams talk through the steps that they would need to take to recover. As many aspects of the plan as possible should be tested.

Disaster tolerance
  The time gap during which the business can accept the nonavailability of IT facilities.

Disclosure controls and procedures
  The processes in place designed to help ensure that all material information is disclosed by an enterprise in the reports that it files or submits to the U.S. Security and Exchange Commission (SEC).
  Scope Note: Disclosure Controls and Procedures also require that disclosures be authorized, complete and accurate, and recorded, processed, summarized and reported within the time periods specified in the SEC rules and forms. Deficiencies in controls, and any significant changes to controls, must be communicated to the enterprise's audit committee and auditors in a timely manner. An enterprise's principal executive officer and financial officer must certify the existence of these controls on a quarterly basis.

Discount rate
  An interest rate used to calculate a present value which might or might not include the time value of money, tax effects, risk or other factors.

Discovery sampling
  A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population.

Discretionary access control (DAC)
  A means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
  Scope Note: The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.

Disk mirroring
  The practice of duplicating data in separate volumes on two hard disks to make storage more fault tolerant. Mirroring provides data protection in the case of disk failure because data are constantly updated to both disks.

Diskless workstations
  A workstation or PC on a network that does not have its own disk, but instead stores files on a network file server.
Distributed data processing network
  A system of computers connected together by a communication network.
  Scope Note: Each computer processes its data and the network supports the system as a whole. Such a network enhances communication among the linked computers and allows access to shared files.

Distributed denial-of-service attack (DDoS)
  A denial-of-service (DoS) assault from multiple sources.

Diverse routing
  The method of routing traffic through split cable facilities or duplicate cable facilities.
  Scope Note: This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual entrance facilities. However, acquiring this type of access is time-consuming and costly. Most carriers provide facilities for alternate and diverse routing, although the majority of services are transmitted over terrestrial media. These cable facilities are usually located in the ground or basement. Ground-based facilities are at great risk due to the aging infrastructures of cities. In addition, cable-based facilities usually share room with mechanical and electrical systems that can impose great risk due to human error and disastrous events.

Domain
  In COBIT, the grouping of control objectives into four logical stages in the life cycle of investments involving IT (Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate).

Domain name system (DNS)
  A hierarchical database that is distributed across the Internet that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and email servers.

Domain name system (DNS) exfiltration
  Tunneling over DNS to gain network access. Lower-level attack vector for simple to complex data transmission, slow but difficult to detect.

Domain name system (DNS) poisoning
  Corrupts the table of an Internet server's DNS, replacing an Internet address with the address of another vagrant or scoundrel address.
  Scope Note: If a web user looks for the page with that address, the request is redirected by the scoundrel entry in the table to a different address. Cache poisoning differs from another form of DNS poisoning in which the attacker spoofs valid email accounts and floods the "in" boxes of administrative and technical contacts. Cache poisoning is related to URL poisoning or location poisoning, in which an Internet user behavior is tracked by adding an identification number to the location line of the browser that can be recorded as the user visits successive pages on the site. It is also called DNS cache poisoning or cache poisoning.

[term missing]
  Integrates the management of tactics (financial budgets and monthly reviews) and the management of strategy.
  Scope Note: A reporting system, based on the balanced scorecard (BSC), that allows process to be monitored against strategy and corrective actions to be taken as required.

Downloading
  The act of transferring computerized information from one computer to another computer.
Term
Downtimereport
Driver(valueandrisk)
Drypipefire
extinguishersystem
Dualcontrol
Duecare
Duediligence
Dueprofessionalcare
Dumbterminal
Definition
Areportthatidentifiestheelapsedtimewhenacomputerisnotoperatingcorrectlybecauseof
machine failure
machinefailure
Adriverincludesaneventorotheractivitythatresultsintheidentificationofanassurance/audit
need
Referstoasprinklersystemthatdoesnothavewaterinthepipesduringidleusage,unlikeafully
chargedfireextinguishersystemthathaswaterinthepipesatalltimes
ScopeNote:Thedrypipesystemisactivatedatthetimeofthefirealarmandwaterisemittedto
thepipesfromawaterreservoirfordischargetothelocationofthefire.
Aprocedurethatusestwoormoreentities(usuallypersons)operatinginconcerttoprotecta
systemresourcesothatnosingleentityactingalonecanaccessthatresource
Thelevelofcareexpectedfromareasonablepersonofsimilarcompetencyundersimilarconditions
Theperformanceofthoseactionsthataregenerallyregardedasprudent,responsibleandnecessary
to conduct a thorough and objective investigation review and/or analysis
toconductathoroughandobjectiveinvestigation,reviewand/oranalysis
Diligencethataperson,whopossessesaspecialskill,wouldexerciseunderagivensetof
circumstances
Adisplayterminalwithoutprocessingcapability
ScopeNote:Dumbterminalsaredependentonthemaincomputerforprocessing.Allentereddata
areacceptedwithoutfurthereditingorvalidation.
Duplexrouting
Themethodorcommunicationmodeofroutingdataoverthecommunicationnetwork
Dynamicanalysis
Analysisthatisperformedinarealtimeorcontinuousform
DynamicHost
Aprotocolusedbynetworkedcomputers(clients)toobtainIPaddressesandotherparameterssuch
ConfigurationProtocol asthedefaultgateway,subnetmaskandIPaddressesofdomainnamesystem(DNS)serversfroma
DHCPserver
(DHCP)
Dynamicpartitioning
Dynamicports
Eavesdropping
Echochecks
Ecommerce
ScopeNote:TheDHCPserverensuresthatallIPaddressesareunique(e.g.,noIPaddressis
Scope
Note: The DHCP server ensures that all IP addresses are unique (e g no IP address is
assignedtoasecondclientwhilethefirstclient'sassignmentisvalid[itsleasehasnotexpired]).
Thus,IPaddresspoolmanagementisdonebytheserverandnotbyahumannetwork
administrator.
Thevariableallocationofcentralprocessingunit(CPU)processingandmemorytomultiple
applicationsanddataonaserver
Dynamicand/orprivateports49152through65535:NotlistedbyIANAbecauseoftheirdynamic
nature.
Listeningaprivatecommunicationwithoutpermission
Detectslineerrorsbyretransmittingdatabacktothesendingdeviceforcomparisonwiththe
originaltransmission
Theprocessesbywhichenterprisesconductbusinesselectronicallywiththeircustomers,suppliers
andotherexternalbusinesspartners,usingtheInternetasanenablingtechnology
ScopeNote:Ecommerceencompassesbothbusinesstobusiness(B2B)andbusinesstoconsumer
(B2C)ecommercemodels,butdoesnotincludeexistingnonInternetecommercemethodsbased
onprivatenetworkssuchaselectronicdatainterchange(EDI)andSocietyforWorldwideInterbank
FinancialTelecommunication(SWIFT).
Economic value add (EVA)
  Technique developed by G. Bennett Stewart III and registered by the consulting firm of Stern Stewart, in which the performance of the corporate capital base (including depreciated investments such as training, research and development) as well as more traditional capital investments such as physical property and equipment are measured against what shareholders could earn elsewhere

Edit control
  Detects errors in the input portion of information that is sent to the computer for processing
  May be manual or automated and allow the user to edit data errors before processing

Editing
  Ensures that data conform to predetermined criteria and enable early identification of potential errors

Egress
  Network communications going out

Electronic data interchange (EDI)
  The electronic transmission of transactions (information) between two enterprises
  EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders.

Electronic document
  An administrative document (a document with legal validity, such as a contract) in any graphical, photographic, electromagnetic (tape) or other electronic representation of the content
  Scope Note: Almost all countries have developed legislation concerning the definition, use and legal validity of an electronic document. An electronic document, in whatever media that contains the data or information used as evidence of a contract or transaction between parties, is considered together with the software program capable of reading it. The definition of a legally valid document as any representation of legally relevant data, not only those printed on paper, was introduced into the legislation related to computer crime. In addition, many countries, in defining and disciplining the use of such instruments, have issued regulations defining specifics, such as the electronic signature and data interchange formats.

Electronic funds transfer (EFT)
  The exchange of money via telecommunications
  EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another

Electronic signature
  Any technique designed to provide the electronic equivalent of a handwritten signature to demonstrate the origin and integrity of specific data
  Digital signatures are an example of electronic signatures.

Electronic vaulting
  A data recovery strategy that allows enterprises to recover data within hours after a disaster
  Scope Note: Typically used for batch/journal updates to critical files to supplement full backups taken periodically; includes recovery of data from an offsite storage media that mirrors data via a communication link
Elliptic curve cryptography (ECC)
  A public-key cryptosystem based on the algebraic structure of elliptic curves over finite fields. It provides security comparable to traditional methods such as RSA (whose security rests on the difficulty of factoring large integers) with much smaller keys; a 256-bit ECC key is generally considered comparable in strength to a 3072-bit RSA key.
  Scope Note: Smaller keys are more suitable to mobile devices.

Embedded audit module (EAM)
  Integral part of an application system that is designed to identify and report specific transactions or other information based on predetermined criteria
  Identification of reportable items occurs as part of real-time processing. Reporting may be real-time online or may use store-and-forward methods. Also known as integrated test facility or continuous auditing module.

Encapsulation (objects)
  The technique used by layered protocols in which a lower-layer protocol accepts a message from a higher-layer protocol and places it in the data portion of a frame in the lower layer

Encapsulating security payload (ESP)
  Protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and (limited) traffic flow confidentiality. (RFC 4303)
  Scope Note: The ESP header is inserted after the IP header and before the next-layer protocol header (transport mode) or before an encapsulated IP header (tunnel mode). The header carries a 32-bit security parameters index (SPI) that identifies the security association and a 32-bit sequence number used for the anti-replay service; the integrity check value (ICV) follows the encrypted payload and trailer.
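Added example, not from RFC 4303 or any IPsec implementation: a Python model of the ESP header and of the inbound anti-replay service the entry mentions. The 8-byte header (SPI, sequence number) is parsed, a 64-packet sliding window decides whether a sequence number is new, the integrity check value (ICV) is verified, and only then is the window advanced. The key, SPI, payload and the truncated HMAC-SHA-256 ICV are constructed for the example; real ESP also encrypts the payload, which is omitted here.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16  # truncated HMAC-SHA-256-128 style integrity check value (assumed for the example)


def build_esp(spi, seq, payload, key):
    """ESP on the wire: SPI, sequence number, payload (assumed already encrypted), ICV."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def parse_esp_header(pkt):
    """Return (spi, seq) from the fixed 8-byte ESP header."""
    if len(pkt) < 8 + ICV_LEN:
        raise ValueError("packet too short for ESP header and ICV")
    return struct.unpack("!II", pkt[:8])


def icv_ok(pkt, key):
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN], icv)


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 Appendix A (32-bit sequence numbers)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already accepted

    def check(self, seq):
        """Cheap pre-check done before the expensive integrity verification."""
        if seq == 0:
            return False                     # first valid value on a new SA is 1
        if seq > self.top:
            return True                      # to the right of the window: new
        diff = self.top - seq
        if diff >= self.size:
            return False                     # left of the window: too old
        return not (self.bitmap & (1 << diff))   # inside window: reject if already seen

    def update(self, seq):
        """Advance the window; call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window, pkt, key):
    """Inbound processing order from RFC 4303: replay pre-check, ICV, then window update."""
    _spi, seq = parse_esp_header(pkt)
    if not window.check(seq):
        return "drop: replayed or too old"
    if not icv_ok(pkt, key):
        return "drop: integrity check failed"
    window.update(seq)
    return "accept"


def run_scenario(seqs, tamper_at=None, key=b"constructed-example-key"):
    """Feed packets with the given sequence numbers; optionally corrupt one. Returns verdicts."""
    window = ReplayWindow(size=64)
    verdicts = []
    for i, seq in enumerate(seqs):
        pkt = build_esp(0xABCD0001, seq, b"ciphertext", key)
        if i == tamper_at:
            pkt = pkt[:8] + b"X" + pkt[9:]           # flip a payload byte; ICV must now fail
        verdicts.append(receive(window, pkt, key))
    return verdicts


if __name__ == "__main__":
    print(run_scenario([1, 2, 3, 2, 100, 3, 50, 50, 101, 101], tamper_at=8))
```

The order matters: the replay pre-check is cheap and runs first, but the window moves only after the ICV verifies, so a forged packet carrying a high sequence number cannot push genuine traffic out of the window.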
Encryption
  The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)

Encryption algorithm
  A mathematically based function or calculation that encrypts/decrypts data

Encryption key
  A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext

End-user computing
  The ability of end users to design and implement their own information system utilizing computer software products

Engagement letter
  Formal document which defines an IS auditor's responsibility, authority and accountability for a specific assignment

Enterprise
  A group of individuals working together for a common purpose, typically within the context of an organizational form such as a corporation, public agency, charity or trust

Enterprise architecture (EA)
  Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support the enterprise's objectives

Enterprise architecture (EA) for IT
  Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise's objectives

Enterprise goal
  Scope Note: See Business goal

Enterprise governance
  A set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly
Enterprise risk management (ERM)
  The discipline by which an enterprise in any industry assesses, controls, exploits, finances and monitors risk from all sources for the purpose of increasing the enterprise's short- and long-term value to its stakeholders

Eradication
  When containment measures have been deployed after an incident occurs, the root cause of the incident must be identified and removed from the network.
  Scope Note: Eradication methods include: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause.

ERP (enterprise resource planning) system
  A packaged business software system that allows an enterprise to automate and integrate the majority of its business processes, share common data and practices across the entire enterprise, and produce and access information in a real-time environment
  Scope Note: Examples of ERP include SAP, Oracle Financials and J.D. Edwards.

Error
  A deviation from accuracy or correctness
  Scope Note: As it relates to audit work, errors may relate to control deviations (compliance testing) or misstatements (substantive testing).

Escrow agent
  A person, agency or enterprise that is authorized to act on behalf of another to create a legal relationship with a third party in regard to an escrow agreement; the custodian of an asset according to an escrow agreement
  Scope Note: As it relates to a cryptographic key, an escrow agent is the agency or enterprise charged with the responsibility for safeguarding the key components of the unique key.

Escrow agreement
  A legal arrangement whereby an asset (often money, but sometimes other property such as art, a deed of title, website, software source code or a cryptographic key) is delivered to a third party (called an escrow agent) to be held in trust or otherwise pending a contingency or the fulfillment of a condition or conditions in a contract
  Scope Note: Upon the occurrence of the escrow agreement, the escrow agent will deliver the asset to the proper recipient; otherwise the escrow agent is bound by his/her fiduciary duty to maintain the escrow account. Source code escrow means deposit of the source code for the software into an account held by an escrow agent. Escrow is typically requested by a party licensing software (e.g., licensee or buyer), to ensure maintenance of the software. The software source code is released by the escrow agent to the licensee if the licensor (e.g., seller or contractor) files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.

Ethernet
  A popular network protocol and cabling scheme that, in its original shared-medium form, uses a bus topology and carrier sense multiple access/collision detection (CSMA/CD) to detect and recover from collisions when two devices try to transmit at the same time. Modern switched, full-duplex Ethernet gives each device a dedicated link and no longer relies on CSMA/CD.

Event
  Something that happens at a specific place and/or time
Event type
  For the purpose of IT risk management, one of three possible sorts of events: threat event, loss event and vulnerability event
  Scope Note: Being able to consistently and effectively differentiate the different types of events that contribute to risk is a critical element in developing good risk-related metrics and well-informed decisions. Unless these categorical differences are recognized and applied, any resulting metrics lose meaning and, as a result, decisions based on those metrics are far more likely to be flawed.

Evidence
  1. Information that proves or disproves a stated issue
  2. Information that an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support
  Scope Note: Audit perspective

Exception reports
  An exception report is generated by a program that identifies transactions or data that appear to be incorrect.
  Scope Note: Exception reports may be outside a predetermined range or may not conform to specified criteria.

Exclusive OR (XOR)
  The exclusive OR operator returns a value of TRUE only if just one of its operands is TRUE.
  Scope Note: The XOR operation is a Boolean operation that produces a 0 if its two Boolean inputs are the same (0 and 0 or 1 and 1) and that produces a 1 if its two inputs are different (1 and 0). In contrast, an inclusive OR operator returns a value of TRUE if either or both of its operands are TRUE. Because applying the same operand twice restores the original value (a XOR b XOR b = a), XOR is the basic operation of stream ciphers, one-time pads and key splitting.
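Added example, not part of the glossary, serving the Dual control entry earlier and the XOR entry here: the self-inverse property of XOR lets a key be split into components that are each uniformly random. A single custodian's component (or the key component an escrow agent safeguards, see the Escrow agent entry) reveals nothing about the key, and only all components combined reconstruct it. The custodian names and the injectable random source are assumptions for the example.

```python
import secrets


def xor_bytes(a, b):
    """Bytewise exclusive OR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_truth_table():
    """The four cases from the definition: output is 1 only when the inputs differ."""
    return {(a, b): a ^ b for a in (0, 1) for b in (0, 1)}


def split_key(key, holders=2, randbytes=secrets.token_bytes):
    """Split `key` into `holders` components for dual control.

    All but the last component are uniformly random; the last is the XOR of the key
    with all of them. Any subset smaller than the full set is statistically independent
    of the key, so no custodian (or coalition short of all of them) learns anything.
    `randbytes` is injectable so the behaviour can be checked deterministically.
    """
    if holders < 2:
        raise ValueError("dual control needs at least two holders")
    parts = [randbytes(len(key)) for _ in range(holders - 1)]
    last = key
    for part in parts:
        last = xor_bytes(last, part)
    return parts + [last]


def combine_key(parts):
    """Reassemble the key; XOR is associative and its own inverse, so order does not matter."""
    acc = bytes(len(parts[0]))
    for part in parts:
        acc = xor_bytes(acc, part)
    return acc


def ceremony(key, holders=3):
    """Simulate a key ceremony: hand each component to a different custodian (constructed names)."""
    parts = split_key(key, holders)
    custodians = {f"custodian-{i + 1}": p for i, p in enumerate(parts)}
    # A single custodian's component reveals nothing; all of them together reconstruct the key
    return custodians, combine_key(list(custodians.values())) == key


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # e.g. an AES-256 key
    custodians, ok = ceremony(key)
    print({name: p.hex()[:16] + "..." for name, p in custodians.items()}, ok)
```

XOR splitting is all-or-nothing: every component is needed, and losing one loses the key. Where a threshold (say any 2 of 3 custodians) is wanted, Shamir secret sharing is used instead; the dual-control guarantee is the same.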
Executable code
  The machine language code that is generally referred to as the object or load module

Expert system
  The most prevalent type of computer system that arises from the research of artificial intelligence
  Scope Note: An expert system has a built-in hierarchy of rules, which are acquired from human experts in the appropriate field. Once input is provided, the system should be able to define the nature of the problem and provide recommendations to solve the problem.

Exploit
  Full use of a vulnerability for the benefit of an attacker

Exposure
  The potential loss to an area due to the occurrence of an adverse event

Extended Binary Coded Decimal Interchange Code (EBCDIC)
  An 8-bit code representing 256 characters; used in most large computer systems

Extended enterprise
  Describes an enterprise that extends outside its traditional boundaries. Such enterprises concentrate on the processes they do best and rely on someone outside the entity to perform the remaining processes.

eXtensible Access Control Markup Language (XACML)
  A declarative online software application user access control policy language implemented in Extensible Markup Language (XML)
eXtensible Markup Language (XML)
  Promulgated through the World Wide Web Consortium, XML is a web-based application development technique that allows designers to create their own customized tags, thus enabling the definition, transmission, validation and interpretation of data between applications and enterprises.

External router
  The router at the extreme edge of the network under control, usually connected to an Internet service provider (ISP) or other service provider; also known as border router.

External storage
  The location that contains the backup copies to be used in case recovery or restoration is required in the event of a disaster

Extranet
  A private network that resides on the Internet and allows a company to securely share business information with customers, suppliers or other businesses as well as to execute electronic transactions
  Scope Note: Different from an intranet in that it is located beyond the company's firewall. Therefore, an extranet relies on the use of securely issued digital certificates (or alternative methods of user authentication) and encryption of messages. A virtual private network (VPN) and tunneling are often used to implement extranets, to ensure security and privacy.

Failover
  The transfer of service from an incapacitated primary component to its backup component

Fail-safe
  Describes the design properties of a computer system that allow it to resist active attempts to attack or bypass it
  (In engineering usage, fail-safe more narrowly means that a failure leaves the system in a safe state; a door lock that opens on loss of power is fail-safe, one that stays locked is fail-secure.)

Fallback procedures
  A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended
  Scope Note: May involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation.

Fall-through logic
  An optimized code based on a branch prediction that predicts which way a program will branch when an application is presented

False authorization
  Also called false acceptance, occurs when an unauthorized person is identified as an authorized person by the biometric system

False enrollment
  Occurs when an unauthorized person manages to enroll into the biometric system
  Scope Note: Enrollment is the initial process of acquiring a biometric feature and saving it as a personal reference on a smart card, a PC or in a central database.

False negative
  In intrusion detection, an error that occurs when an attack is misdiagnosed as a normal activity

False positive
  A result that has been mistakenly identified as a problem when, in reality, the situation is normal

Fault tolerance
  A system's level of resilience to seamlessly react to hardware and/or software failure

Feasibility study
  A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need
Fiber-optic cable
  Glass fibers that transmit binary signals over a telecommunications network
  Scope Note: Fiber-optic systems have low transmission losses as compared to twisted-pair cables. They do not radiate energy or conduct electricity. They are free from electromagnetic corruption and lightning-induced interference, and they reduce the risk of wiretaps.

Field
  An individual data element in a computer record
  Scope Note: Examples include employee name, customer address, account number, product unit price and product quantity in stock.

File
  A named collection of related records

File allocation table (FAT)
  A table used by the operating system to keep track of where every file is located on the disk
  Scope Note: Since a file is often fragmented and thus subdivided into many sectors within the disk, the information stored in the FAT is used when loading or updating the contents of the file.

File layout
  Specifies the length of the file record and the sequence and size of its fields
  Scope Note: Also will specify the type of data contained within each field; for example, alphanumeric, zoned decimal, packed and binary.

File server
  A high-capacity disk storage device or a computer that stores data centrally for network users and manages access to those data
  Scope Note: File servers can be dedicated so that no process other than network management can be executed while the network is available; file servers can be non-dedicated so that standard user applications can run while the network is available.

File Transfer Protocol (FTP)
  A protocol used to transfer files over a Transmission Control Protocol/Internet Protocol (TCP/IP) network (Internet, UNIX, etc.)
  Plain FTP sends credentials and file contents in cleartext; SFTP (over SSH) or FTPS (over TLS) should be used instead.

Filtering router
  A router that is configured to control network access by comparing the attributes of the incoming or outgoing packets to a set of rules

FIN (Final)
  A flag in the TCP header indicating that the sender has no more data to send; each side of a connection sends its own FIN to close its direction of the transmission

Financial audit
  An audit designed to determine the accuracy of financial records and information

Finger
  A protocol and program that allows the remote identification of users logged into a system; usually disabled today because it discloses account names to anyone who can reach it

Firewall
  A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet
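Added example (not the glossary's text) for the Filtering router, FIN and Firewall entries: a first-match packet filter of the kind a filtering router or stateless firewall applies, written in Python. It evaluates constructed inbound rules for a DMZ, including a classic "established" rule that relies on the ACK/RST flags, and shows how a FIN-only probe is treated. The rules, addresses and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"}, {"ACK"}, {"FIN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: str                        # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str = "any"
    dport: Optional[int] = None
    established: bool = False       # stateless "established": ACK or RST set, as in classic router ACLs


def matches(rule, pkt):
    """Every attribute named in the rule must match the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def filter_packet(rules, pkt):
    """First-match evaluation with an implicit deny; returns (action, index of matching rule or None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


# Constructed inbound ACL for a DMZ 192.0.2.0/24: web in, replies to our own outbound connections, ping
INBOUND_RULES = [
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", "tcp", dport=443),
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", "tcp", established=True),
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", "icmp"),
]

SAMPLES = {  # constructed packets
    "https connect": Packet("198.51.100.7", "192.0.2.10", "tcp", 443, frozenset({"SYN"})),
    "ssh connect": Packet("198.51.100.7", "192.0.2.10", "tcp", 22, frozenset({"SYN"})),
    "reply to our connection": Packet("198.51.100.7", "192.0.2.10", "tcp", 51000, frozenset({"ACK"})),
    "orderly close": Packet("198.51.100.7", "192.0.2.10", "tcp", 51000, frozenset({"FIN", "ACK"})),
    "bare FIN probe": Packet("198.51.100.7", "192.0.2.10", "tcp", 22, frozenset({"FIN"})),
    "udp dns": Packet("198.51.100.7", "192.0.2.10", "udp", 53),
}


def evaluate_all(rules=INBOUND_RULES, samples=SAMPLES):
    return {name: filter_packet(rules, pkt)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:25s} {verdict}")
```

Rule order and the implicit deny at the end decide the outcome. The stateless "established" match trusts the flag bits in the packet, so a crafted segment with ACK set passes to any port; a stateful firewall instead checks for a connection it has actually seen open.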
Firmware
  Memory chips with embedded program code that hold their content when power is turned off

Fiscal year
  Any yearly accounting period without regard to its relationship to a calendar year
Foreign key
  A value that represents a reference to a tuple (a row in a table) containing the matching candidate key value
  Scope Note: The problem of ensuring that the database does not include any invalid foreign key values is known as the referential integrity problem. The constraint that values of a given foreign key must match values of the corresponding candidate key is known as a referential constraint. The relation (table) that contains the foreign key is referred to as the referencing relation and the relation that contains the corresponding candidate key as the referenced relation or target relation. (In relational theory it would be a candidate key; in real database management system (DBMS) implementations it is usually the primary key, although most DBMSs also accept any unique key.)
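Added example (not from the glossary): referential integrity enforced by a DBMS, using Python's built-in sqlite3 module with a constructed customer/invoice schema. The same operations are run with the foreign-key constraint enforced and with it ignored, and an audit query lists orphaned rows. SQLite checks foreign keys only when PRAGMA foreign_keys is ON for the connection, which is the point of the comparison.

```python
import sqlite3

# Constructed schema: an invoice must reference an existing customer
SCHEMA = """
CREATE TABLE customer (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE invoice (
    id           INTEGER PRIMARY KEY,
    customer_id  INTEGER NOT NULL REFERENCES customer(id) ON DELETE RESTRICT,
    amount_cents INTEGER NOT NULL
);
"""


def open_db(enforce_fk=True):
    """In-memory SQLite database. SQLite only checks foreign keys when the pragma is on,
    and the pragma is per-connection, so forgetting it silently disables referential integrity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customer (id, name) VALUES (1, 'Acme Ltd')")
    conn.commit()
    return conn


def insert_invoice(conn, customer_id, amount_cents):
    """Returns True if the row was stored, False if the referential constraint rejected it."""
    try:
        conn.execute("INSERT INTO invoice (customer_id, amount_cents) VALUES (?, ?)",
                     (customer_id, amount_cents))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def delete_customer(conn, customer_id):
    """ON DELETE RESTRICT: a referenced customer cannot be removed while invoices point at it."""
    try:
        conn.execute("DELETE FROM customer WHERE id = ?", (customer_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def orphaned_invoices(conn):
    """Audit query for the referential integrity problem: invoices whose customer does not exist."""
    rows = conn.execute(
        "SELECT i.id FROM invoice i LEFT JOIN customer c ON c.id = i.customer_id "
        "WHERE c.id IS NULL ORDER BY i.id"
    ).fetchall()
    return [r[0] for r in rows]


def demo(enforce_fk):
    """Run the same sequence of operations with the constraint enforced or ignored."""
    conn = open_db(enforce_fk)
    results = {
        "valid insert": insert_invoice(conn, 1, 12500),
        "dangling insert": insert_invoice(conn, 999, 500),   # customer 999 does not exist
        "delete referenced": delete_customer(conn, 1),
        "orphans": orphaned_invoices(conn),
    }
    conn.close()
    return results


if __name__ == "__main__":
    print("enforced:  ", demo(True))
    print("unenforced:", demo(False))
```

With the constraint enforced the dangling insert and the delete are both rejected and no orphans exist; with it ignored both succeed and the audit query finds two orphaned invoices. The audit query is what an IS auditor runs against a database whose constraints were never declared.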
Forensic examination
  The process of collecting, assessing, classifying and documenting digital evidence to assist in the identification of an offender and the method of compromise

Format checking
  The application of an edit, using a predefined field definition, to a submitted information stream; a test to ensure that data conform to a predefined format
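Added example (not from the glossary) covering the Edit control and Editing entries earlier and Format checking here: a field-definition-driven edit in Python that applies length, pattern and calendar checks to a submitted batch and reports every failing field. The file layout, rules and input records are constructed.

```python
import re
from datetime import date

# Constructed file layout: field -> (max length, required pattern, extra semantic check)
FIELD_DEFS = {
    "account_no": (10, r"[A-Z]{2}[0-9]{8}", None),
    "amount":     (12, r"[0-9]{1,9}\.[0-9]{2}", "positive"),
    "post_date":  (10, r"[0-9]{4}-[0-9]{2}-[0-9]{2}", "calendar"),
    "memo":       (30, r"[A-Za-z0-9 ,.-]*", None),
}


def _semantic(name, value, check):
    """Checks that a regex alone cannot express (a real calendar date, a positive amount)."""
    if check == "calendar":
        try:
            date(*map(int, value.split("-")))
        except ValueError:
            return f"{name}: not a valid calendar date"
    if check == "positive" and float(value) <= 0:
        return f"{name}: must be greater than zero"
    return None


def check_field(name, value):
    """Format check of one field against its definition; returns an error string or None."""
    max_len, pattern, check = FIELD_DEFS[name]
    if value is None:
        return f"{name}: missing"
    if len(value) > max_len:
        return f"{name}: longer than {max_len} characters"
    if not re.fullmatch(pattern, value):
        return f"{name}: does not match required format"
    return _semantic(name, value, check)


def edit_record(record):
    """Edit control over a whole record: every field definition is applied, all errors reported."""
    errors = []
    for name in FIELD_DEFS:
        err = check_field(name, record.get(name))
        if err:
            errors.append(err)
    return errors


def edit_batch(records):
    """Split a submitted batch into accepted records and (record, errors) rejects."""
    accepted, rejected = [], []
    for rec in records:
        errs = edit_record(rec)
        if errs:
            rejected.append((rec, errs))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed input stream
BATCH = [
    {"account_no": "GB12345678", "amount": "250.00", "post_date": "2024-03-15", "memo": "Invoice 17"},
    {"account_no": "GB1234567",  "amount": "250.00", "post_date": "2024-03-15", "memo": "short acct"},
    {"account_no": "GB12345678", "amount": "0.00",   "post_date": "2024-02-30", "memo": "two faults"},
    {"account_no": "GB12345678", "amount": "1.00",   "post_date": "2024-03-15",
     "memo": "x'; DROP TABLE ledger;--"},   # characters outside the allowed set are rejected, not escaped
]


if __name__ == "__main__":
    ok, bad = edit_batch(BATCH)
    print(len(ok), "accepted")
    for rec, errs in bad:
        print(rec["memo"], "->", errs)
```

Format checks are an allow-list: the memo field rejects characters outside its definition rather than trying to escape them, which is also why the SQL fragment in the last record never reaches processing. Reporting all errors per record, not just the first, is what lets the submitter fix a rejected batch in one pass.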
Fourth-generation language (4GL)
  High-level, user-friendly, nonprocedural computer language used to program and/or read and process computer files

Frame relay
  A packet-switched wide area network (WAN) technology that provides faster performance than older packet-switched WAN technologies
  Scope Note: Best suited for data and image transfers. Because of its variable-length packet architecture, it is not the most efficient technology for real-time voice and video. In a frame relay network, end nodes establish a connection via a permanent virtual circuit (PVC).

Framework
  Scope Note: See Control framework and IT governance framework.

Freeware
  Software available free of charge

Frequency
  A measure of the rate by which events occur over a certain period of time

Full economic life cycle
  The period of time during which material business benefits are expected to arise from, and/or during which material expenditures (including investments, running and retirement costs) are expected to be incurred by, an investment program
  Scope Note: COBIT 5 perspective

Function point analysis
  A technique used to determine the size of a development task, based on the number of function points
  Scope Note: Function points are factors such as inputs, outputs, inquiries and logical internal files.

Gateway
  A device (router, firewall) on a network that serves as an entrance to another network
General computer control
  A control, other than an application control, that relates to the environment within which computer-based application systems are developed, maintained and operated, and that is therefore applicable to all applications
  The objectives of general controls are to ensure the proper development and implementation of applications and the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IS strategy and an IS security policy, the organization of IS staff to separate conflicting duties and planning for disaster prevention and recovery.

Generalized audit software (GAS)
  Multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting

Generic process control
  A control that applies to all processes of the enterprise

Geographic disk mirroring
  A data recovery strategy that takes a set of physically disparate disks and synchronously mirrors them over high-performance communication lines
  Any write to a disk on one side will result in a write on the other side. The local write will not return until the acknowledgment of the remote write is successful.

Geographical information system (GIS)
  A tool used to integrate, convert, handle, analyze and produce information regarding the surface of the earth
  Scope Note: GIS data exist as maps, tridimensional virtual models, lists and tables

Good practice
  A proven activity or process that has been successfully used by multiple enterprises and has been shown to produce reliable results

Governance
  Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives
  Scope Note: Conditions can include the cost of capital, foreign exchange rates, etc. Options can include shifting manufacturing to other locations, subcontracting portions of the enterprise to third parties, selecting a product mix from many available choices, etc.

Governance enabler
  Something (tangible or intangible) that assists in the realization of effective governance
  Scope Note: COBIT 5 perspective

Governance framework
  A framework is a basic conceptual structure used to solve or address complex issues. An enabler of governance. A set of concepts, assumptions and practices that define how something can be approached or understood, the relationships amongst the entities involved, the roles of those involved, and the boundaries (what is and is not included in the governance system).
  Scope Note: Examples: COBIT, COSO's Internal Control-Integrated Framework
Governance of enterprise IT
  A governance view that ensures that information and related technology support and enable the enterprise strategy and the achievement of enterprise objectives; this also includes the functional governance of IT, i.e., ensuring that IT capabilities are provided efficiently and effectively.
  Scope Note: COBIT 5 perspective

Governance, Risk Management and Compliance (GRC)
  A business term used to group the three closely related disciplines responsible for the protection of assets and operations

Governance/management practice
  For each COBIT process, the governance and management practices provide a complete set of high-level requirements for effective and practical governance and management of enterprise IT. They are statements of actions from governance bodies and management.
  Scope Note: COBIT 5 perspective

Guideline
  A description of a particular way of accomplishing something that is less prescriptive than a procedure

Hacker
  An individual who attempts to gain unauthorized access to a computer system

Hand-print scanner
  A biometric device that is used to authenticate a user through palm scans

Harden
  To configure a computer or other network device to resist attacks

Hardware
  The physical components of a computer system

Hash function
  An algorithm that maps or translates one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input
  Scope Note: It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm (preimage resistance) or to find two different messages that produce the same hash result using the same algorithm (collision resistance). These properties hold for cryptographic hash functions such as SHA-256, not for non-cryptographic checksums such as CRC32.

Hash total
  The total of any numeric data field in a document or computer file
  This total is checked against a control total of the same field to facilitate accuracy of processing.

Hashing
  Using a hash function (algorithm) to create hash values or checksums that validate message integrity
  A plain hash detects accidental corruption only; against an attacker who can replace both the data and its hash, a keyed hash (HMAC) or a digital signature is required.
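Added example (not from the glossary) serving the Hash function, Hash total and Hashing entries: Python code that computes a SHA-256 digest of a constructed batch file, shows the avalanche effect of a one-character change, verifies integrity with a keyed hash (HMAC) for the case where an attacker could replace both data and digest, and computes a batch hash total (control total) over a numeric field in integer cents. The file contents and the key are constructed.

```python
import csv
import hashlib
import hmac
import io

# Constructed batch file: a numeric field over which a hash total is computed
BATCH_CSV = """id,account,amount
1001,GB12345678,250.00
1002,GB87654321,75.50
1003,GB11112222,1200.00
"""


def digest(data: bytes) -> str:
    """Cryptographic hash: fixed-size, deterministic, one-way (SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()


def hamming_distance_hex(h1: str, h2: str) -> int:
    """Count differing bits between two hex digests (shows the avalanche effect)."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


def keyed_digest(data: bytes, key: bytes) -> str:
    """HMAC: an attacker who can rewrite both data and hash cannot forge this without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, expected_hex: str, key=None) -> bool:
    """Integrity check; with a key it is an authenticity check as well."""
    actual = keyed_digest(data, key) if key else digest(data)
    return hmac.compare_digest(actual, expected_hex)   # constant-time comparison


def hash_total(csv_text: str, field: str) -> int:
    """Batch control 'hash total': the sum of a numeric field, kept in integer cents."""
    total = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        whole, _, frac = row[field].partition(".")
        total += int(whole) * 100 + int((frac + "00")[:2])
    return total


def batch_agrees(csv_text: str, field: str, control_total_cents: int) -> bool:
    """The sender's control total must equal the total recomputed over the received records."""
    return hash_total(csv_text, field) == control_total_cents


if __name__ == "__main__":
    h = digest(BATCH_CSV.encode())
    tampered = BATCH_CSV.replace("75.50", "75.51")
    print("file digest :", h)
    print("bits changed:", hamming_distance_hex(h, digest(tampered.encode())), "of 256")
    print("hash total  :", hash_total(BATCH_CSV, "amount"), "cents")
    print("tampered total matches control?", batch_agrees(tampered, "amount", 152550))
```

The two mechanisms catch different things: the digest detects any change to the file's bytes, while the hash total only detects changes that alter the sum (a record whose amount is moved to a different account passes it), which is why batch controls pair a hash total with a record count.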
Help desk
  A service offered via telephone/Internet by an enterprise to its clients or employees that provides information, assistance and troubleshooting advice regarding software, hardware or networks.
  Scope Note: A help desk is staffed by people who can either resolve the problem on their own or escalate the problem to specialized personnel. A help desk is often equipped with dedicated customer relationship management (CRM) software that logs the problems and tracks them until they are solved.
Heuristic filter
  A method often employed by anti-spam software to filter spam using criteria established in a centralized rule database
  Scope Note: Every e-mail message is given a rank, based on its header and contents, which is then matched against preset thresholds. A message that surpasses the threshold will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient. (Returning it to the purported sender is now discouraged: spam sender addresses are usually forged, so the bounce becomes backscatter to an innocent third party.)
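Added example (not from the glossary): a minimal heuristic filter in Python. Each rule in a constructed rule database contributes a score when it matches a message's headers or body, the sum is compared with a threshold, and negative scores let known-good signals offset suspicious ones. The rules, threshold, sender domains and messages are constructed.

```python
import re

# Constructed rule database: (rule name, pattern over the raw message, score contribution)
RULES = [
    ("shouting_subject",  re.compile(r"^Subject: [A-Z0-9 !$]{12,}$", re.M), 2.0),
    ("urgency_or_money",  re.compile(r"\b(wire transfer|act now|urgent)\b", re.I), 1.5),
    ("lookalike_sender",  re.compile(r"^From: .*@[\w.-]*examp1e\.com", re.M), 3.0),
    ("exclamation_run",   re.compile(r"!{3,}"), 1.0),
    ("known_list",        re.compile(r"^List-Id: ", re.M), -2.0),   # negative scores lower the rank
]
SPAM_THRESHOLD = 4.0


def score_message(raw):
    """Rank a message: each rule fires at most once; return (total score, rule names that fired)."""
    total, fired = 0.0, []
    for name, pattern, points in RULES:
        if pattern.search(raw):
            total += points
            fired.append(name)
    return total, fired


def classify(raw, threshold=SPAM_THRESHOLD):
    """Compare the rank with the preset threshold; returns (verdict, score, fired rules)."""
    score, fired = score_message(raw)
    verdict = "spam" if score >= threshold else "ham"
    return verdict, score, fired


# Constructed messages
SPAM = (
    "From: promotions@mail.examp1e.com\n"
    "Subject: YOU HAVE WON $1000 CLAIM NOW\n"
    "\n"
    "Urgent: a wire transfer fee is required!!! Reply today.\n"
)
HAM = (
    "From: news@example.com\n"
    "List-Id: <weekly.example.com>\n"
    "Subject: Weekly digest\n"
    "\n"
    "Act now on the early-bird rate for the conference.\n"
)


if __name__ == "__main__":
    for label, msg in (("spam sample", SPAM), ("ham sample", HAM)):
        print(label, classify(msg))
```

Returning the list of fired rules alongside the score is what makes a heuristic filter tunable: when a legitimate message is flagged, the operator can see which rule's weight or threshold to adjust rather than guessing.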
Hexadecimal
  A numbering system that uses a base of 16 and uses 16 digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E and F
  Programmers use hexadecimal numbers as a convenient way of representing binary numbers; each hexadecimal digit stands for exactly four bits.

Hierarchical database
  A database structured in a tree/root or parent/child relationship
  Scope Note: Each parent can have many children, but each child may have only one parent.

Hijacking
  An exploitation of a valid network session for unauthorized purposes

Honeypot
  A specially configured server, also known as a decoy server, designed to attract and monitor intruders in a manner such that their actions do not affect production systems
  Scope Note: Also known as "decoy server"

Horizontal defense in depth
  Controls are placed in various places in the path to access an asset (this is functionally equivalent to the concentric ring model).

Hot site
  A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster

Hub
  A common connection point for devices in a network; hubs are used to connect segments of a local area network (LAN)
  Scope Note: A hub contains multiple ports. When a packet arrives at one port, it is copied to the other ports so that all segments of the LAN can see all packets. Because of this, any host on a hub can capture every other host's traffic; a switch forwards a frame only to the port where the destination address was learned.

Human firewall
  A person prepared to act as a network layer of defense through education and awareness

Hurdle rate
  Also known as required rate of return, above which an investment makes sense and below which it does not
  Scope Note: Often based on the cost of capital, plus or minus a risk premium, and often varied based on prevailing economic conditions

Hybrid application controls
  Consist of a combination of manual and automated activities, all of which must operate for the control to be effective
  Scope Note: Sometimes referred to as computer-dependent application controls

Hyperlink
  An electronic pathway that may be displayed in the form of highlighted text, graphics or a button that connects one web page with another web page address

Hypertext
  A language that enables electronic documents that present information to be connected by links instead of being presented sequentially, as is the case with normal text
Hypertext Markup Language (HTML)
  A language designed for the creation of web pages with hypertext and other information to be displayed in a web browser; used to structure information, denoting certain text such as headings, paragraphs and lists, and can be used to describe, to some degree, the appearance and semantics of a document

Hypertext Transfer Protocol Secure (HTTPS)
  A protocol for accessing a secure web server, whereby all data transferred are encrypted. HTTPS is HTTP carried over a Transport Layer Security (TLS) connection, which also authenticates the server by its certificate.

Hypertext Transfer Protocol (HTTP)
  A communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit hypertext markup language (HTML), extensible markup language (XML) or other pages to client browsers

Identity access management (IAM)
  Encapsulates people, processes and products to identify and manage the data used in an information system to authenticate users and grant or deny access rights to data and system resources. The goal of IAM is to provide appropriate access to enterprise resources.

Idle standby
  A failover process in which the primary node owns the resource group and the backup node runs idle, only supervising the primary node
  Scope Note: In case of a primary node outage, the backup node takes over. The nodes are prioritized, which means that the surviving node with the highest priority will acquire the resource group. A higher-priority node joining the cluster will thus cause a short service interruption.

IEEE (Institute of Electrical and Electronics Engineers)
  Pronounced I-triple-E; IEEE is an organization composed of engineers, scientists and students
  Scope Note: Best known for developing standards for the computer and electronics industry

IEEE 802.11
  A family of specifications developed by the Institute of Electrical and Electronics Engineers (IEEE) for wireless local area network (WLAN) technology. 802.11 specifies an over-the-air interface between a wireless client and a base station or between two wireless clients.

Image processing
  The process of electronically inputting source documents by taking an image of the document, thereby eliminating the need for key entry

Imaging
  A process that allows one to obtain a bit-for-bit copy of data to avoid damage of original data or information when multiple analyses may be performed.
  Scope Note: The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector. The source is read through a write blocker, and a cryptographic hash of the source and of the image are compared and recorded to show that the copy is exact.

Impact
  Magnitude of loss resulting from a threat exploiting a vulnerability

Impact analysis
  A study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events
  In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.

Impact assessment
  A review of the possible consequences of a risk
  Scope Note: See also Impact analysis.
Page 47 of 103
Impairment
A condition that causes a weakness or diminished ability to execute audit objectives
Scope Note: Impairment to organisational independence and individual objectivity may include personal conflict of interest; scope limitations; restrictions on access to records, personnel, equipment, or facilities; and resource limitations (such as funding or staffing).

Impersonation
A security concept related to Windows NT that allows a server application to temporarily "be" the client in terms of access to secure objects
Scope Note: Impersonation has three possible levels: identification, letting the server inspect the client's identity; impersonation, letting the server act on behalf of the client; and delegation, the same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). Impersonation by imitating or copying the identification, behavior or actions of another may also be used in social engineering to obtain otherwise unauthorized physical access.

Implement
In business, includes the full economic life cycle of the investment program through retirement (i.e., when the full expected value of the investment is realized, as much value as is deemed possible has been realized, or it is determined that the expected value cannot be realized and the program is terminated)

Implementation life cycle review
Refers to the controls that support the process of transformation of the enterprise's legacy information systems into the enterprise resource planning (ERP) applications
Scope Note: Largely covers all aspects of systems implementation and configuration, such as change management

Incident
Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service

Incident response
The response of an enterprise to a disaster or other significant event that may significantly affect the enterprise, its people, or its ability to function productively. An incident response may include evacuation of a facility, initiating a disaster recovery plan (DRP), performing damage assessment, and any other measures necessary to bring an enterprise to a more stable status.

Incident response plan
The operational component of incident management
Scope Note: The plan includes documented procedures and guidelines for defining the criticality of incidents, reporting and escalation process, and recovery procedures.

Inconsequential deficiency
A deficiency is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected deficiencies, that the deficiencies, either individually or when aggregated with other deficiencies, would clearly be trivial to the subject matter. If a reasonable person could not reach such a conclusion regarding a particular deficiency, that deficiency is more than inconsequential.

Incremental testing
Deliberately testing only the value-added functionality of a software component

Independence
1. Self-governance
2. The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional and organizational levels. Independence includes Independence of mind and Independence in appearance.
Scope Note: See Independence of mind and Independence in appearance.

Independence in appearance
The avoidance of facts and circumstances that are so significant that a reasonable and informed third party would be likely to conclude, weighing all the specific facts and circumstances, that a firm's, audit function's, or a member of the audit team's, integrity, objectivity or professional skepticism has been compromised.

Independence of mind
The state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgement, thereby allowing an individual to act with integrity and exercise objectivity and professional skepticism.

Independent appearance
The outward impression of being self-governing and free from conflict of interest and undue influence

Independent attitude
Impartial point of view which allows an IS auditor to act objectively and with fairness

Indexed Sequential Access Method (ISAM)
A disk access method that stores data sequentially while also maintaining an index of key fields to all the records in the file for direct access capability

Indexed sequential file
A file format in which records are organized and can be accessed, according to a preestablished key that is part of the record

Information
An asset that, like other important business assets, is essential to an enterprise's business. It can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation.
Scope Note: COBIT 5 perspective

Information architecture
Information architecture is one component of IT architecture (together with applications and technology)

Information criteria
Attributes of information that must be satisfied to meet business requirements

Information engineering
Data-oriented development techniques that work on the premise that data are at the center of information processing and that certain data relationships are significant to a business and must be represented in the data structure of its systems

Information processing facility (IPF)
The computer room and support areas

Information security
Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability)

Information security governance
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly

Information security program
The overall combination of technical, operational and procedural measures and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis

Information systems (IS)
The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies
Scope Note: Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.

Information technology (IT)
The hardware, software, communication and other facilities used to input, store, process, transmit and output data in whatever form

Informed
In a RACI chart (Responsible, Accountable, Consulted, Informed), Informed refers to those people who are kept up to date on the progress of an activity (one-way communication)

Infrastructure as a Service (IaaS)
Offers the capability to provision processing, storage, networks and other fundamental computing resources, enabling the customer to deploy and run arbitrary software, which can include operating systems (OSs) and applications

Ingestion
A process to convert information extracted to a format that can be understood by investigators.
Scope Note: See also Normalization.

Ingress
Network communications coming in

Inherent risk
The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls)

Inheritance (objects)
Database structures that have a strict hierarchy (no multiple inheritance). Inheritance can initiate other objects irrespective of the class hierarchy, thus there is no strict hierarchy of objects

Initial program load (IPL)
The initialization procedure that causes an operating system to be loaded into storage at the beginning of a workday or after a system malfunction.

Initialization vector (IV) collisions
A major concern is the way that wired equivalent privacy (WEP) allocates the RC4 initialization vectors (IVs) used to create the keys that are used to drive a pseudo-random number generator that is eventually used for encryption of the wireless data traffic. The IV in WEP is a 24-bit field, a small space that practically guarantees reuse, resulting in key reuse. The WEP standard also fails to specify how these IVs are assigned. Many wireless network cards reset these IVs to zero and then increment them by one for every use. If an attacker can capture two packets using the same IV (the same key if the key has not been changed), mechanisms can be used to determine portions of the original packets. This and other weaknesses result in key reuse, resulting in susceptibility to attacks to determine the keys used. These attacks require a large number of packets (5-6 million) to actually fully derive the WEP key, but on a large, busy network this can occur in a short time, perhaps in as quickly as 10 minutes (although, even some of the largest corporate networks will likely require much more time than this to gather enough packets). In WEP-protected wireless networks, many times multiple, or all, stations use the same shared key. This increases the chances of IV collisions.

Injection
A general term for attack types which consist of injecting code that is then interpreted/executed by the application. (OWASP)

Input control
Techniques and procedures used to verify, validate and edit data to ensure that only correct data are entered into the computer

Inputs and outputs
The process work products/artifacts considered necessary to support operation of the process
Scope Note: Inputs and outputs enable key decisions, provide a record and audit trail of process activities, and enable follow-up in the event of an incident. They are defined at the key management practice level, may include some work products used only within the process and are often essential inputs to other processes. The illustrative COBIT 5 inputs and outputs should not be regarded as an exhaustive list since additional information flows could be defined depending on a particular enterprise's environment and process framework.
COBIT 5 perspective

Instant messaging (IM)
An online mechanism or a form of real-time communication between two or more people based on typed text and multimedia data
Scope Note: Text is conveyed via computers or another electronic device (e.g., cellular phone or handheld device) connected over a network, such as the Internet.

Intangible asset
An asset that is not physical in nature
Scope Note: Examples include: intellectual property (patents, trademarks, copyrights, processes), goodwill, and brand recognition

Integrated services digital network (ISDN)
A public end-to-end digital telecommunications network with signaling, switching and transport capabilities supporting a wide range of service accessed by standardized interfaces with integrated customer control
Scope Note: The standard allows transmission of digital voice, video and data over 64 Kbps lines.

Integrated test facilities (ITF)
A testing methodology in which test data are processed in production systems
Scope Note: The data usually represent a set of fictitious entities such as departments, customers or products. Output reports are verified to confirm the correctness of the processing.

Integrity
The guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity

Intellectual property
Intangible assets that belong to an enterprise for its exclusive use
Scope Note: Examples include: patents, copyrights, trademarks, ideas, and trade secrets.

Interface testing
A testing technique that is used to evaluate output from one application while the information is sent as input to another application

Internal control environment
The relevant environment on which the controls have effect

Internal control over financial reporting
A process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, management and other personnel to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
Includes those policies and procedures that:
- Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant
- Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant
- Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements

Internal control structure
The dynamic, integrated processes effected by the governing body, management and all other staff that are designed to provide reasonable assurance regarding the achievement of the following general objectives:
- Effectiveness, efficiency and economy of operations
- Reliability of management
- Compliance with applicable laws, regulations and internal policies
Management's strategies for achieving these general objectives are affected by the design and operation of the following components:
- Control environment
- Information system
- Control procedures

Internal controls
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Internal penetrators
Authorized user of a computer system who oversteps his/her legitimate access rights
Scope Note: This category is divided into masqueraders and clandestine users.

Internal rate of return (IRR)
The discount rate that equates an investment cost with its projected earnings
Scope Note: When discounted at the IRR, the present value of the cash outflow will equal the present value of the cash inflow. The IRR and net present value (NPV) are measures of the expected profitability of an investment project.

Internal storage
The main memory of the computer's central processing unit (CPU)

International Standards Organization (ISO)
The world's largest developer of voluntary International Standards

Internet
1. Two or more networks connected by a router
2. The world's largest network using Transmission Control Protocol/Internet Protocol (TCP/IP) to link government, university and commercial institutions

Internet Assigned Numbers Authority (IANA)
Responsible for the global coordination of the DNS root, IP addressing, and other Internet protocol resources

Internet banking
Use of the Internet as a remote delivery channel for banking services
Scope Note: Services include traditional ones, such as opening an account or transferring funds to different accounts, and new banking services, such as electronic bill presentment and payment (allowing customers to receive and pay bills on a bank's web site).

Internet Control Message Protocol (ICMP)
A set of protocols that allow systems to communicate information about the state of services on other systems
Scope Note: For example, ICMP is used in determining whether systems are up, maximum packet sizes on links, whether a destination host/network/port is available. Hackers typically use (abuse) ICMP to determine information about the remote site.

Internet Engineering Task Force (IETF)
An organization with international affiliates as network industry representatives that sets Internet standards. This includes all network industry developers and researchers concerned with the evolution and planned growth of the Internet.

Internet Inter-ORB Protocol (IIOP)
Developed by the object management group (OMG) to implement Common Object Request Broker Architecture (CORBA) solutions over the World Wide Web
Scope Note: CORBA enables modules of network-based programs to communicate with one another. These modules or program parts, such as tables, arrays, and more complex program subelements, are referred to as objects. Use of IIOP in this process enables browsers and servers to exchange both simple and complex objects. This differs significantly from HyperText Transfer Protocol (HTTP), which only supports the transmission of text.

Internet protocol (IP)
Specifies the format of packets and the addressing scheme

Internet Protocol (IP) packet spoofing
An attack using packets with the spoofed source Internet packet (IP) addresses.
Scope Note: This technique exploits applications that use authentication based on IP addresses. This technique also may enable an unauthorized user to gain root access on the target system.

Internet service provider (ISP)
A third party that provides individuals and enterprises with access to the Internet and a variety of other Internet-related services

Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
IPX is layer 3 of the open systems interconnect (OSI) model network protocol; SPX is layer 4 transport protocol. The SPX layer sits on top of the IPX layer and provides connection-oriented services between two nodes on the network.

Interrogation
Used to obtain prior indicators or relationships, including telephone numbers, IP addresses and names of individuals, from extracted data

Interruption window
The time that the company can wait from the point of failure to the restoration of the minimum and critical services or applications. After this time, the progressive losses caused by the interruption are excessive for the enterprise.

Intranet
A private network that uses the infrastructure and standards of the Internet and World Wide Web, but is isolated from the public Internet by firewall barriers

Intruder
Individual or group gaining access to the network and its resources without permission

Intrusion
Any event during which unauthorized access occurs

Intrusion detection
The process of monitoring the events occurring in a computer system or network to detect signs of unauthorized access or attack

Intrusion detection system (IDS)
Inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack

Intrusion prevention
A preemptive approach to network security used to identify potential threats and respond to them to stop, or at least limit, damage or disruption

Intrusion prevention system (IPS)
A system designed to not only detect attacks, but also to prevent the intended victim hosts from being affected by the attacks

Intrusive monitoring
In vulnerability analysis, gaining information by performing checks that affect the normal operation of the system, and even by crashing the system

Investigation
The collection and analysis of evidence with the goal of identifying the perpetrator of an attack or unauthorized use or access

Investment portfolio
The collection of investments being considered and/or being made
Scope Note: COBIT 5 perspective

IP address
A unique binary number used to identify devices on a TCP/IP network

IP Authentication Header (AH)
Protocol used to provide connectionless integrity and data origin authentication for IP datagrams (hereafter referred to as just "integrity") and to provide protection against replays. (RFC 4302).
Scope Note: AH ensures data integrity with a checksum that a message authentication code, such as MD5, generates. To ensure data origin authentication, AH includes a secret shared key in the algorithm that it uses for authentication. To ensure replay protection, AH uses a sequence number field within the IP authentication header.

IP Security (IPSec)
A set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets

Irregularity
Violation of an established management policy or regulatory requirement. It may consist of deliberate misstatements or omission of information concerning the area under audit or the enterprise as a whole, gross negligence or unintentional illegal acts.

ISO 9001:2000
Code of practice for quality management from the International Organization for Standardization (ISO). ISO 9001:2000 specifies requirements for a quality management system for any enterprise that needs to demonstrate its ability to consistently provide products or services that meet particular quality targets.

ISO/IEC 17799
This standard defines information's confidentiality, integrity and availability controls in a comprehensive information security management system.
Scope Note: Originally released as part of the British Standard for Information Security in 1999 and then as the Code of Practice for Information Security Management in October 2000, it was elevated by the International Organization for Standardization (ISO) to an international code of practice for information security management. The latest version is ISO/IEC 17799:2005.

ISO/IEC 27001
Information Security Management Specification with Guidance for Use; the replacement for BS 7799-2. It is intended to provide the foundation for third-party audit and is harmonized with other management standards, such as ISO/IEC 9001 and 14001.

IT application
Electronic functionality that constitutes parts of business processes undertaken by, or with the assistance of, IT
Scope Note: COBIT 5 perspective

IT architecture
Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise's objectives

IT goal
A statement describing a desired outcome of enterprise IT in support of enterprise goals. An outcome can be an artifact, a significant change of a state or a significant capability improvement.
Scope Note: COBIT 5 perspective

IT governance
The responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategies and objectives

IT governance framework
A model that integrates a set of guidelines, policies and methods that represent the organizational approach to IT governance
Scope Note: Per COBIT, IT governance is the responsibility of the board of directors and executive management. It is an integral part of institutional governance and consists of the leadership and organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategy and objectives.

IT Governance Institute (ITGI)
Founded in 1998 by the Information Systems Audit and Control Association (now known as ISACA). ITGI strives to assist enterprise leadership in ensuring long-term, sustainable enterprise success and to increase stakeholder value by expanding awareness.

IT incident
Any event that is not part of the ordinary operation of a service that causes, or may cause, an interruption to, or a reduction in, the quality of that service

IT infrastructure
The set of hardware, software and facilities that integrates an enterprise's IT assets
Scope Note: Specifically, the equipment (including servers, routers, switches and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the enterprise's users

IT investment dashboard
A tool for setting expectations for an enterprise at each level and continuous monitoring of the performance against set targets for expenditures on, and returns from, IT-enabled investment projects in terms of business values

IT risk
The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

IT risk issue
1. An instance of IT risk
2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk

IT risk profile
A description of the overall (identified) IT risk to which the enterprise is exposed

IT risk register
A repository of the key attributes of potential and known IT risk issues. Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact, disposition.

IT risk scenario
The description of an IT-related event that can lead to a business impact

IT service
The day-to-day provision to customers of IT infrastructure and applications and support for their use, e.g., service desk, equipment supply and moves, and security authorizations
Scope Note: COBIT 5 perspective

IT steering committee
An executive-management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects

IT strategic plan
A long-term plan (i.e., three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise's strategic objectives (goals)

IT strategy committee
A committee at the level of the board of directors to ensure that the board is involved in major IT matters and decisions
Scope Note: The committee is primarily accountable for managing the portfolios of IT-enabled investments, IT services and other IT resources. The committee is the owner of the portfolio.

IT tactical plan
A medium-term plan (i.e., six- to 18-month horizon) that translates the IT strategic plan direction into required initiatives, resource requirements and ways in which resources and benefits will be monitored and managed

IT user
A person who uses IT to support or achieve a business objective

ITIL (IT Infrastructure Library)
The UK Office of Government Commerce (OGC) IT Infrastructure Library. A set of guides on the management and provision of operational IT services

IT-related incident
An IT-related event that causes an operational, developmental and/or strategic business impact

Job control language (JCL)
Used to control run routines in connection with performing tasks on a computer

Journal entry
A debit or credit to a general ledger account, in Oracle
See also Manual Journal Entry.

Judgment sampling
Any sample that is selected subjectively or in such a manner that the sample selection process is not random or the sampling results are not evaluated mathematically

Kernel mode
Used for execution of privileged instructions for the internal operation of the system. In kernel mode, there are no protections from errors or malicious activity and all parts of the system and memory are accessible.

Key goal indicator (KGI)
A measure that tells management, after the fact, whether an IT process has achieved its business requirements; usually expressed in terms of information criteria

Key length
The size of the encryption key measured in bits

Key management practice
Management practices that are required to successfully execute business processes

Key performance indicator (KPI)
A measure that determines how well the process is performing in enabling the goal to be reached
Scope Note: A lead indicator of whether a goal will likely be reached, and a good indicator of capabilities, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance.

Key risk indicator (KRI)
A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk

Keylogger

Knowledge portal
Scope Note: Generally a web-based implementation containing a core repository of information provided for the extended enterprise to resolve any issues

Lag indicator
Metrics for achievement of goals. An indicator relating to the outcome or result of an enabler
Scope Note: This indicator is only available after the facts or events.

Latency
The time it takes a system and network delay to respond
Scope Note: More specifically, system latency is the time that a system takes to retrieve data. Network latency is the time it takes for a packet to travel from the source to the final destination.

Layer 2 switches
Data link level devices that can divide and interconnect network segments and help to reduce collision domains in Ethernet-based networks

Layer 3 and 4 switches
Switches with operating capabilities at layer 3 and layer 4 of the open systems interconnect (OSI) model. These switches look at the incoming packet's networking protocol, e.g., IP, and then compare the destination IP address to the list of addresses in their tables, to actively calculate the best way to send a packet to its destination.

Layer 4-7 switches
Used for load balancing among groups of servers
Scope Note: Also known as content switches, content services switches, web switches or application switches.

Lead indicator
Metrics for application of good practice. An indicator relating to the functioning of an enabler
Scope Note: This indicator will provide an indication on possible outcome of the enabler.

Leadership
The ability and process to translate vision into desired behaviors that are followed at all levels of the extended enterprise

Leased line
A communication line permanently assigned to connect two points, as opposed to a dial-up line that is only available and open when a connection is made by dialing the target machine or network. Also known as a dedicated line

Legacy system
Outdated computer systems

Level of assurance
Refers to the degree to which the subject matter has been examined or reviewed

Librarian
The individual responsible for the safeguard and maintenance of all program and data files

Licensing agreement
A contract that establishes the terms and conditions under which a piece of software is being licensed (i.e., made legally available for use) from the software developer (owner) to the user

Life cycle
A series of stages that characterize the course of existence of an organizational investment (e.g., product, project, program)

Likelihood
The probability of something happening

Limit check
Tests specified amount fields against stipulated high or low limits of acceptability
Scope Note: When both high and low values are used, the test may be called a range check.

Link editor (linkage editor)
A utility program that combines several separately compiled modules into one, resolving internal references between them

Literals
Any notation for representing a value within programming language source code (e.g., a string literal); a chunk of input data that is represented "as is" in compressed data

Local area network (LAN)
Communication network that serves several users within a specified geographic area
Scope Note: A personal computer LAN functions as a distributed processing system in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network.

Log
To record details of information or events in an organized record-keeping system, usually sequenced in the order in which they occurred

Logical access
Ability to interact with computer resources granted using identification, authentication and authorization.

Logical access controls
The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files

Logoff
The act of disconnecting from the computer

Logon
The act of connecting to the computer, which typically requires entry of a user ID and password into a computer terminal

Logs/log file
Files created specifically to record various actions occurring on the system to be monitored, such as failed login attempts, full disk drives and e-mail delivery failures

Loss event
Any event during which a threat event results in loss
Scope Note: From Jones, J.; "FAIR Taxonomy," Risk Management Insight, USA, 2008

MAC header
Represents the hardware address of a network interface controller (NIC) inside a data packet

Machine language
The logical language that a computer understands

Magnetic card reader
Reads cards with a magnetic surface on which data can be stored and retrieved

Magnetic ink character recognition (MICR)
Used to electronically input, read and interpret information directly from a source document
Scope Note: MICR requires the source document to have specially coded magnetic ink

Magnitude
A measure of the potential severity of loss or the potential gain from realized events/scenarios

Mail relay server
An electronic mail (email) server that relays messages so that neither the sender nor the recipient is a local user

Mainframe
A large high-speed computer, especially one supporting numerous workstations or peripherals

Malware
Short for malicious software
Designed to infiltrate, damage or obtain information from a computer system without the owner's consent
Scope Note: Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. Spyware is generally used for marketing purposes and, as such, is not malicious, although it is generally unwanted. Spyware can, however, be used to gather information for identity theft or other clearly illicit purposes.

Management
Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Management information system (MIS)
An organized assembly of resources and procedures required to collect, process and distribute data for use in decision making

Mandatory access control (MAC)
A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users or programs acting on their behalf

Man-in-the-middle attack
An attack strategy in which the attacker intercepts the communication stream between two parts of the victim system and then replaces the traffic between the two components with the intruder's own, eventually assuming control of the communication

Manual journal entry
A journal entry entered at a computer terminal
Scope Note: Manual journal entries can include regular, statistical, intercompany and foreign currency entries. See also Journal Entry.

Mapping
Diagramming data that are to be exchanged electronically, including how they are to be used and what business management systems need them.
See also Application Tracing and Mapping.
Scope Note: Mapping is a preliminary step for developing an applications link.

Masking
A computerized technique of blocking out the display of sensitive information, such as passwords, on a computer terminal or report

Masqueraders
Attackers that penetrate systems by using the identity of legitimate users and their logon credentials

Master file
A file of semipermanent information that is used frequently for processing data or for more than one purpose
Material misstatement
An accidental or intentional untrue statement that affects the results of an audit to a measurable extent

Material weakness
A deficiency or a combination of deficiencies in internal control, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis. Weakness in control is considered material if the absence of the control results in failure to provide reasonable assurance that the control objective will be met. A weakness classified as material implies that:
Controls are not in place and/or controls are not in use and/or controls are inadequate
Escalation is warranted
There is an inverse relationship between materiality and the level of audit risk acceptable to the IS auditor or assurance professional, i.e., the higher the materiality level, the lower the acceptability of the audit risk, and vice versa.

Materiality
An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited
An expression of the relative significance or importance of a particular matter in the context of the enterprise as a whole

Maturity
In business, indicates the degree of reliability or dependency that the business can place on a process achieving the desired goals or objectives

Maturity model
Scope Note: See Capability Maturity Model (CMM).

Maximum tolerable outages (MTO)
Maximum time that an enterprise can support processing in alternate mode

Measure
A standard used to evaluate and communicate performance against expected results
Scope Note: Measures are normally quantitative in nature capturing numbers, dollars, percentages, etc., but can also address qualitative information such as customer satisfaction. Reporting and monitoring measures help an enterprise gauge progress toward effective implementation of strategy.

Media access control (MAC)
Applied to the hardware at the factory and cannot be modified, MAC is a unique, 48-bit, hard-coded address of a physical layer device, such as an Ethernet local area network (LAN) or a wireless network card

Media access control (MAC) address
A unique identifier assigned to network interfaces for communications on the physical network segment

Media oxidation
The deterioration of the media on which data are digitally stored due to exposure to oxygen and moisture
Scope Note: Tapes deteriorating in a warm, humid environment are an example of media oxidation. Proper environmental controls should prevent, or significantly slow, this process.
Memory dump
The act of copying raw data from one place to another with little or no formatting for readability
Scope Note: Usually, dump refers to copying data from the main memory to a display screen or a printer. Dumps are useful for diagnosing bugs. After a program fails, one can study the dump and analyze the contents of memory at the time of the failure. A memory dump will not help unless each person knows what to look for because dumps are usually output in a difficult-to-read form (binary, octal or hexadecimal).

Message authentication code
An American National Standards Institute (ANSI) standard checksum that is computed using Data Encryption Standard (DES)

Message digest
A smaller extrapolated version of the original message created using a message digest algorithm

Message digest algorithm
Message digest algorithms are SHA1, MD2, MD4 and MD5. These algorithms are one-way functions unlike private and public key encryption algorithms.
Scope Note: All digest algorithms take a message of arbitrary length and produce a 128-bit message digest.

Message switching
A telecommunications methodology that controls traffic in which a complete message is sent to a concentration point and stored until the communications path is established

Metric
A quantifiable entity that allows the measurement of the achievement of a process goal
Scope Note: Metrics should be SMART: specific, measurable, actionable, relevant and timely. Complete metric guidance defines the unit used, measurement frequency, ideal target value (if appropriate) and also the procedure to carry out the measurement and the procedure for the interpretation of the assessment.

Metropolitan area network (MAN)
A data network intended to serve an area the size of a large city

Microwave transmission
A high-capacity line-of-sight transmission of data signals through the atmosphere which often requires relay stations

Middleware
Another term for an application programmer interface (API)
It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.

Milestone
A terminal element that marks the completion of a work package or phase
Scope Note: Typically marked by a high-level event such as project completion, receipt, endorsement or signing of a previously defined deliverable or a high-level review meeting at which the appropriate level of project completion is determined and agreed to. A milestone is associated with a decision that outlines the future of a project and, for an outsourced project, may have a payment to the contractor associated with it.

Miniature fragment attack
Using this method, an attacker fragments the IP packet into smaller ones and pushes it through the firewall, in the hope that only the first of the sequence of fragmented packets would be examined and the others would pass without review.
Mirrored site
An alternate site that contains the same information as the original
Scope Note: Mirrored sites are set up for backup and disaster recovery and to balance the traffic load for numerous download requests. Such download mirrors are often placed in different locations throughout the Internet.

Mission-critical application
An application that is vital to the operation of the enterprise. The term is very popular for describing the applications required to run the day-to-day business.

Misuse detection
Detection on the basis of whether the system activity matches that defined as "bad"

Mobile computing
Extends the concept of wireless computing to devices that enable new kinds of applications and expand an enterprise network to reach places in circumstances that could never have been done by other means
Scope Note: Mobile computing is comprised of personal digital assistants (PDAs), cellular phones, laptops and other technologies of this kind.

Mobile device
A small, handheld computing device, typically having a display screen with touch input and/or a miniature keyboard and weighing less than two pounds

Mobile site
The use of a mobile/temporary facility to serve as a business resumption location
The facility can usually be delivered to any site and can house information technology and staff.

Model
A way to describe a given set of components and how those components relate to each other in order to describe the main workings of an object, system, or concept
Scope Note: COBIT 5 perspective

MODEM (modulator/demodulator)
Connects a terminal or computer to a communications network via a telephone line
Modems turn digital pulses from the computer into frequencies within the audio range of the telephone system. When acting in the receiver capacity, a modem decodes incoming frequencies.

Modulation
The process of converting a digital computer signal into an analog telecommunications signal

Monetary unit sampling
A sampling technique that estimates the amount of overstatement in an account balance

Monitoring policy
Rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured and interpreted

Multifactor authentication
A combination of more than one authentication method, such as token and password (or personal identification number [PIN] or token and biometric device).

Multiplexor
A device used for combining several lower-speed channels into a higher-speed channel

Mutual takeover
A failover process, which is basically a two-way idle standby: two servers are configured so that both can take over the other node's resource group. Both must have enough central processing unit (CPU) power to run both applications with sufficient speed, or expected performance losses must be taken into account until the failed node reintegrates.
National Institute for Standards and Technology (NIST)
Develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology
Scope Note: NIST is a US government entity that creates mandatory standards that are followed by federal agencies and those doing business with them.

Net present value (NPV)
Calculated by using an after-tax discount rate of an investment and a series of expected incremental cash outflows (the initial investment and operational costs) and cash inflows (cost savings or revenues) that occur at regular periods during the life cycle of the investment
Scope Note: To arrive at a fair NPV calculation, cash inflows accrued by the business up to about five years after project deployment also should be taken into account.

Net return
The revenue that a project or business makes after tax and other deductions; often also classified as net profit

Netcat
A simple UNIX utility, which reads and writes data across network connections using Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). It is designed to be a reliable back-end tool that can be used directly or is easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, because it can create almost any kind of connection needed and has several interesting built-in capabilities. Netcat is now part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions.

Netcentric technologies
The contents and security of information or objects (software and data) on the network are now of prime importance compared with traditional computer processing that emphasizes the location of hardware and its related software and data.
Scope Note: An example of netcentric technologies is the Internet, where the network is its primary concern.

Netware
A popular local area network (LAN) operating system (OS) developed by the Novell Corp.

Network
A system of interconnected computers and the communication equipment used to connect them

Network address translation (NAT)
A methodology of modifying network address information in IP datagram packet headers while they are in transit across a traffic routing device for the purpose of remapping one IP address space into another

Network administrator
Responsible for planning, implementing and maintaining the telecommunications infrastructure; also may be responsible for voice networks
Scope Note: For smaller enterprises, the network administrator may also maintain a local area network (LAN) and assist end users.

Network attached storage (NAS)
Utilizes dedicated storage devices that centralize storage of data
Scope Note: NA storage devices generally do not provide traditional file/print or application services.

Network basic input/output system (NetBIOS)
A program that allows applications on different computers to communicate within a local area network (LAN).
Network hop
An attack strategy in which the attacker successively hacks into a series of connected systems, obscuring his/her identity from the victim of the attack

Network interface card (NIC)
A communication card that, when inserted into a computer, allows it to communicate with other computers on a network
Scope Note: Most NICs are designed for a particular type of network or protocol.

Network news transfer protocol (NNTP)
Used for the distribution, inquiry, retrieval, and posting of Netnews articles using a reliable stream-based mechanism. For news-reading clients, NNTP enables retrieval of news articles that are stored in a central database, giving subscribers the ability to select only those articles they wish to read. (RFC 3977)

Network segmentation
A common technique to implement network security is to segment an organization's network into separate zones that can be separately controlled, monitored and protected.

Network traffic analysis
Identifies patterns in network communications
Scope Note: Traffic analysis does not need to have the actual content of the communication but analyzes where traffic is taking place, when and for how long communications occur and the size of information transferred.

Node
Point at which terminals are given access to a network

Noise
Disturbances in data transmissions, such as static, that cause messages to be misinterpreted by the receiver

Nondisclosure agreement (NDA)
A legal contract between at least two parties that outlines confidential materials that the parties wish to share with one another for certain purposes, but wish to restrict from generalized use; a contract through which the parties agree not to disclose information covered by the agreement
Scope Note: Also called a confidential disclosure agreement (CDA), confidentiality agreement or secrecy agreement. An NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect nonpublic business information. In the case of certain governmental entities, the confidentiality of information other than trade secrets may be subject to applicable statutory requirements, and in some cases may be required to be revealed to an outside party requesting the information. Generally, the governmental entity will include a provision in the contract to allow the seller to review a request for information that the seller identifies as confidential and the seller may appeal such a decision requiring disclosure. NDAs are commonly signed when two companies or individuals are considering doing business together and need to understand the processes used in one another's businesses solely for the purpose of evaluating the potential business relationship. NDAs can be "mutual," meaning that both parties are

Nonintrusive monitoring
The use of transported probes or traces to assemble information, track traffic and identify vulnerabilities

Nonrepudiable transaction
Transaction that cannot be denied after the fact

Nonrepudiation
The assurance that a party cannot later deny originating data; provision of proof of the integrity and origin of the data and that can be verified by a third party
Scope Note: A digital signature can provide nonrepudiation.

Nonstatistical sampling
Method of selecting a portion of a population, by means of own judgement and experience, for the purpose of quickly confirming a proposition. This method does not allow drawing mathematical conclusions on the entire population.
Normalization
The elimination of redundant data

Numeric check
An edit check designed to ensure that the data element in a particular field is numeric.

Obfuscation
The deliberate act of creating source or machine code that is difficult for humans to understand

Object code
Machine-readable instructions produced from a compiler or assembler program that has accepted and translated the source code

Object management group (OMG)
A consortium with more than 700 affiliates from the software industry whose purpose is to provide a common framework for developing applications using object-oriented programming techniques
Scope Note: For example, OMG is known principally for promulgating the Common Object Request Broker Architecture (CORBA) specification.

Object orientation
An approach to system development in which the basic unit of attention is an object, which represents an encapsulation of both data (an object's attributes) and functionality (an object's methods)
Scope Note: Objects usually are created using a general template called a class. A class is the basis for most design work in objects. A class and its objects communicate in defined ways. Aggregate classes interact through messages, which are directed requests for services from one class (the client) to another class (the server). A class may share the structure or methods defined in one or more other classes, a relationship known as inheritance.

Objective
Statement of a desired outcome
Scope Note: COBIT 5 perspective

Objectivity
The ability to exercise judgment, express opinions and present recommendations with impartiality

Object-oriented system development
A system development methodology that is organized around "objects" rather than "actions," and "data" rather than "logic"
Scope Note: Object-oriented analysis is an assessment of a physical system to determine which objects in the real world need to be represented as objects in a software system. Any object-oriented design is software design that is centered around designing the objects that will make up a program. Any object-oriented program is one that is composed of objects or software parts.

Offline files
Computer file storage media that are not physically connected to the computer; typical examples are tapes or tape cartridges used for backup purposes.

Offsite storage
A facility located away from the building housing the primary information processing facility (IPF), used for storage of computer media such as offline backup data and storage files

Online data processing
Achieved by entering information into the computer via a video display terminal
Scope Note: With online data processing, the computer immediately accepts or rejects the information as it is entered.

Open Source Security Testing Methodology
An open and freely available methodology and manual for security testing
Open system
System for which detailed specifications of the composition of its component are published in a nonproprietary environment, thereby enabling competing enterprises to use these standard components to build competitive systems
Scope Note: The advantages of using open systems include portability, interoperability and integration.

Open Systems Interconnect (OSI) model
A model for the design of a network. The open systems interconnect (OSI) model defines groups of functionality required to network computers into layers. Each layer implements a standard protocol to implement its functionality. There are seven layers in the OSI model.

Open Web Application Security Project (OWASP)
An open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted

Operating system (OS)
A master control program that runs the computer and acts as a scheduler and traffic controller
Scope Note: The operating system is the first program copied into the computer's memory after the computer is turned on; it must reside in memory at all times. It is the software that interfaces between the computer hardware (disk, keyboard, mouse, network, modem, printer) and the application software (word processor, spreadsheet, email), which also controls access to the devices and is partially responsible for security components and sets the standards for the application programs that run in it.

Operating system audit trail
Record of system events generated by a specialized operating system mechanism

Operational audit
An audit designed to evaluate the various internal controls, economy and efficiency of a function or department

Operational control
Deals with the everyday operation of a company or enterprise to ensure that all objectives are achieved

Operational level agreement (OLA)
An internal agreement covering the delivery of services that support the IT organization in its delivery of services

Operator console
A special terminal used by computer operations personnel to control computer and systems operations functions
Scope Note: Operator console terminals typically provide a high level of computer access and should be properly secured.

Optical character recognition (OCR)
Used to electronically scan and input written information from a source document

Optical scanner
An input device that reads characters and images that are printed or painted on a paper form into the computer

Organization
The manner in which an enterprise is structured; can also mean the entity

Organization for Economic Cooperation and Development (OECD)
An international organization helping governments tackle the economic, social and governance challenges of a global economy
Scope Note: The OECD groups 30 member countries in a unique forum to discuss, develop, and refine economic and social policies.
Organizational structure
An enabler of governance and of management. Includes the enterprise and its structures, hierarchies and dependencies.
Scope Note: Example: Steering committee
COBIT 5 perspective

Outcome
Result

Outcome measure
Represents the consequences of actions previously taken; often referred to as a lag indicator
Scope Note: Outcome measures frequently focus on results at the end of a time period and characterize historic performance. They are also referred to as a key goal indicator (KGI) and used to indicate whether goals have been met. These can be measured only after the fact and, therefore, are called "lag indicators."

Output analyzer

Outsourcing
A formal agreement with a third party to perform IS or other business functions for an enterprise

Owner
Individual or group that holds or possesses the rights of and the responsibilities for an enterprise, entity or asset.
Scope Note: Examples: process owner, system owner
COBIT 5 perspective

Packet
Data unit that is routed from source to destination in a packet-switched network
Scope Note: A packet contains both routing information and data. Transmission Control Protocol/Internet Protocol (TCP/IP) is such a packet-switched network.

Packet filtering
Controlling access to a network by analyzing the attributes of the incoming and outgoing packets and either letting them pass, or denying them, based on a list of rules
Packet internet groper (PING)
An Internet program (Internet Control Message Protocol [ICMP]) used to determine whether a specific IP address is accessible or online
It is a network application that uses User Datagram Protocol (UDP) to verify reachability of another host on the connected network.
Scope Note: It works by sending a packet to the specified address and waiting for a reply. PING is used primarily to troubleshoot Internet connections. In addition, PING reports the number of hops required to connect two Internet hosts. There are both freeware and shareware PING utilities available for personal computers (PCs).

Packet switching
The process of transmitting messages in convenient pieces that can be reassembled at the destination

Paper test
A walk-through of the steps of a regular test, but without actually performing the steps
Scope Note: Usually used in disaster recovery and contingency testing; team members review and become familiar with the plans and their specific roles and responsibilities

Parallel simulation
Involves an IS auditor writing a program to replicate those application processes that are critical to an audit opinion and using this program to reprocess application system data
Scope Note: The results produced by parallel simulation are compared with the results generated by the application system and any discrepancies are identified.

Parallel testing
The process of feeding test data into two systems, the modified system and an alternative system (possibly the original system), and comparing results to demonstrate the consistency and inconsistency between two versions of the application

Parity check
A general hardware control that helps to detect data errors when data are read from memory or communicated from one computer to another
Scope Note: A 1-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item's bits is odd or even. When the parity bit disagrees with the sum of the other bits, the computer reports an error. The probability of a parity check detecting an error is 50 percent.

Partitioned file
A file format in which the file is divided into multiple subfiles and a directory is established to locate each subfile

Passive assault
Intruders attempt to learn some characteristic of the data being transmitted
Scope Note: With a passive assault, intruders may be able to read the contents of the data so the privacy of the data is violated. Alternatively, although the content of the data itself may remain secure, intruders may read and analyze the plaintext source and destination identifiers attached to a message for routing purposes, or they may examine the lengths and frequency of messages being transmitted.

Passive response
A response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent action

Password
A protected, generally computer-encrypted string of characters that authenticate a computer user to the computer system
Password cracker
A tool that tests the strength of user passwords by searching for passwords that are easy to guess
It repeatedly tries words from specially crafted dictionaries and often also generates thousands (and in some cases, even millions) of permutations of characters, numbers and symbols.

Patch
Fixes to software programming errors and vulnerabilities

Patch management
An area of systems management that involves acquiring, testing and installing multiple patches (code changes) to an administered computer system in order to maintain up-to-date software and often to address security risk
Scope Note: Patch management tasks include the following: maintaining current knowledge of available patches; deciding what patches are appropriate for particular systems; ensuring that patches are installed properly; testing systems after installation; and documenting all associated procedures, such as specific configurations required. A number of products are available to automate patch management tasks. Patches are sometimes ineffective and can sometimes cause more problems than they fix. Patch management experts suggest that system administrators take simple steps to avoid problems, such as performing backups and testing patches on noncritical systems prior to installations. Patch management can be viewed as part of change management.

Payback period
The length of time needed to recoup the cost of capital investment
Scope Note: Financial amounts in the payback formula are not discounted. Note that the payback period does not take into account cash flows after the payback period and therefore is not a measure of the profitability of an investment project. The scope of the internal rate of return (IRR), net present value (NPV) and payback period is the useful economic life of the project up to a maximum of five years.

Payload
The section of fundamental data in a transmission. In malicious software this refers to the section containing the harmful data/code.

Payment system
A financial system that establishes the means for transferring money between suppliers and users of funds, ordinarily by exchanging debits or credits between banks or financial institutions

Payroll system
An electronic system for processing payroll information and the related electronic (e.g., electronic timekeeping and/or human resources [HR] system), human (e.g., payroll clerk), and external party (e.g., bank) interfaces
In a more limited sense, it is the electronic system that performs the processing for generating payroll checks and/or bank direct deposits to employees.

Penetration testing
A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers

Performance
In IT, the actual implementation or achievement of a process
Performance driver
A measure that is considered the "driver" of a lag indicator
It can be measured before the outcome is clear and, therefore, is called a "lead indicator."
Scope Note: There is an assumed relationship between the two that suggests that improved performance in a leading indicator will drive better performance in the lagging indicator. They are also referred to as key performance indicators (KPIs) and are used to indicate whether goals are likely to be met.

Performance indicators
A set of metrics designed to measure the extent to which performance objectives are being achieved on an ongoing basis
Scope Note: Performance indicators can include service level agreements (SLAs), critical success factors (CSFs), customer satisfaction ratings, internal or external benchmarks, industry best practices and international standards.

Performance management
In IT, the ability to manage any type of measurement, including employee, team, process, operational or financial measurements
The term connotes closed-loop control and regular monitoring of the measurement.

Performance testing
Comparing the system's performance to other equivalent systems, using well-defined benchmarks

Peripherals
Auxiliary computer hardware equipment used for input, output and data storage
Scope Note: Examples of peripherals include disk drives and printers.

Personal digital assistant (PDA)
Also called palmtop and pocket computer, PDA is a handheld device that provides computing, Internet, networking and telephone characteristics.

Personal identification number (PIN)
A type of password (i.e., a secret number assigned to an individual) that, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual
Scope Note: PINs have been adopted by financial institutions as the primary means of verifying customers in an electronic funds transfer (EFT) system.

Pervasive IS control
General control designed to manage and monitor the IS environment and which, therefore, affects all IS-related activities

Phase of BCP
A step-by-step approach consisting of various phases
Scope Note: Phase of BCP is usually comprised of the following phases: pre-implementation phase, implementation phase, testing phase, and post-implementation phase.

Phishing
This is a type of electronic mail (email) attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering
Scope Note: Phishing attacks may take the form of masquerading as a lottery organization advising the recipient or the user's bank of a large win; in either case, the intent is to obtain account and personal identification number (PIN) details. Alternative attacks may seek to obtain apparently innocuous business information, which may be used in another form of active attack.
Phreakers
Those who crack security, most frequently telephone and other communication networks

Piggybacking
1. Following an authorized person into a restricted access area
2. Electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions

Plain old telephone service (POTS)
A wired telecommunications system.

Plaintext
Digital information, such as cleartext, that is intelligible to the reader

Platform as a Service (PaaS)
Offers the capability to deploy onto the cloud infrastructure customer-created or acquired applications that are created using programming languages and tools supported by the provider

PMBOK (Project Management Body of Knowledge)
A project management standard developed by the Project Management Institute (PMI)

Point-of-presence (POP)
A telephone number that represents the area in which the communication provider or Internet service provider (ISP) provides service

Point-of-sale (POS) systems
Enables the capture of data at the time and place of transaction
Scope Note: POS terminals may include use of optical scanners for use with bar codes or magnetic card readers for use with credit cards. POS systems may be online to a central computer or may use standalone terminals or microcomputers that hold the transactions until the end of a specified period when they are sent to the main computer for batch processing.

Point-to-point Protocol (PPP)
A protocol used for transmitting data between two ends of a connection

Point-to-point Tunneling Protocol (PPTP)
A protocol used to transmit data securely between two end points to create a virtual private network (VPN).

Policy
1. Generally, a document that records a high-level principle or course of action that has been decided on
The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise's management teams.
Scope Note: In addition to policy content, policies need to describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured.
2. Overall intention and direction as formally expressed by management

Polymorphism (Objects)
Population
The entire set of data from which a sample is selected and about which an IS auditor wishes to draw conclusions

Port (Port number)
A process or application-specific software element serving as a communication endpoint for the Transport Layer IP protocols (UDP and TCP)

Port scanning
The act of probing a system to identify open ports

Portfolio
A grouping of "objects of interest" (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value
(The investment portfolio is of primary interest to Val IT. IT service, project, asset and other resource portfolios are of primary interest to COBIT.)

Posting
The process of actually entering transactions into computerized or manual files
Scope Note: Posting transactions might immediately update the master files or may result in memo posting, in which the transactions are accumulated over a period of time and then applied to master file updating.

Preventive application control
Application control that is intended to prevent an error from occurring
Preventive application controls are typically executed at the transaction level, before an action is performed.

Preventive control
An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product

Prime number
A natural number greater than 1 that can only be divided by 1 and itself.

PRINCE2 (Projects in a Controlled Environment)
Developed by the Office of Government Commerce (OGC), PRINCE2 is a project management method that covers the management, control and organization of a project.

Principle
An enabler of governance and of management. Comprises the values and fundamental assumptions held by the enterprise, the beliefs that guide and put boundaries around the enterprise's decision making, communication within and outside the enterprise, and stewardship (caring for assets owned by another).
Scope Note: COBIT 5 perspective. Examples: Ethics charter, social responsibility charter.

Principle of least privilege/access
Controls used to allow the least privilege access needed to complete a task

Privacy
Freedom from unauthorized intrusion or disclosure of information about an individual

Private branch exchange (PBX)
A telephone exchange that is owned by a private business, as opposed to one owned by a common carrier or by a telephone company

Private key
A mathematical key (kept secret by the holder) used to create digital signatures and, depending on the algorithm, to decrypt messages or files encrypted (for confidentiality) with the corresponding public key
Private key cryptosystems
Used in data encryption, it utilizes a secret key to encrypt the plaintext to the ciphertext. Private key cryptosystems also use the same key to decrypt the ciphertext to the corresponding plaintext.
Scope Note: In this case, the key is symmetric such that the encryption key is equivalent to the decryption key.

Privilege
The level of trust with which a system object is imbued

Probe
Inspect a network or system to find weak spots

Problem
In IT, the unknown underlying cause of one or more incidents

Problem escalation procedure
The process of escalating a problem up from junior to senior support staff, and ultimately to higher levels of management
Scope Note: Problem escalation procedure is often used in help desk management, when an unresolved problem is escalated up the chain of command, until it is solved.

Procedure
A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes.

Process
Generally, a collection of activities influenced by the enterprise's policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs
Scope Note: Processes have clear business reasons for existing, accountable owners, clear roles and responsibilities around the execution of the process, and the means to measure performance.

Process goals
A statement describing the desired outcome of a process.
Scope Note: COBIT 5 perspective. An outcome can be an artifact, a significant change of a state or a significant capability improvement of other processes.

Process maturity assessment
A subjective assessment technique derived from the Software Engineering Institute (SEI) capability maturity model integration (CMMI) concepts and developed as a COBIT management tool
It provides management with a profile of how well developed the IT management processes are.
Scope Note: It enables management to easily place itself on a scale and appreciate what is required if improved performance is needed. It is used to set targets, raise awareness, capture broad consensus, identify improvements and positively motivate change.

Process maturity attribute

Production program
Production software
Software that is being used and executed to support normal and authorized organizational operations
Scope Note: Production software is to be distinguished from test software, which is being developed or modified, but has not yet been authorized for use by management.

Professional competence
Proven level of ability, often linked to qualifications issued by relevant professional bodies and compliance with their codes of practice and standards

Professional judgement
The application of relevant knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the IS audit and assurance engagement

Professional skepticism
An attitude that includes a questioning mind and a critical assessment of audit evidence
Scope Note: Source: American Institute of Certified Public Accountants (AICPA) AU 230.07

Professional standards
Refers to standards issued by ISACA.
The term may extend to related guidelines and techniques that assist the professional in implementing and complying with authoritative pronouncements of ISACA. In certain instances, standards of other professional organizations may be considered, depending on the circumstances and their relevance and appropriateness.

Program
A structured grouping of interdependent projects that is both necessary and sufficient to achieve a desired business outcome and create value
These projects could include, but are not limited to, changes in the nature of the business, business processes and the work performed by people as well as the competencies required to carry out the work, the enabling technology, and the organizational structure.

Program and project management office (PMO)
The function responsible for supporting program and project managers, and gathering, assessing and reporting information about the conduct of their programs and constituent projects

Program Evaluation and Review Technique (PERT)
A project management technique used in the planning and control of system projects

Program flowchart
Shows the sequence of instructions in a single program or subroutine
Scope Note: The symbols used in program flowcharts should be the internationally accepted standard. Program flowcharts should be updated when necessary.

Program narrative
Provides a detailed explanation of program flowcharts, including control points and any external input

Project
A structured set of activities concerned with delivering a defined capability (that is necessary but not sufficient, to achieve a required business outcome) to the enterprise based on an agreed-on schedule and budget

Project management officer (PMO)
The individual function responsible for the implementation of a specified initiative for supporting the project management role and advancing the discipline of project management
Project portfolio
The set of projects owned by a company
Scope Note: It usually includes the main guidelines relative to each project, including objectives, costs, timelines and other information specific to the project.

Project team
Group of people responsible for a project, whose terms of reference may include the development, acquisition, implementation or maintenance of an application system
Scope Note: The project team members may include line management, operational line staff, external contractors and IS auditors.

Promiscuous mode
Allows the network interface to capture all network traffic irrespective of the hardware device to which the packet is addressed

Protection domain
The area of the system that the intrusion detection system (IDS) is meant to monitor and protect

Protocol
The rules by which a network operates and controls the flow and priority of transmissions

Protocol converter
Hardware devices, such as asynchronous and synchronous transmissions, that convert between two different types of transmission

Protocol stack
A set of utilities that implement a particular network protocol
Scope Note: For instance, in Windows machines a Transmission Control Protocol/Internet Protocol (TCP/IP) stack consists of TCP/IP software, sockets software and hardware driver software.

Prototyping
The process of quickly putting together a working model (a prototype) in order to test various aspects of a design, illustrate ideas or features and gather early user feedback
Scope Note: Prototyping uses programmed simulation techniques to represent a model of the final system to the user for advisement and critique. The emphasis is on end-user screens and reports. Internal controls are not a priority item since this is only a model.

Proxy server
A server that acts on behalf of a user
Scope Note: Typical proxies accept a connection from a user, make a decision as to whether the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and complete a connection to a remote destination on behalf of the user.

Public key
In an asymmetric cryptographic scheme, the key that may be widely published to enable the operation of the scheme

Public key cryptosystem
Used in data encryption, it uses an encryption key, as a public key, to encrypt the plaintext to the ciphertext. It uses the different decryption key, as a secret key, to decrypt the ciphertext to the corresponding plaintext.
Scope Note: In contrast to a private key cryptosystem, the decryption key should be secret; however, the encryption key can be known to everyone. In a public key cryptosystem, two keys are asymmetric, such that the encryption key is not equivalent to the decryption key.
Public key encryption
A cryptographic system that uses two keys: one is a public key, which is known to everyone, and the second is a private or secret key, which is only known to the recipient of the message
See also Asymmetric Key.

Public key infrastructure (PKI)
A series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued

Public switched telephone network (PSTN)
A communications system that sets up a dedicated channel (or circuit) between two points for the duration of the transmission.

Quality
Being fit for purpose (achieving intended value)
Scope Note: COBIT 5 perspective

Quality assurance (QA)
A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements. (ISO/IEC 24765)

Quality management system (QMS)
A system that outlines the policies and procedures necessary to improve and control the various processes that will ultimately lead to improved enterprise performance

Queue
A group of items that is waiting to be serviced or processed

Quick ship
A recovery solution provided by recovery and/or hardware vendors and includes a pre-established contract to deliver hardware resources within a specified number of hours after a disaster occurs
Scope Note: The quick ship solution usually provides enterprises with the ability to recover within 72 or more hours.

RACI chart
Illustrates who is Responsible, Accountable, Consulted and Informed within an organizational framework

Radio wave interference
The superposition of two or more radio waves resulting in a different radio wave pattern that is more difficult to intercept and decode properly

Random access memory (RAM)
The computer's primary working memory
Scope Note: Each byte of RAM can be accessed randomly regardless of adjacent bytes.

Range check
Range checks ensure that data fall within a predetermined range

Ransomware
Malware that restricts access to the compromised systems until a ransom demand is satisfied

Rapid application development
A methodology that enables enterprises to develop strategically important systems faster, while reducing development costs and maintaining quality by using a series of proven application development techniques, within a well-defined methodology

Real-time analysis
Analysis that is performed on a continuous basis, with results gained in time to alter the run-time system

Real-time processing
An interactive online system capability that immediately updates computer files when transactions are initiated through a terminal

Reasonable assurance
A level of comfort short of a guarantee, but considered adequate given the costs of the control and the likely benefits achieved

Reasonableness check
Compares data to predefined reasonability limits or occurrence rates established for the data
Reciprocal agreement
Emergency processing agreement between two or more enterprises with similar equipment or applications
Scope Note: Typically, participants of a reciprocal agreement promise to provide processing time to each other when an emergency arises.

Record
A collection of related information that is treated as a unit
Scope Note: Separate fields within the record are used for processing of the information.

Record, screen and report layouts
Record layouts provide information regarding the type of record, its size and the type of data contained in the record. Screen and report layouts describe what information is provided and necessary for input.

Recovery
The phase in the incident response plan that ensures that affected systems or services are restored to a condition specified in the service delivery objectives (SDOs) or business continuity plan (BCP)

Recovery action
Execution of a response or task according to a written procedure

Recovery point objective (RPO)
Determined based on the acceptable data loss in case of a disruption of operations
It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.

Recovery strategy
An approach by an enterprise that will ensure its recovery and continuity in the face of a disaster or other major outage
Scope Note: Plans and methodologies are determined by the enterprise's strategy. There may be more than one methodology or solution for an enterprise's strategy.
Examples of methodologies and solutions include: contracting for hot site or cold site, building an internal hot site or cold site, identifying an alternate work area, a consortium or reciprocal agreement, contracting for mobile recovery or crate and ship, and many others.

Recovery testing
A test to check the system's ability to recover after a software or hardware failure

Recovery time objective (RTO)
The amount of time allowed for the recovery of a business function or resource after a disaster occurs

Redo logs
Files maintained by a system, primarily a database management system (DBMS), for the purpose of reapplying changes following an error or outage recovery

Redundancy check
Detects transmission errors by appending calculated bits onto the end of each segment of data

Redundant Array of Inexpensive Disks (RAID)
Provides performance improvements and fault-tolerant capabilities via hardware or software solutions, by writing to a series of multiple disks to improve performance and/or save large files simultaneously

Redundant site
A recovery strategy involving the duplication of key IT components, including data or other key business processes, whereby fast recovery can take place
Reengineering
A process involving the extraction of components from existing systems and restructuring these components to develop new systems or to enhance the efficiency of existing systems
Scope Note: Existing software systems can be modernized to prolong their functionality. An example is a software code translator that can take an existing hierarchical database system and transpose it to a relational database system. Computer-aided software engineering (CASE) includes a source code reengineering feature.

Registered ports
Registered ports 1024 through 49151: Listed by the IANA and on most systems can be used by ordinary user processes or programs executed by ordinary users

Registration authority (RA)
The individual institution that validates an entity's proof of identity and ownership of a key pair

Regression testing
A testing technique used to retest earlier program abends or logical errors that occurred during the initial testing phase

Regulation
Rules or laws defined and enforced by an authority to regulate conduct

Regulatory requirements
Rules or laws that regulate conduct and that the enterprise must obey to become compliant

Relational database management system (RDBMS)
The general purpose of a database is to store and retrieve related information.
Scope Note: Database management systems have evolved from hierarchical to network to relational models. Today, the most widely accepted database model is the relational model. The relational model has three major aspects: structures, operations and integrity rules. An Oracle database is a collection of data that is treated as a unit.

Relevant audit evidence
Audit evidence is relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support.

Relevant information
Relating to controls, tells the evaluator something meaningful about the operation of the underlying controls or control component. Information that directly confirms the operation of controls is most relevant. Information that relates indirectly to the operation of controls can also be relevant, but is less relevant than direct information.
Scope Note: Refer to COBIT 5 information quality goals

Reliable audit evidence
Audit evidence is reliable if, in the IS auditor's opinion, it is valid, factual, objective and supportable.

Reliable information
Information that is accurate, verifiable and from an objective source
Scope Note: Refer to COBIT 5 information quality goals

Remediation
After vulnerabilities are identified and assessed, appropriate remediation can take place to mitigate or eliminate the vulnerability

Remote access service (RAS)
Refers to any combination of hardware and software to enable the remote access to tools or information that typically reside on a network of IT devices
Scope Note: Originally coined by Microsoft when referring to their built-in NT remote access tools, RAS was a service provided by Windows NT which allowed most of the services that would be available on a network to be accessed over a modem link. Over the years, many vendors have provided both hardware and software solutions to gain remote access to various types of networked information. In fact, most modern routers include a basic RAS capability that can be enabled for any dial-up interface.
Remote Authentication Dial-in User Service (RADIUS)
A type of service providing an authentication and accounting system often used for dial-up and remote access security

Remote job entry (RJE)
The transmission of job control language (JCL) and batches of transactions from a remote terminal location

Remote procedure call (RPC)
The traditional Internet service protocol widely used for many years on UNIX-based operating systems and supported by the Internet Engineering Task Force (IETF) that allows a program on one computer to execute a program on another (e.g., server)
Scope Note: The primary benefit derived from its use is that a system developer need not develop specific procedures for the targeted computer system. For example, in a client-server arrangement, the client program sends a message to the server with appropriate arguments, and the server returns a message containing the results of the program executed. Common Object Request Broker Architecture (CORBA) and Distributed Component Object Model (DCOM) are two newer object-oriented methods for related RPC functionality.

Removable media
Any type of storage device that can be removed from the system while it is running

Repeaters
A physical layer device that regenerates and propagates electrical signals between two network segments
Scope Note: Repeaters receive signals from one network segment and amplify (regenerate) the signal to compensate for signals (analog or digital) distorted by transmission loss due to reduction of signal strength during transmission (i.e., attenuation)

Replay
The ability to copy a message or stream of messages between two parties and replay (retransmit) them to one or more of the parties

Replication
In its broad computing sense, involves the use of redundant software or hardware elements to provide availability and fault-tolerant capabilities
In a database context, replication involves the sharing of data between databases to reduce workload among database servers, thereby improving client performance while maintaining consistency among all systems.

Repository
An enterprise database that stores and organizes data

Representation
A signed or oral statement issued by management to professionals, where management declares that a current or future fact (e.g., process, system, procedure, policy) is or will be in a certain state, to the best of management's knowledge.

Repudiation
The denial by one of the parties to a transaction, or participation in all or part of that transaction, or of the content of communication related to that transaction
Reputation risk
The current and prospective effect on earnings and capital arising from negative public opinion
Scope Note: Reputation risk affects a bank's ability to establish new relationships or services, or to continue servicing existing relationships. It may expose the bank to litigation, financial loss or a decline in its customer base. A bank's reputation can be damaged by Internet banking services that are executed poorly or otherwise alienate customers and the public. An Internet bank has a greater reputation risk as compared to a traditional brick-and-mortar bank, because it is easier for its customers to leave and go to a different Internet bank and since it cannot discuss any problems in person with the customer.

Request for comments (RFC)
A document that has been approved by the Internet Engineering Task Force (IETF) becomes an RFC and is assigned a unique number once published
Scope Note: If the RFC gains enough interest, it may evolve into an Internet standard.

Request for proposal (RFP)
A document distributed to software vendors requesting them to submit a proposal to develop or provide a software product

Requirements definition
A technique used in which the affected user groups define the requirements of the system for meeting the defined needs
Scope Note: Some of these are business, regulatory, and security-related requirements as well as development-related requirements.

Residual risk
The remaining risk after management has implemented a risk response

Resilience
The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect

Resource
Any enterprise asset that can help the organization achieve its objectives
Scope Note: COBIT 5 perspective

Resource optimization
One of the governance objectives. Involves effective, efficient and responsible use of all resources: human, financial, equipment, facilities, etc.
Scope Note: COBIT 5 perspective

Responsible
In a Responsible, Accountable, Consulted, Informed (RACI) chart, refers to the person who must ensure that activities are completed successfully

Return on investment (ROI)
A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered

Return-oriented attacks
An exploit technique in which the attacker uses control of the call stack to indirectly execute cherry-picked machine instructions immediately prior to the return instruction in subroutines within the existing program code

Reverse engineering
A software engineering technique whereby an existing application system code can be redesigned and coded using computer-aided software engineering (CASE) technology
Ring configuration
Used in either token ring or fiber distributed data interface (FDDI) networks, all stations (nodes) are connected to a multistation access unit (MSAU), that physically resembles a star-type topology.
Scope Note: A ring configuration is created when MSAUs are linked together in forming a network. Messages in the network are sent in a deterministic fashion from sender and receiver via a small frame, referred to as a token ring. To send a message, a sender obtains the token with the right priority as the token travels around the ring, with receiving nodes reading those messages addressed to it.

Ring topology
A type of local area network (LAN) architecture in which the cable forms a loop, with stations attached at intervals around the loop
Scope Note: In ring topology, signals transmitted around the ring take the form of messages. Each station receives the messages and each station determines, on the basis of an address, whether to accept or process a given message. However, after receiving a message, each station acts as a repeater, retransmitting the message at its original signal strength.

Risk
The combination of the probability of an event and its consequence. (ISO/IEC 73)

Risk acceptance
If the risk is within the enterprise's risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses

Risk aggregation
The process of integrating risk assessments at a corporate level to obtain a complete view on the overall risk for the enterprise

Risk analysis
1. A process by which frequency and magnitude of IT risk scenarios are estimated
2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats
Scope Note: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.

Risk appetite
The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission

Risk assessment
A process used to identify and evaluate risk and its potential effects
Scope Note: Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan.
Risk assessments are also used to manage the project delivery and project benefit risk.

Risk avoidance
The process for systematically avoiding risk, constituting one approach to managing risk

Risk culture
The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed

Risk evaluation
The process of comparing the estimated risk against given risk criteria to determine the significance of the risk. [ISO/IEC Guide 73:2002]
Risk factor
A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events/scenarios

Risk indicator
A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite

Risk management
1. The coordinated activities to direct and control an enterprise with regard to risk
Scope Note: In the International Standard, the term "control" is used as a synonym for "measure." (ISO/IEC Guide 73:2002)
2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise's risk appetite.
Scope Note: COBIT 5 perspective

Risk map
A (graphic) tool for ranking and displaying risk by defined ranges for frequency and magnitude

Risk mitigation
The management of risk through the use of countermeasures and controls

Risk owner
The person in whom the organization has invested the authority and accountability for making risk-based decisions and who owns the loss associated with a realized risk scenario
Scope Note: The risk owner may not be responsible for the implementation of risk treatment.

Risk portfolio view
1. A method to identify interdependencies and interconnections among risk, as well as the effect of risk responses on multiple types of risk
2. A method to estimate the aggregate impact of multiple types of risk (e.g., cascading and coincidental threat types/scenarios, risk concentration/correlation across silos) and the potential effect of risk response across multiple types of risk

Risk reduction
The implementation of controls or countermeasures to reduce the likelihood or impact of a risk to a level within the organization's risk tolerance.

Risk response
Risk avoidance, risk acceptance, risk sharing/transfer, risk mitigation, leading to a situation that as much future residual risk (current risk with the risk response defined and implemented) as possible (usually depending on budgets available) falls within risk appetite limits

Risk scenario
The tangible and assessable representation of risk
Scope Note: One of the key information items needed to identify, analyze and respond to risk (COBIT 5 Process APO12)

Risk sharing
Scope Note: See Risk transfer
Risk statement
A description of the current conditions that may lead to the loss; and a description of the loss
Source: Software Engineering Institute (SEI)
Scope Note: For a risk to be understandable, it must be expressed clearly. Such a treatment must include a description of the current conditions that may lead to the loss; and a description of the loss.

Risk tolerance
The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives

Risk transfer
The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service
Scope Note: Also known as risk sharing

Risk treatment
The process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002)

Root cause analysis
A process of diagnosis to establish the origins of events, which can be used for learning from consequences, typically from errors and problems

Rootkit
A software suite designed to aid an intruder in gaining unauthorized administrative access to a computer system

Rotating standby
A failover process in which there are two nodes (as in idle standby but without priority)
Scope Note: The node that enters the cluster first owns the resource group, and the second will join as a standby node.

Rounding down
A method of computer fraud involving a computer code that instructs the computer to remove small amounts of money from an authorized computer transaction by rounding down to the nearest whole value denomination and rerouting the rounded-off amount to the perpetrator's account

Router
A networking device that can send (route) data packets from one local area network (LAN) or wide area network (WAN) to another, based on addressing at the network layer (Layer 3) in the open systems interconnection (OSI) model
Scope Note: Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source addresses, destination addresses, protocol and network applications (ports).

RS-232 interface
An interface between data terminal equipment and data communications equipment employing serial binary data interchange

RSA
A public key cryptosystem developed by R. Rivest, A. Shamir and L. Adleman used for both encryption and digital signatures
Scope Note: The RSA has two different keys, the public encryption key and the secret decryption key. The strength of the RSA depends on the difficulty of the prime number factorization. For applications with high-level security, the number of the decryption key bits should be greater than 512 bits.

Rule base
The list of rules and/or guidance that is used to analyze event data
Page 83 of 103
Run instructions
Computer operating instructions which detail the step-by-step processes that are to occur so an application system can be properly executed; also identifies how to address problems that occur during processing

Run-to-run totals
Provide evidence that a program processes all input data and that it processed the data correctly

Safeguard
A practice, procedure or mechanism that reduces risk

Salami technique
A method of computer fraud involving a computer code that instructs the computer to slice off small amounts of money from an authorized computer transaction and reroute this amount to the perpetrator's account

Sampling risk
The probability that an IS auditor has reached an incorrect conclusion because an audit sample, rather than the entire population, was tested
Scope Note: While sampling risk can be reduced to an acceptably low level by using an appropriate sample size and selection method, it can never be eliminated.

Sampling stratification
The process of dividing a population into subpopulations with similar characteristics explicitly defined, so that each sampling unit can belong to only one stratum

Scheduling
A method used in the information processing facility (IPF) to determine and establish the sequence of computer job processing

Scope creep
Also called requirement creep, this refers to uncontrolled changes in a project's scope.
Scope Note: Scope creep can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose. Because of one's tendency to focus on only one dimension of a project, scope creep can also result in a project team overrunning its original budget and schedule. For example, scope creep can be a result of poor change control, lack of proper identification of what products and features are required to bring about the achievement of project objectives in the first place, or a weak project manager or executive sponsor.

Scoping process
Identifying the boundary or extent to which a process, procedure, certification, contract, etc., applies

Screening routers
A router configured to permit or deny traffic based on a set of permission rules installed by the administrator

Secure Electronic Transaction (SET)
A standard that will ensure that credit card and associated payment order information travels safely and securely between the various involved parties on the Internet.

Secure Multipurpose Internet Mail Extensions (S/MIME)
Provides cryptographic security services for electronic messaging applications: authentication, message integrity and nonrepudiation of origin (using digital signatures) and privacy and data security (using encryption) to provide a consistent way to send and receive MIME data. (RFC 2311)

Secure Shell (SSH)
Network protocol that uses cryptography to secure communication, remote command line login and remote command execution between two networked computers

Secure Sockets Layer (SSL)
A protocol that is used to transmit private documents through the Internet
Scope Note: The SSL protocol uses a private key to encrypt the data that are to be transferred through the SSL connection.

Security administrator
The person responsible for implementing, monitoring and enforcing security rules established and authorized by management
Security as a Service (SecaaS)
The next generation of managed security services dedicated to the delivery, over the Internet, of specialized information security services.

Security awareness
The extent to which every member of an enterprise and every other individual who potentially has access to the enterprise's information understand:
- Security and the levels of security appropriate to the enterprise
- The importance of security and consequences of a lack of security
- Their individual responsibilities regarding security (and act accordingly)
Scope Note: This definition is based on the definition for IT security awareness as defined in Implementation Guide: How to Make Your Organization Aware of IT Security, European Security Forum (ESF), London, 1993

Security awareness campaign
A predefined, organized number of actions aimed at improving the security awareness of a special target audience about a specific security problem
Each security awareness program consists of a number of security awareness campaigns.

Security awareness coordinator
The individual responsible for setting up and maintaining the security awareness program and coordinating the different campaigns and efforts of the various groups involved in the program
He/she is also responsible for making sure that all materials are prepared, advocates/trainers are trained, campaigns are scheduled, events are publicized and the program as a whole moves forward.

Security awareness program
A clearly and formally defined plan, structured approach, and set of related activities and procedures with the objective of realizing and maintaining a security-aware culture
Scope Note: This definition clearly states that it is about realizing and maintaining a security-aware culture, meaning attaining and sustaining security awareness at all times. This implies that a security awareness program is not a one-time effort, but a continuous process.

Security forum
Responsible for information security governance within the enterprise
Scope Note: A security forum can be part of an existing management body. Because information security is a business responsibility shared by all members of the executive management team, the forum needs to involve executives from all significant parts of the enterprise. Typically, a security forum has the following tasks and responsibilities:
- Defining a security strategy in line with the business strategy
- Identifying security requirements
- Establishing a security policy
- Drawing up an overall security program or plan
- Approving major initiatives to enhance information security
- Reviewing and monitoring information security incidents
- Monitoring significant changes in the exposure of information assets to major threats
Security incident
A series of unexpected events that involves an attack or series of attacks (compromise and/or breach of security) at one or more sites
A security incident normally includes an estimation of its level of impact. A limited number of impact levels are defined and, for each, the specific actions required and the people who need to be notified are identified.

Security management
The process of establishing and maintaining security for a computer or network system
Scope Note: The stages of the process of security management include prevention of security problems, detection of intrusions, and investigation of intrusions and resolution. In network management, the stages are: controlling access to the network and resources, finding intrusions, identifying entry points for intruders and repairing or otherwise closing those avenues of access.

Security metrics
A standard of measurement used in management of security-related activities

Security perimeter
The boundary that defines the area of security concern and security policy coverage

Security policy
A high-level document representing an enterprise's information security philosophy and commitment

Security procedures
The formal documentation of operational steps and processes that specify how security goals and objectives set forward in the security policy and standards are to be achieved

Security software
Software used to administer security, which usually includes authentication of users, access granting according to predefined rules, monitoring and reporting functions

Security standards
Practices, directives, guidelines, principles or baselines that state what needs to be done and focus areas of current relevance and concern; they are a translation of issues already mentioned in the security policy

Security testing
Ensuring that the modified or new system includes appropriate controls and does not introduce any security holes that might compromise other systems or misuses of the system or its information

Security/transaction risk
The current and prospective risk to earnings and capital arising from fraud, error and the inability to deliver products or services, maintain a competitive position, and manage information
Scope Note: Security risk is evident in each product and service offered, and it encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services and the internal control environment. A high level of security risk may exist with Internet banking products, particularly if those lines of business are not adequately planned, implemented and monitored.

Segregation/separation of duties (SoD)
A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets
Scope Note: Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection.

Sensitivity
A measure of the impact that improper disclosure of information may have on an enterprise
Sequence check
Verification that the control number follows sequentially and any control numbers out of sequence are rejected or noted on an exception report for further research
Scope Note: Can be alpha or numeric and usually utilizes a key field

Sequential file
A computer file storage format in which one record follows another
Scope Note: Records can be accessed sequentially only. It is required with magnetic tape.

Service bureau
A computer facility that provides data processing services to clients on a continual basis

Service catalogue
Structured information on all IT services available to customers
Scope Note: COBIT 5 perspective

Service delivery objective (SDO)
Directly related to the business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restored

Service desk
The point of contact within the IT organization for users of IT services

Service level agreement (SLA)
An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured

Service provider
An organization supplying services to one or more (internal or external) customers

Service Set Identifier (SSID)
A 32-character unique identifier attached to the header of packets sent over a wireless local area network (WLAN) that acts as a password when a mobile device tries to connect to the base station subsystem (BSS).
Scope Note: The SSID differentiates one WLAN from another so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet, it does not supply any security to the network. An SSID is also referred to as a network name, because it is a name that identifies a wireless network.

Service user
The organization using the outsourced service.

Service-oriented architecture (SOA)
A cloud-based library of proven, functional software applets that are able to be connected together to become a useful online application

Servlet
A Java applet or a small program that runs within a web server environment
Scope Note: A Java servlet is similar to a common gateway interface (CGI) program, but unlike a CGI program, once started, it stays in memory and can fulfill multiple requests, thereby saving server execution time and speeding up the services.

Session border controller (SBC)
Provide security features for voice-over IP (VoIP) traffic similar to that provided by firewalls
Scope Note: SBCs can be configured to filter specific VoIP protocols, monitor for denial-of-service (DOS) attacks, and provide network address and protocol translation features.

Shell
The interface between the user and the system
Shell programming
A script written for the shell, or command line interpreter, of an operating system; it is often considered a simple domain-specific programming language
Scope Note: Typical operations performed by shell scripts include file manipulation, program execution and printing text. Usually, shell script refers to scripts written for a UNIX shell, while command.com (DOS) and cmd.exe (Windows) command line scripts are usually called batch files. Many shell script interpreters double as a command line interface such as the various UNIX shells, Windows PowerShell or the MS-DOS command.com. Others, such as AppleScript, add scripting capability to computing environments lacking a command line interface. Other examples of programming languages primarily intended for shell scripting include digital command language (DCL) and job control language (JCL).

Significant deficiency
A deficiency or a combination of deficiencies, in internal control, that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight
Scope Note: A material weakness is a significant deficiency or a combination of significant deficiencies that results in more than a remote likelihood of an undesirable event(s) not being prevented or detected.

Sign-on procedure
The procedure performed by a user to gain access to an application or operating system
Scope Note: If the user is properly identified and authenticated by the system's security, they will be able to access the software.

Simple failover
A failover process in which the primary node owns the resource group
Scope Note: The backup node runs a noncritical application (e.g., a development or test environment) and takes over the critical resource group, but not vice versa.

Simple Mail Transfer Protocol (SMTP)
The standard electronic mail (email) protocol on the Internet

Simple Object Access Protocol (SOAP)
A platform-independent formatted protocol based on extensible markup language (XML) enabling applications to communicate with each other over the Internet
Scope Note: Use of SOAP may provide a significant security risk to web application operations because use of SOAP piggybacks onto a web-based document object model and is transmitted via HyperText Transfer Protocol (HTTP) (port 80) to penetrate server firewalls, which are usually configured to accept port 80 and port 21 File Transfer Protocol (FTP) requests. Web-based document models define how objects on a web page are associated with each other and how they can be manipulated while being sent from a server to a client browser. SOAP typically relies on XML for presentation formatting and also adds appropriate HTTP-based headers to send it. SOAP forms the foundation layer of the web services stack, providing a basic messaging framework on which more abstract layers can build. There are several different types of messaging patterns in SOAP, but by far the most common is the Remote Procedure Call (RPC) pattern, in which one network node (the client) sends a request message to another node (the server), and the server immediately sends

Single factor authentication (SFA)
Authentication process that requires only the user ID and password to grant access

Single point of failure
A resource whose loss will result in the loss of service or production
Skill
The learned capacity to achieve predetermined results
Scope Note: COBIT 5 perspective

Slack time (float)
Time in the project schedule, the use of which does not affect the project's critical path; the minimum time to complete the project based on the estimated time for each project segment and their relationships
Scope Note: Slack time is commonly referred to as "float" and generally is not "owned" by either party to the transaction.

SMART
Specific, measurable, attainable, realistic and timely, generally used to describe appropriately set goals

Smart card
A small electronic device that contains electronic memory, and possibly an embedded integrated circuit
Scope Note: Smart cards can be used for a number of purposes including the storage of digital certificates or digital cash, or they can be used as a token to authenticate users.

Sniff
The act of capturing network packets, including those not necessarily destined for the computer running the sniffing software

Sniffing
The process by which data traversing a network are captured or monitored

Social engineering
An attack based on deceiving users or administrators at the target site into revealing confidential or sensitive information

Software
Programs and supporting documentation that enable and facilitate use of the computer
Scope Note: Software controls the operation of the hardware and the processing of data.

Software as a service (SaaS)
Offers the capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email).

Software as a service, platform as a service and infrastructure as a service (SPI)
The acronym used to refer to the three cloud delivery models

Source code
The language in which a program is written
Scope Note: Source code is translated into object code by assemblers and compilers. In some cases, source code may be converted automatically into another language by a conversion program. Source code is not executable by the computer directly. It must first be converted into a machine language.

Source code compare program
Provides assurance that the software being audited is the correct version of the software, by providing a meaningful listing of any discrepancies between the two versions of the program

Source document
The form used to record data that have been captured
Scope Note: A source document may be a piece of paper, a turnaround document or an image displayed for online data input.
Source lines of code (SLOC)
Often used in deriving single-point software size estimations

Source routing specification
A transmission technique where the sender of a packet can specify the route that packet should follow through the network

Spam
Computer-generated messages sent as unsolicited advertising

Spanning port
A port configured on a network switch to receive copies of traffic from one or more other ports on the switch

Spear phishing
An attack where social engineering techniques are used to masquerade as a trusted party to obtain important information such as passwords from the victim

Split data systems
A condition in which each of an enterprise's regional locations maintains its own financial and operational data while sharing processing with an enterprisewide, centralized database
Scope Note: Split data systems permit easy sharing of data while maintaining a certain level of autonomy.

Split domain name system (DNS)
An implementation of DNS that is intended to secure responses provided by the server such that different responses are given to internal vs. external users

Split knowledge/split key
A security technique in which two or more entities separately hold data items that individually convey no knowledge of the information that results from combining the items; a condition under which two or more entities separately have key components that individually convey no knowledge of the plaintext key that will be produced when the key components are combined in the cryptographic module

Spoofing
Faking the sending address of a transmission in order to gain illegal entry into a secure system

SPOOL (simultaneous peripheral operations online)
An automated function that can be based on an operating system or application in which electronic data being transmitted between storage areas are spooled or stored until the receiving device or storage area is prepared and able to receive the information
Scope Note: Spool allows more efficient electronic data transfers from one device to another by permitting higher speed sending functions, such as internal memory, to continue on with other operations instead of waiting on the slower speed receiving device, such as a printer.

Spyware
Software whose purpose is to monitor a computer user's actions (e.g., web sites visited) and report these actions to a third party, without the informed consent of that machine's owner or legitimate user
Scope Note: A particularly malicious form of spyware is software that monitors keystrokes to obtain passwords or otherwise gathers sensitive information such as credit card numbers, which it then transmits to a malicious third party. The term has also come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.

SQL injection
Results from failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. (MITRE)
Stage-gate
A point in time when a program is reviewed and a decision is made to commit expenditures to the next set of activities on a program or project, to stop the work altogether, or to put a hold on execution of further work

Stakeholder
Anyone who has a responsibility for, an expectation from or some other interest in the enterprise.
Scope Note: Examples: shareholders, users, government, suppliers, customers and the public

Standard
A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as International Organization for Standardization (ISO)

Standing data
Permanent reference data used in transaction processing
Scope Note: These data are changed infrequently, such as a product price file or a name and address file.

Star topology
A type of local area network (LAN) architecture that utilizes a central controller to which all nodes are directly connected
Scope Note: With star topology, all transmissions from one station to another pass through the central controller which is responsible for managing and controlling all communication. The central controller often acts as a switching device.

Stateful inspection
A firewall architecture that tracks each connection traversing all interfaces of the firewall and makes sure they are valid.

Static analysis
Analysis of information that occurs on a non-continuous basis; also known as interval-based analysis

Statistical sampling
A method of selecting a portion of a population, by means of mathematical calculations and probabilities, for the purpose of making scientifically and mathematically sound inferences regarding the characteristics of the entire population

Statutory requirements
Laws created by government institutions

Storage area networks (SANs)
A variation of a local area network (LAN) that is dedicated for the express purpose of connecting storage devices to servers and other computing devices
Scope Note: SANs centralize the process for the storage and administration of data.

Strategic planning
The process of deciding on the enterprise's objectives, on changes in these objectives, and the policies to govern their acquisition and use

Strengths, weaknesses, opportunities and threats (SWOT)
A combination of an organizational audit listing the enterprise's strengths and weaknesses and an environmental scan or analysis of external opportunities and threats

Structured programming
A top-down technique of designing programs and systems that makes programs more readable, more reliable and more easily maintained

Structured Query Language (SQL)
The primary language used by both application programmers and end users in accessing relational databases

Subject matter
The specific information subject to an IS auditor's report and related procedures, which can include things such as the design or operation of internal controls and compliance with privacy practices or standards or specified laws and regulations (area of activity)
Substantive testing
Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period

Sufficient audit evidence
Audit evidence is sufficient if it is adequate, convincing and would lead another IS auditor to form the same conclusions.

Sufficient evidence
The measure of the quantity of audit evidence; supports all material questions to the audit objective and scope
Scope Note: See evidence

Sufficient information
Information is sufficient when evaluators have gathered enough of it to form a reasonable conclusion. For information to be sufficient, however, it must first be suitable.
Scope Note: Refer to COBIT 5 information quality goals

Suitable information
Relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source) and timely (i.e., produced and used in an appropriate timeframe) information
Scope Note: Refer to COBIT 5 information quality goals

Supervisory control and data acquisition (SCADA)
Systems used to control and monitor industrial and manufacturing processes, and utility facilities

Supply chain management (SCM)
A concept that allows an enterprise to more effectively and efficiently manage the activities of design, manufacturing, distribution, service and recycling of products and service its customers

Surge suppressor
Filters out electrical surges and spikes

Suspense file
A computer file used to maintain information (transactions, payments or other events) until the proper disposition of that information can be determined
Scope Note: Once the proper disposition of the item is determined, it should be removed from the suspense file and processed in accordance with the proper procedures for that particular transaction. Two examples of items that may be included in a suspense file are receipt of a payment from a source that is not readily identified or data that do not yet have an identified match during migration to a new application.

Switches
Typically associated as a data link layer device, switches enable local area network (LAN) segments to be created and interconnected, which has the added benefit of reducing collision domains in Ethernet-based networks.

Symmetric key encryption
System in which a different key (or set of keys) is used by each pair of trading partners to ensure that no one else can read their messages
The same key is used for encryption and decryption. See also Private Key Cryptosystem.

Synchronize (SYN)
A flag set in the initial setup packets to indicate that the communicating parties are synchronizing the sequence numbers used for the data transmission

Synchronous transmission
Block-at-a-time data transmission
System development life cycle (SDLC)
The phases deployed in the development or acquisition of a software system
Scope Note: SDLC is an approach used to plan, design, develop, test and implement an application system or a major modification to an application system. Typical phases of SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post-implementation review, but not the service delivery or benefits realization activities.

System exit
Special system software features and utilities that allow the user to perform complex system maintenance
Scope Note: Use of system exits often permits the user to operate outside of the security access control system.

System flowchart
Graphic representations of the sequence of operations in an information system or program
Scope Note: Information system flowcharts show how data from source documents flow through the computer to final distribution to users. Symbols used should be the internationally accepted standard. System flowcharts should be updated when necessary.

System hardening
A process to eliminate as many security risks as possible by removing all nonessential software programs, protocols, services and utilities from the system

System narrative
Provides an overview explanation of system flowcharts, with explanation of key control points and system interfaces

System of internal control
The policies, standards, plans and procedures, and organizational structures designed to provide reasonable assurance that enterprise objectives will be achieved and undesired events will be prevented or detected and corrected
Scope Note: COBIT 5 perspective

System software
A collection of computer programs used in the design, processing and control of all applications
Scope Note: The programs and processing routines that control the computer hardware, including the operating system and utility programs

System testing
Testing conducted on a complete, integrated system to evaluate the system's compliance with its specified requirements
Scope Note: System test procedures typically are performed by the system maintenance staff in their development library.

Systems acquisition process
Procedures established to purchase application software, or an upgrade, including evaluation of the supplier's financial stability, track record, resources and references from existing customers

Systems analysis
The systems development phase in which systems specifications and conceptual designs are developed based on end-user needs and requirements

Table lookup
Used to ensure that input data agree with predetermined criteria stored in a table

Tangible asset
Any asset that has physical form

Tape management system (TMS)
A system software tool that logs, monitors and directs computer tape usage
Taps
Wiring devices that may be inserted into communication links for use with analysis probes, local area network (LAN) analyzers and intrusion detection security systems

Target
Person or asset selected as the aim of an attack

Tcpdump
A network monitoring and data acquisition tool that performs filter translation, packet acquisition and packet display

Technical infrastructure security
Refers to the security of the infrastructure that supports the enterprise resource planning (ERP) networking and telecommunications, operating systems, and databases

Technology infrastructure
Technology, human resources (HR) and facilities that enable the processing and use of applications

Technology infrastructure plan
A plan for the technology, human resources and facilities that enable the current and future processing and use of applications

Telecommunications
Electronic communication by special devices over distances or around devices that preclude direct interpersonal exchange

Teleprocessing
Using telecommunications facilities for handling and processing of computerized information

Telnet
Network protocol used to enable remote access to a server computer
Scope Note: Commands typed are run on the remote server.

Terminal Access Controller Access Control System Plus (TACACS+)
An authentication protocol, often used by remote access servers

Terms of reference
A document that confirms a client's and an IS auditor's acceptance of a review assignment

Test data
Simulated transactions that can be used to test processing logic, computations and controls actually programmed in computer applications
Individual programs or an entire system can be tested.
Scope Note: This technique includes Integrated Test Facilities (ITFs) and Base Case System Evaluations (BCSEs).

Test generators
Software used to create data to be used in the testing of computer programs

Test programs
Programs that are tested and evaluated before approval into the production environment
Scope Note: Test programs, through a series of change control moves, migrate from the test environment to the production environment and become production programs.

Test types
Test types include:
- Checklist test: Copies of the business continuity plan (BCP) are distributed to appropriate personnel for review
- Structured walk-through: Identified key personnel walk through the plan to ensure that the plan accurately reflects the enterprise's ability to recover successfully
- Simulation test: All operational and support personnel are expected to perform a simulated emergency as a practice session
- Parallel test: Critical systems are run at alternate site (hot, cold, warm or reciprocal)
- Complete interruption test: Disaster is replicated, normal production is shut down with real-time recovery process
Testing
The examination of a sample from a population to estimate characteristics of the population

Third-party review
An independent audit of the control structure of a service organization, such as a service bureau, with the objective of providing assurance to the users of the service organization that the internal control structure is adequate, effective and sound

Threat
Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm
Scope Note: A potential cause of an unwanted incident (ISO/IEC 13335)

Threat agent
Methods and things used to exploit a vulnerability
Scope Note: Examples include determination, capability, motive and resources.

Threat analysis
An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against enterprise assets
Scope Note: The threat analysis usually defines the level of threat and the likelihood of it materializing.

Threat event
Any event during which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm

Threat vector
The path or route used by the adversary to gain access to the target

Throughput
The quantity of useful work made by the system per unit of time. Throughput can be measured in instructions per second or some other unit of performance. When referring to a data transfer operation, throughput measures the useful data transfer rate and is expressed in kbps, Mbps and Gbps.

Timelines
Chronological graphs where events related to an incident can be mapped to look for relationships in complex cases
Scope Note: Timelines can provide simplified visualization for presentation to management and other non-technical audiences.

Timely information
Produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material to an enterprise
Scope Note: Refer to COBIT 5 information quality goals

Token
A device that is used to authenticate a user, typically in addition to a username and password
Scope Note: A token is usually a device the size of a credit card that displays a pseudo-random number that changes every few minutes.

Token ring topology
A type of local area network (LAN) ring topology in which a frame containing a specific format, called the token, is passed from one station to the next around the ring
Scope Note: When a station receives the token, it is allowed to transmit. The station can send as many frames as desired until a predefined time limit is reached. When a station either has no more frames to send or reaches the time limit, it transmits the token. Token passing prevents data collisions that can occur when two computers begin transmitting at the same time.
Tolerable error: The maximum error in the population that professionals are willing to accept and still conclude that the test objective has been achieved. For substantive tests, tolerable error is related to professionals' judgement about materiality. In compliance tests, it is the maximum rate of deviation from a prescribed control procedure that the professionals are willing to accept

Top-level management: The highest level of management in the enterprise, responsible for direction and control of the enterprise as a whole (such as director, general manager, partner, chief officer and executive manager)

Topology: The physical layout of how computers are linked together
Scope Note: Examples of topology include ring, star and bus.

Total cost of ownership (TCO): Includes the original cost of the computer plus the cost of: software, hardware and software upgrades, maintenance, technical support, training, and certain activities performed by users

Transaction: Business events or information grouped together because they have a single or similar purpose
Scope Note: Typically, a transaction is applied to a calculation or event that then results in the updating of a holding or master file.

Transaction log: A manual or automated log of all updates to data files and databases

Transaction protection: Also known as "automated remote journaling of redo logs," a data recovery strategy that is similar to electronic vaulting except that instead of transmitting several transaction batches daily, the archive logs are shipped as they are created

Transmission Control Protocol (TCP): A connection-based Internet protocol that supports reliable data transfer connections
Scope Note: Packet data are verified using checksums and retransmitted if they are missing or corrupted. The application plays no part in validating the transfer.

Transmission Control Protocol/Internet Protocol (TCP/IP): Provides the basis for the Internet; a set of communication protocols that encompass media access, packet transport, session communication, file transfer, electronic mail (email), terminal emulation, remote file access and network management

Transparency: Refers to an enterprise's openness about its activities and is based on the following concepts:
  How the mechanism functions is clear to those who are affected by or want to challenge governance decisions.
  A common vocabulary has been established.
  Relevant information is readily available.
Scope Note: Transparency and stakeholder trust are directly related; the more transparency in the governance process, the more confidence in the governance.
Transport Layer Security (TLS): A protocol that provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. (RFC 2246)
Scope Note: Transport Layer Security (TLS) is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The TLS Record Protocol provides connection security with some encryption method such as the Data Encryption Standard (DES). The TLS Record Protocol can also be used without encryption. The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged.

Trapdoor: Unauthorized electronic exit, or doorway, out of an authorized computer program into a set of malicious instructions or programs

Triple DES (3DES): A block cipher created from the Data Encryption Standard (DES) cipher by using it three times

Trojan horse:
Scope Note: Unlike viruses, they do not replicate themselves, but they can be just as destructive to a single computer.

Trusted process: A process certified as supporting a security goal

Trusted system: A system that employs sufficient hardware and software assurance measures to allow their use for processing a range of sensitive or classified information

Tunnel: The paths that the encapsulated packets follow in an Internet virtual private network (VPN)

Tunnel mode: Used to protect traffic between different networks when traffic must travel through intermediate or untrusted networks. Tunnel mode encapsulates the entire IP packet with an AH or ESP header and an additional IP header.

Tunneling: Commonly used to bridge between incompatible hosts/routers or to provide encryption, a method by which one network protocol encapsulates another protocol within itself
Scope Note: When protocol A encapsulates protocol B, a protocol A header and optional tunneling headers are appended to the original protocol B packet. Protocol A then becomes the data link layer of protocol B. Examples of tunneling protocols include IPSec, Point-to-Point Protocol over Ethernet (PPPoE) and Layer 2 Tunneling Protocol (L2TP).

Tuple: A row or record consisting of a set of attribute value pairs (column or field) in a relational data structure

Twisted pair: A low-capacity transmission medium; a pair of small, insulated wires that are twisted around each other to minimize interference from other wires in the cable

Two-factor authentication: The use of two independent mechanisms for authentication (e.g., requiring a smart card and a password), typically the combination of something you know, are or have

Uncertainty: The difficulty of predicting an outcome due to limited knowledge of all components

Unicode: A standard for representing characters as integers
Scope Note: Unicode uses 16 bits, which means that it can represent more than 65,000 unique characters; this is necessary for languages such as Chinese and Japanese.

Uniform resource locator (URL): The string of characters that form a web address
Unit testing: A testing technique that is used to test program logic within a particular program or module
Scope Note: The purpose of the test is to ensure that the internal operation of the program performs according to specification. It uses a set of test cases that focus on the control structure of the procedural design.

Universal description, discovery and integration (UDDI): A web-based version of the traditional telephone book's yellow and white pages enabling businesses to be publicly listed in promoting greater ecommerce activities

Universal Serial Bus (USB): An external bus standard that provides capabilities to transfer data at a rate of 12 Mbps
Scope Note: A USB port can connect up to 127 peripheral devices.

UNIX: A multiuser, multitasking operating system that is used widely as the master control program in workstations and especially servers

Untrustworthy host: A host is referred to as untrustworthy because it cannot be protected by the firewall; therefore, hosts on trusted networks can place only limited trust in it.
Scope Note: To the basic border firewall, add a host that resides on an untrusted network where the firewall cannot protect it. That host is minimally configured and carefully managed to be as secure as possible. The firewall is configured to require incoming and outgoing traffic to go through the untrustworthy host.

Uploading: The process of electronically sending computerized information from one computer to another computer
Scope Note: When uploading, most often the transfer is from a smaller computer to a larger one.

User awareness: A training process in security-specific issues to reduce security problems; users are often the weakest link in the security chain.

User Datagram Protocol (UDP): A connectionless Internet protocol that is designed for network efficiency and speed at the expense of reliability
Scope Note: A data request by the client is served by sending packets without testing to verify whether they actually arrive at the destination, nor whether they were corrupted in transit. It is up to the application to determine these factors and request retransmissions.

User interface impersonation: Can be a pop-up ad that impersonates a system dialog, an ad that impersonates a system warning, or an ad that impersonates an application user interface in a mobile device.

User mode: Used for the execution of normal system activities

User provisioning: A process to create, modify, disable and delete user accounts and their profiles across IT infrastructure and business applications

Utility programs: Specialized system software used to perform particular computerized functions and routines that are frequently required during normal processing
Scope Note: Examples of utility programs include sorting, backing up and erasing data.

Utility script: A sequence of commands input into a single file to automate a repetitive and specific task
Scope Note: The utility script is executed, either automatically or manually, to perform the task. In UNIX, these are known as shell scripts.
Utility software: Computer programs provided by a computer hardware manufacturer or software vendor and used in running the system
Scope Note: This technique can be used to examine processing activities; to test programs, system activities and operational procedures; to evaluate data file activity; and, to analyze job accounting data.

Vaccine: A program designed to detect computer viruses

Val IT: The standard framework for enterprises to select and manage IT-related business investments and IT assets by means of investment programs such that they deliver the optimal value to the enterprise. Based on COBIT.

Validity check: Programmed checking of data validity in accordance with predetermined criteria

Value: The relative worth or importance of an investment for an enterprise, as perceived by its key stakeholders, expressed as total life cycle benefits net of related costs, adjusted for risk and (in the case of financial value) the time value of money

Value creation: The main governance objective of an enterprise, achieved when the three underlying objectives (benefits realization, risk optimization and resource optimization) are all balanced
Scope Note: COBIT 5 perspective

Value-added network (VAN): A data communication network that adds processing services such as error correction, data translation and/or storage to the basic function of transporting data

Variable sampling: A sampling technique used to estimate the average or total value of a population based on a sample; a statistical model used to project a quantitative characteristic, such as a monetary amount

Verification: Checks that data are entered correctly

Vertical defense in depth: Controls are placed at different system layers: hardware, operating system, application, database or user levels

Virtual local area network (VLAN): Logical segmentation of a LAN into different broadcast domains
Scope Note: A VLAN is set up by configuring ports on a switch, so devices attached to these ports may communicate as if they were attached to the same physical network segment, although the devices are located on different LAN segments. A VLAN is based on logical rather than physical connections.

Virtual organizations: Organization that has no official physical site presence and is made up of diverse, geographically dispersed or mobile employees

Virtual private network (VPN): A secure private network that uses the public telecommunications infrastructure to transmit data
Scope Note: In contrast to a much more expensive system of owned or leased lines that can only be used by one company, VPNs are used by enterprises for both extranets and wide areas of intranets. Using encryption and authentication, a VPN encrypts all data that pass between two Internet points, maintaining privacy and security.
Virtual private network (VPN) concentrator: A system used to establish VPN tunnels and handle large numbers of simultaneous connections. This system provides authentication, authorization and accounting services.

Virtualization: The process of adding a "guest application" and data onto a "virtual server," recognizing that the guest application will ultimately part company from this physical server

Virus: A program with the ability to reproduce by modifying other programs to include a copy of itself
Scope Note: A virus may contain destructive code that can move into multiple programs, data files or devices on a system and spread through multiple systems in a network.

Virus signature file: The file of virus patterns that are compared with existing files to determine whether they are infected with a virus or worm

Voice mail: A system of storing messages in a private recording medium which allows the called party to later retrieve the messages

Voice over Internet Protocol (VoIP): Also called IP Telephony, Internet Telephony and Broadband Phone, a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of over dedicated voice transmission lines

Volatile data: Data that changes frequently and can be lost when the system's power is shut down

Vulnerability: A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

Vulnerability analysis: A process of identifying and classifying vulnerabilities

Vulnerability event: Any event during which a material increase in vulnerability results. Note that this increase in vulnerability can result from changes in control conditions or from changes in threat capability/force.
Scope Note: From Jones, J.; "FAIR Taxonomy," Risk Management Insight, USA, 2008

Vulnerability scanning: An automated process to proactively identify security weaknesses in a network or individual system

Walk-through: A thorough demonstration or explanation that details each step of a process

War dialer: Software packages that sequentially dial telephone numbers, recording any numbers that answer

Warm site: Similar to a hot site but not fully equipped with all of the necessary hardware needed for recovery

Waterfall development: Also known as traditional development, a procedure-focused development cycle with formal sign-off at the completion of each level

Web hosting: The business of providing the equipment and services required to host and maintain files for one or more web sites and provide fast Internet connections to those sites
Scope Note: Most hosting is "shared," which means that web sites of multiple companies are on the same server to share/reduce costs.
Web page: A viewable screen displaying information, presented through a web browser in a single view, sometimes requiring the user to scroll to review the entire page
Scope Note: An enterprise's web page may display the enterprise's logo, provide information about the enterprise's products and services, or allow a customer to interact with the enterprise or third parties that have contracted with the enterprise.

Web server: Using the client-server model and the World Wide Web's HyperText Transfer Protocol (HTTP), a web server is a software program that serves web pages to users.

Web Services Description Language (WSDL): A language formatted with extensible markup language (XML). Used to describe the capabilities of a web service as collections of communication endpoints capable of exchanging messages; WSDL is the language used by Universal Description, Discovery and Integration (UDDI). See also Universal Description, Discovery and Integration (UDDI).

Web site: Consists of one or more web pages that may originate at one or more web server computers
Scope Note: A person can view the pages of a web site in any order, as he/she would read a magazine.

Well-known ports: Well-known ports 0 through 1023: Controlled and assigned by the Internet Assigned Numbers Authority (IANA), and on most systems can be used only by system (or root) processes or by programs executed by privileged users. The assigned ports use the first portion of the possible port numbers. Initially, these assigned ports were in the range 0-255. Currently, the range for assigned ports managed by the IANA has been expanded to the range 0-1023.

White box testing: A testing approach that uses knowledge of a program/module's underlying implementation and code intervals to verify its expected behavior

Wide area network (WAN): A computer network connecting different remote locations that may range from short distances, such as a floor or building, to extremely long transmissions that encompass a large region or several countries

Wide area network (WAN) switch: A data link layer device used for implementing various WAN technologies such as asynchronous transfer mode, point-to-point frame relay solutions, and integrated services digital network (ISDN).
Scope Note: WAN switches are typically associated with carrier networks providing dedicated WAN switching and router services to enterprises via T1 or T3 connections.
Wi-Fi Protected Access (WPA): A class of systems used to secure wireless (Wi-Fi) computer networks
Scope Note: WPA was created in response to several serious weaknesses that researchers found in the previous system, Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first-generation wireless access points. WPA2 implements the full standard, but will not work with some older network cards. Both provide good security with two significant issues. First, either WPA or WPA2 must be enabled and chosen in preference to WEP; WEP is usually presented as the first security choice in most installation instructions. Second, in the "personal" mode, the most likely choice for homes and small offices, a passphrase is required that, for full security, must be longer than the typical six-to-eight-character passwords users are taught to employ.
Wi-Fi Protected Access II (WPA2): Wireless security protocol that supports 802.11i encryption standards to provide greater security. This protocol uses Advanced Encryption Standards (AES) and Temporal Key Integrity Protocol (TKIP) for stronger encryption.

Windows NT: A version of the Windows operating system that supports preemptive multitasking

Wired Equivalent Privacy (WEP): A scheme that is part of the IEEE 802.11 wireless networking standard to secure IEEE 802.11 wireless networks (also known as Wi-Fi networks)
Scope Note: Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping. WEP was intended to provide comparable confidentiality to a traditional wired network (in particular, it does not protect users of the network from each other), hence the name. Several serious weaknesses were identified by cryptanalysts, and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite the weaknesses, WEP provides a level of security that can deter casual snooping.

Wireless computing: The ability of computing devices to communicate in a form to establish a local area network (LAN) without cabling infrastructure (wireless), and involves those technologies converging around IEEE 802.11 and 802.11b and radio band services used by mobile devices

Wireless local area network (WLAN): Two or more systems networked using a wireless distribution method
Wiretapping: The practice of eavesdropping on information being transmitted over telecommunications links

World Wide Web (WWW): A subnetwork of the Internet through which information is exchanged by text, graphics, audio and video

World Wide Web Consortium (W3C): An international consortium founded in 1994 of affiliates from public and private organizations involved with the Internet and the web
Scope Note: The W3C's primary mission is to promulgate open standards to further enhance the economic growth of Internet web services globally.

Worm: A programmed network attack in which a self-replicating program does not attach itself to programs, but rather spreads independently of users' action

Write blocker: A device that allows the acquisition of information on a drive without creating the possibility of accidentally damaging the drive

Write protect: The use of hardware or software to prevent data from being overwritten or deleted

X.25: A protocol for packet-switching networks

X.25 Interface: An interface between data terminal equipment (DTE) and data circuit-terminating equipment (DCE) for terminals operating in the packet mode on some public data networks

X.500: A standard that defines how global directories should be structured
Scope Note: X.500 directories are hierarchical with different levels for each category of information, such as country, state and city.

Zero-day exploit: A vulnerability that is exploited before the software creator/vendor is even aware of its existence