CISA Glossary Flashcards
Abend *
An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing.
Acceptable use policy
A policy that establishes an agreement between users and the enterprise and defines for all parties’ the ranges of use that are approved before gaining access to a network or the Internet
Access control *
The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises.
Access control list (ACL) *
An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. Also referred to as access control tables.
Access control table *
An internalized computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals.
Access path *
The logical route an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system.
Access rights *
The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy.
Access servers *
Provides centralized access control for managing remote access dial-up servers.
Access method *
The technique used for selecting records in a file; one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization, which determines how the records are stored.
Address *
Within computer storage, the code used to designate the location of a specified piece of data.
Address space *
The number of distinct locations that may be referred to with the machine address. For most binary machines it is equal to 2n, where n is the number of bits in the machine address.
Addressing *
The method used to identify the location of a participant in a network. Ideally, adressing specifies where the participant is located rather than who they are (name) or how to get there (routing).
Administrative audit
Verifies that appropriate policies and procedures exist, and that they have been implemented as management intended. This audit focuses on operational effectiveness and efficiency.
Administrative controls *
The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies.
Advanced Encryption Standard (AES)
Symmetric-key encryption system designed by Belgian mathematicians. Also known as the Rijndael, Advanced Encryption Standard (AES) replaces the outdated Data Encryption Standard (DES) previously used by the U.S. government. This is the de facto standard for many applications because AES is approved by the U.S. National Institute of Standards and Technology (NIST) for unclassified and certain classified information.
Adware *
A software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used. In most cases, this is done without any notification to the user or without the user’s consent. The term adware may also refer to software that displays advertisements, whther or not it does so with the user’s consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, an dprovides the user with a specific service.
After-image
Changes to data in the database are held in a temporary file called the after-image journal. The transaction can be reversed (discarded) until the program writes the change into the master file. Also see before-image and ACID principle.
Agile development
A micromanagement methodology to force development within a series of short time boxes. Agile is used for the development of prototypes. The focus is on tactile knowledge in a person’s mind, rather than the use of formal SDLC design and development documentation.
Alpha *
The use of alphabetic characters or an alphabetic character string.
Alternative routing *
A service that allows the option of having an alternate route to complete a call when the marked destination is not available. In signalling, alternate routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signalling links or routes of that traffic stream.
American Standard Code for Information Interchange *
See ASCII.
Analog *
A transmission signal that varies continuously in amplitude and time, and is generated in wave formation. Analog signals are used in telecommunications.
Antivirus software *
An application software deployed at multiple points in an IT architecture It is designed to detect and potentially eliminate virus code before damage is done and repair or quarantine files that have already been infected.
Applet *
A program written in a portable, platform independent computer language such as Java, JavaScript or Visual Basic. An applet is usually embedded in a Hypertext Markup Langiage (HTML) page downloaded from web servers and then executed by a browser on client mahcines to run any web-based application (e.g. generate web page input forms, run audio/video programs, etc.). Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers. However, applets expose the user’s machine to risk if not properly controlled by the browser, which should not allow an applet to access a machine’s information without prior authorization of the user.
Application *
A computer program or set of programs that perform the processing of records for a specific function. Contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort.
Application controls *
The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved (application). Note: The lowest level of control, usually governing system use or internal program controls. Application controls are easily subverted if higher-level controls governing the operating environment are missing or ineffective. Higher controls include general controls, pervasive controls, and detailed controls.
Application layer *
In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication woth another application program in a network is possible. The application layer is not the application that is doing the communication; there is a service layer that provides these services. Anew: the highest layer of the OSI model is layer 7. The Application layer runs problem-solving software for the user. This layer provides the interface between the user and the computer program.
Application program *
A program that processes business data through activities such as data entry, update or query. Contrasts with system programs, such as an operating system or network contorl program, and with utility programs such as copy or sort.
Application programming *
The act or function of developing and maintaining applications programs in production.
Application programming interface (API) *
“A set of routines, protocols and tools referred to as ““building blocks”” used in business application software development. A good API makes it easier to develop a program by providing all of the building blocks related to functional characteristics of an operating system that applications need to specify, for example, when interfacing with the operating system (e.g., provided by Microsoft Windows, different versions of UNIX). A programer utilizes these APIs in developing applications that can operate effectively and efficiently on the platform chosen.”
