ISC Vocabulary for Brainscape j Flashcards
1
Q
Just-in-Time Manufacturing
A
Just in time (JIT) is a manufacturing philosophy intended to promote the simplest, least costly means of production. Under ideal conditions, the company would receive raw materials just in time to go into production, manufacture parts just in time to be assembled into products, and complete products just in time to be shipped to customers. JIT shifts the production philosophy from a “push” approach to a “pull” approach. It eliminates the storage of inventories at all stages of the production process.
2
Q
Key
A
A long stream of seemingly random bits used with cryptographic algorithms. The keys must be known or guessed to forge a digital signature or decrypt an encrypted message.1. An input that controls the transformation of data by an encryption algorithm. It is a sequence of symbols that controls the operations of encryption and decryption.
3
Q
Least Privilege
A
The principle that requires that each subject be granted the most restrictive set of privileges needed for the performance of authorized tasks. The application of this principle limits the damage that can result from accident, error, or unauthorized use.
4
Q
Local Area Network (LAN)
A
A local area network (LAN) is a series of microcomputers linked together by cable and sometimes using a common storage device. This linkage allows the sharing of information and common processing. Two of the more common LAN configurations (structures) are ring and star. A star LAN structure has remote computers with direct access to a central computer. It looks like spokes connected to the hub. A ring LAN structure does not have a common hub, but it still can have a server. The LAN looks like a ring with each computer (node) connected to only two other computers.
5
Q
Log
A
A log is a record of the operations of data processing equipment that lists each job run, the time it required, operator actions, and other pertinent data.
6
Q
Logic Bomb
A
A logic bomb is a Trojan horse set to trigger at a particular condition, event, or command.
7
Q
Logical Access
A
Logical access describes how security software works to restrict access to a computer’s data. This type of restricted access is called “logical access” because the computer’s software interprets information, such as user ID and password, to determine who can have access to the computer’s records.
8
Q
Machine Learning
A
Machine learning (ML) is one application of artificial intelligence (AI), based around the idea that we should be able to give machines access to data and let them learn for themselves. For example, ML applications can read text and work out whether the person who wrote it is making a complaint or offering congratulations.
9
Q
Malicious Code
A
Malicious code refers to programs that are written intentionally to carry out annoying or harmful actions. They often masquerade as useful programs or are embedded into useful programs so that users are induced into activating them. Types of malicious code include Trojan horses, computer viruses, and worms.1. A virus, worm, Trojan horse, or other code-based entity that infects a host.
10
Q
Malware
A
Malware is a type of software designed to gain unauthorized access or to cause damage to a computer.
11
Q
Management Information System (MIS)
A
A management information system (MIS) provides managers with the information they need for planning, organizing, decision making, and controlling the activities of the entity. The system may include the formal financial accounting records and can include many other information items needed by management.
12
Q
Man-in-the-Middle Attack (MitM)
A
An attack on the authentication protocol run in which the attacker positions himself in between the claimant and verifier so that he can intercept and alter data traveling between them.
13
Q
Mantrap
A
A mantrap is a physical security access control system comprised of a small space with two sets of interlocking doors.
14
Q
Masquerading
A
An attempt to gain access to a computer system by posing as an authorized user. Synonymous with impersonation and mimicking.
15
Q
Master File
A
A master file is used in electronic data processing and contains relatively permanent information used for reference and updated periodically.
16
Q
Materiality
A
Information is material if omitting it or misstating it could influence decisions that users make on the basis of the financial information of a specific reporting entity. In other words, materiality is an entity-specific aspect of relevance based on the nature or magnitude or both of the items to which the information relates in the context of an individual entity’s financial report. Consequently, the FASB cannot specify a uniform quantitative threshold for materiality or predetermine what could be material in a particular situation.SFAC 8.3, QC11Materiality judgments are concerned with thresholds.Example:You would ask the following questions:Is an item of information, an omission, misstatement, or errorlargeenough, considering its nature and the attendant circumstances, that it is probable that the judgment of a reasonable person relying on the information would have been changed or influenced?Is the item important enough to matter?The relative, rather than absolute, size of the item determines whether or not it is material in a given situation. The auditor’s consideration of materiality is affected by the interaction of quantitative and qualitative factors.The concept of materiality is pervasive. It is related to the relevance and faithful representation of information and is critical to audit judgments regarding audit risk and disclosure.
17
Q
Materially Misstated
A
A material misstatement is an untrue statement that misrepresents the facts and which, by its magnitude or nature, influences the decision making of the user. A misstatement or misrepresentation is “material” if it relates to a matter upon which a party could be expected to rely in determining to engage in the conduct in question. The party who relies could be the plaintiff in a lawsuit of an investor or other user of financial data.
18
Q
Message Digest
A
The fixed size result of hashing a message.A cryptographic checksum, typically generated for a file that can be used to detect changes to the file; Secure Hash Algorithm-1 (SHA-1) is an example of a message digest algorithm.
19
Q
Metadata
A
Metadata repositories store data about data and databases. The metadata describes the data source, how it was captured, and what it represents.
20
Q
Middleware
A
Middleware is software that lies between an operating system and the applications running on it. It enables communication and data management for distributed applications, like cloud-based applications (e.g., web servers, application servers, and content management systems).
