A single table used to cross-reference access rights that have been assigned to subjects (subject capabilities) with access rights that are assigned per objects (access control list).
A framework that dictates how subjects can access objects. Three access-control modes can be defined: discretionary, mandatory, and nondiscretionary.
Controls that ensure confidentiality, integrity, and availability of information systems and their associated data by limiting access to computer systems.
The logical route an end user or system takes to get to the information resource.
The authorization and approval granted to an information system to process in an operational environment within a predefined control environment.
TCP/IP network-layer protocol used to convert an IP address (logical address) into a physical address (DLC or MAC address).
A type of audit that assesses issues related to the efficiency of operational productivity.
Procedures that are used to ensure compliance with management policy.
Processes within systems to detect and act upon failed login events by automatically disabling the login either for a specific period of time or permanently.
A mathematical-based function that performs encryption and decryption.
Programs that detect, prevent, and sometimes remove virus files located within a computing system.
A program or set of programs specifically designed to perform a function or series of functions.
The act of developing, updating, and maintaining programs.
Resources, processes, products, or computer infrastructures that an organization has determined must be protected.
Also known as public-key cryptography, in which each party has respective key pairs that are mathematically related and known as public and private keys.
The process by which data integrity is ensured through the completion of an entire transaction or not at all.
The weakening or degradation of communication signals during transmission.
An assurance by an auditor on something for which the client is responsible.
The technique used for the selection of a sample containing certain attributes from a population for audit testing.
A set of documented audit procedures that ensures that the auditor achieves the planned audit objectives.
Objective that outlines the specific goals associated with an audit.
The risk that the information of financial reports might contain material errors or that the IS auditor might not detect an error that has occurred.
A trail of evidence that enables one to trace a series of events or information back to the source.
A report from an independent auditor that generally contains a description of the relevant policies and procedures, control objectives, and results of the auditor’s tests, and may result in an opinion on operating effectiveness, efficiency, and security of the organization.
The verification of a user’s identification.
The determination of whether a subject is allowed to have access to a particular resource. Generally, an authenticated user is compared against an access list to determine what level of access is authorized.
The reliable and timely access to information by authorized users, programs, or processes.
A collection of data stored on (usually removable) nonvolatile storage media for purposes of recovery, in case the original copy of data is lost or becomes inaccessible.
A management tool that clarifies an organization’s goals, and defines actions and the measurement of those actions to meet goals.
A basic network architecture in which all internal and external communications must pass through the perimeter bastion host, which is exposed to the external network.
The continuous, systematic process of evaluating the products, services, and work processes of organizations recognized as representing best practices for the purpose of organizational improvement.
A means of access control in which an individual’s identity is authenticated by a unique personal attribute, such as a fingerprint, retina scan, or hand geometry.
Testing that examines an aspect of the system with regard to the internal logical structure of the software.
A networking component that works at the data link layer (Layer 2) of the OSI model and connects two separate networks to form a logical network. Bridges examine the media access control (MAC) header of a data packet to determine where to forward the packet.
A network communication process in which a sending station sends a single packet to all stations on the network.
A type of system attack in which an intruder uses automated tools and electronic dictionaries to try to guess user and system passwords in an attempt to gain unauthorized access to the system.
Topology primarily used in smaller networks in which all devices are connected to a single communication line and all transmissions are received by all devices.
The identification of personnel, equipment, and detailed recovery procedures to ensure that the impact of an event to the business function is minimized.
A process used to identify and attempt to quantify the loss (over time) that a given threat can cause to an asset.
Provides an accelerated means of business process improvement through identifying, baselining, and prioritizing areas for improvement and implementing improvements.
The risk that a business will not achieve its stated business goals or objectives.
Process used during remote access in which an authorized user calls a remote server through a dial-up line, and the server disconnects and dials back to the user machine, based on the user ID and password, using a telephone number from its database.
Model that provides a framework for improving software life-cycle processes and specific metrics to improve the software process. The CMM was developed by Carnegie Mellon’s Software Engineering Institute.