Application service provider (ASP)
See software as a service (SaaS).
Application software tracing and mapping *
Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, contorl conditions and processing sequence. Both the command language or job contorl statements and programming language can be analyzed. This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons.
Artificial intelligence (AI) *
Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules. Anew: An attempt to simulate human reasoning by using a computer program with a knowledge database and abstract procedures to measure cause-and-effect relationships.
Arythmetic logic unit (ALU) *
The area of the central processing unit that performs mathematical and analytical operations.
ASCII *
Representing 128 characters, the American Standard Code for Information Interchange (ASCII) code normally uses 7 bits. However, some variations of the ASCII code set allow 8 bits. This 8-bit ASCII code allows 256 characters to be represented.
Assembler *
A program that takes as input a program written in assembly language and translates it into machine code or machine language.
Assessment
A less formal process used to determine value or relevance to the intended use. Assessments may be internal or external. The results of an assessment are of low to moderate value. The results are used for internal purposes only. See audit and independent audit to compare the differences.
Asset
Anything of value. May be tangible or intangible in the form of information, skilled people, money, physical goods, products, resources, recipes, or procedures.
Assurance
A promise with supporting evidence given in a declaration or activity designed to instil confidence.
Asymmetric-key encryption *
A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message (see also public key encryption). Anew: an encryption system using two different keys. Both keys are mathematically related. Asymmetric-key encryption is not time sensitive. The private key is kept secret by the sender, and the public key is freely distributed to anyone who desires to communicate with the owner. Also known as public-key cryptography.
Asynchronous Transfer Mode (ATM) *
A high-bandwidth low-delay switching and multiplexing technology that allows integration of real-time voice and video as well as data. It is a data link layer protocol. ATM is a protocol-independent transport mechanism. It allows high-speed data transfer rates up to 155 Mbit/sec. The acronym ATM should not be confused with the alternate usage for ATM, which refers to an Automated Teller Machine.
Atomicity
A process used for database transaction integrity to ensure that the entire transaction is correctly processed or all the changes are backed out of the database. Anew: if an error or interruption occurs, all changes made up to that point are backed out.
Attestation
An affirmation by the signer that all statements are true and correct. The purpose is to certify that a declaration is genuine.
Attribute
In computer programming, an attribute is equivalent to a column in a database table. The attribute refers to a specific characteristic of a database entry.
Attribute sampling *
An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size). Anew: a technique used to estimate the rate of occurrence for a particular attribute within the subject population. In compliance testing, attribute sampling answers the question, “How many?”
Attribute-based access control (ABAC)
The most detailed level of access control, which matches the combined security of subject (user or program), object (data), and context of usage (need or purpose) to determine whether a request should be approved or denied. ABAC is used in mandatory access control, which also requires a centralized control approach.
Audit
A formal and systematic process of collecting evidence to test or confirm a statement or to confirm a record of transaction. Also see internal audit and independent audit.
Audit charter
A formal document issued by management to designate audit responsibility, authority, and accountability. The absence of a formal audit charter document would indicate a control weakness.
Audit committee
A committee of the board of directors composed of financially literate executives. The purpose of the audit committee is to challenge the assertions of management by using internal and external auditors.
Audit evidence *
The information used to support the audit opinion. Anew: aamples collected by the auditor to prove or disprove the audit findings. Every audit must use relevant evidence of dependable quality in sufficient quantity to generate a score of success or failure.
Audit objective *
The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk. The audit objective(s) is the reason for the audit.
Audit plan
Detailed project plan containing a list of objectives, specific tasks in proper sequence, skills matrix, written copy of data collection procedures, written audit test procedures, and the forecast illustrating scope time and cost estimates. The audit plan is an essential document to be archived with the resulting audit report for proving integrity of the corresponding results.
Audit program *
A step-by-step set of audit procedures and instructions that should be performed to complete an audit.
Audit risk *
The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occured. Anew: the possibility that material errors may exist that the auditor is unable to detect.
Audit scope
The boundaries and limitations of the individual audit. Normally, particular systems or functions that will be reviewed during the audit.
Audit subject
The target to be audited. The audit subject may be a particular system, process, procedure, or department function.
Audit trail *
A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source. Anew: evidence that can be reassembled in chronological order to retrace a transaction or series of transactions.
