Terms and Definitions Flashcards

1
Q

Acceptable use policy (AUP)

A

A policy that establishes an agreement between users and the enterprise that defines, for all parties, the ranges of use that are approved before gaining access to a network or the Internet

2
Q

Access control

A

The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

3
Q

Access control list (ACL)

A

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals

Scope Notes: Also referred to as access control table

4
Q

Access control table

A

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals

5
Q

Access method

A

The technique used for selecting records in a file, one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization, which determines how the records are stored.

6
Q

Access rights

A

The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

7
Q

Administrative controls

A

The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies

8
Q

Anonymous File Transfer Protocol (AFTP)

A

A method of downloading public files using the File Transfer Protocol (FTP). AFTP does not require users to identify themselves before accessing files from a particular server. In general, users enter the word “anonymous” when the host prompts for a username. Anything can be entered for the password, such as the user’s email address or simply the word “guest.” In many cases, an AFTP site will not prompt a user for a name and password.

9
Q

Antivirus software

A

Application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done and to repair or quarantine files that have already been infected.

10
Q

Application

A

A computer program or set of programs that performs the processing of records for a specific function

Scope Notes: Applications contrast with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort.

11
Q

Application controls

A

The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved

12
Q

Application layer

A

The application layer provides services for an application program to ensure that effective communication with another application program in a network is possible in the Open Systems Interconnection (OSI) communications model

13
Q

Application programming interface (API)

A

A set of routines, protocols and tools referred to as building blocks used in business application software development

14
Q

Artificial intelligence (AI)

A

An advanced computer system that can simulate human capabilities, such as analysis, based on a predetermined set of rules

15
Q

Asymmetric key (public key)

A

A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message

Scope Notes: See public key encryption.

16
Q

Audit evidence

A

The information used to support the audit opinion

17
Q

Audit objective

A

The specific goal(s) of an audit

Scope Notes: These often center on substantiating the existence of internal controls to minimize business risk

18
Q

Audit plan

A

1. A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion.

Scope Notes: Includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work. It also includes topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work.

2. A high-level description of the audit work to be performed in a certain period of time

19
Q

Audit program

A

A step-by-step set of audit procedures and instructions that should be performed to complete an audit

20
Q

Audit risk

A

The risk of reaching an incorrect conclusion based upon audit findings

Scope Notes: The three components of audit risk are:

Control risk
Detection risk
Inherent risk

21
Q

Audit trail

A

A logical path linking a sequence of events, in the form of data, used to trace the transactions that have affected the contents of a record

Source: ISO

22
Q

Authentication

A

The act of verifying the identity of a user and the user's eligibility to access computerized information

Scope Notes: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.

23
Q

Backup

A

The files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service

24
Q

Balanced scorecard (BSC)

A

A coherent set of performance measures organized into four categories that include traditional financial measures and customer, internal business process and learning and growth perspectives. Developed by Robert S. Kaplan and David P. Norton.

25
Q

Benchmarking

A

A systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business

Scope Notes: Examples include benchmarking of quality, logistic efficiency and various other metrics.

26
Q

Biometrics

A

A security technique that verifies an individual’s identity by analyzing a unique physical attribute, such as a handprint

27
Q

Black box testing

A

A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code internals

28
Q

Broadband

A

Multiple channels that are formed by dividing the transmission medium into discrete frequency segments

Scope Notes: Broadband generally requires the use of a modem.

29
Q

Brouter

A

A device that performs the functions of both a bridge and a router

Scope Notes: A brouter operates at both the data link and network layers. It connects same data link type LAN segments as well as different data link ones, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type. Also, it processes and forwards messages to a different data link type network based on the network protocol address whenever required. When connecting same data link type networks, it is as fast as a bridge.

30
Q

Bus

A

A common path or channel between hardware devices

Scope Notes: Can be located between internal computer components or between external computers in a communication network

31
Q

Bus configuration

A

A configuration in which all devices (nodes) are linked along one communication line where transmissions are received by all attached nodes

Scope Notes: This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a connector to make a longer cable to allow more computers to join the network. A repeater can also be used to extend a bus configuration.