The continued monitoring of the network and associated hardware, to ensure that the expansion or reduction of resources takes place in parallel with the overall organizational growth or reduction.
Method employed on Ethernet networks in which a sending station lets all the stations on the network know that it intends to transmit data to avoid collisions.
Method employed on an Ethernet network in which devices on the network can detect collisions and retransmit if they occur.
The electrical/electronic components that control or direct all operations in the computer system.
Utilizes a single entity or system that is responsible for granting access to all users.
Maintains, issues, and revokes digital certificates that authenticate an individual’s identity.
A list maintained by a Certificate Authority that lists all digital certificates that have been revoked.
The technical evaluation that establishes the extent to which a computer system, application, or network design and implementation meets a prespecified set of security requirements in a certain operating environment.
Ensures that changes are documented, approved, and implemented with minimal disruption to the production environment and maximum benefits to the organization.
A governance structure that ensures that all affected parties and senior management are aware of both major and minor changes within the IT infrastructure.
Implemented in organizations as a way to provide a formal review and change-management process for systems and associated documentation.
Contains information associated with a change to the information system (that is, applications, network devices, documentation, policies, and so on). The information contained in the CR is used to evaluate the change’s impacts in the current environment.
A group of networked computers in which the server responds to requests from clients that are running independently on the network.
A type of fire-suppression system in which carbon dioxide (CO2) is released, thereby reducing the oxygen content of the protected area below the point at which it can support combustion.
Password that uses de facto or opinion-based information to verify an individual’s identity. Cognitive passwords are commonly used today as security questions associated with an account, in case the user has forgotten the password.
A basic recovery site, in that it has the required space for equipment and environmental controls (air conditioning, heating, power, and so on), but does not contain any equipment or connectivity.
The result when two or more stations on a network transmit at the same time.
A group of network devices connected to the same physical medium in such a way that if two devices access the media at the same time, a collision of the transmissions can occur.
A public database of discovered vulnerabilities according to naming and documentation standards.
A control that is used to reduce the risk or weakness within an existing control.
Involves an integrated series of activities focused on investigating and confirming whether products or services comply with internal policy or external guidelines or laws.
The evaluation of controls to ensure that they are being applied in a manner that complies with the internal or external guidelines.
Controls within a database to prevent integrity problems when two processes attempt to update the same data at the same time.
The assurance that the information will not be disclosed to unauthorized individuals, programs, or processes.
An agreement between employee and employer or, in some cases, partners that stipulates that the parties agree not to divulge confidential information that they might come in contact with during the course of the agreement.
Continued service in the event of a disaster.
The risk associated with systems availability and its capability to utilize backups to recover.
An agreement between or among two or more persons or entities (business, organizations, or government agencies) to do, or to abstain from doing, something in return for an exchange of consideration.
An audit framework that provides good practices for the management of IT governance internal controls and processes.
The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls.
A formal, documented, collaborative process in which management or work teams are directly involved in judging and monitoring the effectiveness of controls.
Controls designed to minimize the impact of a threat by identifying the cause of a problem and modifying the system to correct it.
The science of studying and breaking the secrecy of encryption algorithms and their necessary pieces.
The art and science of hiding the meaning of communication from unintended recipients by encrypting plain text into cipher text.
A system that uses mathematical functions (algorithms) and a key to encrypt and decrypt messages.
An information system that focuses on managing detailed customer information, which can include previous transactions and customer needs and requirements, allowing organizations to match customer needs to products and services.
A document that identifies the data elements (fields), their characteristics, and their use.
An encryption cipher (method of encrypting information) that uses a 56-bit key length.
The allocation of responsibility over data elements to ensure that they are kept confidential, complete, and accurate.
The individual responsible for defining data structures and for maintaining those structures in the organization’s database systems.
The primary functions of the DBMS are to reduce data redundancy, decrease access time, and provide security over sensitive data (records, fields, and transactions).
In decentralized or distributed administration, user and system access is given by individuals who are closer to the resources.
A defense methodology that is based on layered sets of compensating controls to reduce the risk of threats associated with assets.