Auditee
The persons and organization being audited.
Auditing standard
The mandatory examination procedures to be executed during an audit to ensure consistency of findings. The auditing standard specifies a minimum level of performance. Any deviations must be well documented, with justification as to why the standard was not followed.
Auditor
The person(s) performing the audit by gathering evidence, testing, and reporting the findings. Auditors should not be related to the subject of the audit, to prevent bias. Also see independence.
Auditor’s opinion
An overall score generated by the sufficient collection of evidence, effective testing, observations, and findings from the test results. It’s actually a score based on the relevance of the test results rather than an opinion.
Authentication *
The act of verifying the identity of a user and the user’s eligibility to access computerized information. Authentication is designed to protect against fraudulous logon activity. It can also refer to the verification of the correctness of a piece of data. Anew: the process of verifying a user’s identity. The user’s claim will be tested against a known reference. If a match occurs, the user is authenticated and allowed to proceed. A mismatch will deny the request.
Authentication header (AH)
Used in the IPsec protocol to provide integrity, authentication, and non-repudiation by means of encryption. The authentication header contains the security associations (SAs), which are used for covert tunnelling mode. The AH works with the encapsulated security protocol to both hide the internal IP address and encrypt the data payload.
Authenticode
Microsoft’s technique for software developers to digitally sign downloadable ActiveX applets. The authenticode design fails to provide any security from poorly written programs and does not protect the user from malicious programs designed to intentionally cause harm.
Authorization
The granting of a right or authority.
Availability
A term that refers to the accessibility and proper functioning of a system at the time frame required by the user.
Backbone *
The main communication channel of a digital network. The part of a network that handles the major traffic. Employs the highest-speed transmission paths in the network and may also run the longest distances. Smaller networks are attached to the backbone, and networks that connect directly to the end user or customer are called “access networks”. A backbone can span a geographical area of any size from a single building to an office complex to an entire country. Or, it can be as small as a backplane in a single cabinet.
Backdoor
A hidden software-access mechanism that will bypass normal security controls to grant access into a program. A root kit is the most powerful type of backdoor because it creates covert access paths into the system. Also see trapdoor.
Backup *
Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service.
Backup and recovery capability
The culmination of software, hardware, procedures, and data files that will permit timely recovery from a failure or disaster.
Badge *
A card or other device that is presented or displayed to obtain access to an otherwise restricted facility, as a symbol of authority (e.g. police) or as a simple means of identification. Also used in advertising and publicity.
Balanced scorecard
Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives. Anew: a management tool that aligns individual activities to the higher-level business objectives.
Bandwidth *
The range between the highest and the lowest transmittable frequencies. It equeates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).
Bar code *
A printed machine-readable code that consists of parrallel bars of varied width and spacing.
Base case *
A standardized body of data created for testing purposes. Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.
Baseband *
A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division and usually utilize a transceiver. The entire bandwidth of the transmission medium (e.g., coaxial cable) is utilized for a single channel. Anew: a single channel for data transmission. Coax cable is an example of a baseband technology.
Baseline
An agreed-upon reference point. Also see software baseline.
Bastion host
A gateway host fully exposed to an external connection such as the Internet. Bastion hosts are special-purpose systems designed with their own protection to withstand normal (average) attacks. Examples include a proxy server or firewall. If compromised, the bastion will be shut down.
Batch controls *
Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage. There are two main forms of batch controls: sequence control, which involves consecutively numbering the records in a batch so that the presence of each record can be confirmed, and control total, which is a total of the values in selected fields within the transaction. Anew: used to ensure the accuracy and correct formatting of input data. The batch controls include sequence numbering and run-to-run totals. The batch count will count the number of all the items to ensure that each transaction is processed. Batch totals can be used to verify the values within the transactions.
Batch processing *
The processing of a group of transactions at the same time. Transactions are collected and processed against the master files at a specified time.
Bayesian filter *
A method often employed by antispam software to filter spam based on probabilities. The messag eheader and every word or number are each considered a token and given a probability score. Then the entire message is given a spam probability score. A message with a high score will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the independent recipient.
Before-image
A temporary record of work in progress. This database journal file contains the original data before a new transaction is written. A copy of the original data is retained in this “before” journal file in case the transaction fails. If the transaction fails, the change is discarded and the original data is kept. Related to the ACID principle and after-image transaction journal.