21
Q
Mission-Critical System
A
A mission-critical system is a system supporting a core business activity or process.
22
Q
Misstatement
A
A misstatement is a difference between the measurement or evaluation of the underlying subject matter and the appropriate measurement or evaluation of the underlying subject matter in accordance with (or based on) the criteria—for instance, a difference in amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be presented fairly in accordance with an applicable financial reporting framework. Misstatements can arise from fraud or error. Misstatements can be intentional or unintentional, qualitative or quantitative, and include omissions. (AU-C 200).In certain engagements, a misstatement may be referred to as adeviation, exception,orinstance of noncompliance.(AT-C 105.10)
23
Q
Modem
A
A modem is an electronic device that allows a computer terminal to send its electronic signals via an audio signal over a telephone line. Using a modem, one computer can communicate with another by phone.The word “modem” is derived from the contraction of “modulator” and “demodulator.” In the modem, the modulator converts digital pulses, characteristic of a computer’s output, to audio tones capable of being transmitted over a common telephone line. A demodulator in the modem reverses the process at the receiving end.
24
Q
Monitoring Activities
A
Monitoring is one of the key components of the COSOInternal Control – Integrated Framework.Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, standard-setting bodies, or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.
25
Network
A network is a collection of computers and other hardware components interconnected by communication channels that allow sharing of resources and information.
26
Nonrepudiation
With high assurance, an authentication asserted to be genuine that cannot subsequently be refuted. It is the security service by which the entities involved in the communication cannot deny having participated. This service provides proof of the integrity and origin of data that can be verified by a third party. Nonrepudiation of origin is protection against a sender of a message later denying transmission.1. Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information. A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.
27
Object Code
Object code is a form of computer output from a translation process that changes the code from one language to another. For example, source code languages, such as COBOL, must be translated into object code languages, such as machine language, before they can be executed. The process of translation into object code is an internal computer function.
28
Online Transaction
An online transaction is processed with other computers or networks immediately through the internet. The transaction is processed without delay as it is initiated and executed. Input or initiation equipment (e.g., a cash register) is in direct and open communication with the CPU (central processing unit) of the processing computer system.
29
Operating System
An operating system is a software program that controls the overall operation of a computer system. Its functions include controlling the execution of computer programs, scheduling, debugging, assigning storage areas, managing data, and controlling input and output.
30
Operational Effectiveness
Operational effectiveness can refer to both a “macro” and a “micro” definition: Macro: Operational effectiveness on a macro level refers to whether or not an organization is performing its key processes and activities better than its competitors. Micro: From a process and internal control standpoint, operational effectiveness refers to whether or not a process or control is being performed correctly.
31
Outsourcing
Outsourcing is the use of sources outside the company to provide certain services or products that could be produced within the company. It is perhaps most commonly associated with the decision to use outside suppliers to provide the traditional output of certain service centers (e.g., management information systems) but has also been used for manufacturing.
32
Passive Attack
An attack against an authentication protocol where the attacker intercepts data traveling along the network between the claimant and verifier but does not alter the data (i.e., eavesdropping).
33
Passphrase
A sequence of characters, longer than the acceptable length of a password, that is transformed by a password system into a virtual password of acceptable length.
34
Passwords
A password is a string of characters (alpha, numeric, or special) that allows an individual to access a computer or a multiuser computer system. These systems usually contain sensitive or restricted material. The password is traditionally user-definable to allow the user to create an individual secret code.
35
Patch
A patch (sometimes called a “fix”) is a “repair job” for a piece of programming. A patch is the immediate solution that is provided to users; it can sometimes be downloaded from the software maker's website. The patch is not necessarily the best solution for the problem, and the product developers often find a better solution to provide when they package the product for its next release. A patch is usually developed and distributed as a replacement for or an insertion in compiled code (that is, in a binary file or object module). In larger operating systems, a special program is provided to manage and track the installation of patches.
36
Penetration Testing
The portion of security testing in which the evaluators attempt to circumvent the security features of a computer system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users.
37
Performance Measurement
The process of developing measurable indicators that can be systematically tracked to assess progress made in achieving predetermined goals and using such indicators to assess progress in achieving these goals.
38
Perimeter-Based Security
The techniques of securing a network by controlling accesses to all entry and exit points of the network.
39
Personal Identification Number (PIN)
A 4- to 12-character alphanumeric code or password used to authenticate an identity, commonly used in banking applications.
40
Phishing
Phishing is the practice of sending fraudulent emails that resemble emails from reputable sources. The aim is to steal sensitive data like credit card numbers and login information.
41
Physical Security
Physical security is the application of physical barriers and control procedures as preventive measures or countermeasures against threats to resources and sensitive information.
42
Piggybacking
Piggybacking occurs when a perpetrator latches on to a legitimate user who is logging in to a system. The legitimate user unknowingly carries the perpetrator with him/her as he/she is allowed into the system.
43
Plaintext
Plain, unencrypted (unciphered) text or data.
