Terms Flashcards
Abend
An abnormal end to a computer job; termination of a task prior to its completion because of an error
condition that cannot be resolved by recovery facilities while the task is executing.
Acceptable interruption window
The maximum period of time that a system can be unavailable before compromising the
achievement of the enterprise’s business objectives.
Acceptable Use policy
A policy that establishes an agreement between users and the enterprise and defines, for all parties,
the ranges of use that are approved before gaining access to a network or the Internet.
Access control
The processes, rules and deployment mechanisms that control access to information systems,
resources and physical access to premises.
Access control list (ACL)
An internal computerized table of access rules regarding the levels of computer access permitted to
logon IDs and computer terminals.
Scope Notes: Also referred to as access control tables.
Access control table
An internal computerized table of access rules regarding the levels of computer access permitted to
logon IDs and computer terminals.
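A worked illustration of an access control table, added here and not part of the original glossary: a small Go program evaluates an ordered rule table keyed on logon ID and terminal, and denies by default when no rule matches. The rule fields, logon IDs, terminal names and resource names are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one row of a constructed access control table. The field names are
// illustrative, not taken from any real product: a rule binds a logon ID and a
// terminal to the actions it may perform on a resource.
type Rule struct {
	LogonID  string   // exact logon ID, or "*" for any
	Terminal string   // exact terminal ID, or "*" for any
	Resource string   // exact name, or a prefix ending in "*"
	Actions  []string // e.g. "read", "write"; "*" for any
	Allow    bool
}

// ACL is an ordered table: the first matching rule decides.
type ACL []Rule

// matchField compares a value against "*", a trailing-* prefix, or an exact string.
func matchField(pattern, value string) bool {
	if pattern == "*" {
		return true
	}
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

func (r Rule) matches(logonID, terminal, resource, action string) bool {
	if !matchField(r.LogonID, logonID) || !matchField(r.Terminal, terminal) || !matchField(r.Resource, resource) {
		return false
	}
	for _, a := range r.Actions {
		if a == "*" || a == action {
			return true
		}
	}
	return false
}

// Permitted returns the decision of the first rule matching all four attributes.
// A request that matches no rule is denied: access is granted explicitly, never inferred.
func (acl ACL) Permitted(logonID, terminal, resource, action string) bool {
	for _, r := range acl {
		if r.matches(logonID, terminal, resource, action) {
			return r.Allow
		}
	}
	return false
}

// ExampleACL is constructed sample data: the HR administrator may change payroll
// files only from terminal TERM01, may read them from any terminal, and anyone
// may read public notices.
var ExampleACL = ACL{
	{LogonID: "hr_admin", Terminal: "TERM01", Resource: "payroll/*", Actions: []string{"read", "write"}, Allow: true},
	{LogonID: "hr_admin", Terminal: "*", Resource: "payroll/*", Actions: []string{"read"}, Allow: true},
	{LogonID: "*", Terminal: "*", Resource: "public/*", Actions: []string{"read"}, Allow: true},
}

func main() {
	requests := [][4]string{
		{"hr_admin", "TERM01", "payroll/2024.dat", "write"},
		{"hr_admin", "TERM07", "payroll/2024.dat", "write"},
		{"hr_admin", "TERM07", "payroll/2024.dat", "read"},
		{"guest", "TERM07", "public/notice.txt", "read"},
		{"guest", "TERM07", "payroll/2024.dat", "read"},
	}
	for _, q := range requests {
		fmt.Printf("%-9s %-7s %-18s %-5s -> %v\n", q[0], q[1], q[2], q[3],
			ExampleACL.Permitted(q[0], q[1], q[2], q[3]))
	}
}
```

Because the table is ordered and the first match wins, a broad rule placed above a narrower one silently shadows it; reviewing rule order is as important as reviewing the rules themselves.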
Access Method
The technique used for selecting records in a file, one at a time, for processing, retrieval or
storage. The access method is related to, but distinct from, the file organization, which determines
how the records are stored.
Access path
The logical route that an end user takes to access computerized information.
Scope Notes: Typically includes a route through the operating system, telecommunications software,
selected application software and the access control system.
Access rights
The permission or privileges granted to users, programs or workstations to create, change, delete or
view data and files within a system, as defined by rules established by data owners and the
information security policy.
Access server
Provides centralized access control for managing remote access dial-up services
Accountability
The ability to map a given activity or event back to the responsible party.
Accountable party
The individual, group or entity that is ultimately responsible for a subject matter, process or scope.
Scope Notes: Within the IT Assurance Framework (ITAF), the term “management” is equivalent to
“accountable party.”
Acknowledgment (ACK)
A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly
by the receiver without errors, or that the receiver is now ready to accept a transmission.
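The flag semantics above, as an added example that is not part of the original glossary: a Go program parses the fixed part of a TCP header, names the flag bits, and checks whether a constructed SYN|ACK acknowledges the client's SYN (the acknowledgement number must equal the SYN's sequence number plus one, because a SYN consumes one sequence number). Ports and sequence numbers are invented sample values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Flag bits of the TCP header's flags byte (offset 13), per RFC 793 and RFC 3168.
const (
	FlagFIN byte = 0x01
	FlagSYN byte = 0x02
	FlagRST byte = 0x04
	FlagPSH byte = 0x08
	FlagACK byte = 0x10
	FlagURG byte = 0x20
	FlagECE byte = 0x40
	FlagCWR byte = 0x80
)

// Segment holds the header fields needed to follow an acknowledgement exchange.
type Segment struct {
	SrcPort, DstPort uint16
	Seq, Ack         uint32
	Flags            byte
}

// ParseTCPHeader decodes the fixed 20-byte part of a TCP header.
func ParseTCPHeader(b []byte) (Segment, error) {
	if len(b) < 20 {
		return Segment{}, errors.New("tcp header shorter than 20 bytes")
	}
	return Segment{
		SrcPort: binary.BigEndian.Uint16(b[0:2]),
		DstPort: binary.BigEndian.Uint16(b[2:4]),
		Seq:     binary.BigEndian.Uint32(b[4:8]),
		Ack:     binary.BigEndian.Uint32(b[8:12]),
		Flags:   b[13],
	}, nil
}

// FlagNames renders the set bits in the usual abbreviations, e.g. "SYN|ACK".
func FlagNames(f byte) string {
	names := []struct {
		bit  byte
		name string
	}{{FlagSYN, "SYN"}, {FlagACK, "ACK"}, {FlagFIN, "FIN"}, {FlagRST, "RST"},
		{FlagPSH, "PSH"}, {FlagURG, "URG"}, {FlagECE, "ECE"}, {FlagCWR, "CWR"}}
	var out []string
	for _, n := range names {
		if f&n.bit != 0 {
			out = append(out, n.name)
		}
	}
	if len(out) == 0 {
		return "none"
	}
	return strings.Join(out, "|")
}

// AcknowledgesSYN reports whether reply carries the ACK flag and acknowledges the
// SYN in syn. A SYN consumes one sequence number, so the expected acknowledgement
// number is syn.Seq+1; a data segment would instead be acknowledged at Seq+len(data).
func AcknowledgesSYN(reply, syn Segment) bool {
	return reply.Flags&FlagACK != 0 && syn.Flags&FlagSYN != 0 && reply.Ack == syn.Seq+1
}

// BuildHeader assembles a 20-byte header with no options (data offset 5 words).
// Window and checksum stay zero: only the flag and sequence logic is demonstrated.
func BuildHeader(src, dst uint16, seq, ack uint32, flags byte) []byte {
	b := make([]byte, 20)
	binary.BigEndian.PutUint16(b[0:2], src)
	binary.BigEndian.PutUint16(b[2:4], dst)
	binary.BigEndian.PutUint32(b[4:8], seq)
	binary.BigEndian.PutUint32(b[8:12], ack)
	b[12] = 5 << 4
	b[13] = flags
	return b
}

func main() {
	// Constructed handshake: the client's SYN, then the server's SYN|ACK.
	syn, _ := ParseTCPHeader(BuildHeader(51000, 443, 1000, 0, FlagSYN))
	synAck, _ := ParseTCPHeader(BuildHeader(443, 51000, 7000, 1001, FlagSYN|FlagACK))
	fmt.Printf("client -> server: %s seq=%d\n", FlagNames(syn.Flags), syn.Seq)
	fmt.Printf("server -> client: %s seq=%d ack=%d\n", FlagNames(synAck.Flags), synAck.Seq, synAck.Ack)
	fmt.Println("server acknowledged the SYN:", AcknowledgesSYN(synAck, syn))
}
```

The same acknowledgement-number check is what a stateful firewall or IDS uses to tell a genuine reply from an unsolicited segment carrying the ACK flag.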
Active recovery site (Mirrored)
A recovery strategy that involves two active sites, each capable of taking over the other’s workload in
the event of a disaster.
Scope Notes: Each site will have enough idle processing power to restore data from the other site and
to accommodate the excess workload in the event of a disaster.
Active response
A response in which the system either automatically, or in concert with the user, blocks or otherwise
affects the progress of a detected attack.
Scope Notes: Takes one of three forms: amending the environment, collecting more information or
striking back against the attacker.
Activity
The main actions taken to operate the COBIT process.
Address
Within computer storage, the code used to designate the location of a specific piece of data
Address space
The number of distinct locations that may be referred to with the machine address.
Scope Notes: For most binary machines, it is equal to 2^n, where n is the number of bits in the
machine address.
Addressing
The method used to identify the location of a participant in a network.
Scope Notes: Ideally, specifies where the participant is located rather than who they are (name)
or how to get there (routing).
Adjusting period
The calendar can contain “real” accounting periods and/or adjusting accounting periods. The “real”
accounting periods must not overlap and cannot have any gaps between them. Adjusting accounting
periods can overlap with other accounting periods.
Scope Notes: For example, a period called DEC-93 can be defined that includes 01-DEC-1993 through
31-DEC-1993. An adjusting period called DEC31-93 can also be defined that includes only one day:
31-DEC-1993 through 31-DEC-1993.
Administrative control
The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence
to regulations and management policies.
Adware
A software package that automatically plays, displays or downloads advertising material to a
computer after the software is installed on it or while the application is being used.
Scope Notes: In most cases, this is done without any notification to the user or without the user’s
consent. The term adware may also refer to software that displays advertisements, whether or not it
does so with the user’s consent; such programs display advertisements as an alternative to shareware
registration fees. These are classified as adware in the sense of advertising-supported software, but
not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and it
provides the user with a specific service.
Alert situation
The point in an emergency procedure when the elapsed time passes a threshold and the interruption
is not resolved. The enterprise entering into an alert situation initiates a series of escalation steps.
Allocation entry
A recurring journal entry used to allocate revenues or costs.
Scope Notes: For example, an allocation entry could be defined to allocate costs to each department
based on head count.
Alpha
The use of alphabetic characters or an alphabetic character string
Alternate facilities
Locations and infrastructures from which emergency or backup processes are executed, when the
main premises are unavailable or destroyed.
Scope Notes: Includes other buildings, offices or data processing centers.
Alternate process
Automatic or manual process designed and established to continue critical business processes from
point-of-failure to return-to-normal.
Alternative routing
A service that allows the option of having an alternate route to complete a call when the marked
destination is not available.
Scope Notes: In signaling, alternate routing is the process of allocating substitute routes for a given
signaling traffic stream in case of failure(s) affecting the normal signaling links or routes of that
traffic stream.
American Standard Code for Information Interchange
See ASCII
Amortization
The process of cost allocation that assigns the original cost of an intangible asset to the periods
benefited; calculated in the same way as depreciation
Analog
A transmission signal that varies continuously in amplitude and time and is generated in wave
formation.
Scope Notes: Analog signals are used in telecommunications.
Analytical technique
The examination of ratios, trends, and changes in balances and other values between periods to
obtain a broad understanding of the enterprise’s financial or operational position and to identify
areas that may require further or closer investigation.
Scope Notes: Often used when planning the assurance assignment.
Anomaly
Unusual or statistically rare.
Anomaly detection
Detection on the basis of whether the system activity matches that defined as abnormal
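A minimal statistical anomaly detector, added as an illustration and not taken from the glossary: it fits a baseline (mean and standard deviation) on a training window of failed-logon counts per minute, then flags intervals whose z-score exceeds a threshold. Every count is constructed sample data, not a real log.

```go
package main

import (
	"fmt"
	"math"
)

// Observation is one interval's count of some activity, here failed logons per
// minute (constructed sample data).
type Observation struct {
	Label string
	Count float64
}

// Baseline is what "normal" looks like: mean and standard deviation of a training
// window assumed to contain no attacks.
type Baseline struct {
	Mean, StdDev float64
}

// FitBaseline computes the population mean and standard deviation of the window.
func FitBaseline(training []float64) Baseline {
	var sum float64
	for _, x := range training {
		sum += x
	}
	mean := sum / float64(len(training))
	var ss float64
	for _, x := range training {
		ss += (x - mean) * (x - mean)
	}
	return Baseline{Mean: mean, StdDev: math.Sqrt(ss / float64(len(training)))}
}

// ZScore is how many standard deviations x lies from the baseline mean. With a
// zero-variance baseline any deviation at all is infinitely anomalous.
func (b Baseline) ZScore(x float64) float64 {
	if b.StdDev == 0 {
		if x == b.Mean {
			return 0
		}
		return math.Inf(1)
	}
	return (x - b.Mean) / b.StdDev
}

// DetectAnomalies returns the labels whose counts deviate beyond the threshold in
// either direction. It says nothing about what the activity is, only that the
// interval does not resemble the training window.
func DetectAnomalies(b Baseline, obs []Observation, threshold float64) []string {
	var flagged []string
	for _, o := range obs {
		if math.Abs(b.ZScore(o.Count)) > threshold {
			flagged = append(flagged, o.Label)
		}
	}
	return flagged
}

// Constructed data: a quiet training window, then five minutes in which one
// minute shows a burst of failures.
var TrainingCounts = []float64{3, 4, 2, 5, 3, 4, 3, 4, 2, 6}
var WindowCounts = []Observation{
	{"10:00", 4}, {"10:01", 3}, {"10:02", 47}, {"10:03", 5}, {"10:04", 2},
}

func main() {
	b := FitBaseline(TrainingCounts)
	fmt.Printf("baseline mean=%.2f stddev=%.2f\n", b.Mean, b.StdDev)
	for _, o := range WindowCounts {
		fmt.Printf("%s count=%3.0f z=%6.2f\n", o.Label, o.Count, b.ZScore(o.Count))
	}
	fmt.Println("anomalous intervals:", DetectAnomalies(b, WindowCounts, 3))
}
```

Two practical caveats follow from the code: the baseline is only as clean as the training window (an attacker already present during training becomes "normal"), and a slow, steady increase in activity can drag the baseline upward if it is refitted continuously, so the fitting window should be reviewed rather than trusted blindly.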
Anonymity
The quality or state of not being named or identified.
Antivirus software
Application software deployed at multiple points in an IT architecture. It is designed to detect and
potentially eliminate virus code before damage is done, and to repair or quarantine files that have
already been infected.
Appearance
The act of giving the idea or impression of being or doing something
Appearance of independence
Behavior adequate to meet the situations occurring during audit work (interviews, meetings,
reporting, etc.).
Scope Notes: An IS auditor should be aware that appearance of independence depends on the
perceptions of others and can be influenced by improper actions or associations.
Applet
A program written in a portable, platform-independent computer language, such as Java, JavaScript
or Visual Basic.
Scope Notes: An applet is usually embedded in a HyperText Markup Language (HTML) page
downloaded from web servers and then executed by a browser on client machines to run any
web-based application (e.g., generate web page input forms, run audio/video programs, etc.). Applets
can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible
security compromise of the host computers. However, applets expose the user’s machine to risk if not
properly controlled by the browser, which should not allow an applet to access a machine’s
information without prior authorization of the user.
Application
A computer program or set of programs that performs the processing of records for a specific
function.
Scope Notes: Contrasts with systems programs, such as an operating system or network control
program, and with utility programs, such as copy or sort.
Application acquisition review
An evaluation of an application system being acquired or evaluated, that considers such matters as:
appropriate controls are designed into the system; the application will process information in a
complete, accurate and reliable manner; the application will function as intended; the application will
function in compliance with any applicable statutory provisions; the system is acquired in compliance
with the established system acquisition process
Application benchmarking
The process of establishing the effective design and operation of automated controls within an
application.
Application controls
The policies, procedures and activities designed to provide reasonable assurance that objectives
relevant to a given automated solution (application) are achieved.
Application development review
An evaluation of an application system under development that considers matters such as:
appropriate controls are designed into the system; the application will process information in a
complete, accurate and reliable manner; the application will function as intended; the application will
function in compliance with any applicable statutory provisions; the system is developed in
compliance with the established system development life cycle process.
Application implementation review
An evaluation of any part of an implementation project.
Scope Notes: Examples include project management, test plans and user acceptance testing (UAT)
procedures.
Application layer
In the Open Systems Interconnection (OSI) communications model, the application layer provides
services for an application program to ensure that effective communication with another application
program in a network is possible.
Scope Notes: The application layer is not the application that is doing the communicating; it is a
service layer that provides these services.
Application maintenance review
An evaluation of any part of a project to perform maintenance on an application system.
Scope Notes: Examples include project management, test plans and user acceptance testing (UAT)
procedures.
Application or managed service provider (ASP/MSP)
A third party that delivers and manages applications and computer services, including security
services to multiple users via the Internet or a private network.
Application program
A program that processes business data through activities such as data entry, update or query.
Scope Notes: Contrasts with systems programs, such as an operating system or network control
program, and with utility programs such as copy or sort.
Application programming
The act or function of developing and maintaining application programs in production.
Application programming interface (API)
A set of routines, protocols and tools referred to as “building blocks” used in business application
software development.
Scope Notes: A good API makes it easier to develop a program by providing all the building blocks
related to functional characteristics of an operating system that applications need to specify, for
example, when interfacing with the operating system (e.g., provided by Microsoft Windows, different
versions of UNIX). A programmer utilizes these APIs in developing applications that can operate
effectively and efficiently on the platform chosen.
Application proxy
A service that connects programs running on internal networks to services on exterior networks by
creating two connections, one from the requesting client and another to the destination service.
Application security
Refers to the security aspects supported by the application, primarily with regard to the roles or
responsibilities and audit trails within the applications.
Application service provider (ASP)
Also known as managed service provider (MSP), it deploys, hosts and manages access to a packaged
application to multiple parties from a centrally managed facility.
Scope Notes: The applications are delivered over networks on a subscription basis.
Application software tracing and mapping
Specialized tools that can be used to analyze the flow of data through the processing logic of the
application software and document the logic, paths, control conditions and processing sequences.
Scope Notes: Both the command language or job control statements and programming language can
be analyzed. This technique includes program/system mapping, tracing, snapshots, parallel
simulations and code comparisons.
Application system
An integrated set of computer programs designed to serve a particular function that has specific
input, processing and output activities.
Scope Notes: Examples include general ledger, manufacturing resource planning and human resource
(HR) management.
Architecture
Description of the fundamental underlying design of the components of the business system, or of
one element of the business system (e.g., technology), the relationships among them, and the
manner in which they support enterprise objectives.
Arithmetic logic unit (ALU)
The area of the central processing unit that performs mathematical and analytical operations
Artificial intelligence
Advanced computer systems that can simulate human capabilities, such as analysis, based on a
predetermined set of rules
ASCII
Representing 128 characters, the American Standard Code for Information Interchange (ASCII) code
normally uses 7 bits. However, some variations of the ASCII code set allow 8 bits. This 8-bit ASCII code
allows 256 characters to be represented.
Assembler
A program that takes as input a program written in assembly language and translates it into machine
code or machine language
Assembly Language
A low-level computer programming language which uses symbolic code and produces machine
instructions.
Assessment
A broad review of the different aspects of a company or function that includes elements not covered
by a structured assurance initiative.
Scope Notes: May include opportunities for reducing the costs of poor quality, employee perceptions
on quality aspects, proposals to senior management on policy, goals, etc.
Asset
Something of either tangible or intangible value that is worth protecting, including people,
information, infrastructure, finances and reputation.
Assurance
Pursuant to an accountable relationship between two or more parties, an IT audit and assurance
professional is engaged to issue a written communication expressing a conclusion about the subject
matters for which the accountable party is responsible. Assurance refers to a number of related
activities designed to provide the reader or user of the report with a level of assurance or comfort
over the subject matter.
Scope Notes: Assurance engagements could include support for audited financial statements, reviews
of controls, compliance with required standards and practices, and compliance with agreements,
licenses, legislation and regulation.
Assurance initiative
An objective examination of evidence for the purpose of providing an assessment on risk
management, control or governance processes for the enterprise.
Scope Notes: Examples may include financial, performance, compliance and system security
engagements.
Asymmetric key (public key)
A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message.
Scope Notes: See public key encryption.
Asynchronous Transfer Mode (ATM)
A high-bandwidth, low-delay switching and multiplexing technology that allows integration of
real-time voice and video as well as data. It is a data link layer protocol.
Scope Notes: ATM is a protocol-independent transport mechanism. It allows high-speed data transfer
rates at up to 155 Mbit/s. The acronym ATM should not be confused with the alternate usage for
ATM, which refers to an automated teller machine.
Asynchronous transmission
Transmission in which characters are sent one at a time, each framed by its own start and stop bits,
so that sender and receiver need not share a continuous clock signal between characters.
Attest reporting engagement
An engagement in which an IS auditor is engaged to either examine management’s assertion
regarding a particular subject matter or the subject matter directly.
Scope Notes: The IS auditor’s report consists of an opinion on one of the following: management’s
assertion about the subject matter, or the subject matter itself. Reports of the second kind relate
directly to the subject matter rather than to an assertion. In certain situations management will not
be able to make an assertion over the subject of the engagement. An example of this situation is when
IT services are outsourced to a third party. Management will not ordinarily be able to make an
assertion over the controls that the third party is responsible for. Hence, an IS auditor would have to
report directly on the subject matter rather than on an assertion.
Attitude
Way of thinking, behaving, feeling, etc
Attribute sampling
Method to select a portion of a population based on the presence or absence of a certain characteristic
Audit
Formal inspection and verification to check whether a standard or set of guidelines is being followed,
records are accurate, or efficiency and effectiveness targets are being met.
Scope Notes: May be carried out by internal or external groups.
Audit accountability
Performance measurement of service delivery including cost, timeliness and quality against agreed
service levels.
Audit authority
A statement of the position within the enterprise, including lines of reporting and the rights of access
Audit charter
A document approved by those charged with governance that defines the purpose, authority and
responsibility of the internal audit activity.
Scope Notes: The charter should:
- Establish the internal audit function’s position within the enterprise
- Authorize access to records, personnel and physical properties relevant to the performance of IS
audit and assurance engagements
- Define the scope of the audit function’s activities
Audit evidence
The information used to support the audit opinion.
Audit expert systems
Expert or decision support systems that can be used to assist IS auditors in the decision-making
process by automating the knowledge of experts in the field.
Scope Notes: This technique includes automated risk analysis, systems software and control
objectives software packages.
Audit objective
The specific goal(s) of an audit.
Scope Notes: These often center on substantiating the existence of internal controls to minimize
business risk.
Audit plan
1. A plan containing the nature, timing and extent of audit procedures to be performed by
engagement team members in order to obtain sufficient appropriate audit evidence to form an
opinion.
Scope Notes: Includes the areas to be audited, the type of work planned, the high-level objectives and
scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and
its intended audience and other general aspects of the work.
2. A high-level description of the audit work to be performed in a certain period of time.
Audit program
A step-by-step set of audit procedures and instructions that should be performed to complete an
audit
Audit responsibility
The roles, scope and objectives documented in the service level agreement (SLA) between management and audit
Audit risk
The risk of reaching an incorrect conclusion based upon audit findings.
Scope Notes: The three components of audit risk are:
- Control risk
- Detection risk
- Inherent risk
Audit sampling
The application of audit procedures to less than 100 percent of the items within a population to obtain audit evidence about a particular characteristic of the population.
Audit trail
A visible trail of evidence enabling one to trace information contained in statements or reports back
to the original input source
Audit universe
An inventory of audit areas that is compiled and maintained to identify areas for audit during the
audit planning process.
Scope Notes: Traditionally, the list includes all financial and key operational systems as well as other
units that would be audited as part of the overall cycle of planned work. The audit universe serves as
the source from which the annual audit schedule is prepared. The universe will be periodically revised
to reflect changes in the overall risk profile.
Auditability
The level to which transactions can be traced and audited through a system.
Auditable unit
Subjects, units or systems that are capable of being defined and evaluated.
Scope Notes: Auditable units may include:
- Policies, procedures and practices
- Cost centers, profit centers and investment centers
- General ledger account balances
- Information systems (manual and computerized)
- Major contracts and programs
- Organizational units, such as product or service lines
- Functions, such as information technology (IT), purchasing, marketing, production, finance,
accounting and human resources (HR)
- Transaction systems for activities, such as sales, collection, purchasing, disbursement, inventory and
cost accounting, production, treasury, payroll, and capital assets
- Financial statements
- Laws and regulations
Authentication
1. The act of verifying identity, i.e., user, system.
Scope Notes: Risk: Can also refer to the verification of the correctness of a piece of data.
2. The act of verifying the identity of a user and the user’s eligibility to access computerized
information.
Scope Notes: Assurance: Authentication is designed to protect against fraudulent logon activity. It
can also refer to the verification of the correctness of a piece of data.
Automated application controls
Controls that have been programmed and embedded within an application
Availability
Ensuring timely and reliable access to and use of information
Awareness
Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies
knowing and understanding a subject and acting accordingly.
Accountability of governance
Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs,
conditions and options; setting direction through prioritization and decision making; and monitoring
performance, compliance and progress against plans. In most enterprises, governance is the
responsibility of the board of directors under the leadership of the chairperson.
Scope Notes: COBIT 5 perspective
Alignment
A state where the enablers of governance and management of enterprise IT support the goals and
strategies of the enterprise.
Scope Notes: COBIT 5 perspective
Application architecture
Description of the logical grouping of capabilities that manage the objects necessary to process
information and support the enterprise’s objectives.
Scope Notes: COBIT 5 perspective
Architecture board
A group of stakeholders and experts who are accountable for guidance on enterprise-architecture-
related matters and decisions, and for setting architectural policies and standards.
Scope Notes: COBIT 5 perspective
Advanced Encryption Standard (AES)
A public symmetric block cipher algorithm (FIPS 197) that operates on 128-bit blocks and supports
key sizes of 128, 192 or 256 bits.
Advanced persistent threat (APT)
An adversary that possesses sophisticated levels of expertise and significant resources which allow it
to create opportunities to achieve its objectives using multiple attack vectors (NIST SP 800-61).
Scope Notes: The APT:
1. Pursues its objectives repeatedly over an extended period of time
2. Adapts to defenders’ efforts to resist it
3. Is determined to maintain the level of interaction needed to execute its objectives
Adversary
A threat agent
Assertion
Any formal declaration or set of declarations about the subject matter made by management.
Scope Notes: Assertions should usually be in writing and commonly contain a list of specific
attributes about the subject matter or about a process involving the subject matter.
Assurance engagement
An objective examination of evidence for the purpose of providing an assessment on risk
management, control or governance processes for the enterprise.
Scope Notes: Examples may include financial, performance, compliance and system security
engagements.
Attack
An actual occurrence of an adverse event
Attack mechanism
A method used to deliver the exploit. Unless the attacker is personally performing the attack, an
attack mechanism may involve a payload, or container, that delivers the exploit to the target.
Attack vector
A path or route used by the adversary to gain access to the target (asset).
Scope Notes: There are two types of attack vectors: ingress and egress (also known as data
exfiltration).
Attenuation
Reduction of signal strength during transmission
Audit subject matter risk
Risk relevant to the area under review:
- Business risk (customer capability to pay, credit worthiness, market factors, etc.)
- Contract risk (liability, price, type, penalties, etc.)
- Country risk (political, environment, security, etc.)
- Project risk (resources, skill set, methodology, product stability, etc.)
- Technology risk (solution, architecture, hardware and software infrastructure network, delivery
channels, etc.)
Scope Notes: See inherent risk
Auditor’s opinion
A formal statement expressed by the IS audit or assurance professional that describes the scope of
the audit, the procedures used to produce the report and whether or not the findings support that
the audit criteria have been met.
Scope Notes: The types of opinions are:
- Unqualified opinion: Notes no exceptions, or none of the exceptions noted aggregate to a
significant deficiency
- Qualified opinion: Notes exceptions aggregated to a significant deficiency (but not a material
weakness)
- Adverse opinion: Notes one or more significant deficiencies aggregating to a material weakness
Authenticity
Undisputed authorship
Application containerization
A mechanism that is used to isolate applications from each other within the context of a running
operating system instance. In much the same way that a logical partition (LPAR) provides
segmentation of system resources in mainframes, a computing environment employing containers
segments and isolates the underlying system services so that they are logically sequestered from
each other.
Asymmetric cipher
Most implementations of asymmetric ciphers combine a widely distributed public key and a closely
held, protected private key. A message that is encrypted with the public key can only be decrypted
with the mathematically related counterpart, the private key.
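An added Go example covering the asymmetric key, AES and asymmetric cipher entries (illustrative code, not from the glossary): the standard library's `crypto/aes` accepts only 16-, 24- and 32-byte keys, and an RSA-OAEP round trip shows that a message encrypted with the public key is recovered only by the matching private key, while decryption with an unrelated private key fails. The plaintext is a constructed sample string.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Message is constructed sample plaintext.
const Message = "constructed test message"

// AESKeySizeAccepted reports whether crypto/aes accepts a key of n bytes. Only
// 16, 24 and 32 bytes (128, 192 and 256 bits) succeed; any other length
// returns aes.KeySizeError.
func AESKeySizeAccepted(n int) bool {
	_, err := aes.NewCipher(make([]byte, n))
	return err == nil
}

// GenerateKeypair creates an RSA key pair: the public half may be distributed
// widely, the private half must be closely held.
func GenerateKeypair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// EncryptForRecipient encrypts with the recipient's public key using RSA-OAEP
// with SHA-256. Anyone holding the public key can do this.
func EncryptForRecipient(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptWithPrivate decrypts with a private key. Only the key mathematically
// paired with the encrypting public key yields the plaintext.
func DecryptWithPrivate(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// RoundTrip encrypts Message to one key pair and returns the recovered text,
// whether decryption with an unrelated private key failed, and any error.
func RoundTrip() (string, bool, error) {
	recipient, err := GenerateKeypair(2048)
	if err != nil {
		return "", false, err
	}
	other, err := GenerateKeypair(2048)
	if err != nil {
		return "", false, err
	}
	ct, err := EncryptForRecipient(&recipient.PublicKey, []byte(Message))
	if err != nil {
		return "", false, err
	}
	pt, err := DecryptWithPrivate(recipient, ct)
	if err != nil {
		return "", false, err
	}
	_, wrongErr := DecryptWithPrivate(other, ct)
	return string(pt), wrongErr != nil, nil
}

func main() {
	for _, n := range []int{16, 20, 24, 32} {
		fmt.Printf("AES key of %d bytes accepted: %v\n", n, AESKeySizeAccepted(n))
	}
	pt, wrongKeyFails, err := RoundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recovered with matching private key: %q\n", pt)
	fmt.Println("decryption with unrelated private key fails:", wrongKeyFails)
}
```

RSA-OAEP can only encrypt a message shorter than the modulus minus the padding overhead (190 bytes for a 2048-bit key with SHA-256), so in practice the asymmetric cipher wraps a random AES key and the bulk data is encrypted symmetrically.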
Backbone
The main communication channel of a digital network. The part of a network that handles the major
traffic.
Scope Notes: Employs the highest-speed transmission paths in the network and may also run the
longest distances. Smaller networks are attached to the backbone, and networks that connect directly
to the end user or customer are called “access networks.” A backbone can span a geographic area of
any size from a single building to an office complex to an entire country. Or, it can be as small as a
backplane in a single cabinet.
Backup
Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals
are destroyed or out of service.
Backup center
An alternate facility to continue IT/IS operations when the primary data processing (DP) center is
unavailable.
Badge
A card or other device that is presented or displayed to obtain access to an otherwise restricted
facility, as a symbol of authority (e.g., the police), or as a simple means of identification.
Scope Notes: Also used in advertising and publicity.
Balanced scorecard (BSC)
Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures
organized into four categories that includes traditional financial measures, but adds customer,
internal business process, and learning and growth perspectives.
Bandwidth
The range between the highest and lowest transmittable frequencies. It equates to the transmission
capacity of an electronic line and is expressed in bits per second (for digital channels) or hertz (cycles
per second, for analog channels).
Bar code
A printed machine-readable code that consists of parallel bars of varied width and spacing.
Base case
A standardized body of data created for testing purposes.
Scope Notes: Users normally establish the data. Base cases validate production application systems
and test the ongoing accurate operation of the system.