Benchmarking *
A systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business. Examples include benchmarking of quality, logistic efficiency and various other metrics. Anew: a test to evaluate performance against a known workload or industry accepted standard. Using the Capability Maturity Model (CMM) is a form of benchmarking.
Best evidence
Refers to evidence that specifically proves or disproves a particular point. The best evidence is both independent and objective. The worst evidence is subjective or circumstantial evidence.
Binary code *
A code whose representation is limited to 0 and 1.
Biometric management
Management isn’t a policy; management is the enforcement/ overseeing of the policy concerning the intended use of biometric data with corresponding standards and procedures. Management includes identifying how data is collected, stored, protected, transmitted, used, and disposed of.
Biometric sensor
Special acquisition device used to create unique minutiae data representing an individual user. Sensors convert physical attributes into electrical signals, which are recorded as attribute scores for each individual user.
Biometric system
A combined assembly of hardware and software that uses biometric templates, acquisition sensors, a biometric template generator, an encrypted database of biometric template data, and a complete matcher to determine whether an individual is actually a legitimate authorized user.
Biometric template
Minutiae data created by the biometric system’s acquisition sensor, it represents unique characteristics of the legitimate authorized user that are trustworthy enough to be used for authentication.
Biometric template generator
The system sensor that acquires a biometric image and converts it into biometric minutiae for digital storage or comparison.
Biometric template matcher
Compares a biometric image template just acquired by the sensor to the biometric minutiae already stored inside the biometrics database. A match between the two templates will authenticate the individual, allowing access through the physical door or barrier.
Biometrics *
A security technique that verifies an individual’s identity by analyzing a unique physical attribute, such as a handprint. Anew: a technical process to verify a user’s identity based on unique physical characteristics.
Bitstream imaging
A special bit-by-bit backup of physical media, which records all the contents, including deleted files and current contents of swap space or slack space. Also known as physical backup. Bitstream backups are used in forensic analysis and may be used in electronic discovery. Also see logical backup.
Black-box testing *
A testing approach thatfocuses on the functionality of the application or product and does not require knowledge of the code of intervals. Anew: tests the functionality of compiled software by comparing the input and output, without understanding the internal process that creates the output. The internal logic is hidden from the tester. The term black box refers to the software being in non-readable machine format (compiled code). Almost all commercially available software is tested by using the black-box technique.
Blackout
The complete failure of electrical power.
Boot strapping (boot)
The initial loading of software to start a computer. Also see initial program load (IPL).
Bot-net
Remote-controlled robot network created from compromised computers owned by unsuspecting users. Unsuspecting victims may even be located behind a firewall on a corporate network. This bot-net operates a distributed attack against other systems or delivers email spam messages against other systems. Bot-nets are known to be as large as hundreds of thousands or even millions of systems.
Bridge *
A device that connects two similar networks together. Anew: a network device or software process that connects similar networks together. Network switching is based on a bridging process to join users into logical network segments. A standard bridge will forward all data packets to the other users in the subnet. A bridge operates at the OSI Data-Link layer (layer 2).
Broadband *
Multiple channels are formed by dividing the transmission medium into discrete frequency segments. Broadband generally requires the use of a modem. Anew: aultiple communication channels that are multiplexed over a single cable. DSL is an example of broadband transmitted on a different frequency and sharing the same physical wire with the voice telephone circuit.
Broadcast
A network transmission by one computer to all computers on the network. Ethernet uses broadcast technology to transmit data packets, which are seen by all the computers on the network.
Brouters *
Devices that perform the functions of both bridge and a router. A brouter operates at both the data link and the network layers. It connects same data link type local area network (LAN) segments as well as different data link ones, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a different data link type network based on the network protocol address. When connecting same data link type networks, it is as fast as a bridge and is able to connect different data link type networks.
Brownout
Low voltage for an extended period of time.
Brute force attack
An attempt to overpower the system or to try every possible combination until access is granted.
Buffer *
Memory reserved to temporarily hold data to offset differences between the operating speeds of different devices, such as a printer and a computer. In a program, buffers are reserved areas of random access memory (RAM) that hold data while they are being processed. Anew: a temporary memory location used to stage data before or after processing.