32
Q

Business case

A

Documentation of the rationale for making a business investment that is used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle

33
Q

Business continuity plan (BCP)

A

A plan used by an enterprise to respond to the disruption of critical business processes (depends on the contingency plan for the restoration of critical systems)

34
Q

Business impact analysis (BIA)

A

The process of evaluating the criticality and sensitivity of information assets by determining the impact of losing the support of any resource to an enterprise. This establishes the escalation of a loss over time, identifies the minimum resources needed to recover and prioritizes the recovery of processes and the supporting system.

Scope Notes: This process captures income loss, unexpected expense, legal issues (regulatory compliance or contractual), interdependent processes and loss of public reputation or public confidence.

35
Q

Business process reengineering (BPR)

A

The thorough analysis and significant redesign of business processes and management systems to establish a better-performing structure that is more responsive to the customer base and market conditions while yielding material cost savings

36
Q

Business risk

A

The probability that a situation with uncertain frequency and magnitude of loss (or gain) could prevent the enterprise from meeting its business objectives

37
Q

Capability Maturity Model Integration (CMMI)

A

An integrated model of best practices that enable businesses to improve performance by improving their processes. Product teams developed the model with global members from across the industry. The CMMI provides a best-practice framework for building, improving and sustaining process capability.

See CMMI product suite

38
Q

Card swipe

A

A physical control technique that uses a secured card or ID to gain access to a highly sensitive location

Scope Notes: If built correctly, card swipes act as a preventive control over physical access to sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs all card users who try to access the secured location. In this way, the card swipe device prevents unauthorized access and logs all attempts to enter the secured location.

39
Q

Central processing unit (CPU)

A

Computer hardware that houses the electronic circuits that control/direct all operations of a computer system

40
Q

Certificate (Certification) authority (CA)

A

A trusted third party that serves authentication infrastructures or enterprises, registers entities and issues certificates to those entities

41
Q

Certificate revocation list (CRL)

A

An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility

Scope Notes: The CRL details digital certificates that are no longer valid. The time gap between two updates is critical and poses a risk in digital certificate verification.

42
Q

Certification practice statement (CPS)

A

A detailed set of rules governing the certificate authority’s (CA) operations. It provides an understanding of the value and trustworthiness of certificates issued by a given CA.

Scope Notes: In terms of the controls an enterprise observes, this is the method used to validate the authenticity of certificate applicants and the CA’s expectations of how its certificates may be used.

43
Q

Chain of custody

A

The process of evidence handling (from collection to presentation) that is necessary to maintain the validity and integrity of evidence

Scope Notes: Includes documentation of who had access to the evidence and when and the ability to identify that the evidence is the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on verifying that evidence could not have been tampered with. This is accomplished by sealing off the evidence so it cannot be changed and providing a documentary record of custody to prove that the evidence was, at all times, under strict control and not subject to tampering.

44
Q

Challenge/response token

A

A method of user authentication carried out through use of the Challenge Handshake Authentication Protocol (CHAP)

Scope Notes: When a user tries to log into the server using CHAP, the server sends the user a “challenge,” which is a random value. The user enters a password, which is used as an encryption key to encrypt the “challenge” and return it to the server. The server is aware of the password. It, therefore, encrypts the “challenge” value and compares it with the value received from the user. If the values match, the user is authenticated. The challenge/response activity continues throughout the session, protecting it from password-sniffing attacks. In addition, CHAP is not vulnerable to “man-in-the-middle” attacks because the challenge value is a random value that changes on each access attempt.

45
Q

Change management (CM)

A

A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human, or “soft,” elements of change (ISACA)

Scope Notes: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources policies and procedures, executive coaching, change leadership training, team building and communication planning and execution.

46
Q

Ciphertext

A

Information generated by an encryption algorithm to protect the plaintext that is unintelligible to the unauthorized reader

47
Q

Circuit-switched network

A

A data transmission service that requires establishing a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE

Scope Notes: A circuit-switched data transmission service uses a connection network.

