Chapter 2 Terms Flashcards
Acceptable Internet Usage Policy
Policy that prescribes the code of conduct that governs the behavior of a user while connected to the network/Internet
Acceptable Use Policy (AUP)
A comprehensive policy that includes information for all information resources and describes the organizational permissions for the usage of IT and information-related resources
Audit Trail
Provides a map to retrace the flow of a transaction
Benchmarking
A systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business
Benefit Analysis (BA)
The user costs (or benefits) and business operational costs (or benefits) derived from the information system(s)
Black Swan Events
Those events that are a surprise, have a major effect and after the fact are often inappropriately rationalized with the benefit of hindsight
Budget
Allows for forecasting, monitoring and analyzing financial information
Business Alignment
Involves making the services provided by the corporate IT function more closely reflect the requirements and desires of the business users
Business Continuity Policy
A document approved by top management that defines the extent and scope of the business continuity effort within the organization
Business Impact Analysis (BIA)
Used to evaluate the critical processes and to determine time frames, priorities, resources and interdependencies
Business Process Reengineering (BPR)
The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings
Business Reference Model
A function-driven framework that describes the functions and sub-functions performed by the government, independent of the agencies that actually perform them
Capability Maturity Model Integration (CMMI)
A process improvement approach that provides enterprises with the essential elements of effective processes
Chargeback
Provides all involved parties with a marketplace measure of the effectiveness and efficiency of the service provided by the information processing facility
Cloud Computing
A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction
COBIT Process Assessment Model (PAM)
Developed to address the need to improve the rigor and reliability of IT process reviews
Compliance Management
Focuses on implementing processes that address legal and regulatory policy and contractual compliance requirements
Corporate Governance
A set of responsibilities and practices used by an organization’s management to provide strategic direction, thereby ensuring that goals are achievable, risk is properly addressed and organizational resources are properly utilized
Data Classification Policy
Policy that should describe the classifications, levels of control at each classification and responsibilities of all potential users including ownership
Data Reference Model
A framework that describes the data and information that support program and business line operations
Disasters
Disruptions that cause critical information resources to be inoperative for a period of time, adversely impacting organizational operations
Enterprise Architecture (EA)
Involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments
Federal Enterprise Architecture (FEA)
A business and performance based framework to support cross-agency collaboration, transformation and government-wide improvement
Governance of Enterprise IT (GEIT)
A system in which all stakeholders, including the board, senior management, internal customers and departments such as finance, provide input into the decision-making process
Governance of Outsourcing
The set of responsibilities, roles, objectives, interfaces and controls required to anticipate change and manage the introduction, maintenance, performance, costs and control of third-party provided services
High-Level Information Security Policy
Policy that includes statements on confidentiality, integrity, and availability
Impact
The result of a threat agent exploiting a vulnerability
Information Security Governance
A subset of corporate governance that provides strategic direction for security activities and ensures that objectives are achieved, that risk is appropriately managed and enterprise information resources are used responsibly
Information Security Policy
Communicates a coherent security standard to users, management and technical staff
Information Security Program
A set of activities that provide assurance that information assets are given a level of protection commensurate with their value or the risk their compromise poses to the organization
Initiating, Diagnosing, Establishing, Acting, and Learning (IDEAL) Model
Forms an infrastructure to guide enterprises in planning and implementing an effective software process improvement program and consists of five phases
Insourced
Fully performed by the organization’s staff
Internal-Use Software
Software that an entity has no substantive plans to market externally
IT Balanced Scorecard (BSC)
A process management evaluation technique that can be applied to the GEIT process in assessing IT functions and processes
IT Resource Management
Focuses on maintaining an updated inventory of all IT resources and addresses the risk management process
Key Performance Indicator (KPI)
A measure that determines how well the process is performing in enabling the goal to be reached
Lean Six Sigma
Examines the measurement-oriented strategy focused on process improvement and defect reduction and the efficiency of these processes
Life Cycle Cost-Benefit Analysis
The assessment of the following elements to determine strategic direction for IT enterprise systems and overall IT portfolio management
Life Cycle Cost (LCC)
The estimated costs of maintenance/updates, failure, and maintaining interoperability with mainstream and emerging technologies
Life Cycle (LC)
A series of stages that characterize the course of existence of an organizational investment
Netiquette
A description of language that is considered appropriate to use while online
Organizational Change Management
Involves use of a defined and documented process to identify and apply technology improvements at the infrastructure and application level that are beneficial to the organization and involve all levels of the organization impacted by the changes
Organizational Chart
Provides a clear definition of the department’s hierarchy and authorities
Outsourced
Fully performed by the vendor’s staff
Outsourcing
The mechanism that allows organizations to transfer the delivery of services to third parties
Performance
The service perceived by users and stakeholders
Performance Measurement
The process of measuring, monitoring and reporting on information security processes to ensure that SMART (specific, measurable, attainable, realistic and timely) objectives are achieved
Performance Optimization
The process of both improving perceived service performance along with improving information security productivity to the highest level possible without unnecessary, additional investment in the IT infrastructure
Performance Reference Model
a framework to measure the performance of major IT investments and their contribution to program performance
Plan, Do, Check, Act (PDCA)
An iterative four-step management method used in business for the control and continuous improvement of processes and products
Policies
High-level documents that represent the corporate philosophy of an organization
Procedures
Documented, defined steps for achieving policy objectives
Process Integration
The integration of an organization’s management assurance processes for security
Qualitative Risk Analysis
Uses words or descriptive rankings to describe the impacts or likelihood
Quality Assurance (QA)
A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements
Quality Control (QC)
The observation techniques and activities used to fulfill requirements for quality
Quantitative Risk Analysis
Uses numeric values to describe the likelihood and impacts of risk, using data from several types of sources
Residual Risk
The remaining level of risk after controls have been applied
Resource Management
The process of utilizing information security knowledge and infrastructure efficiently and effectively
Risk Calculation
Probability of Occurrence × Magnitude of Impact
Root Cause Analysis
The process of diagnosis to establish the origins of events
Semi-Quantitative Risk Analysis
Descriptive rankings are associated with a numeric scale
Service Component Reference Model
A functional framework that classifies the service components that support business and performance objectives
Six Sigma
The implementation of a measurement-oriented strategy focused on process improvement and defect reduction
Six Sigma Defect
Anything outside customer specifications
Technical Reference Model
A framework that describes how technology supports the delivery, exchange and construction of service components
Vulnerabilities
Characteristics of information resources that can be exploited by a threat to cause harm