44
Planning
Planning is a basic management function involving formulation of one or more detailed plans to achieve optimum balance of needs or demands with the available resources. The planning process: identifies the goals or objectives to be achieved, formulates strategies to achieve them, arranges or creates the means required, and implements, directs, and monitors all steps in their proper sequence.
45
Platform as a Service (PaaS)
Platform as a service (PaaS) is a computing platform (operating system and other services) delivered as a service over the internet by a provider. An example is an application development environment that can be subscribed to and used immediately.
46
Predictive Analytics
Predictive analytics technology uses data, statistical algorithms, and machine-learning techniques to identify the likelihood of future outcomes based on historical data (e.g., fraud detection).
47
Pretty Good Privacy (PGP)
Pretty good privacy (PGP) is a cryptographic software application for the protection of computer files and electronic mail. It combines the convenience of the Rivest-Shamir-Adelman (RSA) public key algorithm with the speed of the secret-key IDEA algorithm, digital signature, and key management.
48
Preventive Controls
Preventive controls are internal controls designed to prevent or minimize the chance of errors and fraud.
49
Privacy
Privacy is the right of an individual to self-determine the degree to which the individual is willing to share with others information about themselves that may be compromised by unauthorized exchange of such information among other individuals or organizations. It is the right of individuals and organizations to control the collection, storage, and dissemination of their information or information about themselves.
50
Privacy (Trust Services Criteria)
The privacy criterion of Trust Services assesses whether the personal information that the service organization collects, uses, retains, discloses, and disposes of is in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the AICPA.
51
Private Key
The undisclosed key in a matched key pair—private key and public key—used in public key cryptographic systems. A cryptographic key used with a public key cryptographic algorithm, uniquely associated with an entity, and not made public. In an asymmetric (public) key cryptosystem, the key of an entity's key pair that is known only by that entity. A private key may be used to: compute the corresponding public key, make a digital signature that may be verified by the corresponding public signature, decrypt data encrypted by the corresponding public key, or compute a piece of common shared secret information together with other information. The private key is used to generate a digital signature.
52
Probability
Probability theory is a branch of mathematics that studies the likelihood of occurrence of random events in order to predict behavior. Probability is the measure of how likely an event is. Probabilities can be measured using the following formula: P(E) = The number of ways that an event can occur ÷ The total number of possible outcomes Probability is the likelihood of the occurrence of any event in the realm of chances, of the ratio of favorable outcomes to the total number of possible outcomes, both favorable and unfavorable. It is the degree of confidence that we may reasonably have in the occurrence of a particular event. An a priori definition allows us to compute the probability of an outcome without experimentation in a “fair game.” For example, with a 6-sided die, we know that the probability of rolling any particular number is 1/6 since there are six possible outcomes when a die is thrown. Thus, if an experiment has n equally likely outcomes and r of the outcomes are in event E, then the probability of E, i.e., P(E) is r ÷ n. A relative frequency definition defines probability of an event E as the proportion of n trials that result in E. If the number of trials n is large, then the proportion of trials resulting in E is a good estimate of the probability that E will occur.
53
Processing
Processing is carrying out a specific task. It describes a stream of activity, the execution of a computer program, or the application of a specific, systematic, prescribed series of steps to achieve a desired effect. Processing describes the performance of specific operations to data. It applies to both manual and computerized accounting. Processing is frequently used to refer to the following: “Accounting processing,” which is the analysis and recording of financial data and preparation of reports and one of the five functions that should be segregated (also called “execution”) “Computer processing,” which is the performance of specific commands to data (e.g., retrieve, sort, calculate, summarize, compare) and is the step between input and storage and/or output In a flowchart, a process is shown in a box. Processing controls (a subset of application controls) are designed to provide reasonable assurance that the processing operations have been performed as intended or expected. Such controls include control totals (run-to-run, hash, financial totals, and record counts), file and operator logs, and limit and reasonableness tests.
54
Processing Integrity (Trust Services Criteria)
The processing integrity criterion of Trust Services assesses whether the service organization’s system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely, and authorized.
55
Program
A program is a plan for solving a problem, or a computer routine or set of instructions arranged in proper sequence to cause a computer to perform a particular process.To program is to devise a plan for solving a problem, or to write a computer routine.
56
Public (Asymmetric) Key Encryption
Public key encryption uses “key pairs,” a public key and a mathematically related private key. Given the public key, it is infeasible to find the private key. The private key is kept secret while the public key may be shared with others. A message encrypted with the public key can only be decrypted with the private key. A message can be digitally signed with the private key, and anyone can verify the signature with the public key.
57
Public Key
The key in a matched key pair—private key and public key—that is made public, for example, posted in a public directory, for public key cryptography. A cryptographic key used with a public key cryptographic algorithm, uniquely associated with an entity, and that may be made public. In an asymmetric (public) key cryptosystem, that key of an entity's key pair that may be publicly known. A public key may be used to: verify a digital signature that is signed by the corresponding private key, encrypt data that may be decrypted by the corresponding private key, and compute a piece of shared information by other parties. The public key is used to verify a digital signature. This key is mathematically linked with a corresponding private key. The public part of an asymmetric key pair that is typically used to verify signatures or encrypt data.