48
Q

Circular routing

A

In open systems architecture, the logical path of a message in a communication network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model

49
Q

Client-server

A

A term used to broadly describe the relationship between the receiver and provider of a service. Generally, the client-server describes a networked system where front-end applications, like the client, make service requests to another networked system. Client-server relationships are defined primarily by software. In a local area network (LAN), the workstation is the client, and the file server is the server. However, client-server systems are inherently more complex than file-server systems. Two disparate programs must work in tandem, and there are many more decisions to make about separating data and processing between the client workstations and the database server. The database server encapsulates database files and indexes, restricts access, enforces security and provides applications with a consistent interface to data via a data dictionary.

50
Q

Cloud computing

A

Convenient, scalable on-demand network access to a shared pool of resources that can be provisioned rapidly and released with minimal management effort or service provider interaction

51
Q

Coaxial cable

A

A cable composed of an insulated wire that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath and the outer insulation that wraps the second wire

Scope Notes: Has a greater transmission capacity than standard twisted-pair cables but has a limited range of effective distance

52
Q

Cold site

A

An IS backup facility that has the necessary electrical and physical components of a computer facility but does not have the computer equipment in place

Scope Notes: The site is ready to receive the necessary replacement computer equipment in the event that the users have to move from the main computing location to the alternative computer facility.

53
Q

Compensating control

A

An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions

54
Q

Completely connected (mesh) configuration

A

A network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks)

55
Q

Compliance testing

A

Control tests designed to obtain evidence on both the effectiveness of the controls and their operation during the audit period

56
Q

Comprehensive audit

A

An audit designed to determine the accuracy of financial records and evaluate the internal controls of a function or department

57
Q

Computer emergency response team (CERT)

A

A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group acts as an efficient corrective control and should also be the single point of contact for all incidents and issues related to information systems.

58
Q

Computer forensics

A

The application of the scientific method to digital media to establish factual information for judicial review

Scope Notes: This process often involves investigating computer systems to determine whether they have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communication and digital storage devices) in a way that makes it admissible as evidence in a court of law.

59
Q

Computer-assisted audit technique (CAAT)

A

Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities

60
Q

Configuration management (CM)

A

The control of changes to a set of configuration items over a system life cycle

61
Q

Contingency planning

A

Process of developing advance arrangements and procedures that enable an enterprise to respond to an event that might occur by chance or unforeseen circumstances

62
Q

Continuous auditing approach

A

Allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer

63
Q

Control objective

A

A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process

64
Q

Control practice

A

Key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business

65
Q

Control risk

A

Risk that assets are lost/compromised or that financial statements are materially misstated, due to lack of, or ineffective, design and/or implementation of internal controls

66
Q

Cookie

A

A web browser message used for the purpose of identifying users and possibly preparing customized web pages for them

Scope Notes: The first time a cookie is set, a user may be required to go through a registration process. Subsequent to this, whenever the cookie's message is sent to the server, a customized view based on that user's preferences can be produced. The browser's implementation of cookies has, however, brought several security concerns, allowing breaches of security and the theft of personal information (e.g., user passwords that validate the user identity and enable restricted web services).

67
Q

Corrective control

A

A control designed to correct errors, omissions, unauthorized uses and intrusions, once they are detected

68
Q

Countermeasure

A

The reduction of threats or vulnerabilities through any direct process

69
Q

Critical success factor (CSF)

A

The most important issue or action for management to achieve control over and within its IT processes

70
Q

Data custodian

A

Individual(s) and department(s) responsible for the storage and safeguarding of computerized data

71
Q

Data Encryption Standard (DES)

A

A legacy algorithm for encoding binary data that was deprecated in 2006. DES and its variants were replaced by the Advanced Encryption Standard (AES).

72
Q

Data leakage

A

Unauthorized transmission of data from an organization, either electronically or physically

73
Q

Data owner

A

Individual(s) who has responsibility for the integrity, accurate reporting and use of computerized data

74
Q

Data security

A

The controls that seek to maintain confidentiality, integrity and availability of information

75
Q

Database

A

A collection of data, often with controlled redundancy, organized according to a schema to serve one or more applications. The data are stored so that they can be used by different programs without considering the data structure or organization. A common approach is used to add new data and modify and retrieve existing data.

76
Q

Database administrator (DBA)

A

An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database.

