Appendix H

Definitions

This appendix is nonauthoritative and is included for informational purposes only.

For purposes of this guide, certain key terms are defined as follows:

access to personal information. The ability of the data subject to view personal information held by an entity. This ability may be complemented by an ability to update or correct the information. Access defines the intersection of identity and data, that is, who can do what to which data. Access is one of the fair information practice principles. Individuals must be able to find out what personal information an entity has on file about them and how the information is being used. Individuals need to be able to correct erroneous information in such records.

architecture. The design of the structure of a system, including logical components, and the logical interrelationships of a computer, its operating system, a network, or other elements.

authentication. The process of verifying the identity or other attributes claimed by or assumed of an entity (user, process, or device) or the process of verifying the source and integrity of data.

authorization. The process of granting access privileges to a user, program, or process by a person that has the authority to grant such access.

board, board of directors, or directors. Individuals with responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity. Depending on the nature of the entity, such responsibilities may be held by a board of directors or supervisory board for a corporation, a board of trustees for a not-for-profit entity, a board of governors or commissioners for a government entity, general partners for a partnership, or an owner for a small business.

business partner. An individual or business (and its employees), other than a vendor, who has some degree of involvement with the entity’s business dealings or agrees to cooperate, to any degree, with the entity (for example, a computer manufacturer who works with another company who supplies them with parts).

collection. The process of obtaining personal information from the individual directly (for example, through the individual’s submission of an Internet form or a registration form) or from another party such as a business partner.

commitments. Declarations made by management to customers regarding performance of the entity or its goods or services. Commitments can be communicated in written individualized agreements, standardized contracts, service-level agreements, or published statements (for example, a security practices statement). A commitment may relate to one or more trust services categories. Commitments may be made on many different aspects of the service being provided, including the following:

• Specification of the algorithm used in a calculation

• The hours a system will be available

• Published password standards

• Encryption standards used to encrypt stored customer data

component. One of the five elements of internal control, including the control environment, risk assessment, control activities, information and communication, and monitoring activities.

compromise. Refers to a loss of confidentiality, integrity, or availability of information, including any resultant impairment of (1) processing integrity or availability of systems or (2) the integrity or availability of system inputs or outputs.

contractor. An individual, other than an employee, engaged to provide services to an entity in accordance with the terms of a contract.

control. A policy or procedure that is part of internal control. Controls exist within each of the five COSO internal control components: control environment, risk assessment, control activities, information and communication, and monitoring.

control activity. An action established through policies and procedures to help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.

consent. This privacy requirement is one of the fair information practice objectives. Individuals must be able to prevent the collection of their personal data, unless legally required. If an individual has a choice about the use or disclosure of his or her information, consent is the individual’s way of giving permission for the use or disclosure. Consent may be affirmative (for example, opting in) or implied (for example, not opting out). There are two types of consent:

explicit consent. A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties.

implied consent. When consent may reasonably be inferred from the action or inaction of the individual.

COSO. The Committee of Sponsoring Organizations of the Treadway Commission. COSO is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. (See www.coso.org.)

cybersecurity objectives. The objectives that an entity establishes to address the cybersecurity risks that could otherwise threaten the achievement of the entity’s overall business objectives.

cybersecurity risk management examination. An examination engagement to report on whether (a) management’s description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and (b) the controls included in that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria. A cybersecurity risk management examination is performed in accordance with the attestation standards and this guide.

cybersecurity risk management examination report. The end product of the cybersecurity risk management examination, which includes management’s description of the entity’s cybersecurity risk management program, management’s assertion, and the practitioner’s report.

cyberspace. The interdependent network of information system infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

data subject. The individual about whom personal information is collected.

deficiency. Used to identify misstatements in which controls were not suitably designed or did not operate effectively.

description misstatement. Used when describing differences between (or omissions in) the presentation of the description of the cybersecurity risk management program and the description criteria.

design. As used in the COSO definition of internal control, the internal control system design is intended to provide reasonable assurance of the achievement of an entity’s objectives, if those controls operated as designed.

design-only cybersecurity risk management examination. An examination engagement to report on (a) whether management’s description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and (b) the suitability of the design of controls implemented within that program to achieve the entity’s cybersecurity objectives.