58
Public Key Certificate
An identifying digital certificate that typically includes the public key, information about the identity of the party holding the corresponding private key, and the operational period for the certificate, authenticated by the digital signature of the certification authority (CA) that issued the certificate. In addition, the certificate may contain other information about the signing party or information about the recommended uses for the public key. A subscriber is an individual or business entity that has contracted with a CA to receive a digital certificate verifying an identity for digitally signing electronic messages.1. A digital document issued and digitally signed by the private key of a certification authority that binds the name of a subscriber to a public key. The certificate indicates that the subscriber identified in the certificate has sole control and access to the private key.
59
Public Key Infrastructure
Public key infrastructure is a series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued
60
Qualified Opinion
A qualified opinion states that except for the effects of the matter to which the qualification relates, the financial statements present fairly, in all material respects, the financial position, results of operations, and cash flow in accordance with accounting standards generally accepted in the United States or an applicable financial reporting framework. A qualified opinion is warranted when the matter is material enough to prevent an unmodified opinion but not sufficiently material to require an adverse opinion or disclaimer of opinion. Such a qualified opinion is expressed when there is one of the following: Lack of sufficient appropriate evidence that does not warrant a disclaimer of opinion Restriction of scope that does not warrant a disclaimer of opinion Departure from GAAP that does not warrant an adverse opinion A qualified opinion requires disclosure of all substantive reasons for the qualification in one or more separate emphasis-of-matter or other-matter paragraph(s) preceding the opinion paragraph. The words “except for” and a reference to the emphasis-of-matter or other-matter paragraph(s) should appear in the opinion paragraph.
61
Quality Assurance QA
Quality assurance (QA) is any systematic process designed to prevent mistakes and defects in manufactured products, thus avoiding problems when delivering products or services to customers. QA establishes and maintains a set requirements for developing or manufacturing reliable products. A quality assurance system is meant to increase customer confidence and a company's credibility, while also improving work processes and efficiency, and it enables a company to better compete with others.
62
Ransomware
Ransomware is a type of malicious software designed to extort money by blocking access to files or the computer system until the ransom is paid.
63
Real-Time Processing
Real-time processing is an e-business term that describes the situation where a user sends in transactions and awaits a response from a distant computer before continuing.
64
Reasonableness Check
A reasonableness check is an edit check of logical correctness of the relationships among the values in an input data set, or the value of an input item with the values of a related data item in a master file. For example, a journal entry that debits selling expense and credits sales revenue is not logical, while a journal entry that debits accounts receivable and credits sales revenue is logical. A salary increase of $1 per month is not logical for any employee while a salary increase of $1,000 per month would only be logical for employees whose salaries were over a certain level.
65
Reciprocal Agreement
A reciprocal agreement is an agreement that allows two organizations to back up each other.
66
Reconciliation
Reconciliation is an action to bring two related balances into agreement, to identify differences between two related balances (as, for example, the cash balance per the accounting records and the balance per the bank statement), and to detect errors or items that were included in the preparation of one balance omitted from the other. Reconciliation is also applied to any two balances that should agree (i.e., accounts payable or receivable per the accounting records and per the creditor/debtor, investment balances per the records and per the trustee, etc.).
67
Record
A record is a set of logically related data items that describes specific attributes of an entity, such as all payroll data relating to a single employee.
68
Recovery Procedures
Recovery procedures are the actions necessary to restore a system's computational and processing capability and data files after a system failure.
69
Redundancy
A concept that can constrain the failure rate and protects the integrity of data. Redundancy makes confidentiality goal harder to achieve. If there are multiple sites with backup data, then confidentiality could be broken if any of the sites gets compromised. Also, purging some of the data on a backup tape could be difficult to do.
70
Redundancy (Server and Hardware)
With redundancy, critical servers and hardware components (e.g., power supplies, network connections) can be duplicated to ensure that if one fails, another can take over seamlessly. This is commonly used in high-availability clusters or redundant server configurations.
71
Redundant Data Check
A redundant data check is an edit check that requires the inclusion of two identifiers in each input record (e.g., the customer's account number and the first five letters of the customer's name). If these input values do not match those on the record, the record will not be updated.
72
Referential Integrity
Referential integrity refers to the relationship between data tables and ensuring that relationships between data exist and are used as they are defined.
73
Registration Authority (RA)
A trusted entity that establishes and vouches for the identity of a subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but is has a relationship to the CSP(s).
74
Reliability
The probability of a given system performing its mission adequately for a specified period of time under the expected operating conditions. The extent to which a computer program can be expected to perform its intended function, with the required precision, on a consistent basis.1. Extent to which a program can be expected to perform its intended function, with the required precision, on a consistent basis.
75
Remote Maintenance
Maintenance activities conducted by individuals communicating externally to an information system security practitioner.
76
Representations
Any conduct or written or oral statement capable of being turned into a statement of fact is a representation. This term is used with respect to lawsuits (usually re: conduct), audits (re: financial statements), and agent/agency (conduct). False representations can be basis for allegation of fraud, negligence, or malpractice, and can result in liability.
77
Revision
A revision is a change to a baseline configuration item that encompasses error correction, minor enhancements, or adaptations but to which there is no change in the functional capabilities.