77
Q

Database management system (DBMS)

A

A software system that controls the organization, storage and retrieval of data in a database

78
Q

Decision support systems (DSS)

A

An interactive system that provides the user with easy access to decision models and data to support semistructured decision-making tasks

79
Q

Decryption

A

A technique used to recover the original plaintext from the ciphertext so that it is intelligible to the reader. The decryption is a reverse process of the encryption.

80
Q

Decryption key

A

A digital piece of information used to recover plaintext from the corresponding ciphertext by decryption

81
Q

Degauss

A

The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media.

Scope Notes: The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a very low residue of magnetic induction on the media. Degauss loosely means to erase.

82
Q

Detective control

A

Controls designed to detect and report when errors, omissions and unauthorized uses or entries occur

83
Q

Digital certificate

A

An electronic credential that permits an entity to exchange information securely via the Internet using the public key infrastructure (PKI)

84
Q

Digital signature

A

An electronic identification of a person or entity using a public key algorithm that serves as a way for the recipient to verify the identity of the sender, integrity of the data and proof of transaction

85
Q

Disaster recovery plan (DRP)

A

A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster

86
Q

Discovery sampling

A

A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population.

87
Q

Discretionary access control (DAC)

A

Logical access control filters that may be configured or modified by the users or data owners

88
Q

Domain name system (DNS)

A

A hierarchical database distributed across the Internet, which allows names to be resolved into IP addresses (and vice versa) to locate services, such as web and email servers

89
Q

Domain name system (DNS) poisoning

A

Corrupts the table of an Internet server's DNS, replacing a legitimate Internet address with a rogue (vagrant or scoundrel) address

Scope Notes: If a web user looks for the page with that address, the request is redirected by the scoundrel entry in the table to a different address. Cache poisoning differs from another form of DNS poisoning in which the attacker spoofs valid email accounts and floods the in-boxes of administrative and technical contacts. Cache poisoning is related to URL poisoning or location poisoning, in which an Internet user’s behavior is tracked by adding an identification number to the location line of the browser that can be recorded as the user visits successive pages on the site. It is also called DNS cache poisoning or cache poisoning.

90
Q

Dry-pipe fire extinguisher system

A

A sprinkler system that does not have water in the pipes during idle usage, unlike a fully charged fire extinguisher system that has water in the pipes at all times

Scope Notes: The dry-pipe system is activated at the time of the fire alarm and water is emitted to the pipes from a water reservoir for discharge to the location of the fire.

91
Q

Dynamic Host Configuration Protocol (DHCP)

A

A protocol used by networked computers (clients) to obtain IP addresses from DHCP servers, and parameters such as default gateways, subnet masks and domain name system (DNS) server IP addresses

Scope Notes: The DHCP server ensures that all IP addresses are unique (e.g., no IP address is assigned to a second client while the first client’s assignment is valid [its lease has not expired]). Thus, IP address pool management is done by the server and not by a human network administrator.

92
Q

Ecommerce

A

The processes by which enterprises conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology.

Scope Notes: Ecommerce encompasses both business-to-business (B2B) and business-to-consumer (B2C) ecommerce models, but does not include existing non-Internet ecommerce methods based on private networks such as electronic data interchange (EDI) and Society for Worldwide Interbank Financial Telecommunication (SWIFT).

93
Q

Electronic data interchange (EDI)

A

The electronic transmission of transactions (information) between two enterprises. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders.

94
Q

Electronic funds transfer (EFT)

A

The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another.

95
Q

Email/interpersonal messaging

A

An individual using a terminal, PC or an application can access a network to send an unstructured message to another individual or group of people

96
Q

Embedded audit module (EAM)

A

An integral part of an application system that is designed to identify and report specific transactions or other information based on predetermined criteria. Identification of reportable items occurs as part of real-time processing. Reporting may be real-time online or may use store-and-forward methods. Also known as an integrated test facility or continuous auditing module.

97
Q

Encryption

A

The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext).

98
Q

Encryption key

A

A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext

99
Q

End-user computing

A

The ability of end users to design and implement their own information system utilizing computer software products.