Defines a zone that has an “intermediate” level of security between a secure zone (normally the internal network) and an insecure zone (typically the Internet).
Any method an intruder uses to hinder or prevent the delivery of information services to authorized users.
Risk that results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist, when, in fact, they do.
Controls that are designed to detect and report the occurrence of an error, an omission, or malicious acts.
A common form of password attack in which an intruder uses a dictionary of common words and a computer program to guess passwords.
A procedure that backs up the files that have been changed or added since the last full backup.
A cryptographic method that ensures data integrity, authentication of the message, and nonrepudiation.
The plan followed by IS to recover an IT processing facility, or by business units to recover an operational facility.
An agreement between two parties that identifies the ownership of discoveries during the period of time that the two parties work together. A discovery agreement can be between partner companies or between employer and employee.
An access-control model in which access to data objects is granted to the subject at the data owner’s discretion.
TCP/IP protocol that resolves hostnames to IP addresses and IP addresses to hostnames through the use of domain name servers. Domain name servers maintain a hierarchical, distributed database system that is queried for resolution.
Types of facilities similar to hot site facilities, with the exception that they are completely dedicated, self-developed recovery facilities.
The introduction of electromagnetic waves that interfere with electronic signals.
The electronic exchange of information, reducing paper, errors, and delays to promote a more efficient and effective data-exchange process.
An electronic payment process between buyers and sellers that reduces paper transactions and manual intervention.
Enables organizations to back up data directly from their systems to an electronic storage facility using computer programs (agents) and public networks (such as the Internet).
The process of transforming data into a form that is unreadable by anyone without a secret decryption key. Encryption is used to protect data while in transit over networks, protect data stored on systems, deter and detect accidental or intentional alterations of data, and verify the authenticity of a transaction or document.
Controls that are designed to mitigate the risk associated with naturally occurring events such as storms, earthquakes, hurricanes, tornadoes, and floods.
Information that is sufficient, reliable, relevant, and useful to achieve the audit objectives relating to the audit area.
A web-based system that is used to facilitate the exchange of information between an organization and external partners.
A metric used in a biometric system that measures the number of unauthorized individuals given access who should be rejected.
The generation of an alert by an event that does not represent a true threat.
A metric used in a biometric system that measures the number of authorized individuals who should be given access but are rejected.
A study that is implemented to identify and quantify the cost savings of a new system and estimate the payback schedule for costs incurred in implementing the system.
A protocol that enables users and systems to transfer files from one computer to another on the Internet.
An audit that is used to assess the correctness or accuracy of the organization’s financial statements.
A hardware or software device that restricts access between network segments by implementing rules that identify logical addresses, services, or ports and their level of access.
A type of “software” that is contained on a chip within the component of the computer hardware (motherboard, video card, modem, and so on).
A backup of all data files by copying them to a tape or other storage medium.
A method of communication in which both the sending and receiving stations can communicate simultaneously.
Used to provide an estimate of the size of an information system based on the number and complexity of a system’s inputs, outputs, and files (examples of function points), to calculate the resources required to develop the information system.
Tests the functionality of the system against the detailed requirements.
Used in a type of fire-suppression system in which pressurized halon gas is released. The halon gas interferes with the chemical reaction of a fire. Halon is banned and has been replaced by FM-200, NAF SIII, and NAF PIII.
A computer program that is employed to entice and trap intruders. Honey pots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals’ computer systems.
A facility that is a mirror image of the organization’s critical processing applications. It can be ready for use immediately or within a short period of time, and will contain the equipment, network, operating systems, and applications that are compatible with the primary facility that is being backed up.
Operates at the physical layer (Layer 1) of the OSI model and can serve as the center of a star topology. A hub can be considered a concentrator because hubs concentrate all network communications for the devices attached to them.
The result of a threat exercising a vulnerability resulting in the compromise of confidentiality, integrity, or availability of an information system.
A procedure that backs up only the files that have been added or changed since the last backup (whether full or differential).
