CISM Vocabulary Flashcards
Administrative controls
policies, processes, procedures, standards
Annualized Loss Expectancy
ALE = SLE x ARO
architecture standard
defines technology architecture at the database, system, or network level
assessment
an examination that determines the effectiveness of a system or process
asset value
the value of an IT asset - usually but not always the Replacement Value
Asynchronous Replication
writing data to a remote system is not synchronized with the local system.
No guarantee that remote system is identical to local system
Might be a time lag
Attestation of compliance
assertion of compliance to a law, standard or requirement
Typically signed by high ranking official
authentication
asserting an identity and providing proof of it
typically requires an ID (assertion) and a password (proof)
business email compromise
CEO fraud
perpetrator impersonates a CEO and gets company personnel to transfer large amounts of money, typically for a “secret merger” or “acquisition”
Business Impact Analysis
Study to identify the impact that different disaster scenarios will have on business operations
Business Recovery Plan
activities required to recover and resume critical business processes and activities
capability maturity model
measures relative maturity of an organization and its processes
capability maturity model for Development
CMMi-DEV
maturity model used to measure software development process maturity
certification practice statement (CPS)
describes practices used by the CA to issue and manage digital certificates
Change Control Board
aka
Change Advisory Board
stakeholders from IT and Business who propose, discuss, approve changes to the IT systems
CIS Controls
framework maintained by the Center for Internet Security (CIS)
COBIT
published by ISACA
control framework for managing information systems and security
COSO
Committee of Sponsoring Organizations of the Treadway Commission
Organization providing control frameworks and guidance on enterprise risk management
COOP
Continuity of Operations Plan
activities required to continue critical and strategic business functions at alternate site
Control
Policy, Process or Procedure created to ensure desired outcomes or to avoid unwanted outcomes
Control Framework
Collection of controls organized in logical categories
Covered Entity
any organization that stores or processes information covered by HIPAA
Critical Path Methodology (CPM)
Technique used to identify the most critical path in a project to understand which tasks are most likely to affect the project schedule
Criticality Analysis (CA)
Study of each system and process, a consideration of the impact on the organization if it’s incapacitated, the likelihood of incapacitation and the estimated cost of mitigating the impact (risk)
Digital envelope
method of using two layers of encryption
symmetric key is used to encrypt a message and a public or private key is used to encrypt the symmetric key
Disaster
unexpected and unplanned event that results in the disruption of business operations
Dwell Time
amount of time from the start of an incident to the organization’s awareness of the incident
e-vaulting
backing up information to an off-site location, usually a 3rd-party service provider
Exposure Factor
financial loss resulting from realization of a threat.
expressed as a percentage of the asset’s total value
Facilities Classification
methods for assigning risk levels to facilities based on their operational criticality or other risk factors
fiduciary
person who has a legal trust relationship with another party
fiduciary duty
highest standard of care that a fiduciary renders to a beneficiary
File Activity Monitoring (FAM)
monitoring the use of files on a computer as a way to detect indicators of compromise
File Integrity Monitoring (FIM)
periodically scanning file systems to detect changes to file contents or permissions that may indicate compromise
HITRUST
healthcare control framework and certification
serves as external attestation of an organization’s IT controls
Hybrid cryptography
cryptosystem that uses two or more iterations of cryptography
Impact
actual or expected result from a threat or disaster
incident
any event not part of standard operation of a service and that causes or may cause interruption or reduction in quality of service
Information Risk
business risk associated with use, ownership, operation, involvement, influence and adoption of information in an enterprise
ISMS
Information Security Management System
ISO/IEC 27001 - activities for managing information security in an organization
inherent risk
the risk that there are material weaknesses in existing business processes and no compensating controls to detect or prevent them
integrated audit
financial and operational audit
intrusion kill chain
intrusion model developed by Lockheed Martin
Phases are: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objective
ISAE 3402
International Standard on Assurance Engagement
external audit of a service provider
performed according to rules from International Auditing and Assurance Standards Board
ISO/IEC 20000
standard for IT service management (ITSM)
ISO/IEC 27001
standard for IT security management
ISO/IEC 27002
standard for IT security controls
ITIL
standard for IT service management
Key Performance Indicator (KPI)
Measure of a business process’s performance and quality
Used to reveal trends related to efficiency and effectiveness of key processes in the organization
Key Risk Indicator (KRI)
measure of information risk
used to reveal trends related to levels of risk of security incidents in the organization
Maximum Tolerable Downtime (MTD)
Amount of time after a disaster beyond which an organization’s survival is at risk
Maximum Tolerable Outage (MTO)
Maximum period of time that an organization can tolerate operating in recovery mode
North American Reliability Corporation (NERC)
maintains resilience and security controls for use by public utilities
North American Reliability Corporation Infrastructure Protection (NERC CIP)
Standards and Requirements defined by NERC to protect power plants and grids
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE)
Qualitative risk analysis methodology from Carnegie Mellon
orchestration
in context of SIEM, it is the scripted automated response when specific events occur
PCI-DSS
Security standard to protect credit card numbers in storage, processing and transmission.