100
Q

Enterprise resource planning (ERP)

A

A packaged business software system that allows an enterprise to automate and integrate the majority of its business processes; to share common data and practices across the entire enterprise; and to produce and access information in a real-time environment

101
Q

Ethernet

A

A popular network protocol and cabling scheme that uses a bus topology and carrier sense multiple access/collision detection (CSMA/CD) to prevent network failures or collisions when two devices try to access the network at the same time

102
Q

Evidence

A

Information that an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support

Scope Notes: Audit perspective

103
Q

Exception reports

A

An exception report is generated by a program that identifies transactions or data that appear to be incorrect.

Scope Notes: Exception reports may be outside a predetermined range or may not conform to specified criteria.

104
Q

eXtensible Markup Language (XML)

A

Promulgated through the World Wide Web Consortium, XML is a web-based application development technique that allows designers to create their own customized tags, thus enabling the definition, transmission, validation and interpretation of data between applications and enterprises.

105
Q

Extranet

A

A private network that resides on the Internet and allows a company to securely share business information with customers, suppliers or other businesses as well as to execute electronic transactions.

Scope Notes: Different from an Intranet in that it is located beyond the company’s firewall. Therefore, an extranet relies on the use of securely issued digital certificates (or alternative methods of user authentication) and encryption of messages. A virtual private network (VPN) and tunneling are often used to implement extranets, to ensure security and privacy.

106
Q

Fallback procedures

A

A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended.

Scope Notes: May involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation.

107
Q

False authorization

A

Also called false acceptance, occurs when an unauthorized person is identified as an authorized person by the biometric system.

108
Q

False enrollment

A

Occurs when an unauthorized person manages to enroll into the biometric system.

Scope Notes: Enrollment is the initial process of acquiring a biometric feature and saving it as a personal reference on a smart card, a PC or in a central database.

109
Q

Feasibility study

A

Analysis of the known or anticipated need for a product, system or component to assess the degree to which the requirements, designs or plans can be implemented

110
Q

Fiber-optic cable

A

Glass fibers that transmit binary signals over a telecommunications network.

Scope Notes: Fiber-optic systems have low transmission losses as compared to twisted-pair cables. They do not radiate energy or conduct electricity. They are free from corruption and lightning-induced interference, and they reduce the risk of wiretaps.

111
Q

File Transfer Protocol (FTP)

A

A protocol used to transfer files over a Transmission Control Protocol/Internet Protocol (TCP/IP) network (Internet, UNIX, etc.)

112
Q

Financial audit

A

An audit designed to determine the accuracy of financial records and information.

113
Q

Firewall

A

A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet

114
Q

Firmware

A

The combination of a hardware device, e.g., an IC, and computer instructions and data that reside as read only software on that device. Such software cannot be modified by the computer during processing.

115
Q

Fourth-generation language (4GL)

A

High-level, user-friendly, nonprocedural computer language used to program and/or read and process computer files.

116
Q

Frame relay

A

A packet-switched wide-area-network (WAN) technology that provides faster performance than older packet-switched WAN technologies.

Scope Notes: Best suited for data and image transfers. Because of its variable-length packet architecture, it is not the most efficient technology for real-time voice and video. In a frame-relay network, end nodes establish a connection via a permanent virtual circuit (PVC).

117
Q

Function point analysis (FPA)

A

A technique used to determine the size of a development task, based on the number of function points

Scope Notes: Function points are factors such as inputs, outputs, inquiries and logical internal sites.

118
Q

Gateway

A

A physical or logical device on a network that serves as an entrance to another network (e.g., router, firewall or software)

119
Q

Generalized audit software (GAS)

A

Multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting

120
Q

Governance

A

The method by which an enterprise evaluates stakeholder needs, conditions and options to determine balanced, agreed-upon enterprise objectives to be achieved. It involves setting direction through prioritization, decision making and monitoring performance and compliance against the agreed-upon direction and objectives.

121
Q

Hacker

A

An individual who attempts to gain unauthorized access to a computer system

122
Q

Handprint scanner

A

A biometric device used to authenticate a user through palm scans

123
Q

Hash total

A

The total of any numeric data field in a document or computer file. This total is checked against a control total of the same field to facilitate the accuracy of processing.