Audit process that evaluates evidence to determine whether information systems and related resources adequately safeguard assets, maintain data and system integrity, provide relevant and reliable information, achieve organizational goals effectively, consume resources efficiently, and have in effect internal controls that provide reasonable assurance that business, operation, and control objectives will be met.
A membership organization that provides the auditing community with guidance in the form of auditing guidelines, standards, and policies specific to information systems (IS) auditing.
The possibility that a material error could occur, assuming that there are no related internal controls to prevent or detect the error.
Components used to pass instructions or information to the computer and to generate output from the computer. These types of devices include the keyboard, the mouse (input), and monitors/terminal displays.
Audit that combines the testing of controls as well as substantive testing for the completeness, validity, and integrity of the information.
The assurance of accuracy and reliability of data, and the prevention of unauthorized data modification (intentional or unintentional).
A program that is designed to detect changes to systems, applications, and data. Integrity checkers compute a binary number for each selected program, called a cyclic redundancy check (CRC). When initially installed, an integrity checker scans the system, places these results in a database file, and then compares subsequent checks against the database to determine whether the files have changed.
Tests used for testing modules that pass data between them and are used to validate the interchange of data and the connection among multiple system components.
Controls designed to safeguard the assets and reliability of financial data and records.
Objectives that define the desired purpose or outcome associated with the implementation of the internal controls.
The combination of organizational structure, policies and procedures, and best practices that are implemented to reduce risk and ensure that business goals are achieved.
A large, interconnected network comprised of a series of smaller commercial, academic, and government networks that use the TCP/IP protocol.
A protocol in the TCP/IP suite used in communicating data from one computer to another. The IP protocol uses unique addresses (IP number) to identify networks and hosts, to route packets to destination computers.
The capability for hardware and software from different vendors to work together efficiently and effectively.
A network (usually web based) that is accessible by internal users of an organization and that can contain internal calendaring, web email, and information designed specifically for the authorized internal users.
Designed to gather evidence of systems or network attacks. An IDS can be network based (detects network attacks) or host based (detects attacks on a host).
A software or hardware device that is capable of detecting both known and unknown attacks, and preventing them from being successful.
Standards that define the mandatory requirements for IS auditing and reporting, as well as provide a minimum level of performance for auditors.
Code created to provide guidance in the professional and personal conduct of members of the association (ISACA) and its certification holders.
The governance structure responsible for reviewing issues such as new and ongoing projects, major equipment acquisitions, and the review and approval of IT budgets.
Provides levels of authority and tasks that a specific individual should perform.
Delivery that reduces the overall cycle time associated with manufacture and inventory by creating products and services based on customer demand.
Quantifiable measurements that are created as long-term measurements of an organization’s operational activities against its goals.
Private or nonpublic packet-based switched networks contained within a limited area, providing services within a particular organization or group.
The policies and electronic access controls that are designed to restrict access to resources such as software and data files.
Large general-purpose computers that support large user populations simultaneously. A mainframe environment, as opposed to a client/server environment, is generally more controlled with regard to access and authorization to programs; the entire processing function takes place centrally on the mainframe.
All subjects and objects have security labels, and the decision for access is determined by the operating or security system.
An error that should be considered significant to any party concerned with the item in question.
The importance of an event, observation, or information with regard to its relevance to the audit objectives.
User requests (messages) can be prioritized, queued, and processed on remote servers.
Application interfaces that provide integration between otherwise distinct applications by allowing access to higher- or lower-level services.
Essentially, a smaller mainframe. Minicomputers provide similar capabilities but support a smaller user population and generally have less processing power than a mainframe.
A communications device that converts data from digital format to analog format for transmission.
Links more than one processor (CPU) sharing the same memory to execute programs simultaneously.
Allows computing systems to run two or more applications concurrently by allocating a certain amount of processing power to each application.
Enables operating systems to run several processes in rapid sequence within a single program, or to execute (run) different parts, or threads, of a program simultaneously.
An agreement between two parties that restricts the information that one or both of the parties may disclose about one another.
Provides proof of the origin of data and protects the sender against a false denial by the recipient that the data has been received, or to protect the recipient against false denial by the sender that the data has been sent.
