ISC Glossary

Question 1

Abstraction

Answer 1

Hiding the complexity of tasks to limit user access to relevant information, enhancing security by controlling access to sensitive data.

Users only get access to what they need to do their job.

Question 2

Acceptance Criteria

Answer 2

Measurable and specific criteria established by management to objectively evaluate changes to systems or processes.

Question 3

Application Logs

Answer 3

Logs recording application data, such as user access, executed functions, and errors.

Question 4

Assessment Procedures

Answer 4

Objectives with assessment objects and methods, such as examination, interviewing, and testing.

Question 5

Attestation Risk

Answer 5

In an examination or review attest engagement, attestation risk is the risk that the practitioner expresses an inappropriate opinion or conclusion, respectively, when the subject matter information or assertion is materially misstated.

Question 6

Availability

Answer 6

The ability of a business to perform its functions or meet business objectives, including system availability (accessibility of business data and normal IT system operations) and availability of human capital (personnel being ready and able to perform normal operations).

Question 7

BIA Report

Answer 7

A comprehensive report that assesses risks and potential impacts of disruptions at the department, business unit, or product level to form a company-wide business impact analysis (BIA).

Question 8

Blockchain

Answer 8

A control system originally designed to govern the creation and distribution of cryptocurrencies like Bitcoin. It ensures the immutability and security of transaction through decentralized validation.

Question 9

Breach Notification

Answer 9

A requirement added by HITECH to HIPAA, obligating covered entities to notify individuals affected by a data breach within 60 days of discovery.

Question 10

Buffer Overflow

Answer 10

A type of cyberattack in which attackers overload a program’s temporary storage with more inputs than it is designed to hold.

Question 11

Business Continuity Plans

Answer 11

Plans focused on keeping the business operational during a disaster, including contingency and mitigation procedures for all business processes, such as relocating facilities, managing human resources, and maintaining customer and supplier relationships.

Question 12

Business Impact Analysis (BIA)

Answer 12

An assessment process that identifies essential business units, departments, and processes crucial to an entity’s survival and evaluates the impact of failure or disruption on the organization.

Question 13

Change Advisory Board (CAB)

Answer 13

A formal board responsible for reviewing, approving, and planning for system changes, ensuring separate environments for testing, staging, and production.

Question 14

Change Management Controls

Answer 14

Measures put in place to minimize risks during the change management process, including policies, standardized change requests, impact assessment, and ongoing monitoring.

Question 15

Change Management Process

Answer 15

Steps to successfully manage change, from identification and approval to implementation and monitoring.

Question 16

Change Request

Answer 16

A formal proposal for making changes to a system or process, often submitted for review and approval by a change advisory board.

Question 17

Cold Site

Answer 17

An off-site location with electrical connections and other physical requirements for data processing but which lacks actual equipment. It requires one to three days to become operational and is the least costly form of off-site location for disaster recovery.

Question 18

Common Vulnerabilities and Exposures (CVE) List

Answer 18

A nomenclature and dictionary of security-related software flaws. Classification schemes are used to assess the likelihood of exploitation and the impact of vulnerabilities.

Question 19

Common Vulnerability Scoring System (CVSS)

Answer 19

A system for measuring the relative severity of software flaw vulnerabilities. Classification schemes are used to assess the likelihood of exploitation and the impact of vulnerabilities.

Question 20

Communication Plan

Answer 20

A plan outlining the process and stakeholders to be notified during incident response.

Question 21

Community Cloud

Answer 21

A cloud infrastructure shared by multiple organizations for a common interest, such as regulatory compliance or collaboration.

Question 22

Compliance Objectives

Answer 22

Objectives related to adhering to governmental laws and regulations, including industry standards such as NIST, U.S. regulations like HIPAA, and international laws like GDPR.

Question 23

Composite Primary Key

Answer 23

When more than one attribute is required to uniquely identify each record in a table, they form a composite primary key.