Bus *
Common path or channel between hardware devices. Can be located between computers internal to a computer or between external computers in a communications network. Anew: a shared connection used in common by other devices. Examples include the power bus and the computer data bus.
Bus configuration *
All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes. This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a computer to make a longer cable for more computers to join the network. A repeater can also be used to extend a bus configuration.
Bus topology
An early type of networking in which all the computers were connected on a single cable in a linear fashion.
Business case *
Documentation of the rationale for making a business investment, used both to support a business decision on whther to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle.
Business continuity (BC) manager
A specific manager with the authority of a vice president or director assigned to lead planning and exercises. Usually this person reports to the chief executive officer (CEO), chief operating officer (COO), or holds a leadership position in the program management office. Unlike departmental managers, the BC manager has authority across departmental boundaries.
Business continuity plan (BCP) *
A plan used by an organization to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems. Anew: an organizational plan to continue core revenue-generating operations following a crisis or disaster. The objective of business continuity planning is to ensure uninterrupted revenue for business survival.
Business impact analysis (BIA) *
A process to determine the impact of losing the support of any resource. The BIA assessment study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision. Anew: the process of determining the actual steps to produce the desired product or service, as in use by the organization. The intention is to provide management with accurate information about how the business processes are performed.
Business performance indicators
Business performance can be measured by a variety of indicators, including return on investment (ROI), gross profit margin (GPM), capital gains, market share, production cost, and debt ratio.
Business process reengineering (BPR) *
The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings. Anew: the process of streamlining existing operations in an effort to improve efficiency and reduce cost. Benefits may be derived by eliminating unnecessary steps as the organization has progressed through the learning curve, or by expanding capability for more work.
Business risk *
A probable situation with uncertain frequency and magnitude of loss (or gain). Anew: the inherent potential for harm in the business or industry itself, as the organization attempts to fulfil its objectives. Business risks may be regulatory, contractual, or financial.
Bypass label processing (BLP) *
A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system. Anew: an attempt to circumvent mandatory access controls by bypassing the electronic security control label. Examples include writing data to a read-only file, or accessing a file that would be off-limits because of its higher security rating.
Bytecode
See pseudo-code.
Cable plant
A physical collection of network cables contained inside the building.
Cache
A high-speed buffer used to temporarily stage data before or after processing.
Candidate key
Rows of data used with search attributes to find all matching records within the database. For example, searching the database to find the name of every hotel in Grapevine, Texas.
Capability Maturity Model (CMM) *
CMM for software, from the Software Engineering Institute (SEI), is a model used by many organizations to identify best practices useful in helping them assess and increase the maturity of their software development processess. Anew: developed by the Software Engineering Institute to benchmark the maturity of systems and management processes. Maturity levels range from 0 to 5. Level 5 is completely documented and optimized for continuous improvement.
Capacity monitoring
The process of continuously monitoring utilization in the environment against existing resource capacity. The objective is to ensure optimum use and expansion of services before an outage occurs.
Capacity stress testing
Testing an application with large quantities of data to evaluate its performance during peak periods. Also called volume testing.
Central processing unit (CPU) *
Computer hardware that houses the electronic circuits that contorl/direct all operations of the computer system.
Certificate
A written assurance or official record representing that an event has or has not occurred. Certificates can be stored as electronic records or physical documents, signed by the party providing a declaration of authenticity.
Certificate authority (CA) *
A trusted third party that serves authentication infrastructures or organizations and registers entities and issues them certificates. Anew: the trusted issuer of digital certificates using public- and private-key pairs. The certificate authority is responsible for verifying the authenticity of the user’s identity.
Certificate revocation list (CRL) *
An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility. The CRL details digital certificates that are no longer valid. The time gap between two updates is very critical and is also a risk in digital certification. Anew: a list maintained by the certificate authority, of certificates that are revoked or expired.
Certification
A comprehensive technical evaluation process to establish compliance to a minimum requirement.
Certification practice statement (CPS)
A detailed set of procedures specifying how the certificate authority governs its operation. It provides an understanding of the value and set certificate authority’s value trustworthiness of certificates issued by a given certificate authority (CA).
Chain of custody
Refers to the mandatory security and integrity requirements used in the evidence life cycle. The custodian of evidence must prove that the evidence has been kept secure with a high degree of integrity and has not been tampered with.