Developed by consortium of credit card companies
Policy
Specifies what must be done or not done in an organization
Defines who is responsible for monitoring and enforcing policy
Population
Complete set of entities, transactions or events that are the subject of an audit
Process
collection of procedures that perform a business function
Responsible, Accountable, Consulted, Informed (RACI) Chart
Tool to assign roles to people and groups according to their responsibilities
Recovery Capacity Objective (RCapO)
Processing and/or Storage capacity of an alternate system as compared to the normal system.
Usually expressed as a percentage compared to the primary processing site
Recovery Consistency Objective (RCO)
Measure of the consistency and integrity of processing at a recovery site, compared to the primary site.
Calculated as 1 - (number of inconsistent objects) / (number of objects)
Recovery Point Objective (RPO)
Period of acceptable data loss from an incident.
Usually measured in hours or days
Recovery Time Objective (RTO)
Time from the onset of an outage until the resumption of service.
Usually measured in hours or days
Reperformance
audit technique where an IS auditor repeats actual tasks done by auditees in order to confirm they were performed correctly
Replication (aka Synchronous replication)
activity where data written to a storage system is also copied to another storage system.
Result is the presence of up-to-date data on two or more storage systems, each of which could be in different locations
Residual Risk
risk that remains after being reduced through other risk treatments
Response Document
Required action of personnel after a disaster strikes.
Includes business recovery plan, occupant emergency plan, emergency communication plan, contact lists, disaster recovery plan, continuity of operations plan, security incident response plan
Risk
event scenario that can result in property damage or disruption
Risk Appetite (Risk Tolerance)
level of risk an organization is willing to accept to pursue its mission and before action is needed to treat the risk
Risk Capacity
Objective amount of loss an organization can tolerate without its existence being called into question
Risk Treatments
mitigate
avoid
transfer
accept
Roadmap
steps needed to achieve strategic objective
Sample
portion of a population that’s selected for auditing
Sample Mean
sum of all samples divided by number of samples
Sample Standard Deviation
measures the spread of values in the sample
Computation of the variance of sample values from the sample mean
Sarbanes Oxley
law requiring public corporations to enact controls, perform internal and external audits
SAS 70
Statement of Accounting Standards No. 70
external audit of a service provider
Security Incident
event where the confidentiality, integrity or availability of information has been compromised
Service Delivery Objective (SDO)
level of service needed after an event, compared to normal business operations
Single Loss Expectancy (SLE)
financial loss when a threat is realized
SLE = AV x EF
Snapshot
a continuous auditing technique
Uses special audit modules embedded in online applications that sample specific transactions
Standard
defines technologies, protocols, suppliers, methods used by an IT organization
Statements on Standards for Attestation Engagements No. 16 (SSAE 16)
Audit standard superseded by SSAE 18
Statements on Standards for Attestation Engagements No. 18 (SSAE 18)
Audit standard for financial service provider audits
Performed by AICPA (American Institute of CPAs)
System and Organization Controls 1 (SOC1)
External audit of a service provider
SOC1 audit is performed according to the SSAE 18 standard
System and Organization Controls 2 (SOC2)
External audit of a service provider on one or more of the following trust principles:
security, availability, processing integrity, confidentiality, privacy
SOC 2 audits performed according to audit standards from the AICPA
System and Organization Controls 3 (SOC3)
external audit of a service provider like SOC 2
Stratified Sampling
sampling technique where population is divided into classes (strata) based on the value of one of the attributes
Samples selected from each class (strata)
The Open Group Architecture Framework (TOGAF)
lifecycle architecture framework
used for the design, planning, implementation and governance of a security architecture
Threat modeling
activity of looking for potential threats in a business process, information system or application
Zachman Framework
architecture framework used to describe IT architecture in increasing levels of detail
Procedure
Written sequence of instructions to perform a task