124
Q

Help desk

A

A service offered via telephone/Internet by an enterprise to its clients or employees that provides information, assistance and troubleshooting advice regarding software, hardware or networks

Scope Notes: A help desk is staffed by people who can either resolve the problem on their own or escalate the problem to specialized personnel. A help desk is often equipped with dedicated customer relationship management (CRM) software that logs the problems and tracks them until they are solved.

125
Q

Hierarchical database

A

A database structured in a tree/root or parent/child relationship.

Scope Notes: Each parent can have many children, but each child may have only one parent.

126
Q

Honeypot

A

A specially configured server, also known as a decoy server, designed to attract and monitor intruders in a manner so that their actions do not affect production systems

127
Q

Hot site

A

A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster

128
Q

Hypertext Markup Language (HTML)

A

A language designed for the creation of web pages with hypertext and other information to be displayed in a web browser; used to structure information (denoting certain text such as headings, paragraphs and lists) and can be used to describe, to some degree, the appearance and semantics of a document

129
Q

Incident

A

A violation or imminent threat of violation of computer security policies, acceptable use policies, guidelines or standard security practices

130
Q

Incident response

A

The response of an enterprise to a disaster or other significant event that may significantly affect the enterprise, its people or its ability to function productively. Incident response may include evacuation of a facility, initiating a disaster recovery plan (DRP), performing a damage assessment or any other measures necessary to bring an enterprise to a more stable status.

131
Q

Information processing facility (IPF)

A

The computer room and support areas.

132
Q

Information systems (IS)

A

The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies

Scope Notes: Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.

133
Q

Inherent risk

A

The level of risk or exposure that does not account for the actions management has taken or might take (e.g., implementing controls)

134
Q

Instant messaging (IM)

A

An online mechanism or a form of real-time communication between two or more people based on typed text and multimedia data

Scope Notes: Text is conveyed via computers or another electronic device (e.g., cellular phone or handheld device) and connected over a network, such as the Internet.

135
Q

Integrated services digital network (ISDN)

A

A public end-to-end digital telecommunications network with signaling, switching and transport capabilities that support a wide range of services accessed by standardized interfaces with integrated customer control

Scope Notes: The standard allows transmission of digital voice, video and data over 64-kbps lines.

136
Q

Integrated test facilities (ITF)

A

A testing methodology in which test data are processed in production systems

Scope Notes: The data usually represent a set of fictitious entities such as departments, customers or products. Output reports are verified to confirm the correctness of the processing.

137
Q

Integrity

A

The guarding against improper information modification or destruction. This includes ensuring information nonrepudiation and authenticity.

138
Q

Internal controls

A

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

139
Q

IP Security (IPSec)

A

A set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets

140
Q

IT steering committee

A

An executive-management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects.

141
Q

IT strategic plan

A

A long-term plan (i.e., three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise’s strategic objectives (goals).

142
Q

Key goal indicator (KGI)

A

A measure that tells management, after the fact, whether an IT process has achieved its business requirements; usually expressed in terms of information criteria.

143
Q

Key performance indicator (KPI)

A

A type of performance measurement

144
Q

Leased line

A

A communication line permanently assigned to connect two points, as opposed to a dial-up line that is only available and open when a connection is made by dialing the target machine or network. Also known as a dedicated line.

145
Q

Licensing agreement

A

A contract that establishes the terms and conditions under which a piece of software is being licensed (i.e., made legally available for use) from the software developer (owner) to the user.

146
Q

Local area network (LAN)

A

Communication network that serves several users within a specified limited geographic area

147
Q

Log

A

To record details of information or events in an organized record-keeping system, usually sequenced in the order in which they occurred

148
Q

Logical access controls

A

The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files

149
Q

Logon

A

The act of connecting to the computer, which typically requires entry of a user ID and password into a computer terminal.

150
Q

Malware

A

Short for malicious software. Designed to infiltrate, damage or obtain information from a computer system without the owner’s consent. Examples of malware include computer viruses, worms, Trojan horses, spyware and adware.