The structuring of data within a database that minimizes redundancy.
A storage facility that is located away from the organization’s processing facility, used for off-site tape storage.
Developed in the early 1980s as a proof-of-concept model that all vendors could use to ensure that their products could communicate and interact. The OSI model contains seven layers, each with specific functions. Each layer has its own responsibilities with regard to tasks, processes, and services.
A program that provides an interface for the user, processor, and applications software.
Evaluates the internal control structure in a given process or area.
Controls used in day-to-day operations to ensure that the operation is meeting business objectives.
A contractual arrangement between the organization and a third party for various services such as development, processing, or hosting.
A process of testing applications in which test data is fed into both the new and old systems, and the results are compared.
A character string (usually encrypted) that is used as part of a user or systems credentials to authenticate to the computer system.
The application of knowledge, skill, and tools to circumvent the security controls associated with an asset.
Handheld portable devices that can be used for personal organization, including the maintenance of tasks, contact lists, calendars, and expense managers.
Controls that limit access to facilities, computers, and telecommunications equipment and other assets of the organization’s infrastructure.
A method used by unauthorized users to gain access to a physical location by closely following an authorized user in.
Controls that are designed to prevent problems before they arise, monitor both operations and inputs, and prevent errors, omissions, or malicious acts from occurring.
The process of recording, monitoring, and documenting incidents to resolve them.
A project-management technique for developing an estimate of development project duration. A PERT chart depicts task, duration, and dependency information.
The application of skills, tools, best practices, and knowledge to meet the requirements of a project.
A system-development technique that uses a process to rapidly develop and test code through trial and error. In general, prototyping reduces the time required to deploy applications through iterative development and testing.
A system that incorporates public-key cryptography, digital certificates, and standards that enable key maintenance. Key maintenance includes user identification, key distribution, and revocation through the use of digital certificates.
Ensures that the organization is following prescribed quality standards.
The application of tests or reviews to verify that information systems are free from defects and meet the expectation of the organization.
Arrangements between two or more organizations with similar equipment and applications. The organizations agree to provide computer time (and sometimes facility space) to one another in the event of an emergency.
Performs registration duties to offload some of the work from the CAs. The RA can confirm individual identities, distribute keys, and perform maintenance functions, but it cannot issue certificates.
A program-testing methodology in which portions of test scenarios are rerun to ensure that changes or corrections have not introduced new errors to the existing modules. Regression testing should use data from previous tests to obtain accurate conclusions regarding the effects of changes or corrections to a program, and to ensure that those changes and corrections have not introduced new errors to the existing modules.
Services that provide remote access from a user’s location to a computing device, emulating a direct connection to that device. Examples include Telnet and remote access through a VPN.
A function call in client/server computing that enables clients to request that a particular function or set of functions be performed on a remote computer.
Terminal-emulation protocol that enables users to log in to remote systems and use resources as if they were connected locally.
The risk remaining after controls have been implemented to reduce risk.
The possibility of a threat exercising a vulnerability to cause loss or damage to assets.
The process of identifying risk in the organization, quantifying the impact of potential threats, and providing cost/benefit justification for the implementation of controls.
A process that reviews threats and vulnerabilities to determine the degree of risk they have on organizational assets if they occur.
An audit technique that prioritizes audit engagements through the identification of high-risk areas within the organization.
The process of assessing risk, taking steps to reduce risk to an acceptable level (mitigation), and maintaining that acceptable level of risk.
Reducing risk to an acceptable level by implementing controls.
A network device that links two or more physically separate network segments and that works at the network layer (Layer 3) of the OSI model. A router is used to direct or route traffic on a network.
A type of access control that is generally used between networks or applications and that involves a set of rules from which incoming requests can be matched and either accepted or rejected.
A report verifying that all transmitted data has been read and processed.
An audit that describes the use of controls within a service provider’s organization.
A SAS 70 Type II includes an opinion on the items in Type I and whether the controls that were tested were operating effectively to provide reasonable assurance that the control objectives were achieved.
An integrated audit in which the auditor must evaluate controls around a client’s information system and the entries that are processed through that system.