Change control board (CCB)
A management review process to ensure awareness and control of changes in the IT environment. A change control board provides separation of duties.
Change control process (CCP)
A formal review of proposed changes using a systematic methodology.
Change management
“A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or ““soft”” elements of change.”
Channel Service Unit/Digital Service Unit (CSU/DSU) *
Interfaces at the physical layer of the open systems interconnection (OSI) reference model, data terminal equipment (DTE) to data circuit terminating equipment (DCE), for switched carrier networks.
Check digit *
A numeric value, which has been calculated mathematically, is added to data to ensure that original data have not been altered or that an incorrect, but valid match has occurred. Check digit control is effective in detecting transposition and transcription errors.
Checklist *
A list of items that is used to verify the completeness of a task or goal. Used in quality assurance (and, in general, in information systems audit) to check process compliance, code standardization and error prevention, and other items for which consistency processes or standards have been defined.
Checksum *
“A mathematical value that is assigned to a file and used to ““test”” the ffile at a later date to verify that the data contained in the file have not been maliciously changed. A cryptographic checksum is created by performing a complicated series of mathematical operations (known as a cryptographic algorithm) that translates the data in the file into a fixed string of digits called a hash value, which is then used as the checksum. Without knowing which cryptographic algorithm was used to create the hash value, it is highly unlikely that an authorized person would be able to change data without inadvertently changing the corrosponding checksum. Cryptographic checksums are used in data transmission and data storage. Cryptographic checksums are also known as message authentication codes, integrity check-values, modification detection codes or message integrity codes.”
Ciphertext *
Information generated by an encryption algorithm to protect the plaintext and that is unintelligible to the unauthorized reader. Anew: an encrypted message displayed in unreadable text that appears as gibberish. The message is displayed in cipher form.
Circuit switching
All communications are transmitted over a dedicated circuit such as a T1 leased line telephone circuit. Circuit switching is the opposite of packet switching.
Circuit-level gateway
Refers to a proxy firewall. No data packets are forwarded between the internal and external network, except by the proxy application. The proxy application is required to complete the data transmission circuit.
Classified information
Data is ranked somewhere in a protection scheme (aka protection plan) that has been clearly identified to the users and includes handling procedures on how the information should be controlled. Also see unclassified information.
Clear text
A message that is completely readable to a human. The message can be clearly read.
Client
A person or organization with the authority to request an audit. The auditor’s report of findings is presented to the client at the conclusion of the audit. The client may be internal or external to the auditee.
Client-server *
A group of computers connected by a communication network, in which the client is the requesting machine and the server is the supplying machine the supplying machine. Software is specialized at both ends. Processing may take place on either the client or the server, but it is transparenct to the user.
Closed system
Software containing methods and programming of a proprietary design, which remains the property of the software creator. Most commercial software is closed system. Closed systems can exchange data to other programs by using a specific application programming interface (API). Microsoft Windows is an example of a closed system containing proprietary design.
Cloud computing *
A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned nd released with minimal management effort or service provider interaction. Anew: application software hosted by remote vendor and offered across the Internet to subscribers. Cloud computing is a variation of the application service provider (ASP) and software as a service (SaaS) models. Security issues are a major concern because specific details of the communications network, network servers, internal software application, and vendor’s operation may not be known by the user. Auditors need to remain aware that cloud computing may cut operating expense, bypass IT controls, fuel an individual’s political agenda, circumvent management, or violate data control requirements.
Coaxial cable *
Composed of an insulated wirre that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second wire. Has a greater transmission capacity that standard twisted-pair cables, but has a limited range of effective distance.
Cohesion *
The extent to which a system unit–subroutine, program, module, component, subsystem–performs a single dedicated function. Generally, the more cohesive are units, the easier it is to maintain and enhance a system because it is easier to determine where and how to apply a change.
Cold site *
An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the facility that physical components of the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility. Anew: a physical location that can be used for disaster recovery of non-critical processes. The cold site is no more than a building with basic utility service. The entire computing environment must be shipped in and then assembled. The cold site will be ready for production use in weeks or months.