151
Q

Mandatory access control (MAC)

A

Logical access control filters used to validate access credentials that cannot be controlled or modified by normal users or data owners

152
Q

Media access control (MAC)

A

Lower sublayer of the OSI Model Data Link layer

153
Q

Middleware

A

Another term for an application programmer interface (API). It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.

154
Q

Mobile site

A

The use of a mobile/temporary facility to serve as a business resumption location. The facility can usually be delivered to any site and can house information technology and staff.

155
Q

Network

A

A system of interconnected computers and the communication equipment used to connect them.

156
Q

Network administrator

A

Responsible for planning, implementing and maintaining the telecommunications infrastructure; also may be responsible for voice networks.

Scope Notes: For smaller enterprises, the network administrator may also maintain a local area network (LAN) and assist end users.

157
Q

Network attached storage (NAS)

A

Utilizes dedicated storage devices that centralize storage of data.

Scope Notes: NAS devices generally do not provide traditional file/print or application services.

158
Q

Network interface card (NIC)

A

A communication card that when inserted into a computer, allows it to communicate with other computers on a network.

Scope Notes: Most NICs are designed for a particular type of network or protocol.

159
Q

Nondisclosure agreement (NDA)

A

A legal contract between at least two parties that outlines confidential materials that the parties wish to share with one another for certain purposes, but wish to restrict from generalized use; a contract through which the parties agree not to disclose information covered by the agreement.

Scope Notes: Also called a confidential disclosure agreement (CDA), confidentiality agreement or secrecy agreement. An NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect non-public business information. In the case of certain governmental entities, the confidentiality of information other than trade secrets may be subject to applicable statutory requirements, and in some cases may be required to be revealed to an outside party requesting the information. Generally, the governmental entity will include a provision in the contract to allow the seller to review a request for information that the seller identifies as confidential and the seller may appeal such a decision requiring disclosure. NDAs are commonly signed when two companies or individuals are considering doing business together and need to understand the processes used in one another’s businesses solely for the purpose of evaluating the potential business relationship. NDAs can be “mutual,” meaning that both parties are restricted in their use of the materials provided, or they can only restrict a single party. It is also possible for an employee to sign an NDA or NDA-like agreement with a company at the time of hiring; in fact, some employment agreements will include a clause restricting confidential information in general.

160
Q

Operating system (OS)

A

A master control program that runs the computer and acts as a scheduler and traffic controller

Scope Notes: The operating system is the first program copied into the computer memory after the computer is turned on; it must reside in memory at all times. It is the software that interfaces between the computer hardware (disk, keyboard, mouse, network, modem and printer) and the application software (word processor, spreadsheet, email). It also controls access to the devices, is partially responsible for security components and sets the standards for the application programs that run in it.

161
Q

Operational audit

A

An audit designed to evaluate the various internal controls, economy and efficiency of a function or department.

162
Q

Outsourcing

A

A formal agreement with a third party to perform IS or other business functions for an enterprise

163
Q

Paper test

A

A walk-through of the steps of a regular test, but without actually performing the steps.

Scope Notes: Usually used in disaster recovery and contingency testing; team members review and become familiar with the plans and their specific roles and responsibilities.

164
Q

Password

A

A protected, generally computer-encrypted string of characters that authenticates a computer user to the computer system

165
Q

Patch management

A

An area of systems management that involves acquiring, testing and installing multiple patches (code changes) to an administered computer system to maintain up-to-date software and often to address security risk

Scope Notes: Patch management tasks include maintaining current knowledge of available patches, deciding what patches are appropriate for particular systems, ensuring that patches are installed properly, testing systems after installation and documenting all associated procedures, such as specific configurations required. A number of products are available to automate patch management tasks. Patches are sometimes ineffective and can sometimes cause more problems than they fix. Patch management experts suggest that system administrators take simple steps to avoid problems, such as performing backups and testing patches on noncritical systems prior to installations. Patch management can be viewed as part of change management.

166
Q

Penetration testing

A

A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers

167
Q

Phishing

A

A type of electronic mail (email) attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering

Scope Notes: Phishing attacks may take the form of masquerading as a lottery organization advising the recipient or the user’s bank of a large win; in either case, the intent is to obtain account and personal identification number (PIN) details. Alternative attacks may seek to obtain apparently innocuous business information, which may be used in another form of active attack.

