CISA Refresher 6 Flashcards
Audit Charter
document that states management's objectives for, and delegation of authority to, IS audit. Should be approved at the highest levels of management, and should outline the overall authority, scope, and responsibilities of the audit function. Should not significantly change over time.
Engagement Letter
a letter that formalizes the contract between the auditor and the client and outlines the responsibilities of both parties; focused on a particular audit exercise that is sought to be initiated in an organization with a specific objective in mind
Audit Plan
A list of the audit procedures the auditors need to perform to gather sufficient appropriate evidence on which to base their opinion on the financial statements; consists of both short-term and long-term planning
Sarbanes-Oxley Act of 2002
Law that requires companies to maintain adequate systems of internal control
Professional Independence
In all matters related to the audit, the IS auditor should be independent of the auditee in both attitude and appearance
Organizational Independence
The IS audit function should be independent of the area or activity being reviewed to permit objective completion of the audit assignment
Audit Risk
the risk that information may contain a material error that may go undetected during the course of the audit
Error Risk
the risk of errors occurring in the area being audited
Information Technology Assurance Framework (ITAF)
provides an integrated process (involving technical and non-technical aspects) for developing and deploying IT systems with intrinsic and appropriate security measures in order to meet the organization's mission
General standards
standards that establish the guiding principles under which the IT assurance profession operates; they apply to the conduct of all assignments, and deal with the IT audit and assurance professional’s ethics, independence, objectivity and due care, as well as knowledge, competency and skill
Performance standards
standards that establish baseline expectations in the conduct of IT assurance engagements; focused on the design of the assurance work, the conduct of the assurance, the evidence required, and the development of assurance and audit findings and conclusions
Reporting standards
standards that address the types of audit reports, means of communication, and information to be communicated at the conclusion of an audit
Risk analysis
part of audit planning, and helps identify risks and vulnerabilities so the IS auditor can determine the controls needed to mitigate those risks
Risk
the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization; the combination of the probability of an event and its consequence
Business Risk
a risk that may negatively impact the assets, processes or objectives of a specific business or organization
IT Risk
the risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise
Risk Assessment Process
- Identify Business Objectives
Internal controls
normally composed of policies, procedures, practices and organizational structures which are implemented to reduce risk to the organization; developed to provide reasonable assurance to management that the organization’s business objectives will be achieved and risk events will be prevented, or detected and corrected
Preventive controls
Controls that deter control problems before they occur
Detective controls
Controls that discover problems as soon as they arise
Corrective controls
Controls that remedy control problems that have been discovered
Control objectives
statements of the desired result or purpose to be achieved by implementing control activities (procedures)
IS Control objectives
provide a complete set of high-level requirements to be considered by management for effective control of each IT process
COBIT 5
a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT; helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use
COBIT 5 Principles
- Meeting stakeholder needs
Controls
include policies, procedures and practices established by management to provide reasonable assurance that specific objectives will be achieved
Compliance Audit
an audit that includes specific tests of controls to demonstrate adherence to specific regulatory or industry standards
Financial Audit
an audit that assesses the accuracy of financial reporting
Operational Audit
an audit designed to evaluate the internal control structure in a given process or area
Integrated Audit
an audit that combines financial and operational audit steps
Administrative Audit
an audit oriented to assess issues related to the efficiency of operational productivity within an organization
IS Audit
an audit that collects and evaluates evidence to determine whether the information systems and related resources adequately safeguard assets, maintain data and system integrity and availability, provide relevant and reliable information, achieve organizational goals, consume resources efficiently, and have, in effect, internal controls that provide reasonable assurance that business, operational and control objectives will be met
Statement on Standards for Attestation Engagements (SSAE 16)
a widely known auditing standard developed by the AICPA that defines the professional standards used by a service auditor to assess the internal controls of a service organization
Forensic Audit
an audit specialized in discovering, disclosing and following up on frauds and crimes
Audit Program
identifies the scope, audit objectives and audit procedures to obtain sufficient, relevant and reliable evidence to draw and support audit conclusions and opinions; includes the audit strategy and audit plan
Audit Strategy
overall approach to the audit that considers the nature of the client, risk of significant misstatements, and other factors such as the number of client locations and past effectiveness of client controls
Audit Methodology
a set of documented audit procedures designed to achieve planned audit objectives; components include a statement of scope, statement of objectives, and a statement of audit programs
Risk-Based Auditing
an audit approach that is adapted to develop and improve the continuous audit process; used to assess risk and assist the IS auditor in making the decision to perform either compliance testing or substantive testing
Inherent Risk
the risk level or exposure of the process/entity to be audited without taking into account the controls that management has implemented
Control Risk
the risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls
Detection Risk
the risk that material errors or misstatements that have occurred will not be detected by the IS auditor
Overall Audit Risk
the probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred
Statistical Sampling Risk
the risk that incorrect assumptions are made about the characteristics of a population from which a sample is selected
Risk Mitigation
a risk response that includes applying appropriate controls to reduce the risks
Risk Acceptance
a risk response that includes knowingly and objectively not taking action, providing the risk clearly satisfies the organization’s policy and criteria
Risk Avoidance
a risk response that includes avoiding risks by not allowing actions that would cause the risks to occur
Risk transfer/sharing
a risk response that includes transferring the associated risks to other parties, e.g. insurers or suppliers
Audit objectives
refer to the specific goals that must be accomplished by the audit
Compliance Testing
evidence gathering for the purposes of testing an organization’s compliance with control procedures; determines if controls are being applied in a manner that complies with management policies and procedures
Substantive Testing
evidence gathering for the purposes of evaluating the integrity of individual transactions, data or other information; substantiates the integrity of actual processing
Evidence
any information used by the IS auditor to determine whether the entity or data being audited follows the established criteria or objectives, and supports audit conclusions
Sample
the subset of population members used to perform testing
Statistical Sampling
sampling that uses the laws of probability to select and evaluate the results of an audit sample, thereby permitting the auditor to quantify the sampling risk for the purpose of reaching a conclusion about the population
Nonstatistical Sampling
audit sampling that relies on the auditor’s judgment to determine sample size, select the sample, and/or evaluate the results for the purpose of reaching a conclusion about the population
Attribute Sampling
sampling used to estimate the proportion of a population that possesses a specified characteristic; the primary sampling method used for compliance testing
Stop-or-go Sampling
sampling that allows the audit test to be stopped at the earliest possible moment
Discovery Sampling
a sampling plan that is appropriate when the expected occurrence rate is extremely low, used when the auditor desires a specific chance of observing at least one example of occurrence
Variable Sampling
sampling that deals with population characteristics that vary, such as monetary values and weights, and provides conclusions related to deviations from the norm
Confidence Coefficient
a percentage expression of the probability that the characteristics of the sample are a true representation of the population
Level of Risk
equal to one minus the confidence coefficient
Precision
represents the acceptable range difference between the sample and the actual population
Expected Error Rate
an estimate stated as a percent of the errors that may exist
Sample mean
the sum of all sample values, divided by the size of the sample
Sample standard deviation
computes the variance of the sample values from the mean of the sample
Tolerable error rate
maximum misstatement or number of errors that can exist without an account being materially misstated
Population standard deviation
measures the relationship to the normal distribution
Computer-Assisted Audit Techniques (CAAT)
refer to audit software that uses auditor-supplied specifications to generate a program that performs audit functions, thereby automating or simplifying the audit process
Generalized Audit Software (GAS)
standard software designed to read, process, and write data with the help of functions performing specific audit routines and with self-made macros
Utility Software
subset of software that provides evidence to auditors about system control effectiveness
Test Data
using a sample set of data to assess whether logic errors exist in a program and whether the program meets its objectives
Compensating Control
A control that reduces the risk that an existing or potential control weakness will result in a failure to meet a control objective (e.g., avoiding misstatements).