Committee of Sponsoring Organizations (COSO)
A voluntary association of governments (members) engaged in regulating the integrity of financial transactions worldwide. COSO is based on London’s banking system for investment, stock trading, and transaction controls. COSO represents the foundation of auditing laws and audit controls worldwide. ISACA represents a narrow derivative of IT-specific controls attempting to implement an IT-only portion of the COSO control model. COSO controls are used in conjunction with those of the International Organization for Standardization (ISO) and the Organization for Economic Cooperation and Development (OECD), which specify the details and interpretation of laws each country needs to adopt in support of world trade.
Common Criteria
An international standard (ISO 15408) for testing criteria of computer security controls. All ISO member countries are expected to use the Common Criteria standard with testing performed by an ISO 17025-certified laboratory testing facility. Common Criteria is currently in use by Canada, France, Germany, the Netherlands, the United Kingdom, and the United States.
Communication processor *
A computer embedded in a communications system that generally performs basic tasks of classifying network traffic and enforcing network polic functions. An example is the message data processor of a digital divide network (DDN) switching center. More advanced communications processors may perform additional functions.
Comparison program *
A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences.
Compensating control *
An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions. Anew: an internal control that reduces the potential for loss by error or omission. Supervisory review and audit trails are compensating controls for a lack of separation of duties.
Compile
An automated process used by software developers to convert human-readable computer programs into executable machine language. Compiled computer software runs faster than interpreted program scripts. Compiled computer programs cannot be read by humans.
Compiler *
A program that translates programming languge (source code) into machine executable instructions (object code).
Completed connected (mesh) configuration *
A network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks).
Completeness check *
A procedure designed to ensure that no fields are missing from a record.
Compliance audit
A type of audit that determines whether internal controls are present and functioning effectively.
Compliance testing *
Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period. Anew: the testing of internal controls to determine whether they are functioning correctly.
Components (as in component-based development) *
Cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as many predeveloped, pretested components as possible.
Compouter Emergency Response Team (CERT) *
A group of people integrated at the organization with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.
Comprehensive audit *
An audit designed to determine the accuracy of financial records as well as to evaluate the internal controls of a function or department.
Computer console
Physical access to the computer’s primary input/output terminal, usually the video display and keyboard. Access to the computer console is a security risk that must be controlled.
Computer forensics *
The application of the scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communications and digital storage devices) in a way that is admissible as evidence in a court of law.
Computer sequence checking
Verifies that the control number follows sequentially and that any control numbers out of sequence are rejected or noted on an exception report for further research.
Computer-aided software engineering (CASE) *
The use of software packages that aid in the development of all phases of an information system. System analysis, design programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.
Computer-assisted audit tools (CAAT) *
Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities. Anew: the family of automated test software using a computerized audit procedure with specialized utilities.
Concurrency control *
Refers to a class of controls used in a database management system (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serial and reciverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions.
Confidence coefficient
The quantified probability of error. A confidence coefficient of 95 percent is considered a high level of confidence in IS auditing.
Confidentiality
The protection of information held in secret for the benefit of authorized users.
Configuration management *
The control of changes to a set of configuration items over a system life cycle. Anew: an administrative process of being able to prove the documented design as built, by verifying the correct version of all the individual components used in final construction. The three elements of configuration management are control, accounting, and reporting.
Console log *
An automated detail report of computer system activity.
Constructive Cost Model (COCOMO)
An early software project estimation technique used to forecast the time and effort required to develop a software program based on size and complexity.
Contingency planning
Process of developing advance arrangements and procedures that enable an enterprise tto rrespond to an event that could occur of arrangements an o espond occur by chance or unforeseen circumstances.
Continuity *
“Preventing, mitigating and recovering from disruption. The terms ““business resumption planning,”” ““disaster recovery planning”” and ““contingency planning”” also may be used in this context; they all concentrate on the recovery aspects of continuity.”
Continuity of operations
Pre-emptive activities designed to ensure the continuous operation of core processes, utilities, and lifeline services. Vendors involved in lifeline medical services, power utilities, communications, national infrastructure supply-chains, or food and water are expected to provide their services without interruption regardless of whether they generate revenue or not.
Continuous auditing approach
This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.
Continuous improvement *
The goals of continuous improvement (Kaizen) include the elimination of waste, defined as “activities that add cost, but do not add value;” just-in-time delivery; production load leveling of amounts and types; standardized work; paced moving lines; right-sized equipment. A closer definition of the Japanese usage of Kaizen is “to take it apart and put back together in a better way.” What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes.
