ISC Vocabulary for Brainscape a-i Flashcards
Access
A specific type of interaction between a subject and an object that results in the flow of information from one to the other. A subject’s right to use an object.
Access Control
- The process of limiting access to the resources of a system only to authorized programs, processes or other systems (in a network). Synonymous with controlled access and limited access.
- It enables authorized use of a resource while preventing unauthorized use or use in an unauthorized manner.
Access Control List
A list of the subjects that are permitted to access an object and the access rights of each subject.
Access Control Mechanism
Hardware or software features, operating procedures, management procedures, and various combinations of these designed to prevent and detect unauthorized access and to permit authorized access in an automated system.
Accountability
Accountability is the obligation to explain one’s actions or to justify what one does. Accountability is one of the primary objectives of financial reporting. It is information about how management discharged its stewardship responsibility to owners or to the citizenry regarding the use of resources entrusted to it. “Accountability requires governments to answer to the citizenry—to justify the raising of public resources and the purposes for which they are used.” (GASBCS 1.56)
Accounting System
An accounting system is a set of processes, procedures, and software tools designed to capture, process, store, and analyze financial data. Accounting systems are crucial for maintaining accurate financial records, ensuring compliance with financial regulations, and producing financial statements and reports.
Accreditation
- A management’s formal acceptance of the adequacy of a computer system’s security.
- The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls.
Accuracy
Accurate information is information that correctly and precisely represents a recorded event. Accurate calculations are prepared without errors and reprinted and copied as originally derived. Accuracy is an audit internal control objective. Accuracy controls are designed to ensure that dollar amounts are computed correctly. Examples of accuracy controls include use of a current approved price list, verification of multiplication and addition, and matching of quantities ordered, received, and invoiced.
Active Attack
An attack on the authentication protocol where the attacker transmits data to the claimant or verifier. Examples of active attacks include a man-in-the-middle, impersonation, and session hijacking.
Administrator
An administrator is a person appointed by the court to handle the affairs of a person who has died intestate (without a will) or a deceased person whose will did not establish a valid executor. The administrator is empowered by the court to administer an estate, to act for the estate, and to carry out the terms of the will. The administrator is empowered to marshal the assets and pay the debts of the estate, and distribute the remaining assets as specified in the will or, if intestate, to distribute the assets according to the laws of descent and distribution in that state. Administrators are empowered to sell assets to pay debts. It is a fiduciary relationship and has certain duties and liabilities; powers, duties, and liabilities are identical to those of executors.
Advanced Encryption Standard (AES)
The AES specifies a U.S. government-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called cipher text; decrypting the cipher text converts the data back into its original form, called plain text. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits. AES is an encryption algorithm for securing sensitive but unclassified material.
Adverse Opinion
An adverse opinion is an “overall” audit opinion which states that the financial statements do not present fairly the financial position or the results of operations or cash flows in conformity with an applicable financial reporting framework (AU-C 705.09). Auditors must have as much sufficient appropriate audit evidence to support an adverse opinion as for an unmodified opinion. An adverse opinion is warranted when the departure from an applicable financial reporting framework or the inconsistency is sufficiently material or sufficiently pervasive as to misrepresent the financial position or results of operations or cash flows, or when the auditor believes the entity is not a going concern. An adverse opinion requires the disclosure of all the substantive reasons for the adverse opinion and the principal effects of the inconsistency on the financial statements, if known, or a statement in a separate emphasis-of-matter or other-matter paragraph preceding the opinion paragraph that the effects are not reasonably determinable.
Anomaly
Any condition which departs from the expected. This expectation can come from documentation (e.g., requirements specifications, design documents, user documents) or from perceptions or experiences. An anomaly is not necessarily a problem in the software, but a deviation from the expected, so that errors, defects, faults, and failures are considered anomalies.
Antivirus Software
Because of the danger of computer viruses and their effects, many reliable companies have created antivirus programs. These programs usually have most or all of the following functions:
- Virus protection—monitors computer activities in order to detect unauthorized or suspicious functions which may indicate a virus in operation.
- Virus identification—matches the specific virus with known types to ascertain its effects and the best course of recovery. This may also lend a clue as to the origin of the virus and includes scanning disks to locate viruses.
- Vaccination—utilities used to remove detected viruses from your system. Note: different utilities will be required to recover damaged files if a virus has been activated.
Application
An application is a computer program for performing a specific function, such as a payroll program.