Audit Report
used by the auditor to report findings and recommendations to management
Control Self-Assessment (CSA)
A method/process by which management and staff of all levels collectively identify and evaluate risk and controls within their business areas. This may be under the guidance of a facilitator such as an auditor or risk manager; includes testing the design of automated application controls
Traditional Auditing Approach
any approach in which the primary responsibility for analyzing and reporting on internal control and risk is assigned to auditors, and to a lesser extent, controller departments and outside consultants
Integrated Auditing
the process whereby appropriate audit disciplines are combined to assess key internal controls over an operation, process or entity
Continuous Monitoring
provided by IS management and tools and typically based on automated procedures to meet fiduciary responsibilities
Continuous Auditing
“A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors reports issued simultaneously with or a short period of time after the occurrence of the events underlying the subject matter”
Corporate Governance
the system by which business corporations are directed and controlled; a set of responsibilities and practices used by an organization’s management to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and organizational resources are properly utilized
Governance of Enterprise IT (GEIT)
the body of issues addressed in considering how IT is applied within the enterprise
IT Governance
a structure of relationships and processes used to direct and control the enterprise toward achievement of its goals by adding value while balancing risk vs. return over IT and its processes
IT Governance Focus Areas
- Strategic Alignment
Strategic Alignment
focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations
Value Delivery
executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT
Resource Management
the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people
Performance Management
tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery
IT Balanced Scorecard (BSC)
a process management evaluation technique that can be applied to the IT governance process in assessing the IT functions and processes; supplements traditional financial evaluation with measures concerning user satisfaction, internal processes and the ability to innovate
IT Strategy Committee
As a committee of the board, it assists the board in overseeing the enterprise’s IT-related matters by ensuring that the board has the internal and external information it requires for effective IT governance decision making.
IT Steering Committee
a committee, comprised of a group of managers and staff representing various organizational units, set up to establish IT priorities and to ensure that the MIS function is meeting the needs of the enterprise
Information Security Governance
governance focused on specific value drivers: confidentiality, integrity, and availability of information, continuity of services and protection of information assets
Process Integration
integration of an organization’s management assurance processes for security
Enterprise Architecture (EA)
involves documenting an organization’s IT assets in a structured manner to facilitate understanding, management and planning for IT investments; involves both a current state and an optimized state
Zachman Framework for Enterprise Architecture
a model framework that is a starting point for many contemporary EA projects; it helps move IT projects from abstract to physical using models and representations with progressively greater levels of detail
Federal Enterprise Architecture (FEA)
a business and performance based framework to support cross-agency collaboration, transformation and government-wide improvement
Strategic Planning
long-term direction an enterprise wants to take in leveraging information technology for improving its business processes
IT Portfolio Management
has an explicitly directive, strategic goal in determining what the enterprise will continue to invest in vs. what the enterprise will divest
Policy
high-level document that represents the corporate philosophy of an organization
Security Policy
policy that communicates a coherent security standard to users, management and technical staff
High-level Information Security Policy
policy that includes statements on confidentiality, integrity, and availability
Data Classification Policy
policy that should describe the classifications, levels of control at each classification and responsibilities of all potential users including ownership
Acceptable Use Policy
policy that includes information for all information resources and describes the organizational permissions for the usage of IT and information-related resources
End-user Computing Policy
policy that describes the parameters and usage of desktop, mobile computing and other tools by users
Access Control Policy
policy that describes the method for defining and granting access to users to various IT resources
Procedures
detailed steps defined and documented for implementing policies
Risk Management
the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization
Key performance indicators
The quantifiable metrics a company uses to evaluate progress toward critical success factors
Threat
any circumstance or event with the potential to cause harm (such as destruction, disclosure, modification of data and/or denial of service) to an information resource
Vulnerabilities
characteristics of information resources that can be exploited by a threat to cause harm
Impact
the result of a threat agent exploiting a vulnerability
Residual Risk
the remaining level of risk once controls have been applied; can be used by management to further reduce risk by identifying those areas in which more control is needed
Qualitative Analysis
method that uses words or descriptive rankings to describe the impact or likelihood of risk (high, medium, low)
Semi-quantitative Analysis
method that uses descriptive rankings that are associated with a numeric scale to describe the impact or likelihood of risk
Quantitative Analysis
method that uses numeric values to describe the likelihood and impact of risk, using data from several types of sources such as historic records, past experiences, industry practices and records, statistical theories, testing, and experiments (usually monetary terms)
IS Management
practices that reflect the implementation of policies and procedures developed for various IS-related management activities
Human Resource Management
organizational policies and procedures for recruiting, selecting, training and promoting staff, measuring staff performance, disciplining staff, succession planning, and staff retention
Sourcing
the way in which the organization will obtain the IS functions required to support the business (in-house, outsource)
Outsourcing
contractual agreements under which an organization hands over control of part or all of the functions of the IS department to an external party
Service Level Agreement (SLA)
a document that provides a company with a performance guarantee for services outsourced to a vendor
Benchmarking
A process of continuously measuring system results, comparing those results to optimal system performance (industry standards or best practices), and identifying steps and procedures to improve system performance
Cloud Computing
model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction
Statement on Standards for Attestation Engagements (SSAE 16)
provides a framework for three Service Organization Control (SOC) reporting options
SOC 1 Report
focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements
Governance of Outsourcing
the set of responsibilities, roles, objectives, interfaces and controls required to anticipate change and manage the introduction, maintenance, performance, costs and control of third-party provided services
Change Management
involves the use of a defined and documented process to identify and apply technology improvements at the infrastructure and application level that are beneficial to the organization and involve all levels of the organization impacted by the changes
Quality Management
one of the means by which IT department-based processes are controlled, measured and improved; may include: software development/maintenance/implementation, acquisition of hardware or software, day-to-day operations, service management, security, HR management, general administration
Ways to use performance measures
- Measure products/services
Systems development manager
responsible for programmers and analysts who implement new systems and maintain existing systems
Project manager
responsible for planning and executing IT projects and may report to a project management officer or to the development organization
Service desk (help desk)
unit within an organization that responds to technical questions and problems faced by users
End user
responsible for operations related to business application services; used to distinguish the person for whom the product was designed from the person who programs, services, or installs applications
End-user support manager
responsible as a liaison between the IS department and the end users
Data manager
responsible for the data architecture in larger IT environments and tasked with managing data as a corporate asset
Quality Assurance (QA) manager
responsible for negotiating and facilitating quality activities in all areas of information technology
Operations manager
responsible for computer operations personnel, including all staff required to run the data center efficiently and effectively
Control group
responsible for the collection, conversion and control of input, and the balancing and distribution of output to the user community
Media manager
responsible for recording, issuing, receiving, and safeguarding all program and data files that are maintained on removable media
Data Entry
