Key Terms Flashcards

1
Q

What is access control?

A

The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises.

2
Q

What is a vulnerability scanner?

A

A piece of software designed to scan a system to determine what services the system is running and whether any unnecessary open ports, operating systems and applications, or back doors can be exploited because of a lack of patching or other flaw.

3
Q

What is a vulnerability assessment?

A

An assessment that attempts to discover all potential weaknesses for an asset. Often designed for a third party to come into an organisation, take stock of the assets that will be covered within the scope of the assessment, conduct scans and other tests against those assets, and provide a report of the vulnerabilities that have been found.

4
Q

What is a vulnerability?

A

A weakness in a system or asset, such as a flaw in software code; it can also be considered to be a lack of protection for an asset, such as an unlocked server room door.

5
Q

What is threat modeling?

A

A threat assessment that attempts to determine all possible vectors of attack and includes risk factors that may affect the ability of a threat actor to initiate or complete a threat event.

6
Q

What are the 5-whys?

A

A technique used to determine an issue’s root causes. It involves asking the question “Why?” repeatedly until the root causes are identified.

6
Q

What is A/B testing?

A

A statistical way of comparing two (or more) techniques, typically an incumbent against a new rival. A/B testing aims to determine not only which technique performs better but also whether the difference is statistically significant. A/B testing usually considers only two techniques using one measurement but can be applied to any finite number of techniques and measures.

6
Q

What is a threat actor/agent?

A

An entity that has the intent to initiate a threat event. This does not have to be a person; it can also be a natural force, as in the case of a natural disaster.

7
Q

What is the acceptable interruption window (AIW)?

A

The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise’s business objectives.

8
Q

What is an abend?

A

An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing.

9
Q

What are acceptance criteria?

A

Criteria that a solution must satisfy to be accepted by customers.

10
Q

What is acceptance testing?

A

Testing performed to determine whether a customer, acquirer, user, or their designee should accept a solution.

11
Q

What is an access control list?

A

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals.

12
Q

What is an access control table?

A

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals.

13
Q

What are access rights?

A

The permissions or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy.

14
Q

What is access risk?

A

The risk that information may be divulged or made available to recipients without authorized access from the information owner, reflecting a loss of confidentiality.

15
Q

What is an action plan reappraisal (APR)?

A

A bounded set of appraisal activities performed to address nonsystemic weaknesses that lead to a limited set of unsatisfied practice groups in an appraisal. The APR includes:

Conducting an eligibility analysis

Gaining authorization from ISACA

Reviewing and obtaining approval to proceed from the Appraisal Sponsor

Modifying the existing appraisal plan

Conducting a reappraisal of unsatisfied practice groups

Reporting the results to ISACA

16
Q

What is an Advanced persistent threat (APT)?

A

An adversary that possesses sophisticated levels of expertise and significant resources, which allow it to create opportunities to achieve its objectives by using multiple attack vectors, e.g., cyber, physical and deception. These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission; or positioning itself to carry out these objectives in the future. An advanced persistent threat (APT):

Pursues its objectives repeatedly over an extended period of time

Adapts to defenders’ efforts to resist it

Is determined to maintain the level of interaction needed to execute its objectives

17
Q

What is an audit?

A

A formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.

18
Q

What is an auditable unit?

A

The subjects, units or systems that are capable of being defined and evaluated.

Scope Notes: Auditable units may include:

Policies, procedures and practices

Cost centers, profit centers and investment centers

General ledger account balances

Information systems (manual and computerized)

Major contracts and programs

Organizational units, such as product or service lines

Functions, such as information technology (IT), purchasing, marketing, production, finance, accounting and human resources (HR)

Transaction systems for activities, such as sales, collection, purchasing, disbursement, inventory and cost accounting, production, treasury, payroll, and capital assets

Financial statements

Laws and regulations

19
Q

What is audit risk?

A
20
Q

What is a business continuity plan (BCP)?

A

A plan used by an enterprise to respond to the disruption of critical business processes.

21
Q

What is a business dependency assessment (BDA)?

A

A process of identifying resources critical to the operation of a business process.

22
Q

What is a business function?

A

An activity that an enterprise does, or needs to do, to achieve its objectives.

23
Q

What is a business impact analysis?

A

The process of evaluating the criticality and sensitivity of information assets by determining the impact of losing the support of any resource to an enterprise. This establishes the escalation of a loss over time, identifies the minimum resources needed to recover and prioritizes the recovery of processes and the supporting system.

Scope Notes: This process captures income loss, unexpected expense, legal issues (regulatory compliance or contractual), interdependent processes and loss of public reputation or public confidence.

24
Q

What is a CASB?

A

Software or appliances that are positioned between an enterprise technology infrastructure and a cloud service provider (CSP).

25
Q

What is compartmentalisation?

A

A process for protecting very high-value assets or environments where trust is an issue. Access to an asset requires two or more processes, controls or individuals.

26
Q

What is compliance risk?

A

The probability and consequences of an enterprise failing to comply with laws, regulations, or the ethical standards and codes of conduct applicable to the enterprise’s industry.

27
Q

What is continuous risk and control monitoring?

A

A process that includes:

Developing a strategy to regularly evaluate selected information and technology (I&T)-related controls/metrics

Recording and evaluating I&T-related events and the effectiveness of the enterprise in dealing with those events

Recording changes to I&T-related controls or changes that affect I&T-related risk

Communicating the current risk and control status to enable information-sharing decisions involving the enterprise