Question 24

Corrective Controls

Answer 24

Measures implemented to rectify known vulnerabilities in response to security incidents, self-assessments, or changes in industry practices.

Question 25

Covert Channels

Answer 25

A type of cyberattack transmitting data using methods not originally intended for data transmission by the system designers.

Question 26

Cryptography

Answer 26

The practice of secure communication techniques, converting plaintext into ciphertext using encryption algorithms.

Question 27

Data Center

Answer 27

A facility that houses computer systems and related components, such as telecommunications and storage systems, with advanced security measures and climate control.

Question 28

Data Classification Scheme

Answer 28

Categorizing data based on sensitivity (e.g., internal, public, sensitive, confidential) to understand implications in case of data loss or compromise.

Question 29

Data Flow Diagram (DFD)

Answer 29

A visual representation to describe the flow of data through a process.

Question 30

Data Loss Prevention (DLP) Systems

Answer 30

Tools that prevent sensitive data from being leaked or accessed by unauthorized users.

Question 31

Data Management Process

Answer 31

Securely managing the entire life cycle of data, from identification and classification to disposal.

Question 32

Data Mapping

Answer 32

Identifying software applications that access data based on sensitivity levels and consolidating devices and software into separate networks based on sensitivity.

Question 33

Data Minimization

Answer 33

A GDPR principle stating that data processing must be limited to what is necessary for the purpose

Question 34

Data Model

Answer 34

Conceptual representations of the data structures in an information system.

Question 35

Data Privacy Framework

Answer 35

Published by NIST in early 2020 to protect individuals’ data used in data processing applications. It is designed to be industry-agnostic and consider cultural and individual privacy constructs.

Question 36

Database Elements

Answer 36

References to table names, attribute names, or criteria used in SQL queries.

Question 37

Database Management System (DBMS)

Answer 37

Software that manages databases, enabling users to interact with the data by storing, retrieving, updating, and deleting information.

Question 38

Decentralized Blockchain

Answer 38

A blockchain that is not under the control of a central authority, providing resistance to alteration and enabling multiparty transaction validation.

Question 38

Database Schema

Answer 38

Defines how data is organized within a relational database.

A set of instructions to tell the database engine how to organize data to be in compliance with the data models.

Question 39

Deficiencies in Design

Answer 39

Refers to either necessary controls that are missing existing controls that are not designed properly in a SOC 2 engagement.

Question 40

Description Criteria

Answer 40

The criteria used to determine whether the description of the service organization’s system is presented fairly and includes relevant information.

Question 41

Design Factors and Focus Areas

Answer 41

Customization options within the COBIT core model that allow organizations to tailor the application of the framework to their specific needs.

Question 42

Detective Measures

Answer 42

Security measures that focus on identifying and detecting potential threats or breaches after they occur, such as monitoring and incident response systems.

Question 43

Deviations in Operations of Controls

Answer 43

Occurs when properly designed controls either do not operate as designed or are performed by unauthorized or incompetent individuals in a SOC 2 engagement.

Question 44

Device Spoofing

Answer 44

Attacker introduce fake devices to gain unauthorized access to networks.

Question 45

Discretionary Access Control (DAC)

Answer 45

A security model where access permissions are determined and granted at the discretion of the data owner or administrator.

Question 46

Domain Name System (DNS) Filtering

Answer 46

Blocking access to specific domains by filtering domain name system requests.

Question 47

Encapsulation

Answer 47

An object-oriented programming principle where data and methods are encapsulated within a class, controlling access and providing data integrity.

Question 48

Endpoint Detection and Response (EDR) Systems

Answer 48

Security solutions that monitor and respond to threats on individual devices or endpoints.

Question 49

Enterprise Log Management Process

Answer 49

Addresses the entire like cycle of audit logs, from collection to disposal, for incident response, accountability, compliance, and process improvement.

Question 50

Environment Runtime

Answer 50

IT infrastructure that supports the running of a particular codebase in real time.

Question 51

Executive Committee

Answer 51

A committee within the board of directors responsible for strategic decision making.