The process of getting information into a database, usually done by people typing it in by way of data-entry forms designed to simplify the process
Systems administrator
responsible for maintaining major multi-user computer systems, including LANs, WLANs, WANs, PANs, SANs, intranets and extranets, and mid-range and mainframe systems
Security Administrator
responsible for ensuring that the various users are complying with the corporate security policy and controls are adequate to prevent unauthorized access to the company assets
Quality Assurance (QA)
helps the IS department to ensure that personnel are following prescribed quality processes
Quality Control (QC)
responsible for conducting tests or reviews to verify and ensure that software is free from defects and meets user expectations
Database Administrator (DBA)
custodian of an organization’s data; defines and maintains the data structures in the corporate database system
Systems analyst
specialist who designs systems based on the needs of the user and is usually involved during the initial phase of the system development life cycle
Security architect
responsible for evaluating security technologies; designs the security aspects of the network topology, access control, identity management and other security systems; and establishes security policies and security requirements
Applications staff
responsible for developing and maintaining applications; should work in a test-only environment
Infrastructure staff
responsible for maintaining the systems software, including the operating system
Network administrator
responsible for key components of the infrastructure (routers, switches, firewalls, network segmentation, performance management, remote access, etc.); reports to the director of the IPF or an end-user manager
Segregation of Duties
avoids the possibility that a single person could be responsible for diverse and critical functions in such a way that errors or misappropriations could occur and not be detected in a timely manner and in the normal course of business processes
Duties that should be segregated
custody of the assets, authorization, recording transactions
Compensating controls
internal controls that are intended to reduce the risk of an existing or potential control weakness when duties cannot be appropriately segregated
Audit trails
help the IS and user departments as well as the IS auditor by providing a map to retrace the flow of a transaction; recreates the actual transaction flow from the point of origination to its existence on an updated file
Reconciliation
independent verification typically performed by the user that increases the level of confidence that the application processed successfully and the data are in proper balance
Exception reporting
Identifying data that is not within “normal limits” so that managers can follow up and take corrective action; should require evidence, such as initials on a report, noting that the exception has been handled properly
Transaction logs
a record of transactions (can be logged manually or automatically)
Request for proposal
A document specifying all the system requirements and soliciting a proposal from each vendor contacted
Business continuity
the ability of an organization to maintain its operations and services in the face of a disruptive event
Business continuity plan
Provides procedures for emergency responses, extended backup operations, and post-disaster recovery
Disaster recovery plan
a detailed process for recovering information or an IT system in the event of a catastrophic disaster such as a fire or flood
Restoration plan
a process to return operations to normality whether in a restored or new facility
IS business continuity planning
specifies how to resume business processes specifically related to IS in the face of a disruptive event; should be aligned with the strategy of the organization
Risk analysis calculation
how risk is calculated; uses either qualitative or quantitative means
Business Impact Analysis (BIA)
the activity in Business Continuity Management that identifies vital business functions and their dependencies; allows the organization to determine the maximum downtime possible and to quantify losses as they grow after a disruption, thus allowing the organization to make a decision on the technology used for protection and recovery of its key information assets
IT disaster recovery plan
typically details the process IT personnel will use to restore the computer systems
Disasters
disruptions that cause critical information resources to be inoperative for a period of time, adversely impacting organizational operations
Pandemic
an epidemic or outbreak of infectious diseases in humans that have the ability to spread rapidly over large areas
Business continuity policy
a document approved by top management that defines the extent and scope of the business continuity effort within the organization
Incident
any unexpected event, even if it causes no significant damage
Negligible incident
incident that causes no perceptible or significant damage
Minor incidents
incidents that, while not negligible, produce no negative material (of relative importance) or financial impact
Major incidents
incidents that cause a negative material impact on business processes and may affect other systems, departments or even outside clients
Crisis
a major incident that can have serious material impact on the continued functioning of the business and may also adversely impact other systems or third parties
Downtime cost
costs incurred during the period after a disaster in which the business is not functioning; cost grows quickly with time, where the impact of a disruption increases the longer it lasts
Recovery cost
cost of activating the business continuity plan (alternative corrective measures), which decreases with the target chosen for recovery time
Risk ranking
determination of risk based upon the impact derived from the critical recovery time period, as well as the likelihood that an adverse disruption will occur (critical, vital, sensitive, nonsensitive)
Desk-based evaluation/paper test
a paper walk-through of the BCP, involving major players in the plan’s execution who reason out what might happen in a particular type of service disruption
Preparedness test
localized version of a full BCP test, wherein actual resources are expended in the simulation of a system crash
Full operational test
one step away from an actual service disruption; a full test of the BCP
Benefits realization
the process by which an organization evaluates technology solutions to business problems
Project portfolio
all of the projects (related or unrelated) being carried out in an organization at a given point in time
Program
a group of projects and time-bound tasks that are closely linked together through common objectives, a common budget, and intertwined schedules and strategies
Business case
document that provides the information required for an organization to decide whether a project should proceed
Project management
the application of knowledge, skills, tools, and techniques to a broad range of project activities to achieve a stated objective such as meeting the defined user requirements, budget and deadlines for an IS project
Influence project organization
a type of project organization in which the project manager has only a staff function without formal management authority; the PM can only advise peers and team members as to which activities should be completed
Pure project organization
a type of project organization in which the project manager has formal authority over those taking part in the project
Matrix project organization
a type of project organization in which management authority is shared between the project manager and the department heads
Specific, Measurable, Attainable, Realistic and Timely
SMART
Main objectives
objectives that will always be directly coupled with business success
Additional objectives
objectives that are not directly related to the main results of the project but may contribute to project success
Nonobjectives
objectives that add clarity to the scope and make project boundaries clearer; these objectives shape the contours of the deliverables and help all parties to gain a clear understanding of what has to be done, avoiding any ambiguities
Object breakdown structure (OBS)
a structure that represents the individual components of the solution and their relationships to each other in a hierarchical manner, either graphically or in a table
Work breakdown structure (WBS)
designed after the OBS has been compiled, this structures all the tasks that are necessary to build up the elements of the OBS during the project
Task list
a list of actions to be carried out in relation to work packages and includes assigned responsibilities and deadlines
Senior Management
management that demonstrates commitment to the project and approves the necessary resources to complete the project
User Management
management that assumes ownership of the project and resulting system, allocates qualified representatives to the team, and actively participates in business process redesign, system requirements definition, test case development, acceptance testing and user training
Project Steering Committee
group that provides overall direction and ensures appropriate representation of the major stakeholders in the project’s outcome; should be comprised of a senior representative from each relevant business area
Project Sponsor
person or group that provides funding for the project and works closely with the project manager to define the critical success factors and metrics for measuring the success of the project
Systems Development Management
management that provides technical support for hardware and software environments by developing, installing and operating the requested system
Project Manager