Application Controls
“Application controls” refers to the transactions and data relating to each computer-based application system and are, therefore, specific to each such application. The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein. Application controls consist of input controls, processing controls, and output controls.
Application Program
Application programs are computer programs designed to perform a specific function directly for the user or for another application. Examples of application programs include word processors, database programs, and financial programs. The program processes specific files or performs specific functions such as receivables or payroll.
Application Software
Programs that perform specific tasks, such as word processing, database management, or payroll. Software that interacts directly with some non-software system (e.g., human, robot, etc.).
Asset
Assets are information resources that support an organization’s mission.
Asymmetric Keys
Two related keys, a public key and a private key that are used to perform complementary operations, such as encryption and decryption or signature generation and signature verification.
Attack
- The act of trying to bypass security controls on a system. An attack may be active, resulting in the alteration of data, or passive, resulting in the release of data. Note: The fact that an attack is made does not necessarily mean that it will succeed. The degree of success depends on the vulnerability of the system or activity and the effectiveness of existing countermeasures.
- An attempt to obtain a subscriber’s token or to fool a verifier into believing that an unauthorized individual possesses a claimant’s token.
Attacker
A party who is not the claimant or verifier but wishes to successfully execute the authentication protocol as a claimant.
Audit Trail (Audit Log)
The audit trail (audit log) is the path left by a transaction when it is processed. The trail begins with the original source document or documents, proceeds through the transactions, entries, and posting of records, and is completed with the financial statements.
Source document → Journal → Ledger → Financial statements
The traditional audit trail is characterized by accessible records, observable activities, source documents, detailed chronological journals, and ledger summaries. For entities with highly complex information technology systems, the audit trail is partially or completely electronic.
Information technology (IT) has impacted the audit trail in the following ways:
- Source documents may no longer be produced—access to documents is more difficult.
- Ledger summaries may be replaced by electronic master files.
- Printed data may not be available.
- Processing activities are difficult to observe—much of the processing is automated within the system.
Authenticate
- To verify the identity of a user, device, or other entity in a computer system, often as prerequisite to allowing access to resources in a system.
- To verify the integrity of data that have been stored, transmitted or otherwise exposed to possible unauthorized modification.
Authentication
- Providing assurance regarding the identity of a subject or object, for example, ensuring that a particular user is who he claims to be.
- Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system.
- The process of establishing confidence in user identities.
Authorization
- Determining whether a subject is trusted to act for a given purpose, for example, allowed to read a particular file.
- The granting or denying of access rights to a user, program, or process.
Automation
Automation is the technology which allows machines to perform tasks once performed by humans via programmed commands, combined with automatic feedback control, to ensure proper execution of the instructions without human intervention.
Availability
- The probability that a given resource will be usable during a given time period.
- The security goal that generates the requirement for protection against intentional or accidental attempts to perform unauthorized deletion of data or otherwise cause a denial of service or data.
- Timely and reliable access to and use of data and information services for authorized users.
Availability (Trust Services Criteria)
The availability criterion of Trust Services assesses whether the service organization’s system, product, or service is available for operation and use as committed or agreed to by a contract or service level agreement (SLA). This principle pertains to security-related criteria that may affect availability, monitoring such items as network performance and availability, site failover, and security incident handling.
Back Door
A hidden flaw in a system mechanism that can be triggered to circumvent the system’s security. Synonymous with trap door.
Backup
A backup, or the process of backing up, refers to the copying and archiving of computer data so it may be used to restore the original after a data loss event (data deletion or corruption). A backup is a system, device, file, disk, or facility that can be used in the event of malfunction or when the original source of data is lost. Backups can be a simple form of disaster recovery and should be part of a disaster recovery plan; however, backups should not alone be considered disaster recovery.
Backup Controls
Backup controls are a set of controls that provide a safeguard against loss of important parts of a database such as control files, redo logs, and data files by providing a representative copy of the data. The controls also provide safeguards against application errors.
Backup Procedures
Backup procedures are the provisions made for the recovery of data files and program libraries, and for restart or replacement of computer equipment after the occurrence of a system failure or of a disaster.
Baseline
A version of software used as a starting point for later versions.
Batch Processing
In batch processing, items to be processed are collected in groups to permit fast and convenient processing (processed as a group). Records of all transactions affecting a particular master file (e.g., payroll) are accumulated over a period of time (e.g., one week) and are then arranged in sequence and processed against the master file.
Batch Total
Batch total is an input control, the sum of the number of items or total amount. Input is compared to processing; a mismatch of the number of items or sum of the totals (e.g., sum of invoice totals) between input and processing indicates that an item was lost or processed twice.
