Key Terms Flashcards
What is access control?
The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises
What is a vulnerability scanner?
A piece of software designed to scan a system to determine what services the system is running and whether any unnecessary open ports, operating system or application flaws, or back doors can be exploited because of missing patches or other weaknesses.
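As an added example that is not part of the original flashcards, the script below does, in miniature, what the definition describes: it discovers listening services, grabs their banners and checks them against an advisory table and a port policy. It starts a throwaway loopback service with a constructed banner so it runs offline; the product names, the "affected versions" table and the list of unnecessary ports are all hypothetical, not real advisories.

```python
# Added example (not from the page): minimal service discovery plus a
# banner-to-advisory check of the kind a vulnerability scanner automates.
# The fake service, its banner, the AFFECTED table and UNNECESSARY_PORTS
# are constructed for the example; no real product or advisory is meant.
import re
import socket
import threading
from typing import Dict, List, Optional

# Hypothetical advisory table: product -> versions known to carry an unpatched flaw.
AFFECTED = {"ExampleSSH": {"7.4", "7.5"}, "ExampleFTP": {"1.0"}}
# Hypothetical policy: ports that should not be listening on this host class.
UNNECESSARY_PORTS = {21, 23}


def start_fake_service(banner: bytes) -> int:
    """Start a loopback listener that sends `banner` to each client; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 0.5) -> Optional[str]:
    """Return the banner if the port accepts a connection ("" if silent), else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode(errors="replace").strip()
            except socket.timeout:
                return ""                 # open but no banner within the timeout
    except OSError:
        return None                       # closed or filtered


def assess(banner: str) -> List[str]:
    """Map a banner such as 'ExampleSSH_7.4 ready' to findings from AFFECTED."""
    findings: List[str] = []
    m = re.match(r"([A-Za-z]+)[_/ ]([\d.]+)", banner)
    if m and m.group(2) in AFFECTED.get(m.group(1), set()):
        findings.append(f"unpatched {m.group(1)} {m.group(2)}")
    return findings


def scan(host: str, ports: List[int]) -> Dict[int, dict]:
    """Scan `ports` on `host`; report each open port with its banner and findings."""
    report: Dict[int, dict] = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue                      # not open: nothing to report
        findings = assess(banner)
        if port in UNNECESSARY_PORTS:
            findings.append("unnecessary open port")
        report[port] = {"banner": banner, "findings": findings}
    return report


if __name__ == "__main__":
    port = start_fake_service(b"ExampleSSH_7.4 ready\r\n")
    print(scan("127.0.0.1", [port]))
```

A real scanner adds credentialed checks (package versions read from the host) because banners are easy to spoof or suppress; a banner match is evidence of exposure, not proof of exploitability.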
What is a vulnerability assessment?
An assessment that attempts to discover all potential weaknesses in an asset. It is often performed by a third party that comes into an organisation, takes stock of the assets within the scope of the assessment, conducts scans and other tests against those assets, and provides a report of the vulnerabilities that have been found.
What is a vulnerability?
A weakness in a system or asset, such as a flaw in software code; it can also be considered to be a lack of protection for an asset, such as an unlocked server room door.
What is threat modeling?
A threat assessment that attempts to determine all possible vectors of attack and includes risk factors that may affect the ability of a threat actor to initiate or complete a threat event.
What are the 5-whys?
A technique used to determine an issue’s root causes. It involves asking the question “Why?” repeatedly until the root causes are identified.
What is A/B testing?
A statistical way of comparing two (or more) techniques, typically an incumbent against a new rival. A/B testing aims to determine not only which technique performs better but also whether the difference is statistically significant. A/B testing usually considers only two techniques using one measurement but can be applied to any finite number of techniques and measures.
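The "statistically significant" part of the definition is what separates A/B testing from simply picking the larger number. As an added example that is not part of the original flashcards, the code below applies a two-proportion z-test to constructed counts: an incumbent detection rule A and a rival rule B are each run over 1000 events and their true-positive counts compared.

```python
# Added example (not from the page): two-proportion z-test for an A/B comparison.
# All counts are constructed; "A" is the incumbent technique, "B" the rival.
import math
from typing import Tuple


def two_proportion_z_test(x_a: int, n_a: int, x_b: int, n_b: int) -> Tuple[float, float]:
    """Return (z, two_sided_p) for H0: rate_a == rate_b, using the pooled estimate."""
    if min(n_a, n_b) <= 0 or not (0 <= x_a <= n_a and 0 <= x_b <= n_b):
        raise ValueError("counts must satisfy 0 <= x <= n and n > 0")
    rate_a, rate_b = x_a / n_a, x_b / n_b
    pooled = (x_a + x_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    if se == 0.0:                          # all successes or all failures in both arms
        return 0.0, 1.0
    z = (rate_b - rate_a) / se
    p = math.erfc(abs(z) / math.sqrt(2))   # P(|Z| >= |z|) for a standard normal
    return z, p


def ab_decision(x_a: int, n_a: int, x_b: int, n_b: int, alpha: float = 0.05) -> str:
    """Decide between A and B at significance level alpha (two-sided)."""
    z, p = two_proportion_z_test(x_a, n_a, x_b, n_b)
    if p >= alpha:
        return "no significant difference"
    return "B performs better" if z > 0 else "A performs better"


if __name__ == "__main__":
    # Constructed results: 120/1000 vs 160/1000 true positives.
    print(two_proportion_z_test(120, 1000, 160, 1000), ab_decision(120, 1000, 160, 1000))
    # A smaller gap on the same sample size is not distinguishable from noise.
    print(two_proportion_z_test(120, 1000, 125, 1000), ab_decision(120, 1000, 125, 1000))
```

The test only answers whether the measured difference is unlikely under "no difference"; it says nothing about whether a 4-point gain matters operationally, and a rule judged on one measure (detections) can still be worse on another (false positives), which is why the definition notes that multiple measures can be compared.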
What is a threat actor/agent?
An entity that has the intent to initiate a threat event. This does not have to be a person; it can also be a natural force, as in the case of a natural disaster.
What is Acceptable interruption window (AIW)?
The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise’s business objectives
What is Abend?
An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing
What is Acceptance criteria?
Criteria that a solution must satisfy to be accepted by customers
What is Acceptance testing?
Testing performed to determine whether a customer, acquirer, user, or their designee should accept a solution
What is an Access control list?
An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals
What is an Access control table?
An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals
What are Access rights?
The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy
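The access control list/table and access rights definitions above describe one mechanism: a table of rules keyed by subject (logon ID, program or workstation), the data the rule covers, the rights the data owner granted, and optionally the terminals from which they apply. As an added example that is not part of the original flashcards, the code below implements such a table with a deny-by-default lookup; the subjects, dataset names and terminal IDs are constructed.

```python
# Added example (not from the page): an access control table with deny-by-default
# evaluation. Subjects, resources and terminal IDs are constructed for the example.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set

# Rights a data owner can grant (the four named in the Access rights definition).
RIGHTS = frozenset({"view", "create", "change", "delete"})


@dataclass(frozen=True)
class Rule:
    subject: str                 # logon ID, program name or workstation ID
    resource: str                # dataset/file prefix the rule covers
    rights: FrozenSet[str]
    terminals: FrozenSet[str]    # empty set = permitted from any terminal


class AccessControlTable:
    """Internal table of access rules; a request is denied unless some rule allows it."""

    def __init__(self) -> None:
        self._rules: List[Rule] = []

    def grant(self, subject: str, resource: str, rights: Iterable[str],
              terminals: Iterable[str] = ()) -> None:
        granted = frozenset(rights)
        unknown = granted - RIGHTS
        if unknown:
            raise ValueError(f"unknown right(s): {sorted(unknown)}")
        self._rules.append(Rule(subject, resource, granted, frozenset(terminals)))

    def rights_for(self, subject: str, terminal: str, resource: str) -> Set[str]:
        """Union of rights from every rule matching subject, terminal and resource."""
        allowed: Set[str] = set()
        for r in self._rules:
            if r.subject != subject or not resource.startswith(r.resource):
                continue
            if r.terminals and terminal not in r.terminals:
                continue             # right exists, but not from this terminal
            allowed |= r.rights
        return allowed

    def permitted(self, subject: str, terminal: str, resource: str, right: str) -> bool:
        """Deny by default: True only if a matching rule grants `right`."""
        return right in self.rights_for(subject, terminal, resource)


def build_sample_table() -> AccessControlTable:
    """Rules a payroll data owner might define (constructed sample)."""
    acl = AccessControlTable()
    acl.grant("ALICE", "PAYROLL.", {"view", "change"}, terminals={"HR-01", "HR-02"})
    acl.grant("BOB", "PAYROLL.", {"view"})                        # any terminal
    acl.grant("PAYBATCH", "PAYROLL.MASTER", {"create", "change"})   # batch program
    return acl


if __name__ == "__main__":
    acl = build_sample_table()
    for who, term, res, right in [("ALICE", "HR-01", "PAYROLL.MASTER", "change"),
                                  ("ALICE", "BRANCH-07", "PAYROLL.MASTER", "change"),
                                  ("BOB", "HR-01", "PAYROLL.MASTER", "delete")]:
        print(who, term, res, right, "->", acl.permitted(who, term, res, right))
```

Two design points worth noting: the table is the only place rights come from (there is no implicit "owner can do anything" path), and the terminal restriction is evaluated per rule, so Alice's change right from an HR terminal does not leak to a branch terminal.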
What is access risk?
The risk that information may be divulged or made available to recipients without authorization from the information owner, reflecting a loss of confidentiality
What is an Action plan reappraisal (APR)?
A bounded set of appraisal activities performed to address nonsystemic weaknesses that lead to a limited set of unsatisfied practice groups in an appraisal. The APR includes:
Conducting an eligibility analysis
Gaining authorization from ISACA
Reviewing and obtaining approval to proceed from the Appraisal Sponsor
Modifying the existing appraisal plan
Conducting a reappraisal of unsatisfied practice groups
Reporting the results to ISACA
What is an Advanced persistent threat (APT)?
An adversary that possesses sophisticated levels of expertise and significant resources, which allow it to create opportunities to achieve its objectives by using multiple attack vectors, e.g., cyber, physical and deception. These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, program or organization; or positioning itself to carry out these objectives in the future. An advanced persistent threat (APT):
Pursues its objectives repeatedly over an extended period of time
Adapts to defenders’ efforts to resist it
Is determined to maintain the level of interaction needed to execute its objectives
What is an audit?
A formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate or efficiency and effectiveness targets are being met
What is an auditable unit?
The subjects, units or systems that are capable of being defined and evaluated
Scope Notes: Auditable units may include:
Policies, procedures and practices
Cost centers, profit centers and investment centers
General ledger account balances
Information systems (manual and computerized)
Major contracts and programs
Organizational units, such as product or service lines
Functions, such as information technology (IT), purchasing, marketing, production, finance, accounting and human resources (HR)
Transaction systems for activities, such as sales, collection, purchasing, disbursement, inventory and cost accounting, production, treasury, payroll, and capital assets
Financial statements
Laws and regulations
What is audit risk?
What is a Business continuity plan (BCP)?
A plan used by an enterprise to respond to the disruption of critical business processes
What is a business dependency assessment (BDA)?
A process of identifying resources critical to the operation of a business process
What is a Business function?
An activity that an enterprise does, or needs to do, to achieve its objectives
What is a business impact analysis?
The process of evaluating the criticality and sensitivity of information assets by determining the impact of losing the support of any resource to an enterprise. This establishes the escalation of a loss over time, identifies the minimum resources needed to recover and prioritizes the recovery of processes and the supporting system.
Scope Notes: This process captures income loss, unexpected expense, legal issues (regulatory compliance or contractual), interdependent processes and loss of public reputation or public confidence.
What is a cloud access security broker (CASB)?
Software or appliances positioned between an enterprise's technology infrastructure and a cloud service provider (CSP) to enforce the enterprise's security policies on access to cloud services
What is compartmentalisation?
A process for protecting very high-value assets or environments where trust is an issue. Access to an asset requires two or more processes, controls or individuals.
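One way to enforce "two or more individuals" cryptographically rather than procedurally is split knowledge: the secret guarding the asset is divided so that no single custodian holds enough to use it. As an added example that is not part of the original flashcards, the code below implements Shamir secret sharing over a prime field for a 2-of-3 split; the field prime and the sample secret are constructed for the example.

```python
# Added example (not from the page): compartmentalisation as split knowledge.
# A secret (say, the passphrase for a very high-value key) is divided among
# three custodians so that any two can reconstruct it while a single custodian
# learns nothing (Shamir secret sharing over a prime field). PRIME and the
# sample secret are constructed for the example.
import secrets
from typing import List, Sequence, Tuple

PRIME = 2**127 - 1   # field size; every secret must be smaller than this


def _eval_poly(coeffs: Sequence[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x, mod PRIME."""
    return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME


def split_secret(secret: int, threshold: int, n_shares: int) -> List[Tuple[int, int]]:
    """Return n_shares points (x, y); any `threshold` of them recover the secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 2 <= threshold <= n_shares:
        raise ValueError("need 2 <= threshold <= n_shares")
    # Constant term is the secret; the remaining threshold-1 coefficients are random,
    # so fewer than `threshold` points leave the constant term undetermined.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares: Sequence[Tuple[int, int]]) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the supplied shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # pow(den, PRIME - 2, PRIME) is the modular inverse (Fermat's little theorem)
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    secret = int.from_bytes(b"hv-secret-01", "big")       # constructed, < PRIME
    shares = split_secret(secret, threshold=2, n_shares=3)
    print(recover_secret(shares[:2]) == secret)           # any two custodians suffice
    print(recover_secret(shares[:1]) == secret)           # one custodian: False
```

Each custodian receives one (x, y) pair over a separate channel; the reconstruction step itself is the "two or more individuals" control, and it should happen only inside the protected environment, since whoever sees the recovered secret no longer needs the other custodians.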
What is compliance risk?
The probability and consequences of an enterprise failing to comply with laws, regulations or the ethical standards and codes of conduct applicable to the enterprise’s industry
What is continuous risk and control monitoring?
A process that includes:
Developing a strategy to regularly evaluate selected information and technology (I&T)-related controls/metrics
Recording and evaluating I&T-related events and the effectiveness of the enterprise in dealing with those events
Recording changes to I&T-related controls or changes that affect I&T-related risk
Communicating the current risk and control status to enable information-sharing decisions involving the enterprise