person that provides day-to-day management and leadership of the project, ensures that project activities remain in line with the overall direction, ensures appropriate representation of the affected departments, ensures that the project adheres to local standards, ensures that deliverables meet the quality expectations of key stakeholders, resolves interdepartmental conflicts, and monitors and controls costs and the project timetable
Systems Development Project Team
group that completes assigned tasks, communicates effectively with users by actively involving them in the development process, works according to local standards and advises the project manager of necessary project plan deviations
User Project Team
group that completes assigned tasks, communicates effectively with the systems developers by actively involving themselves in the development process as subject matter experts (SMEs), works according to local standards and advises the project manager of expected and actual project plan deviations
Security Officer
person that ensures that system controls and supporting processes provide an effective level of protection, based on the data classification set in accordance with corporate security policies and procedures
Quality Assurance (QA)
personnel who review results and deliverables within each phase of a project and at the end of each phase, and confirm compliance with requirements
Software size estimation
relates to methods of determining the relative physical size of the application software to be developed
Function Point Analysis (FPA)
a multiple-point technique widely used for estimating complexity in developing large business applications
Critical path method (CPM)
the sequence of activities whose sum of activity time is longer than that for any other path through the network; if everything goes according to schedule, the duration gives the shortest possible completion time for the overall project
Time slack
the difference between the latest possible completion time of each activity that will not delay the completion of the overall project and the earliest possible completion time based on all predecessor activities
Gantt chart
chart that aids in the scheduling of activities needed to complete a project; shows when an activity should begin and when it should end along a timeline
PERT (Program Evaluation Review Technique)
technique that uses three different estimates of each activity duration in lieu of using a single number for each activity duration (as used by CPM); the three estimates are then reduced to a single number and then the classic CPM algorithm is applied
Timebox management
a project management technique for defining and deploying software deliverables within a relatively short and fixed period of time, and with predetermined specific resources
Earned value analysis (EVA)
consists of comparing the following metrics at regular intervals during the project: budget to date, actual spending to date, estimate to complete and estimate at completion
Postproject review
formal process in which lessons learned and an assessment of project management processes used are documented to allow reference, in the future, by other project managers or users working on projects of similar size and scope
Postimplementation review
process typically completed once the project has been in use for some time - long enough to realize its business benefits and costs, and measure the project’s overall success and impact on the business units
Key business drivers
the attributes of a business function that drive the behavior and implementation of that business function to achieve the strategic business goals of the company
V-Model
modified Waterfall model that provides for back references for VERIFICATION and VALIDATION
Waterfall model
an SDLC approach that assumes the various phases of a project can be completed sequentially - one phase leads (falls) into the next phase
Iterative Approach
method in which business requirements are developed and tested in iterations until the entire application is designed, built and tested
Feasibility study
a study concerned with analyzing the benefits and solutions for the identified problem area
Requirements definition
concerned with identifying and specifying the business requirements of the system chosen for development during the feasibility study
Request for Proposal (RFP)
written request asking contractors to propose solutions and prices that fit customer’s requirements; this method is more applicable in system integration projects when the requirement is more toward a solution and related support and maintenance
Invitation to Tender
written request asking contractors to propose solutions and prices that fit customer’s requirements; this method is more applicable where procurement of hardware, network, database, etc. is involved and when the product and related services are known in advance
Entity Relationship Diagram (ERD)
these diagrams show how the entities that make up a relational database are linked together. Using cardinality the relationships are displayed using a straight line to link the entities, which are represented by a rectangle
Entities
groupings of like data elements or instances that may represent actual physical objects or logical constructs
Attributes
properties or characteristics common to all or some of the instances of the entity
Primary Key
uniquely identifies each instance of the entity
Relationships
depict how two entities are associated (and, in some cases, how instances of the same entity are associated)
Foreign Key
one or more attributes held in one entity that map to the primary key of a related entity
Software baseline
the cutoff point in the design; also referred to as design freeze
Test Plan
developed early in the life cycle and refined until the actual testing phase, this identifies the specific portions of the system to be tested
Bottom-up
a testing strategy that begins with testing of atomic units, such as programs or modules, and works upward until complete system testing has taken place
Top-down testing
a testing strategy where the component at the top of the component hierarchy is tested first, with lower level components being simulated by stubs; tested components are then used to test lower level components; the process is repeated until the lowest level components have been tested
Unit testing
testing of an individual program or module
Interface or integration testing
a hardware or software test that evaluates the connection of two or more components that pass information from one area to another
System testing
a series of tests designed to ensure that modified programs, objects, database schema, etc., which collectively constitute a new or modified system, function properly
Recovery testing
checking the system’s ability to recover after a software or hardware failure
Security testing
making sure that the modified/new system includes provisions for appropriate access controls and does not introduce any security holes that might compromise other systems
Load testing
testing an application with large quantities of data to evaluate its performance during peak hours
Volume testing
studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records (data) that the application can process
Stress testing
studying the impact on the application by testing with an incremental number of concurrent users/services on the application to determine the maximum number of concurrent users/services the application can process; should be carried out in a test environment using live workloads
Performance testing
comparing the system’s performance to other equivalent systems using well-defined benchmarks
Quality assurance testing (QAT)
testing that focuses on the documented specifications and the technology employed; verifies that the application works as documented by testing the logical design and the technology itself
User acceptance testing (UAT)
testing that supports the process of ensuring that the system is production-ready and satisfies all documented requirements; focuses on functional aspect of the application
Alpha testing
testing that is performed only by users within the organization developing the software
Beta testing
a form of user acceptance testing that generally involves a limited number of external users
Pilot testing
preliminary test that focuses on specific and predetermined aspects of a system; provides a limited evaluation of the system
White box testing
testing that assesses the effectiveness of software program logic
Black box testing
an integrity-based form of testing associated with testing components of an information system’s “functional” operating effectiveness without regard to any specific internal program structure
Function/validation testing
used to test the functionality of the system against the detailed requirements to ensure that the software that has been built is traceable to customer requirements
Regression testing
the process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors
Parallel testing
the process of feeding test data into two systems - the modified system and an alternative system - and comparing the results
Sociability testing
tests to confirm that the new or modified system can operate in its target environment without adversely impacting existing systems
System configuration
consists of defining, tracking and controlling changes in a purchased system to meet the needs of the business
Implementation
the actual operation of the new information system is established and tested
Site acceptance testing
a full-system test conducted on the actual operations environment
Data migration
the moving of data from the original application system into the newly implemented system
Data conversion
the conversion of existing data into the new required format, coding and structure while preserving the meaning and integrity of the data
Changeover
refers to an approach to shift users from using the application from the existing (old) system to the replacing (new) system
Parallel changeover
a changeover approach that includes running the old system, then running both the old and new systems in parallel, and finally fully changing over to the new system after gaining confidence in the working of the new system
