ISACA Terminology Glossary Flashcards
Checksum
A checksum value is generated by an algorithm and associated with an input value and/or a whole input file.
The checksum value can be used to assess its corresponding input data or file at a later date and verify that the input has not been maliciously altered.
This verifies the INTEGRITY of the number/amount/file: it ensures that the number in the output file reflects the number in the input file, and therefore that the number was not altered and no unauthorized modifications occurred following input.
It is highly improbable that an unauthorized party could alter the input without also altering the corresponding checksum output. If a subsequent checksum value no longer matches the initial value, the input may have been altered or corrupted.
Acknowledgement (ACK)
A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly by the receiver without errors, or that the receiver is now ready to accept a transmission.
Example: Functional Acknowledgements used in EDI transactions - these serve as the audit trail for EDI transactions and are one of the main controls used in data mapping (what was received vs. what was sent - how do the data fields in the sender’s file map to the data fields configured in the receiver’s file/program).
USED FOR DATA MAPPING, NOT FOR AUTHENTICITY OF EDI TRANSACTIONS - AUTHORIZATION IS ACHIEVED BY VERIFYING THE SENDER AGAINST CONTRACTS.
Public Key Verification:
(1) Public Key
(2) Asymmetric Key (Public Key)
(3) Public Key Encryption
(4) Public Key Infrastructure (PKI)
(5) Public Key Cryptosystem
(6) Asymmetric Cipher
KEY VERIFICATION: USED FOR THE PROTECTION OF DATA (CONFIDENTIALITY OF DATA)
(1) Public Key: In an asymmetric cryptographic scheme, the key that may be widely published to enable the operation of the scheme.
(2) Asymmetric Key (Public Key): Cipher technique in which different cryptographic keys are used to encrypt and decrypt a message.
(3) Public Key Encryption: A cryptographic system that uses two keys: one is a public key, which is known to everyone, and the second is a private or secret key, which is only known to the recipient of the message.
(4) Public Key Infrastructure (PKI): A series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued.
(5) Public Key Cryptosystem: Public key cryptosystems combine a widely distributed public key and a closely held, protected private key. A message that is encrypted by the public key can only be decrypted by the mathematically related, counterpart private key. Conversely, only the public key can decrypt data that was encrypted by its corresponding private key.
(6) Asymmetric Cipher: Most implementations of asymmetric ciphers combine a widely distributed public key and a closely held, protected private key. A message that is encrypted by the public key can only be decrypted by the mathematically related, counterpart private key.
Note: “Cipher” is an algorithm for performing encryption or decryption (it converts the original message [called “plaintext”] into “ciphertext”, using a key to determine how it is done).
Private Key Verification:
(1) Private Key
(2) Symmetric Key Encryption
(3) Private Key Cryptosystems
(4) Symmetric Cipher
KEY VERIFICATION: USED FOR THE PROTECTION OF DATA (CONFIDENTIALITY OF DATA)
(1) Private Key: A mathematical key (kept secret by the holder) used to create digital signatures and, depending on the algorithm, to decrypt messages or files encrypted (for confidentiality) with the corresponding public key.
(2) Symmetric Key Encryption: System in which a different key (or set of keys) is used by each pair of trading partners to ensure that no one else can read their messages. The same key is used for encryption and decryption.
(3) Private Key Cryptosystems: Private key cryptosystems involve secret, private keys. The keys are also known as symmetric ciphers because the same key both encrypts message plaintext from the sender and decrypts resulting ciphertext for a recipient.
(4) Symmetric Cipher: A symmetric cipher is an algorithm that encrypts data using a single key. In symmetric cryptographic algorithms, a single key is used for encipherment (encrypting) and decipherment (decrypting).
Note: “Cipher” is an algorithm for performing encryption or decryption (it converts the original message [called “plaintext”] into “ciphertext”, using a key to determine how it is done).
Public/Private Key Verification:
(1) Encryption
(2) Encryption Key
(3) Decryption Key
(4) Key Length
(5) Cryptosystem
(1) Encryption: The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext).
USED FOR THE PROTECTION OF DATA (CONFIDENTIALITY OF DATA)
(2) Encryption Key: A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext.
(3) Decryption Key: A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption.
(4) Key Length: The size of the encryption key measured in bits.
(5) Cryptosystem: A pair of algorithms that take a key and convert plaintext to ciphertext and back.
Note: “Cipher” is an algorithm for performing encryption or decryption (it converts the original message [called “plaintext”] into “ciphertext”, using a key to determine how it is done).
Digital Signature
A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and non-repudiation.
A digital signature is generated using the sender’s private key or by applying a one-way hash function.
Can ensure nonrepudiation (someone cannot deny something, i.e., the ability to ensure that a party to a contract or communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated).
Gateway
A device (router, firewall) on a network that serves as an entrance to another network.
(1) Boundary
(2) Boundary Control
(3) Firewall
(1) Boundary: Logical and physical controls to define a perimeter between the organization and the outside world.
(2) Boundary Control: Establishes the interface between the would-be user of a computer system and the computer system itself; are individual-based, not role-based, controls.
(3) Firewall: A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet.
(1) Criticality Analysis
(2) Criticality
(3) Data Classification Scheme
(1) Criticality Analysis: An analysis to evaluate resources or business functions to identify their importance to the enterprise, and the impact if a function cannot be completed or a resource is not available.
(2) Criticality: The importance of a particular asset or function to the enterprise, and the impact if that asset or function is not available.
Criticality of data is used in the identification and ranking of information assets during the RISK ASSESSMENT process.
(3) Data Classification Scheme: An enterprise scheme for classifying data by factors such as (1) data criticality, (2) sensitivity and (3) ownership (location of assets).
This will set the tone or scope of how to assess risk in relation to the organizational value of an asset.
Impact Analysis
A study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events.
In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.
Intrusion Detection System (IDS)
Inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack.
IDS is a DETECTIVE control.
Dry-Pipe Fire Extinguisher System (Fire Suppression System)
Refers to a sprinkler system that does not have water in the pipes during idle usage, unlike a fully charged fire extinguisher system that has water in the pipes at all times.
The dry-pipe system is activated at the time of the fire alarm, and water is released into the pipes from a water reservoir for discharge at the location of the fire.
Fire Suppression System is a CORRECTIVE control.
(1) Application Software Tracing & Mapping
(2) Mapping
(3) Tracing
(1) Application Software Tracing & Mapping: Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, control conditions and processing sequences.
Both the command-language or job-control statements and the programming language can be analyzed.
This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons.
(2) Mapping: Diagramming data that are to be exchanged electronically, including how they are to be used and what business management systems need them.
(3) Tracing: Transaction reconciliation effort that involves following the transaction from the original source to its final destination.
IMPORTANT: In Electronic Funds Transfer (EFT) transactions, the direction of tracing may start from the Customer-printed copy of the receipt, proceed to checking the system audit trails and logs, and end with checking the master file records for daily transactions.
Service-Oriented Architecture (SOA)
A cloud-based library of proven, functional software applets that are able to be connected together to become a useful online application.
Relies on the principles of a distributed environment in which services encapsulate business logic as a “black box” and might be deliberately combined to depict real-world business processes.
Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services.
Table Look-Up
Used to ensure that input data agree with predetermined criteria stored in a table.
Input data is checked against predefined tables, which PREVENT any undefined data from being entered.
This is a PREVENTATIVE control.