78
Risk (IT)
Risk is a measure derived from the probability of failure occurring and the severity of failure modes. It is the likelihood that a vulnerability may be exploited or that a threat may become harmful, and the probability that one or more adverse events will occur.Risk is the level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
79
Risk Analysis
Risk analysis is the process of identifying security risks, determining their magnitude, and identifying areas needing safeguards. It is a part of risk management.Risk analysis is a technique to identify and assess factors that may jeopardize the success of a project or achievement of a goal. This technique also helps define preventive measures to reduce the probability of these factors from occurring and identify countermeasures to successfully deal with these constraints when they develop. Risk analysis is a part of risk management and is synonymous with risk assessment.
80
Risk Assessment
Risk assessment is a systematic process of evaluating the potential risks that are involved in an audit or attestation engagement. Risk assessment is one of the five components of internal control and the second level of the COSO pyramid depicting the structure of internal control. It is the identification and analysis of the risks that an entity faces in achieving its objectives and the determination of how those risks will be managed. All entities face risks from both internal and external sources. To be able to perform a risk assessment, the entity must have established its objectives. Risk assessment procedures refer to the audit procedures performed to obtain an understanding of the entity and its environment, including the entity's internal control, to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and relevant assertion levels. Note: COSO is the Committee of Sponsoring Organizations of the Treadway Commission, the National Commission on Fraudulent Financial Reporting.
81
Risk Management
A method of management that concentrates on identifying and controlling the areas of events that cause unwanted change. The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis; cost benefit analysis; gap analysis; sensitivity analysis; SWOT analysis; selection, implementation, testing, and security evaluation of safeguards; management reviews; and overall security review. The ongoing process of assessing the risk to mission/business as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate, cost-effective controls to achieve and maintain an acceptable level of risk. The process of managing risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system. It includes risk assessment; cost-benefit analysis; the selection, implementation, and assessment of security controls; and the formal authorization to operate the system. The process considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.
82
Risk of Material Misstatement (RMM)
The risk of material misstatement (RMM) is the combination of inherent risk (IR) and control risk (CR) for an entity. The auditor should also be concerned with the risk of material misstatement due to fraud, which involves consideration of known external and internal factors affecting the entity that: create incentives for management and others to perpetrate fraud, provide the opportunity for fraud to occur, and indicate a culture that enables rationalization of fraudulent activities.
83
Rivest-Shamir-Adleman (RSA) Algorithm
A public key signature algorithm can be used to generate digital signatures, encrypt messages, and provide key management for Data Encryption Standard and other secret key algorithms.
84
Role
A predefined set of rules establishing the allowed interactions between a user and the system.
85
Role-based access control (RBAC)
Role-based access control (RBAC) restricts network access based on a person's role within an organization and has become one of the main methods for advanced access control. The roles in RBAC refer to the levels of access that employees have to the network.
86
Routers
A router keeps a record of network node addresses and current network status, and it extends LANs.
87
Rule-based Security Policy
A security policy based on global rules imposed for all subjects. These rules usually rely on a comparison of the sensitivity of the objects being accessed and the possession of corresponding attributes by the subjects requesting access.
88
Sarbanes-Oxley Act of 2002 (SOX)
The Sarbanes-Oxley Act of 2002 (SOX), also known as the Public Company Accounting Reform and Investor Protection Act, was enacted to develop new or enhanced standards for all U.S. public company boards, management, and public accounting firms.
89
Scalability
The ability to move application software source code and data, without significant modification, into systems and environments that have a variety of performance characteristics and capabilities.
90
Schema
A schema is a description of the types of data elements that are in the database, the relationships among the data elements, and the structure or overall logical model used to organize and describe the data.
91
Script
A script is a sequence of commands, often residing in a text file, which can be interpreted and executed automatically. Unlike compiled programs, which execute directly on a computer processor, a script must be processed by another program that carries out the indicated actions.
92
Secret (Symmetric) Key Encryption
The traditional method used for encryption. The same key is used for both encryption and decryption. Only the party or parties that exchange secret messages know the secret key. The biggest problem with symmetric key encryption is securely distributing the keys. Public key techniques are now often used to distribute the symmetric keys.
93
Secure Hash Algorithm
An algorithm that can generate a condensed message representation of a message or a data file, called a message digest.
94
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
Secure sockets layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet. SSL is based on public key cryptography, used to generate a cryptographic session that is private to a web server and a client browser. SSL works by using a public key to encrypt data that is transferred over the SSL connection. Most web browsers support SSL, and many websites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with HTTPS instead of HTTP.TLS is an Internet standard based on SSL version 3.0. There are only minor differences between SSL and TLS.
95
Security
Security is the preservation of the authenticity, integrity, confidentiality, and ensured service of any sensitive or non-sensitive computer system-valued function and/or information element.Security is a system property and much more than a set of functions and mechanisms. Information system security is a system characteristic as well as a set of mechanisms that span the system both logically and physically.
96
Security (Trust Services Criteria)
The security criterion of Trust Services assesses whether the service organization’s system is protected, both logically and physically, against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.
97
Security Controls
Security controls are the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
98
Security Features
The security-relevant functions, mechanisms, and characteristics of system hardware and software. Security features are a subset of system security safeguards.