Phased changeover
a changeover approach where the older system is broken into deliverable modules; the first module of the older system is phased out using the first module of the new system, then the second module is replaced, and so on until the last module is replaced
Abrupt changeover
a changeover approach where the newer system is changed over from the older system on a cutoff date and time, and the older system is discontinued once the changeover to the new system takes place
Certification
the process by which an assessor organization performs a comprehensive assessment against a standard of management and operational and technical controls in an information system
Accreditation
the official management decision (given by a senior official) to authorize operation of an information system and to explicitly accept the risk to the organization’s operations, assets, or individuals based on the implementation of an agreed-upon set of requirements and security controls
Postproject review
internal review to assess and critique the project process
Postimplementation review
review to assess and measure the value the project has on the business (benefits realization)
Business risk
risk related to the likelihood that the new system may not meet the users’ business needs, requirements and expectations
Project risk
risk that the project activities to design and develop the system exceed the limits of the financial resources set aside for the project and, as a result, it may be completed late, if ever
Electronic commerce (e-commerce)
the buying and selling of goods online, usually via the Internet
Business-to-consumer
applies to any business that sells its products or services to consumers over the internet
Business-to-business
applies to businesses buying from and selling to each other over the Internet
Business-to-employee
when administrative transactions are conducted over the Internet between a business and its employees, such as payroll and benefits
Business-to-government
online transactions between businesses and governmental agencies
Electronic Data Interchange (EDI)
replaces the traditional paper document exchange (purchase orders, invoices, material release schedules); the proper controls and edits need to be built within each company’s application system to allow this communication to take place
Value-added network (VAN)
uses computerized message switching and storage capabilities to provide electronic mailbox services similar to a post office
Mail servers
hosts that deliver, forward and store mail
Clients
interface with users and allow users to read, compose, send and store email messages
Point-of-sale (POS) system
system that enables the capture of data at the time and place that sales transactions occur
Electronic funds transfer (EFT)
a computerized cash payments system that transfers funds without the use of checks, currency, or other paper documents
e-finance
a new means of delivering financial services electronically
Automated teller machine (ATM)
a specialized form of the POS terminal that is designed for the unattended use by a customer of a financial institution
Interactive voice response (IVR)
a phone technology that allows a computer to detect voice and touch tones using a normal phone call
Imaging system
system that stores, retrieves and processes graphic data, such as pictures, charts and graphs, instead of or in addition to text data
Artificial intelligence
the science of designing and programming computer systems to do intelligent things and to simulate human thought processes such as reasoning and understanding language
Expert systems
systems that allow the user to specify certain basic assumptions or formulas and then use these assumptions or formulas to analyze arbitrary events
Business intelligence (BI)
a broad field of IT that encompasses the collection and analysis of information to assist decision making and assess organizational performance
Data architecture
a system that consists of individual databases contributing to a central repository from which data may be either drawn directly to supply an EHR workstation or sent to a warehouse that performs sophisticated analysis on data to supply decision support
Context diagrams
diagrams that outline the major processes of an organization and the external parties with which the business interacts
Swim-lane diagrams
diagrams that deconstruct business processes
Decision support system
an interactive system that provides the user with easy access to decision models and data from a wide range of sources in order to support semi-structured decision-making tasks typically for business purposes
Customer relationship management (CRM)
an emphasis on the importance of focusing on information relating to transaction data, preferences, purchase patterns, status, contact history, demographic information, and service trends of customers rather than on products
Operational CRM
concerned with maximizing the utility of the customer’s service experience while also capturing useful data about the customer interaction
Analytical CRM
seeks to analyze information captured by the organization about its customers and their interactions with the organization into information that allows greater value to be obtained from the customer base
Agile development
a system development strategy that refers to a family of similar development processes that espouse a nontraditional way of developing complex systems
Scrum
an agile process that aims to move planning and directing tasks from the project manager to the team, leaving the project manager to work on removing the obstacles to the team achieving its objectives
Prototyping
aka heuristic or evolutionary development, the process of creating a system through controlled trial and error procedures to reduce the level of risk in developing the system
Rapid application development (RAD)
a methodology that enables organizations to develop strategically important systems quickly while reducing development costs and maintaining quality
Object-oriented system development (OOSD)
the process of solution specification and modeling where data and procedures can be grouped into an entity known as an object
Component-based development
the process of assembling applications from cooperating packages of executable software that make their services available through defined interfaces
Web-based application development
a software development approach designed to achieve easier and more effective integration of code modules within and between enterprises
Reengineering
a process of updating an existing system by extracting and reusing design and program components
Reverse engineering
the process of studying and analyzing an application, a software application or a product to see how it functions and to use that information to develop a similar system
Project Phases of Physical Architecture Analysis
- Review of existing architecture
Project Phases of Planning the Implementation of Infrastructure
- Procurement phase
System maintenance practices
the processes of managing change to application systems while maintaining the integrity of both the production source and executable code
Change management
a systematic way of approving and executing change in order to assure maximum security, stability and availability of information technology services
Configuration management
procedures throughout the software life cycle to identify, define and baseline software items in the system and thus provide a basis for problem management, change management and release management
Code generators
tools, often incorporated with CASE products, that generate program code based on parameters defined by a systems analyst or on data/entity flow diagrams developed by the design module of a CASE product
Computer-aided software engineering (CASE)
the use of automated tools to aid in the software development process
Upper CASE
CASE products used to describe and document business and application requirements
Middle CASE
CASE products used for developing the detailed design
Lower CASE
CASE products involved with the generation of program code and database definitions
4GL
fourth-generation language; nonprocedural language that enables users and programmers to access data in a database
Business process reengineering (BPR)
the process of responding to competitive and economic pressures, and customer demands to survive in the current business environment; usually done by automating system processes so that there are fewer manual interventions and manual controls
Benchmarking
a continuous, systematic process for evaluating the products, services, or work processes of organizations recognized as a world-class “reference” in a globalized world
ISO 9126
an international standard to assess the quality of software products that provides the definition of the characteristics and associated quality evaluation process to be used when specifying the requirements for, and evaluating the quality of, software products throughout their life cycle
Capability maturity model (CMM)
a five-level model laying out a generic path to process improvement (maturity) for software development in organizations
ISO/IEC 15504
a series of documents that provide guidance on process improvement, benchmarking and assessment including detailed guidance that can be leveraged to create enterprise best practices
Levels of the CMM
- Incomplete process
Application controls
controls over input, processing, and output functions
Input authorization
verifies that all transactions have been authorized and approved by management
Batch balancing
comparison of the items or documents actually processed against a predetermined control total
Data validation
a process to identify data errors, incomplete or missing data and inconsistencies among related data items
Processing controls
controls that ensure that data in a file/database remain complete and accurate until changed as a result of authorized processing or modification routines