A protocol that provides confidentiality through symmetric encryption such as the Data Encryption Standard (DES). This is an application-/session-layer protocol often used for secure communication between web browsers and servers.
The risk that unauthorized access to data will adversely affect the integrity, confidentiality, and availability of that data.
The separation of tasks between individuals to reduce the likelihood of fraudulent or malicious acts.
Outlines a guaranteed level of service for information systems or business processes.
A protocol within the TCP/IP suite that provides standard electronic (email) transfer services.
A type of network attack in which an intruder uses automated tools to collect packets on the network. These packets can be reassembled into messages and can include email, names and passwords, and system information.
The likelihood that software will not meet the application user’s business needs, requirements, or expectations.
A special-purpose network in which different types of data storage are associated with servers and users.
Plan outlining the goals and objectives of the organization.
Type of test that is used to substantiate the integrity of actual processing through transaction verification, recalculation, and verification.
Computer that has a large capacity of processing speed and power. Supercomputers generally perform a small number of very specific functions that require extensive processing power (decryption, modeling, and so on).
The improvement of an organization’s product and service design, purchasing, invoicing, and distribution. Supply chain management generally serves the common goals of reducing costs and improving customer service.
A framework or methodology that is used in the acquisition, implementation, maintenance, and disposition of information systems. The SDLC uses a structured approach to minimize risk and maximize return on investment, and ensure that the new system meets the application user’s business requirements and expectations.
Software that provides remote-access capabilities with a user interface as if that user were sitting on the console of the device being accessed. As an example, Microsoft Terminal Services connects to the remote device and displays the desktop of the remote device as if the user were sitting at the console.
A potential danger (hazard) to information systems; the hazard is something that increases the likelihood of loss.
The connectivity of the network cabling and devices. Network topologies commonly fall into the categories of bus, star, ring, and mesh.
Agreement that protects the trade secrets of an organization from disclosure.
An intruder uses tools capable of monitoring network traffic to determine traffic volume, patterns, and start and end points. This analysis gives intruders a better understanding of the communication points and potential vulnerabilities.
Applications or programs that monitor and process database transactions.
Transport-layer protocol that establishes a reliable, full-duplex data-delivery service that many TCP/IP applications use. TCP is a connection-oriented protocol, which means that it guarantees both the delivery of data and the order of the packets: They will be delivered in the same order as they were sent.
A malicious program that masquerades as another program or that is even embedded within a program. Trojan horse programs or code can delete files, shut down the systems, or send system and network information to an email or Internet address.
A type of authentication that requires authentication by two of the following three methods: something the user knows, something the user possesses, or something the user is. A smart card requiring a user’s PIN is an example of two-factor authentication.
Can provide enough short-term power to either shut down systems gracefully in the event of a power failure or keep mission-critical systems operating until power returns. A UPS contains batteries that continue to charge while the system has power and that provide battery backup power in case of a failure.
A testing technique that is used for testing individual modules (program logic) that tests the control structure and design of the module.
Transport-layer protocol (TCP/IP) that provides connectionless delivery of data on the network. UDP does not provide error-recovery services and is primarily used for broadcasting data on the network.
A sampling technique used to identify the average or total value of a population based on a sample.
Creates encrypted links over untrusted networks and enables remote users to access the organization’s network securely using encrypted packets sent via virtual connections.
A malicious program that infects computer systems. The virus can damage computer systems through reconfiguration and file deletion. A virus requires a carrier program, such as email, for replication and further propagation.
A weakness in internal controls that can be exploited by a threat to gain unauthorized access to information or disrupt systems.
Used for recovery in the event of an emergency. A warm site usually contains a portion of the equipment and applications required for recovery. In a warm site recovery, it is assumed that computer equipment and operating software can be procured quickly.
Process of testing logical paths through the software using test cases that exercise specific sets of conditions and loops.
A network that provides connectivity for LANs that are geographically dispersed by providing network connectivity and services across large distances.
A data-communications interface specification developed to describe how data passes into and out of switched packet networks.