99
Security Perimeter
A boundary within which security controls are applied to protect assets. A security perimeter typically includes a security kernel, some trusted-code facilities, hardware, and possibly some communications channels.
100
Security Policy
The security policy is the statement of required protection of the information objects.
101
Security Software
Security software is computer software that restricts data access to authorized personnel. This access is called logical access because it interprets information (user IDs and passwords) and determines who can have access to the computer records and what they can do.By way of contrast, physical access is locked doors that prevent unauthorized people from entering the computer area.
102
Segregation (or Separation) of Duties
To achieve adequate internal control in a business enterprise, the primary functions of the business should be identified. The duties of these functions should be outlined and control procedures designed to achieve adequate internal control. In designing control procedures, the duties involved in accomplishing these functions should be separated as much as possible to attain control—the duties should be segregated.
103
Sequence Check
A sequence check is an edit check that determines if a batch of input data is in the proper numerical or alphabetical sequence.
104
Service Bureau
A service bureau is an outside organization that provides an organization with data processing or other services.
105
Shoulder Surfing
Stealing passwords or PINs by looking over someone's shoulder.
106
Smart Card
A small computer in the shape of a credit card used to identify and authenticate its owner.
107
SOC 1 Type 1 Report
SOC 1® Type 1 reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
108
SOC 1 Type 2 Report
SOC 1® Type 2 reports on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
109
SOC 2 Type 1 Report
In a SOC 2® Type 1 report, the service auditor provides an opinion as to whether the service organization’s description “fairly presents” the system that was designed and implemented, and whether the controls were suitably designed to meet the criteria as of a specified date
110
SOC 2 Type 2 Report
In a SOC 2® Type 2 report, the service auditor provides an opinion on whether the service organization’s description “fairly presents” the system that was designed and implemented; the controls were suitably designed to meet the criteria; the controls operated effectively during the specified period of time; and the service organization is in compliance with the commitments in its statement of privacy practices, if the report covers the privacy principle.
111
SOC 3 Report
SOC 3® reports are “public-facing” documents that give a high-level overview of information in the SOC 2® report. A SOC 2 report contains sensitive information about specific systems and network controls which should stay confidential; therefore, a SOC 3 report summarizes the non-sensitive content in a SOC 2 report for users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy but do not have the need for or the knowledge necessary to make effective use of a SOC 2 report.
112
Social Engineering
Social engineering is a tactic designed to trick an individual or entity into revealing sensitive information. Social engineering can be combined with threats like ransomware and malware to make a person more likely to click on links, download malware, or trust a malicious source.
113
Software
Software constitutes the instructions that turn hardware, circuits and chips, into a computer. Without the software, the computer is an expensive doorstop. There are two basic categories of software: system software and application software. In personal computers, system software includes the operating system (such as DOS, the Macintosh operating system, OS/2, and Windows) and system utilities like backup programs (such as BrightStar ARCserve Backup by CA, Inc.; Backup Exec and NetBackup by Symantec; and OpenView Storage Data Protector by Hewlett-Packard) and file management programs (such as Windows Explorer and ExplorerXP). This software runs the computer but does not perform any specific problem-solving functions. In mainframe computers, this may be MVS, AS400 OS, or other systems. Application software provides specific problem-solving or work tasks such as word processing, spreadsheets, database management, inventory management, deposit accounting, and payroll. Application software will not run unless system software is present to run the computer itself. The application software will call many functions from the system software (such as routines) to move the data (such as a letter) from the RAM (or working memory) to the disk (or storage device).
114
Software as a Service (SaaS)
Software as a service (SaaS) is an application delivered over the internet by a provider (also called a hosted application). The application does not have to be purchased, installed, or run on users’ computers.
115
Source Code
Source code is a computer language, such as COBOL or FORTRAN, that is an input to a translation process. A source code or source language must be translated into object code language (such as machine language) before it can be executed.
116
Spoofing
The deliberate inducement of a user or resource to take an incorrect action. Assuming the characteristics of another computer system or user, for purposes of deception. Using various techniques to subvert IP-based access control by masquerading as another system by using their IP address.
117
Stakeholder
An individual or group with an interest in the success of an organization in delivering intended results and maintaining the viability of the organization's products and services. Stakeholders influence plans, programs, products, and services.
118
Standard
An established basis of performance used to determine quality and acceptability.
119
Strategic Planning
A strategic plan outlines where an organization is headed over the next year or more, how it will get there, and how management will know that goals have been met.
120
Structured Query Language (SQL)
Structured query language (SQL) is a domain-specific language used in programming and designed for managing data held in a relational database management system (RDBMS). SQL is particularly useful in handling structured data, i.e., data incorporating relations among entities and variables.
121
Subject
An active entity—e.g., a process or device acting on behalf of a user, or in some cases the actual user—that can make a request to perform an operation on an object. An active entity, generally in the form of a person, process, or device that causes information to flow among objects or changes the system state. The person whose identity is bound in a particular credential.
122
Subschema
A subschema is part of a schema—a logical description of all the items in a database together with a logical description of the relationship between the items—that is used for an individual application program.