Batching
Batching is the grouping together of similar transactions or data so they can be processed by a computer system as a single unit or transmitted at a single point of time.
Big Data
Big data describes the large volume of data available to business on a day-to-day basis which is analyzed for insights that lead to better decisions and strategic business moves. Big data is often defined by the three “V’s”: volume, velocity, and variety.
Biometric
An image or template of a physiological attribute (e.g., a fingerprint) that may be used to identify an individual. Biometrics may be used to unlock authentication tokens and prevent repudiation of registration.
Biometric Security Systems
Biometric security systems measure physical traits that make each person unique. Such traits include speech patterns, eye and finger physiology, written signature dynamics, and other common physical traits. The ideal system must be reliable and yet flexible in handling minor changes in physical characteristics. Oftentimes, a lack of flexibility can create a problem for a person who cuts their finger or wakes up with a hoarse voice. The system also requires the user be physically present to gain access to the system.
Blockchain
Blockchain is a digitized, decentralized, public ledger of all cryptocurrency transactions. Completed blocks are recorded and added to the chain in chronological order, allowing market participants to keep track of digital currency transactions without central recordkeeping.
Bridges
A device that connects similar or dissimilar LANs together to form an extended LAN.
Brouters
Brouters are routers that can also bridge; they route one or more protocols and bridge all other network traffic.
Brute-Force Attack
“Brute force” is a type of attack under which every possible combination of cryptographic keys, passwords, user IDs, and PINs is tried in an attempt to break into a computer system or network.
Business Continuity Plan (BCP)
A business continuity plan (BCP) is the documentation of a predetermined set of instructions or procedures that describe how an organization’s business functions will be sustained during and after a significant disruption.
Business Impact Analysis (BIA)
A business impact analysis (BIA) is an analysis of an IT system’s requirements, processes, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.
Certification
- The administrative act of approving a computer system for use in a particular application.
- A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Change Management
Change management in IT uses standardized methods, processes, and procedures to efficiently and promptly handle changes to the controlled IT infrastructure. Change management maintains the balance between needed changes and the potential negative impact of such changes on service. Changes in the IT infrastructure may arise reactively (responding to problems or externally imposed requirements such as legislative changes), proactively (seeking greater efficiency and effectiveness or implementing new business initiatives), or from service improvement initiatives and other programs or projects.
Check Digit
A check digit is a specific type of input control, consisting of a single digit at the end of an identification code that is computed from the other digits in a field. If the identification code is mis-keyed, a formula or algorithm will reveal that the check digit is not correct, and the field will not accept the entry.
For example, the formula for a seven-digit account number could be the sum of double, add, double, add, double, add, subtracted from the next multiple of 10. In this case, 123456 would have a check digit of 0 and the full account number would be 1234560 (2 + 2 + 6 + 4 + 10 + 6 = 30; the next multiple of 10 is 30, so 30 - 30 = 0). If 1233560 is keyed instead of 1234560, the formula will not produce the proper check digit and the account number will be rejected.
There are many different formulas or algorithms for calculating check digits.
Checkpoint
A checkpoint is a place in a computer program where its status can be recorded or its information saved (dumped) and later execution can be resumed from that point rather than from the beginning of the program.
Ciphertext
The result of transforming plaintext with an encryption algorithm. Also known as cryptotext. It is encrypted (enciphered) data.
Client-Server
The client/server model states that a client (user), whether a person or a computer program, may access authorized services from a server (host) connected anywhere on the distributed computer system. The services provided include database access, data transport, data processing, printing, graphics, electronic mail, word processing, or any other service available on the system. These services may be provided by a remote mainframe using long haul communications or within the user’s workstation in real-time or delayed (batch) transaction mode. Such an open access model is required to permit true horizontal and vertical integration.
Cloud
“The cloud” is a metaphor for a global network, first used in reference to the telephone network and now commonly used to represent the internet. Clouds can be public, private, or hybrid.
Cloud Computing
Cloud computing is the delivery of computing services including servers, databases, storage, networking, software, and analytics over the internet—in other words, “the cloud”—offering flexible resources, economies of scale, and faster innovation.
COBIT
COBIT, issued by ISACA (the Information Systems Audit and Control Association), stands for Control Objectives for Information and Related Technologies. The COBIT framework focuses on information technology management and governance.
Code
Code is the instructions or statements of a computer program, a system of symbols to convert alphanumeric data into a transmittable form, or a set of rules for the manner in which data must be represented.
