Glossary

Question 1

atomicity

Answer 1

The characteristic of a complex transaction whereby it is either performed completely as a single unit or not at all.

Question 2

attribute sampling

Answer 2

A sampling technique used to study the characteristics of a population to determine how many samples possess a specific characteristic. See also sampling.

Question 3

audit charter

Answer 3

A written document that defines the mission and goals of the audit program as well as roles and responsibilities

Question 4

802.11

Answer 4

The wireless network standard commonly known as “Wi-Fi” that can transport data up to 108 Mbit/sec up to a distance of 300 m.

Question 5

802.1X

Answer 5

A standard for network authentication and access control for devices designed to attach to a LAN or wireless LAN.

Question 6

acceptable use

Answer 6

Security policy that defines the types of activities that are acceptable and those that are not acceptable.

Question 7

access bypass

Answer 7

Any attempt by an intruder to bypass access controls in order to gain entry into a system.

Question 8

access control

Answer 8

Any means that detects or prevents unauthorized access and that permits authorized access.

Question 9

access control list (ACL)

Answer 9

An access control method where a list of permitted or denied users (or systems, or services, as the case may be) is used to control access.

Question 10

access control log

Answer 10

A record of attempted accesses.

Question 11

access control policy

Answer 11

Statement that defines the policy for the granting, review, and revocation of access to systems and work areas.

Question 12

access management

Answer 12

A formal business process that is used to control access to networks and information systems.

Question 13

access point

Answer 13

A device that provides communication services using the 802.11 (Wi-Fi) protocol standard.

Question 14

access review

Answer 14

A review of the users, systems, or other subjects that are permitted to access protected objects. The purpose of a review is to ensure that all subjects should still be authorized to have access.

Question 15

account lockout

Answer 15

An administrative lock that is placed on a user account when a predetermined event occurs, such as reaching an expiration date, or when there have been several unsuccessful attempts to access the user account.

Question 16

accumulation of privileges

Answer 16

A situation where an employee accumulates computer system access privileges over a long period of time, due to internal transfers or other privilege changes, and old access privileges are not removed.

Question 17

Address Resolution Protocol (ARP)

Answer 17

A standard network protocol used to obtain the address for another station on a local area network (LAN).

Question 18

administrative audit

Answer 18

An audit of operational efficiency.

Question 19

administrative control

Answer 19

Controls in the form of policies, processes, procedures, and standards.

Question 20

agile development

Answer 20

Software development process where a large project team is broken up into smaller teams, and project deliverables are broken up into smaller pieces, each of which can be attained in a few weeks.

Question 21

algorithm

Answer 21

In cryptography, a specific mathematical formula that is used to perform encryption, decryption, message digests, and digital signatures.

Question 22

annualized loss expectancy (ALE)

Answer 22

The expected loss of asset value due to threat realization. ALE is defined as SLE × ARO.

Question 23

annualized rate of occurrence (ARO)

Answer 23

An estimate of the number of times that a threat will occur every year.

Question 24

anti-malware

Answer 24

Software that uses various means to detect and block malware. See also antivirus software.

Question 25

antivirus software

Answer 25

Software that is designed to detect and remove viruses and other forms of malware.

Question 26

AppleTalk

Answer 26

The suite of protocols developed by Apple Computer used to transmit packets from one station to another over a network.

Question 27

appliance

Answer 27

A type of computer with preinstalled software that requires little or no maintenance.

Question 28

application firewall

Answer 28

A device used to control packets being sent to an application server, primarily to block unwanted or malicious content.

Question 29

application layer (OSI model)

Answer 29

Layer 7 of the OSI network model. See also OSI network model.

Question 30

application layer (TCP/IP model)

Answer 30

Layer 4 of the TCP/IP network model. The purpose of the application layer is the delivery of messages from one process to another on the same network or on different networks. See also TCP/IP network model.

Question 31

application programming language

Answer 31

See programming language.

Question 32

application server

Answer 32

A server that runs application software.

Question 33

architecture standard

Answer 33

A standard that defines technology architecture at the database, system, or network level.

Question 34

arithmetic logic unit (ALU)

Answer 34

The part of a central processing unit that performs arithmetic computations. See central processing unit (CPU).

Question 35

asset inventory

Answer 35

The process of confirming the existence, location, and condition of assets; also, the results of such a process.

Question 36

asset management

Answer 36

The processes used to manage the inventory, classification, use, and disposal of assets.

Question 37

asset value (AV)

Answer 37

The value of an IT asset, which is usually (but not necessarily) the asset’s replacement value.

Question 38

assets

Answer 38

The collection of property that is owned by an organization.

Question 39

asymmetric encryption

Answer 39

A method for encryption, decryption, and digital signatures that uses pairs of encryption keys, consisting of a public key and a private key.

Question 40

asynchronous replication

Answer 40

A type of replication where writing data to the remote storage system is not kept in sync with updates on the local storage system. Instead, there may be a time lag, and there is no guarantee that data on the remote system is identical to that on the local storage system. See also replication.

Question 41

Asynchronous Transfer Mode (ATM)

Answer 41

A LAN and WAN protocol standard for sending messages in the form of cells over networks. On an ATM network, all messages are transmitted in synchronization with a network-based time clock. A station that wishes to send a message to another station must wait for the time clock.

Question 42

audit logging

Answer 42

A feature in an application, operating system, or database management system where events are recorded in a separate log.

Question 43

audit methodology

Answer 43

A set of audit procedures that is used to accomplish a set of audit objectives.