123
Subsidiary
A subsidiary is a corporation controlled, directly or indirectly, by another (parent) corporation where the control is usually by ownership of a majority (greater than 50%) of the outstanding voting stock. Power to control may also exist with a lesser percentage of ownership (i.e., by contract, lease, agreement with other stockholders, or court decree). A subsidiary may be consolidated or unconsolidated with the parent for reporting purposes (FASB ASC 810-10-20) but is usually accounted for by the parent by the equity method.
124
System
System is a generic term used to mean either a major application or a general support system.
125
System Analysis
System analysis is a rigorous and systematic approach to decision making in which all of the available alternatives are described in detail and the merits of each alternative are very carefully analyzed to allow the selection of the best alternative. It is a determination of information needs within an entity to determine the objectives and specifications needed for the design of an information system.
126
System and Organization Controls (SOC) Reports
SOC (system and organization controls) reports provide user management with information about the service organization’s internal controls to assist in assessing and addressing the risks associated with an outsourced service. The reports are intended to meet the needs of the user entities and the CPAs that audit the user entities’ financial statements in evaluating the effectiveness of the service organization’s controls on the user entities’ financial statements.
127
System Capacity
System capacity is the memory and storage space of a computer or the processing speed of a network.
128
System Development Life Cycle (SDLC)
SDLC is an approach normally used in the development of large, highly structured computer application systems. The approach includes steps of problem definition, feasibility study, program development, programmer testing, user testing and acceptance, implementation, and continuing evaluation of the suitability of the software and surrounding manual systems to accomplish its designed objectives.This approach requires the entity to monitor the application system and to identify when it is no longer adequate. When it is deemed inadequate, a new cycle starts. There are several phases involved in the system development, and internal auditor involvement is encouraged to help ensure that the process includes all needed parties and steps and that controls are built into the system before (not after) implementation.
129
System Flowchart
A system flowchart is a diagram (a graphic depiction using uniform symbols) of the flow of data through a series of operations in a system showing data source, inputs, processes, and output. It usually refers to an automated data processing system but could be used for a manual system.
130
System Integrity
The quality that a system has when it performs its intended functioning in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
131
Systems Analyst
A systems analyst is responsible for developing a company's information system. The analyst's job generally involves designing computer applications and preparing specifications for computer programming.
132
Telecommunications
Telecommunication is any transmission, emission, or reception of signs, signals, writing, images, sounds or other information by wire, radio, visual, or any electromagnetic systems.
133
Telnet
A protocol used for (possibly remote) login to a computer host.
134
Terminal
Terminals are used to communicate with a remote computer, mainframe computer, or one or more server computers over a local or wide-area network. Terminals have a keyboard and a screen or monitor, and are used for input and output. Originally, all terminals were “dumb” terminals, capable only of communicating with a central computer. Applications for dumb terminals include banking and retailing, where data can be input from each terminal but all records are kept centrally. Smart or intelligent terminals have, in addition to the communications capabilities, some limited computing and storage ability. Smart terminals depend on the server for most applications. Thin clients are inexpensive computers with limited memory that are used as intelligent terminals.
135
Test
Testing is the process of exercising a product to identify differences between expected and actual behavior.
136
Test Case
A set of test inputs, execution conditions, and expected results developed for a particular objective, e.g., to exercise a particular program path.
137
Testing
Testing is activities related to determining whether system-testing objectives are being met during hardware and software development. Testing can take place at a variety of levels, such as the module, component, or system levels. Testing is also related to the various types of verification, validation, and evaluation of whether or not a system satisfies its acceptance criteria. This process enables the customer to determine whether or not to accept the system.
138
Text Mining
Text mining uses machine learning or natural language processing technology to comb through documents—emails, blogs, Twitter feeds, surveys, competitive intelligence, and more—to help analyze large amounts of information and discover new topics and term relationships.
139
Threat
A threat is any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service.
140
Time Bomb
A Trojan horse set to trigger at a particular time.
141
Token
A token is an object that represents something else, such as another object (either physical or virtual). A security token is a physical device, such as a special smart card, that together with something that a user knows, such as a PIN, will enable authorized access to a computer system or network.
142
Token Device
A device used for generating passwords based on some information (e.g., time, date, and personal identification number) that is valid for only a brief period (e.g., one minute).
143
Traffic Analysis
The inference of information from observation of traffic flows (presence, absence, amount, direction, and frequency).
144
Transaction
SFAC 6.137 GASB N50.101 A transaction is a particular kind of external event, namely, an external event involving transfer of something of value between two or more entities. In exchange and exchange-like transactions, each party receives and gives up essentially equal values. State and local governments and not-for-profit entities also frequently engage in nonexchange transactions, in which a government/not-for-profit gives (or receives) value without directly receiving (or giving) equal value in return.
145
Transaction Processing System
A transaction processing system (TPS) is a completely programmed and automated system, treating every problem in exactly the same way. This type of system is used in accounting information systems (AIS) so that each transaction is processed in an identical, and therefore objective, manner.