deviation. Used to identify misstatements in which the operation of a control was not effective in a specific instance. A deviation may, individually or in combination with other deviations, result in a deficiency.

disclosure. The release, transfer, provision of access to, or divulgence in any other manner of information outside the entity holding the information. Disclosure is often used interchangeably with the terms sharing and onward transfer.

disposal. A phase of the data lifecycle that pertains to how an entity removes or destroys data or information.

environmental protections and safeguards. Controls and other activities implemented by the entity to detect, prevent, and manage the risk of casualty damage to the physical parts of the information system (for example, protections from fire, flood, wind, earthquake, power surge, or power outage).

entity. A legal entity or management operating model of any size established for a particular purpose. A legal entity may, for example, be a business enterprise, a not-for-profit organization, a government body, or an academic institution. The management operating model may follow product or service lines, divisions, or operating units, with geographic markets providing for further subdivisions or aggregations of performance.

entity-wide. Activities that apply across the entity—most commonly in relation to entity-wide controls.

external parties (or external users). Individuals, other than internal users, who are authorized by customers, entity management, or other authorized parties to interact with the entity’s information system.

information and systems. Refers to information in electronic form during its use, processing, transmission, and storage and systems that use such information to process, transmit or transfer, and store information.

information assets. Data and the associated software and infrastructure used to process, transmit, and store information.

infrastructure. The collection of physical or virtual resources that supports an overall IT environment, including the server, storage, and network components.

inherent limitations. Those limitations present in all internal control systems. The limitations relate to the preconditions of internal control, external events beyond the entity’s control, limits of human judgment, the reality that breakdowns can occur, and the possibility of management override and collusion.

inherent risks. Risks to the achievement of objectives in the absence of any actions management might take to alter either the risk likelihood or impact.

inherent cybersecurity risks. Inherent risks arising from cybersecurity threats and vulnerabilities of information assets that would prevent the entity’s cybersecurity objectives from being achieved.

internal control. A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

internal users. Personnel whose job function causes them to be members of the people component of the information system.

management override. Management’s overruling of prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an enhanced presentation of an entity’s financial condition, compliance status, or cybersecurity risk management program.

outsourced service providers. A service provider vendor that performs business processes, operations, or controls on behalf of the entity when such business processes, operations, or controls are necessary to achieve the entity’s objectives.

personal information. Information that is, or can be about or related to, an identifiable individual.

policy[ies]. Management or board member statements of what should be done to effect control. Such statements may be documented, explicitly stated in communications, or implied through actions and decisions. Policies serve as the basis for procedures.

privacy commitments. Declarations made by management regarding the performance of a system processing personal information. Such commitments can be communicated in written agreements, standardized contracts, service level agreements, or published statements (for example, a privacy practices statement). In addition, privacy commitments may be made on many different aspects of the service being provided, including the following:

• Types of information processed by the system

• Employees, third parties, and other persons that can access the information

• Conditions under which information can be processed without consent

Examples of privacy commitments include the following:

• The organization will not process or transfer information without obtaining the data subject’s consent.

• The organization will provide a privacy notice to customers once in 6 months or when there is a change in the organization’s business policies.

• The organization will respond to access requests within 10 working days of receiving the request from its customers.

privacy notice. A written communication by entities that collect personal information, to the individuals about whom personal information is collected, about the entity’s (a) policies regarding the nature of the information that they will collect and how that information will be used, retained, disclosed, and disposed of or anonymized and (b) commitment to adhere to those policies. A privacy notice also includes information about such matters as the purpose of collecting the information, the choices that individuals have related to their personal information, the security of such information, and how individuals can contact the entity with inquiries, complaints, and disputes related to their personal information. When a user entity collects personal information from individuals, it typically provides a privacy notice to those individuals.

report users. Intended users of the practitioner’s report in accordance with AT-C section 205, Examination Engagements (AICPA, Professional Standards). There may be a broad range of report users for a general purpose report, but only a limited number of specified parties for a report that is restricted in accordance with paragraph .64 of AT-C section 205.

retention. A phase of the data lifecycle that pertains to how long an entity stores information for future use or reference.

risk. The possibility that an event will occur and adversely affect the achievement of objectives.