Cold Site
A cold site is a location that provides everything necessary to quickly install computer equipment in the event of a disaster striking an organization.
Completeness
Completeness is an audit internal control objective. Completeness controls are designed to ensure that all valid transactions are recorded and none omitted. Example: Completeness controls include periodic accounting for the number sequence of prenumbered forms to ascertain that all validly used forms have been recorded (e.g., shipping documents).
Computer Fraud
Misrepresentation, alteration, or disclosure of data in order to obtain something of value (usually for monetary gain). A computer system must have been involved in the perpetration or cover-up of the act or series of acts. A computer system might have been involved through improper manipulation of input data; output or results; applications programs; data files; computer operations; communications; or computer hardware, systems software, or firmware.
Computer Security
Computer security is the protection of a computer system’s assets and its information from unauthorized use, disclosure, alteration, manipulation, and destruction.
Computer Virus
A computer virus is a segment of executable code that attaches itself to an executable system component. Viruses are contagious and are easily spread from one system to another when those systems share programs or files. Many viruses lie dormant for long periods of time, doing nothing other than copying themselves to other files and systems. Viruses do not usually leave any external signs of their presence, so when they trigger, they can cause unexpected and widespread damage. A virus may destroy or alter data or programs, take control of the computer, destroy the hard disk’s file allocation table (FAT), make it impossible to boot the system, intercept and change transmissions, or print messages to the screen. As the virus spreads, it takes up disk space, clogs communications, and hinders system performance.
Computing Security Methods
Computing security methods are security safeguards implemented within the IS, using the networking, hardware, software, and firmware of the IS. This includes the following:
- the hardware, firmware, and software that implement security functionality, and
- the design, implementation, and verification techniques used to ensure that system assurance requirements are satisfied.
Confidentiality
- A concept that applies to data that must be held in confidence and that describes the status and degree of protection that must be provided for such data about individuals as well as organizations.
- Ensuring that data is disclosed only to authorized subjects.
- The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and while in transit. It is assurance that information is not disclosed to unauthorized individuals, processes, or devices. It is preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Confidentiality (Trust Services Criteria)
The confidentiality criterion of Trust Services assesses whether the service organization’s information that is designated “confidential” is protected as committed or agreed to in the contract. Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations (e.g., company personnel, business plans, intellectual property, or internal price lists).
Configuration
The configuration is the relative or functional arrangement of components in a computer system.
Configuration Control
Configuration control is the process of controlling modifications to the system’s hardware, firmware, software, and documentation that provides sufficient assurance that the system is protected against the introduction of improper modifications prior to, during, and after system implementation.
Configuration Management
Configuration management is a procedure for applying technical and administrative direction and surveillance to:
- identify and document the functional and physical characteristics of an item or system,
- control any changes to such characteristics, and
- record and report the change, process, and implementation status.
The configuration management process must be carefully tailored to the capacity, size, scope, phase of the life cycle, maturity, and complexity of the system involved. Configuration management is the process of controlling the software and documentation so they remain consistent as they are developed or changed. It is the management of security features and assurances through control of changes made to a system’s hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the development and operational life of the system.
Consistency (Data)
The quality of data can be measured using the criterion of consistency: The data should reflect the same information across all systems, and the systems should be in sync with each other across the enterprise.
Consolidation
Consolidation is a reporting procedure in which the financial statements of the parent and the subsidiary are combined. The financial statements are prepared by the parent, not by the subsidiary. Consolidation is a reporting procedure only. It does not affect the accounting records of either the parent or the subsidiary. All majority-owned subsidiaries must be consolidated with the parent unless control does not rest with the majority owner (e.g., if the subsidiary is in legal reorganization or bankruptcy).
Contingency Plan
A contingency plan is a plan for responding to the loss or failure of a system. The plan describes the necessary steps to take in order to ensure the continuity of core business processes. It includes emergency response, backup operations, and post-disaster recovery. It is synonymous with a disaster plan and emergency plan.
Continuous Monitoring
Continuous monitoring is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational environment.
Continuous monitoring, as defined in the 2009 COSO Guidance on Monitoring Internal Control Systems, serves as both a preventive and a corrective control, and ensures:
- operational effectiveness and efficiency,
- reliability of financial reporting, and
- compliance with applicable laws and regulations.
Control Activities
AU-C 315.21 and .A102–.A103 state that control activities are the policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks that threaten the achievement of the entity’s objectives. Control activities have various objectives and are applied at various organizational and functional levels.