Question 44

audit objective

Answer 44

The purpose or goals of an audit. Generally, the objective of an audit is to determine if controls exist and are effective in some specific aspect of business operations in an organization.

Question 45

audit procedures

Answer 45

The step-by-step instructions and checklists required to perform specific audit activities. Procedures may include a list of people to interview and questions to ask them, evidence to request, audit tools to use, sampling rates, where and how evidence will be archived, and how evidence will be evaluated.

Question 46

audit program

Answer 46

The plan for conducting audits over a long period.

Question 47

audit report

Answer 47

The final, written product of an audit. An audit report will include a description of the purpose, scope, and type of audit performed; persons interviewed; evidence collected; rates and methods of sampling; and findings on the existence and effectiveness of each control.

Question 48

audit scope

Answer 48

The process, procedures, systems, and applications that are the subject of an audit.

Question 49

authentication

Answer 49

The process of asserting one’s identity and providing proof of that identity. Typically, authentication requires a user ID (the assertion) and a password (the proof). However, authentication can also require stronger means of proof, such as a digital certificate, token, smart card, or biometric.

Question 50

authorization

Answer 50

The process whereby a system determines what rights and privileges a user has.

Question 51

automated workpapers

Answer 51

Data that has been captured by computer-assisted audit techniques. See also computer-assisted audit technique (CAAT).

Question 52

automatic control

Answer 52

A control that is enacted through some automatic mechanism that requires little or no human intervention.

Question 53

availability management

Answer 53

The IT function that consists of activities concerned with the availability of IT applications and services. See also IT service management (ITSM).

Question 54

back door

Answer 54

A section of code that permits someone to bypass access controls and access data or functions. Back doors are commonly placed in programs during development but are removed before programming is complete.

Question 55

background check

Answer 55

The process of verifying an employment candidate’s employment history, education records, professional licenses and certifications, criminal background, and financial background.

Question 56

back-out plan

Answer 56

A procedure used to reverse the effect of a change that was not successful.

Question 57

backup

Answer 57

The process of copying important data to another media device in the event of a hardware failure, error, or software bug that causes damage to data.

Question 58

backup media rotation

Answer 58

Any scheme used to determine how backup media is to be reused.

Question 59

balanced scorecard

Answer 59

A management tool that is used to measure the performance and effectiveness of an organization.

Question 60

barbed wire

Answer 60

Coiled or straight wire with sharp barbs that may be placed along the top of a fence or wall to prevent or deter passage by unauthorized personnel.

Question 61

benchmark

Answer 61

The practice of measuring a process in order to compare its performance and quality with the same process as performed by another firm. The purpose is to discover opportunities for improvement that may result in lower cost, fewer resources, and higher quality.

Question 62

biometrics

Answer 62

Any use of a machine-readable characteristic of a user’s body that uniquely identifies the user. Biometrics can be used for strong authentication. Types of biometrics include voice recognition, fingerprint, hand scan, palm vein scan, iris scan, retina scan, facial scan, and handwriting. See also authentication, strong authentication.

Question 63

blackmail

Answer 63

An attempt to extort money from an individual or organization through a threat of exposure.

Question 64

blackout

Answer 64

A complete loss of electric power for more than a few seconds.

Question 65

blade server

Answer 65

A type of computer architecture where a main chassis equipped with a power supply, cooling, network, and console connectors contains several slots that are fitted with individual computer modules called blades. Each blade is an independent computer system.

Question 66

block cipher

Answer 66

An encryption algorithm that operates on blocks of data.

Question 67

Bluetooth

Answer 67

A short-range airlink standard for data communications between peripherals and low-power consumption devices.

Question 68

bollard

Answer 68

A barrier that prevents the entry of vehicles into protected areas.

Question 69

Border Gateway Protocol (BGP)

Answer 69

A TCP/IP routing protocol that is used to transmit network routing information from one network router to another in order to determine the most efficient path through a large network.

Question 70

bot

Answer 70

A type of malware in which agents are implanted by other forms of malware and which are programmed to obey remotely issued instructions. See also botnet.

Question 71

botnet

Answer 71

A collection of bots that are under the control of an individual. See also bot.

Question 72

bridge

Answer 72

An Ethernet network device that is used to interconnect two or more Ethernet networks.

Question 73

broadcast address

Answer 73

The highest numeric IP address in an IP subnet. When a packet is sent to the network’s broadcast address, all active stations on the network will receive it.

Question 74

brownout

Answer 74

A sustained drop in voltage that can last from several seconds to several hours.

Question 75

budget

Answer 75

A plan for allocating resources over a certain time period.

Question 76

bug sweeping

Answer 76

The practice of electronically searching for covert listening devices.

Question 77

bus

Answer 77

A component in a computer that provides the means for the different components of the computer to communicate with each other.

Question 78

bus topology

Answer 78

A network topology where each station is connected to a central cable.

Question 79

business case

Answer 79

An explanation of the expected benefits to the business that will be realized as a result of a program or project.

Question 80

business continuity planning (BCP)

Answer 80

The activities required to ensure the continuation of critical business processes.

Question 81

business functional requirements

Answer 81

Formal statements that describe required business functions that a system must support.

Question 82

business impact analysis (BIA)

Answer 82

A study that is used to identify the impact that different disaster scenarios will have on ongoing business operations.

Question 83

business process reengineering

Answer 83

The set of activities related to the process of making changes to business processes.

Question 84

business realization

Answer 84

The result of strategic planning, process development, and systems development, which all contribute toward a launch of business operations to reach a set of business objectives.

Question 85

business recovery plan

Answer 85

The activities required to recover and resume critical business processes and activities. See also response document.