Contraband software
Any system utility or special software not required in the specific performance of a person’s job duties. A tightly controlled software policy prevents any excuses for violating separation of duties. Examples of contraband software include password crackers, network discovery tools, CAAT software, traffic generators, disk-wiping utilities, or known hacking software. Violations should be grounds for immediate termination following the conclusion of an investigation.
Control
The power to regulate or restrict activities. IS controls are used as a safeguard to prevent loss, error, or omission.
Control environment
A space designed to protect assets by using sufficient physical and technical controls to prevent unauthorized access or compromise. The computer room is a control environment.
Control group *
Members of the operations area that are responsible for the collection, logging and submission of input for the various user groups.
Control objective
A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.
Control risk *
The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. Anew: the risk that errors may be introduced, or not identified and corrected in a timely manner. The risk of losing control.
Control section *
The area of the central processing unit (CPU) that executes sofwtare, allocates internal memory and transfers operations between the arithmetic-logic, internal storage and output sections of the computer.
Control self-assessment
A formal review executed by the user to assess the effectiveness of controls. The purpose of the control self-assessment is to induce ownership by the user and to facilitate improvement.
Cookie *
A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them. The first time a cookie is set, a user may be required to go through a registration process. Subsequent to this, whenever the cookie’s message is sent to the server, a customized view based on that user’s preferences can be produced. The browser’s implementation of cookie’s has, however, brought several security concerns, allowing breaches of security and the theft of personal information (e.g., user passwords that validate the user’s identity and enable restricted web services).
Corporate governance *
The system by which enterprises are directed and controlled. The board of directors are responsible for the governance of their organization. It consists of the leadership and organizational structures and processes that ensure the organization sustains and extends strategies and objectives.
Corrective control *
Designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected. Anew: a control designed to minimize the impact of an error by repairing the condition or executing an alternative procedure. Examples of corrective controls include data restoration from tape backup, hot sites, and automated fail-over systems.
Cost of asset
The capital expense of an asset may be measured as total ownership cost (TOC). The cost of the asset is the cumulative total expense based on purchase price, delivery cost, implementation cost, and effective downtime.
Countermeasure *
Any process that directly reduces a threat or vulnerability.
Coupling *
Measure of interconnectivity among structure of software programs. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data pass across the interface. In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand and maintain, and less prone to a ripple or domino effect caused when errors occur at one location and propagate through the system.
Cracker
A malicious computer attacker who attempts to break into a system. Synonymous with the term malicious hacker.
Crash dump
A special diagnostic file created when a computer system crashes. The contents represent the data being processed at the time of the crash, including contents of the memory registers and tasks running when the crash occurred. Crash dump files vary according to the operating system. Contents of this file are extremely valuable in forensic analysis.
Critical infrastructure
Systems whose incapacity or destruction would have a debilitating effect on the economic security of an enterprise, community or nation.
Critical Path Methodology (CPM)
The path of execution that accomplishes the minimum, yet most important objectives of the project. The critical path is the longest single route through a network diagram and the shortest time to accomplish the main objectives. Critical path items represent mandatory tasks that, if not accomplished, would wreck the project.
Critical success factor (CSF)
A process that must occur perfectly every single time in order to be successful. To fail a critical success factor would be a show stopper. Anew: The most important issue or action for management to achieve control over and within its IT processes.
Cross-site scripting (XSS)
Very common programming technique that allows one program, such as a shopping cart, to drive another website. The shopping cart sends a transaction approval message to a different website, which provides access or a file to download. XSS creates a serious vulnerability unless strong cryptographic controls are used to authenticate that the request is actually valid. Static passwords will not protect against XSS attacks.
Crossover error rate (CER)
In biometrics, crossover error rate refers to adjusting sensitivity of the system to specifically favour either speed or increased accuracy. The most common error in biometrics is false rejection (type 1 error, aka. FRR), which poses little risk to an organization’s security requirements. The greater risk of breach occurs when an illegitimate user is accepted in error (type 2 error, aka FAR, or false acceptance rate). The crossover rate indicates the level of favouritism protecting against either FRR or FAR. Also see equal error rate. Note that ISACA may confuse the terminology of CER and EER in documentation and on exam questions. These are definitely different settings.
Cryptographic system
The implementation of a computer program using a cryptographic algorithm and keys to encrypt and decrypt messages.