risk of material misstatement. The risk that management’s description of the entity’s cybersecurity risk management program is not presented in accordance with the description criteria or that controls within that program were not effective to achieve the entity’s cybersecurity objectives.

risk response. The decision to accept, avoid, reduce, or share a risk.

risk tolerance. The acceptable variation relative to performance to the achievement of objectives.

security event. An occurrence, arising from actual or attempted unauthorized access or use by internal or external parties, that impairs or could impair the availability, integrity, or confidentiality of information or systems, result in unauthorized disclosure or theft of information or other assets, or cause damage to systems.

security incident. A security event that requires action on the part of an entity in order to protect information assets and resources.

senior management. The CEO or equivalent organizational leader and senior management team.

service provider. A vendor (such as a service organization) engaged to provide services to or on behalf of the entity. Service providers include outsourced service providers as well as vendors that provide services not associated with business functions, such as janitorial, legal, and audit services.

SOC 2 examination. An examination engagement to report on the fairness of the presentation of management’s description of the service organization’s system, the suitability of the design of the controls included in the description, and, when a type 2 report is being issued, the operating effectiveness of those controls. The SOC 2 examination is performed in accordance with the attestation standards and AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®).

stakeholder. Parties that are affected by the entity, such as shareholders, investors, the communities in which the entity operates, employees, customers, and suppliers.

subsequent events. Events or transactions that occur after the specified period of time covered by the engagement, but prior to the period end date of management’s description, that could have a significant effect on the description of the entity’s cybersecurity risk management program.

system. Refers to the infrastructure, software, people, processes, and data that are designed, implemented, and operated to work together to achieve one or more specific business objectives (for example, delivery of services or production of goods) in accordance with management-specified requirements. As used in this document, systems include manual, automated, and partially automated systems that are used for information processing, manufacturing and production, inventory management and distribution, information storage, and support functions within an organization.

system boundaries. The specific aspects of an entity’s infrastructure, software, people, procedures, and data necessary to perform a function or provide a service. When the systems for multiple functions or services share aspects, infrastructure, software, people, procedures, and data, the systems will overlap, but the boundaries of each service’s system will differ. In an engagement that addresses the confidentiality and privacy criteria, the system boundaries cover, at a minimum, all the system components as they relate to the life cycle of the confidential and personal information within well-defined processes and informal ad hoc procedures.

system components. Refers to the individual elements of a system. System components can be classified into the following five categories: infrastructure, software, people, processes, and data.

system requirements. Specifications regarding how the system should function to meet the entity’s commitments to customers and relevant laws, regulations, and guidelines of industry groups, such as business or trade associations. Requirements are often specified in the entity’s system policies and procedures, system design documentation, contracts with customers, and government regulations. Examples of system requirements are as follows:

• Employee fingerprinting and background checks established in government banking regulations

• System edits that restrict the values accepted for system input, which are defined in application design documents

• Maximum acceptable intervals between periodic reviews of workforce member logical access, as documented in the security policy manual

• Data definition and tagging standards, including any associated metadata requirements, established by industry groups or other bodies, such as the Simple Object Access Protocol

• Business processing rules and standards established by regulators, for example, security requirements under the Health Insurance Portability and Accountability Act (HIPAA)

System requirements may result from the entity’s commitments relating to security, availability, processing integrity, confidentiality, or privacy. For example, a commitment to programmatically enforce segregation of duties between data entry and data approval creates system requirements regarding user access administration.

third party. An individual or organization other than the entity and its employees. Third parties may be customers, vendors, business partners, or others.

trust services. A set of professional attestation and advisory services performed by CPAs based on a core set of criteria that address an entity’s objectives related to security, availability, processing integrity, confidentiality, or privacy.

unauthorized access. Access to information or system components that (a) has not been approved by a person designated to do so by management and (b) compromises segregation of duties, confidentiality commitments, or otherwise increases risks to the information or system components beyond the levels approved by management (that is, access is inappropriate).

vendor. An individual or business (and its employees) that is engaged to provide goods or services to the entity. Depending on the services a vendor provides (for example, if it operates certain controls on behalf of the entity that are necessary to achieve the entity’s cybersecurity objectives), it might also be a service provider.