File controls
controls that ensure that only authorized processing occurs to stored data files
Output controls
controls that provide assurance that the data delivered to users will be presented, formatted and delivered in a consistent and secure manner
Business process control assurance
involves evaluating controls at the process and activity level
Segregation of duties
implementing control procedures to clearly divide authority and responsibility within the information system function to prevent employees from perpetrating and concealing fraud
Data integrity testing
set of substantive tests that examines accuracy, completeness, consistency and authorization of data presently held in a system
Generalized audit software (GAS)
uses auditor-supplied specifications to generate a program that performs audit functions, thereby automating or simplifying the audit process
Computer assisted audit techniques
refer to audit software, often called generalized audit software (GAS), that uses auditor-supplied specifications to generate a program that performs audit functions, thereby automating or simplifying the audit process
Snapshots
technique that involves taking “pictures” of the processing path that a transaction follows, from the input to the output stage
Audit hooks
technique that involves embedding hooks in application systems to function as red flags and to induce IS auditors to act before an error or irregularity gets out of hand
Wired equivalent privacy
a key encryption technique for wireless networks that uses keys both to authenticate network clients and to encrypt data in transit; has been demonstrated to have numerous flaws and has been deprecated in favor of newer standards
Functional acknowledgments
standard EDI transactions that tell trading partners that their electronic documents were received; used as an audit trail for electronic data interchange (EDI) transactions
IS Operations
responsible for the ongoing support of an organization’s computer and information systems environment
IS Management
has the overall responsibility for all operations within the IS department
IT Service Management
a concept that comprises processes and procedures for efficient and effective delivery of IT services to business
Delta release
a release that contains only those items that have undergone changes since the last release
Service Level Agreement
an agreement between the IT organization and the customer that details the service(s) to be provided; the IT organization could be an internal IT department or an external IT service provider, and the customer is the business
Service level management
the process of defining, agreeing upon, documenting and managing levels of service that are required and cost justified
Exception reports
automated reports that identify all applications that did not successfully complete or otherwise malfunctioned
System and application logs
logs generated from various systems and applications that should be considered to identify all application problems and provide additional, useful information regarding activities performed on the computer since most abnormal system and application events will generate a record in the logs
Operator problem reports
manual reports that are used by operators to log computer operations problems and their resolutions
Operator work schedules
schedules that are generally maintained manually by IS management to assist in human resource planning
Job scheduling
a major function within the IS department that includes scheduling jobs that must be run, the sequence of job execution and the conditions that cause program execution
Job scheduling software
system software used by installations that process a large number of batch routines
Incident management
focuses on providing increased continuity of service by reducing or removing the adverse effect of disturbances to IT services, and covers almost all nonstandard operations of IT services
Problem management
aims to resolve issues through the investigation and in-depth analysis of a major incident, or several incidents that are similar in nature, in order to identify the root cause
Change control procedures
part of change management that are established to control the movement of applications from the test environment, where development and maintenance occurs, to the quality assurance (QA) environment, to the production environment
Release management
the process responsible for planning, scheduling and controlling the movement of releases to test and live environments; primary objective is to ensure that the integrity of the live environment is protected and that the correct components are released
Information security management
ensures continuous IT operation and security of business process and data
Media sanitization
establishes the controls, techniques and processes necessary to preserve the confidentiality of sensitive information stored on media to be reused, transported, or discarded; involves the eradication of information recorded on storage media to the extent of providing reasonable assurance that residual content cannot be salvaged or restored
Central processing unit (CPU)
executes commands from a computer’s hardware and software; the principal computer chip that contains several processing components, which determines the computer’s operating speed; the “brain” of a computer
Random access memory (RAM)
temporary memory a computer uses to store information while it is processing; memory is volatile
Read-only memory
form of primary memory that holds items that can be read but not erased or changed by normal computer input; memory is nonvolatile
Print servers
servers that allow businesses to consolidate printing resources for cost-savings
File servers
servers that provide for organization-wide access to files and programs
Application (program) servers
servers that host the software programs that provide application access to client computers, including the processing of the application business logic and communication with the application’s database
Web servers
servers that provide information and services to external customers and internal employees through web pages
Proxy servers
servers that provide an intermediate link between users and resources; servers that access services on a user’s behalf
Database servers
servers that store raw data and act as a repository for storing information rather than presenting it to be usable
Appliances
provide a specific service and normally would not be capable of running other services; these devices are significantly smaller, faster, and very efficient
Universal serial bus
a serial bus standard that interfaces devices with a host; was designed to allow connection of many peripherals to a single standardized interface socket; allows devices to be connected and disconnected without rebooting
Memory card / flash drive
a solid-state electronic data storage device used with digital cameras, handheld and mobile computers, telephones, music players, video game consoles and other electronics
Radio frequency identification (RFID)
uses radio waves to identify tagged objects within a limited radius
Capacity management
the planning and monitoring of computing and network resources to ensure that the available resources are used efficiently and effectively
Capacity planning
the process of ensuring that the resource provision can always meet business requirements
Architecture
a number of layers of circuitry and logic, arranged in a hierarchical structure that interacts with the computer’s operating system
Operating system (OS)
contains programs that interface between the user, processor and applications software; provides the primary means of managing the sharing and use of computer resources such as processors, real memory, auxiliary memory and I/O devices
Access control software
software designed to prevent unauthorized access to data, unauthorized use of system functions and programs, and unauthorized updates/changes to data, and to detect or prevent unauthorized attempts to access computer resources
Data communications software
software that is used to transmit messages or data from one point to another, which may be local or remote
Data management
capabilities that are enabled by the system software components that enact and support the definition, storage, sharing and processing of user data, and deal with file management
Database management system (DBMS)
system software that aids in organizing, controlling and using the data needed by application programs
Data dictionary / directory system (DD/DS)
helps define and store source and object forms of all data definitions for external schemas, conceptual schemas, the internal schema and all associated mappings
Hierarchical database model
model where there is a hierarchy of parent and child data segments (parent-child relationships) that are 1:N relationships between record types
Network database model
a flexible way of representing objects and their relationships (each entity can have multiple relationships); rarely used in current environments
Relational database model
a relational model based on the set theory and relational calculations that allows the definition of data structures, storage/retrieval operations and integrity constraints
Data normalization
a technique to make complex databases more efficient by eliminating as much redundant data as possible
Utility programs
system software used to perform maintenance and routines that frequently are required during normal processing operations
Concurrent licensing
where a number of users can access the software on the network at one time
Digital rights management
refers to access control technologies that can be used by hardware manufacturers, publishers, copyright holders and individuals to impose limitations on the usage of digital content and devices
Packet switching
a technology in which users share common carrier resources
Baseband