146
Transmission Control Protocol - Internet Protocol (TCP - IP)
Transmission Control Protocol/Internet Protocol (TCP/IP) is the basic communication language or protocol of the internet that may also be used as a communications protocol in private networks such as intranets. The messages of a file are assembled into smaller packets that are sent over the internet and received by the TCP layer that reassembles the packets into the original message.
147
Transport Layer Security (TLS)
Transport layer security (TLS) is an authentication and security protocol widely implemented in browsers and web servers. TLS is similar to the older SSL protocol and is effectively SSL version 3.1.
148
Trapdoor
A hidden flaw in a system mechanism that can be triggered to circumvent the system's security.
149
Trojan Horse
A computer program that conceals harmful code. A Trojan horse usually masquerades as a useful program that a user would wish to execute. A computer program with an apparent or actual useful function that contains additional (hidden) functions that surreptitiously bypass the legitimate authorizations of the invoking process to the detriment of security or integrity. It is a program which performs a useful function, but also performs an unexpected action as well. A useful or seemingly useful program that contains hidden code of a malicious nature. When the program is invoked, so is the undesired function whose effects may not become immediately obvious. It is a non-self-replicating program that seems to have a useful purpose, but in reality has a different, malicious purpose. The name stems from an ancient exploit of invaders gaining entry to the city of Troy by concealing themselves in the body of a hollow wooden horse, presumed to be left behind by the invaders as a gift to the city.
150
Trust Services
Trust Services consist of professional attestation and advisory services based on principles and criteria that address the risk and opportunities of IT-enabled systems and privacy programs, including electronic commerce (e-commerce) systems. Trust Services principles and criteria are issued by the AICPA and the Canadian Institute of Chartered Accountants (CICA) and are organized into four broad areas: policies, communications, procedures, and monitoring.
151
Unauthorized Access
A person gains logical or physical access without permission to a network, system, application, data, or other resource.
152
Unstructured Data
Unstructured data is qualitative data stored in its native form and processed only when required. Examples are pictures, email text, audio and video files, social media sites, blogs, survey responses, and online reviews.
153
User
Individual or (system) process authorized to access an information system.
154
User ID
A unique symbol or character string that is used by a system to identify a specific user.
155
Utility Program
A utility program is used to perform routine tasks that are needed often by many different processing applications. Sorting of records is performed in every application (payroll, inventory, A/Rs, A/Ps, etc.); therefore, it is more efficient to have one utility program that sorts records that can be called by any program. This is also true of copying records, backing up files, printing reports, and many other common functions. These programs can be furnished by the computer hardware manufacturer in a package along with the operating system. For this reason, they are often included in a general term “firmware” because the manufacturer provides it.
156
Validation
Validation is verifying data and transactions' accuracy, completeness, and integrity within an organization's financial and business systems.
157
Verification
The process of comparing two levels of system specifications for proper correspondence (e.g., security policy models with top-level specification, top-level specification with source code, or source code with object code). This process may or may not be automated.
158
Version
A new release of commercial software reflecting major changes made in functions. It is a change to a baseline configuration item that modifies its functional capabilities. As functional capabilities are added to, modified within, or deleted from a baseline configuration item, its version identifier changes.
159
Virtual Private Network (VPN)
A virtual private network (VPN) is a network that controls access to an extranet by encryption and authentication technology.
160
Virtualization
Virtualization is the act of creating a virtual rather than a physical version of a computing environment, including computer hardware, operating system, and storage devices.
161
Vulnerability
A weakness in system security procedures, system design, implementation, internal controls, etc. that could be accidentally triggered or intentionally exploited and result in a violation of the system's security policy. A condition or weakness in (or absence of) security procedures, technical controls, physical controls, or other controls that could be exploited by a threat. A weakness in a system, application, or network that is subject to exploitation or misuse. Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
162
Vulnerability Assessment
A measurement of vulnerability that includes the susceptibility of a particular system to a specific attack and the opportunities available to a threat agent to mount that attack.1. Formal description and evaluation of the vulnerabilities in an information system.
163
Warm Site
A warm site is an environmentally conditioned workspace that is partially equipped with IT and telecommunications equipment to support relocated IT operations in the event of a significant disruption.
164
Web Server
A computer that provides World Wide Web (WWW) services on the Internet. It includes the hardware, operating system web server software, transmission control protocol/internet protocol (TCP/IP), and the website content (web pages). If the web server is used internally and not by the public, it may be known as an “intranet server.”
165
Wide Area Network (WAN)
WAN is an acronym for Wide Area Network. A communications network that connects geographically separated areas. It can cover several sites that are geographically distant. A WAN may span different cities or even different continents.
166
Wireless Local Area Network (WLAN)
A type of local area network (LAN) that uses high-frequency radio waves rather than wires to communicate between nodes.
167
Worm
An independent computer program that reproduces by copying itself from one system to another while traveling from machine to machine across the network. Unlike computer viruses, worms do not require human involvement to propagate. Most worms and viruses are closely related—they both spread and reproduce, and their effects can be identical. A program that copies itself from system to system via the network. A self-replicating program. Unlike a virus, it is self-contained and does not require a host program to replicate or any user intervention. Worms commonly utilize network services to propagate onto other computer systems. Although nowadays worms are associated with malicious code, the concept was originally introduced in the context of building useful applications. A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