the signals are directly injected on the communication link so that one single channel is available on that link for transmitting signals; the entire capacity of the communication channel is used to transmit one data signal and communication can move in only one direction at a time
Broadband network
different carrier frequencies defined within the available band can carry analog signals as if they were placed on separate baseband channels
Telecommunications
the electronic transmission of data, sound and images between connected end systems
Personal area networks (PANs)
microcomputer network used for communications among computer devices being used by an individual person (typical range of 33 ft)
Local area networks (LANs)
computer networks that cover a limited area such as a home, office or campus with higher data transfer rates
Wide area networks (WANs)
computer networks that cover a broad area such as a city, region, nation or an international link
Metropolitan area networks (MANs)
WANs that are limited to a city or region; higher data transfer rates than WANs
Storage area networks (SANs)
a variation of LANs and are dedicated to connecting storage devices to servers and other computing devices
Network services
functional features made possible by appropriate OS applications that allow orderly utilization of the resources on the network
Copper (twisted-pair) circuits
two insulated wires are twisted around each other, with current flowing through them in opposite directions
Fiber-optic systems
glass fibers are used to carry binary signals as flashes of light
Radio systems (wireless)
data are communicated between devices using low-powered systems that broadcast and receive electromagnetic signals representing data
Microwave radio systems
provide line-of-sight transmission of voice and data through the air
Satellite radio link systems
contain several receiver/amplifier/transmitter sections called transponders; sends narrow beams of microwave signals between Earth and a satellite
LAN topologies
define how networks are organized from a physical standpoint
Protocols
define how information transmitted over the network is interpreted by systems
Switch
a data link level device that can divide and interconnect network segments and help to reduce collision domains in Ethernet-based networks
Star topology
a network topology in which all computers and other devices are connected to a central host computer; all communications between network devices must pass through the host computer
Bus topology
a networking configuration in which all devices are connected to a central high-speed cable called the bus or backbone
Ring topology
a network configuration in which the computers and peripherals are laid out in a configuration resembling a circle; data flows around the circle from device to device in one direction only
Repeaters
physical layer devices that extend the range of a network or connect two separate network segments together
Hubs
physical layer devices that serve as the center of a star topology network or network concentrator
Bridges
data link layer devices developed to connect LANs or create two separate LAN or WAN network segments from a single segment to reduce collision domains
Routers
data link layer devices that link two or more physically separate network segments; operate by examining network addresses and making intelligent decisions to direct packets to their destination
Gateways
devices that are protocol converters; typically connect and convert between LANs and the mainframe or the Internet
Message switching
sends a complete message to the concentration point for storage and routing to the destination point as soon as a communications path becomes available
Packet switching
a sophisticated means of maximizing the transmission capacity of networks; breaks a message into transmission units (called packets) and routes them individually through the network, depending on the availability of a channel for each packet
Circuit switching
a physical communications channel is established between communicating equipment, through a circuit-switched network
Virtual circuits
a logical circuit between two network devices that provides for reliable data communications
Modem
converts computer digital signals into analog data signals and analog data back to digital; makes it possible to use analog lines as transmission media for digital networks
Multiplexor
a physical layer device used when a physical circuit has more bandwidth capacity than required by individual signals; can allocate portions of its total bandwidth and use each portion as a separate signal link
Point-to-point protocol (PPP)
provides a single, preestablished WAN communication path from the customer premises to a remote network, usually reached through a carrier network such as a telephone company
Virtual private network (VPN)
extends the corporate network securely via encrypted packets sent out via virtual connections over the public Internet to distant offices, home workers, salespeople, and business partners
Wireless wide area networking
the process of linking different networks over a large geographical area to allow wider IT resource sharing and connectivity
Wireless LANs (WLANs)
connects computers and other components to the network using an access point device (wireless)
Wireless PANs (WPANs)
short-range wireless networks that connect wireless devices to one another (ex: Bluetooth)
Bluetooth
a wireless protocol that connects devices within a range of up to 49 ft and has become a feature on some PDAs, mobile phones, mice, printers, etc.
Ad hoc networks
networks designed to dynamically connect remote devices such as cell phones, laptops, and PDAs; have shifting network topologies and maintain random network configurations, relying on a system of mobile routers connected by wireless links to enable devices to communicate
Wireless application protocol (WAP)
a general term used to describe the multilayered protocol and related technologies that bring Internet content to wireless mobile devices such as PDAs and cell phones
Transmission Control Protocol/Internet Protocol (TCP/IP)
protocol that connects computers to the Internet; tells computers how to exchange information over the Internet
Uniform resource locator (URL)
identifies the address on the www where a specific resource is located
Cookie
a message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them
Applets
programs downloaded from web servers that execute in web browsers on client machines to run any web-based application
Bookmark
a marker or address that identifies a document or a specific place in a document
Network access point (NAP)
a traffic concentration spot, usually the point of convergence for Internet access by many Internet service providers
Internet Service Provider (ISP)
a company that provides the communication lines and services for connecting users
Domain name system (DNS)
a distributed database system that translates hostnames to IP addresses and IP addresses to hostnames
File transfer protocol (FTP)
a protocol that supports one of the most popular uses of the Internet, downloading files (i.e., transferring files from a computer on the Internet to the user’s computer)
Transborder data flow
refers to data transmission between two countries
Latency
the delay that a message or packet will experience on its way from source to destination
Throughput
the quantity of useful work done by the system per unit of time
Client-server
a network architecture in which each computer or process on the network is either a server (a source of services and data) or a client (a user of these services and data that relies on servers to obtain them)
Thin client
a client that relies on another host for the majority of processing and hard disk resources necessary to run applications and share files over the network
Thick client
a client application that processes most or all of its business logic on local computing resources (e.g., the desktop PC)
Middleware
a class of software employed by client-server applications that serves as the glue between two otherwise distinct applications and provides services such as identification, authentication, authorization, directories and security; resides between the application and the network and manages the interaction between the GUI on the front end and data servers on the back end
Recovery point objective (RPO)
determined based on the acceptable data loss in case of disruption of operations and indicates the earliest point in time at which it is acceptable to recover the data; effectively quantifies the permissible amount of data loss in case of interruption (measured in time)
Recovery time objective (RTO)
determined based on the acceptable downtime in case of a disruption of operations and indicates the earliest point in time at which the business operations must resume after a disaster
Recovery strategy
identifies the best way to recover a system in case of interruption, including disaster, and provides guidance based on which detailed recovery procedures can be developed
Cold site
facility with the space and basic infrastructure adequate to support resumption of operations, but lacking any IT or communications equipment, programs, data or office support
Mobile site
packaged, modular processing facility mounted on transportable vehicles and kept ready to be delivered and set up at a location that may be specified upon activation
Warm site
facility with the space and basic infrastructure, and some or all of the required IT and communications equipment installed
Reciprocal agreement
agreement between separate, but similar, companies to temporarily share their IT facilities in the event that one company loses processing capability
Hot site
facility with space and basic infrastructure and all of the IT and communications equipment required to support the critical applications, along with office furniture and equipment for use by the staff
Mirrored site
fully redundant site with real-time data replication from the production site
Cluster
a type of software (agent) that is installed on every server (node) on which the application runs and includes management software that permits control and tuning of the cluster behavior
Active-passive cluster
the application runs on only one (active) node, while the other (passive) nodes are used only if the application fails on the active node
Active-active cluster
the application runs on every node of the cluster; cluster agents coordinate the information processing between all of the nodes, providing load balancing and coordinating concurrent data access
Redundant array of independent disks (RAID)
way to protect data against disk failure by breaking up data and writing data to a series of multiple disks to simultaneously improve performance and/or save large files
IT Disaster recovery plan
a well-structured collection of processes and procedures intended to make the disaster response and recovery effort swift, efficient and effective and to achieve synergy between recovery teams (IT specifically)
Virtual tape libraries (VTLs)
systems that consist of disk storage and software that controls backup and recovery data sets and behaves like a conventional tape library; however, the data are stored on a disk array
Host-based replication
replication is executed at the host (server) level by special software running on this server and on the target server
Disk-array based replication
the replication is performed at the disk array level, completely hidden from servers and applications
Snapshots
a very flexible technology that allows different types of momentary copies of volumes or file systems to be made
Full backup
type of backup scheme that copies all files and folders to the backup media, creating one backup set
Incremental backup
type of backup that copies the files and folders that have changed or are new since the last incremental or full backup
Differential backup
type of backup that copies all files and folders that have been added or changed since a full backup was performed; faster and requires less media capacity than a full backup
Grandfather-Father-Son backup method
a backup method in which daily backups (sons) are made over the course of a week and the final backup of the week becomes the backup for that week (father); the earlier daily backup media are then rotated for reuse as backup media for the second week; at the end of the month, the final weekly backup is retained as the backup for that month (grandfather)
IS Operations
responsible for the ongoing support of an organization’s computer and information systems environment
IS Management
has the overall responsibility for all operations within the IS department
IT Service Management
a concept that comprises processes and procedures for efficient and effective delivery of IT services to the business
Delta release
a release that contains only those items that have undergone changes since the last release
Service Level Agreement
an agreement between the IT organization and the customer that details the service(s) to be provided; the IT organization could be an internal IT department or an external IT service provider, and the customer is the business
Service level management
the process of defining, agreeing upon, documenting and managing levels of service that are required and cost justified
Exception reports
automated reports that identify all applications that did not successfully complete or otherwise malfunctioned
System and application logs
logs generated from various systems and applications that should be considered to identify all application problems and provide additional, useful information regarding activities performed on the computer since most abnormal system and application events will generate a record in the logs
Operator problem reports
manual reports that are used by operators to log computer operations problems and their resolutions
Operator work schedules
schedules that are generally maintained manually by IS management to assist in human resource planning
Job scheduling
a major function within the IS department that includes scheduling jobs that must be run, the sequence of job execution and the conditions that cause program execution
Job scheduling software
system software used by installations that process a large number of batch routines
Incident management
focuses on providing increased continuity of service by reducing or removing the adverse effect of disturbances to IT services, and covers almost all nonstandard operations of IT services
Problem management
aims to resolve issues through the investigation and in-depth analysis of a major incident, or several incidents that are similar in nature, in order to identify the root cause
Change control procedures
procedures within change management that are established to control the movement of applications from the test environment, where development and maintenance occur, to the quality assurance (QA) environment, and then to the production environment
Release management
the process responsible for planning, scheduling and controlling the movement of releases to test and live environments; primary objective is to ensure that the integrity of the live environment is protected and that the correct components are released
Information security management
ensures continuous IT operation and the security of business processes and data
Media sanitization
establishes the controls, techniques and processes necessary to preserve the confidentiality of sensitive information stored on media to be reused, transported, or discarded; involves the eradication of information recorded on storage media to the extent of providing reasonable assurance that residual content cannot be salvaged or restored
Central processing unit (CPU)
executes commands from a computer’s hardware and software; the principal computer chip that contains several processing components, which determines the computer’s operating speed; the “brain” of a computer
Random access memory (RAM)
temporary memory a computer uses to store information while it is processing; memory is volatile
Read-only memory
form of primary memory that holds items that can be read but not erased or changed by normal computer input; memory is nonvolatile
Print servers
servers that allow businesses to consolidate printing resources for cost-savings
File servers
servers that provide for organization-wide access to files and programs
Application (program) servers
servers that host the software programs that provide application access to client computers, including the processing of the application business logic and communication with the application’s database
Web servers
servers that provide information and services to external customers and internal employees through web pages
Proxy servers
servers that provide an intermediate link between users and resources; servers that access services on a user’s behalf
Database servers
servers that store raw data and act as a repository for storing information rather than presenting it in a usable form
Appliances
provide a specific service and normally would not be capable of running other services; these devices are significantly smaller, faster, and very efficient
Universal serial bus
a serial bus standard that interfaces devices with a host; was designed to allow connection of many peripherals to a single standardized interface socket; allows devices to be connected and disconnected without rebooting
Memory card / flash drive
a solid-state electronic data storage device used with digital cameras, handheld and mobile computers, telephones, music players, video game consoles and other electronics
Radio frequency identification (RFID)
uses radio waves to identify tagged objects within a limited radius
Capacity management
the planning and monitoring of computing and network resources to ensure that the available resources are used efficiently and effectively
Capacity planning
the process of ensuring that the resource provision can always meet business requirements
Architecture
a number of layers of circuitry and logic, arranged in a hierarchical structure that interacts with the computer’s operating system
Operating system (OS)
contains programs that interface between the user, processor and applications software; provides the primary means of managing the sharing and use of computer resources such as processors, real memory, auxiliary memory and I/O devices
Access control software
software designed to prevent unauthorized access to data, unauthorized use of system functions and programs, and unauthorized updates/changes to data, and to detect or prevent unauthorized attempts to access computer resources
Data communications software
software that is used to transmit messages or data from one point to another, which may be local or remote
Data management
capabilities that are enabled by the system software components that enact and support the definition, storage, sharing and processing of user data, and deal with file management
Database management system (DBMS)
system software that aids in organizing, controlling and using the data needed by application programs
Data dictionary / directory system (DD/DS)
helps define and store source and object forms of all data definitions for external schemas, conceptual schemas, the internal schema and all associated mappings
Hierarchical database model
model where there is a hierarchy of parent and child data segments (parent-child relationships) that are 1:N relationships between record types
Network database model
a flexible way of representing objects and their relationships (each entity can have multiple relationships); rarely used in current environments
Relational database model
a model based on set theory and relational calculations that allows the definition of data structures, storage/retrieval operations and integrity constraints
Data normalization
a technique to make complex databases more efficient by eliminating as much redundant data as possible