168
Q

Phreakers

A

Those who crack security, most frequently telephone and other communication networks.

169
Q

Plaintext

A

Digital information, such as cleartext, that is intelligible to the reader.

170
Q

Point-to-Point Protocol (PPP)

A

A protocol used for transmitting data between two ends of a connection.

171
Q

Policy

A

A document that communicates required and prohibited activities and behaviors

172
Q

Preventive control

A

An internal control that is used to avoid undesirable events, errors and other occurrences that an enterprise has determined could have a negative material effect on a process or end product.

173
Q

Privacy

A

The right of an individual to trust that others will appropriately and respectfully use, store, share and dispose of his/her associated personal and sensitive information within the context, and according to the purposes for which it was collected or derived

174
Q

Private key cryptosystems

A

A cryptosystem that involves secret, private keys. The keys are also known as “symmetric ciphers” because the same key both encrypts message plaintext from the sender and decrypts resulting ciphertext for a recipient.

175
Q

Procedure

A

A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes.

176
Q

Process

A

Generally, a collection of activities influenced by the enterprise’s policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs.

177
Q

Protocol

A

The rules by which a network operates and controls the flow and priority of transmissions

178
Q

Public key cryptosystem

A

A cryptosystem that combines a widely distributed public key and a closely held, protected private key. A message that is encrypted by the public key can only be decrypted by the mathematically related counterpart private key. Conversely, only the public key can decrypt data that was encrypted by its corresponding private key.

179
Q

Public key encryption

A

A cryptographic system that uses two keys: one is a public key, which is known to everyone, and the second is a private or secret key, which is only known to the recipient of the message. See also Asymmetric Key.

180
Q

Public key infrastructure (PKI)

A

A series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued

181
Q

Quality assurance (QA)

A

A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements. (ISO/IEC 24765)

182
Q

Reciprocal agreement

A

Emergency processing agreement between two or more enterprises with similar equipment or applications.

Scope Notes: Typically, participants of a reciprocal agreement promise to provide processing time to each other when an emergency arises.

183
Q

Recovery point objective (RPO)

A

Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.

184
Q

Recovery strategy

A

An approach by an enterprise that will ensure its recovery and continuity in the face of a disaster or other major outage.

Scope Notes: Plans and methodologies are determined by the enterprise’s strategy. There may be more than one methodology or solution for an enterprise’s strategy. Examples of methodologies and solutions include: contracting for hot site or cold site, building an internal hot site or cold site, identifying an alternate work area, a consortium or reciprocal agreement, contracting for mobile recovery or crate and ship, and many others.

185
Q

Recovery time objective (RTO)

A

The amount of time allowed for the recovery of a business function or resource after a disaster occurs

186
Q

Registration authority (RA)

A

An authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it

187
Q

Remote access service (RAS)

A

Refers to any combination of hardware and software to enable the remote access to tools or information that typically reside on a network of IT devices.

Scope Notes: Originally coined by Microsoft when referring to their built-in NT remote access tools, RAS was a service provided by Windows NT which allowed most of the services that would be available on a network to be accessed over a modem link. Over the years, many vendors have provided both hardware and software solutions to gain remote access to various types of networked information. In fact, most modern routers include a basic RAS capability that can be enabled for any dial-up interface.

188
Q

Remote procedure call (RPC)

A

The traditional Internet service protocol widely used for many years on UNIX-based operating systems and supported by the Internet Engineering Task Force (IETF) that allows a program on one computer to execute a program on another (e.g., server).

Scope Notes: The primary benefit derived from its use is that a system developer need not develop specific procedures for the targeted computer system. For example, in a client-server arrangement, the client program sends a message to the server with appropriate arguments, and the server returns a message containing the results of the program executed. Common Object Request Broker Architecture (CORBA) and Distributed Component Object Model (DCOM) are two newer object-oriented methods for related RPC functionality.

189
Q

Repeaters

A

A physical layer device that regenerates and propagates electrical signals between two network segments.

Scope Notes: Repeaters receive signals from one network segment and amplify (regenerate) the signal to compensate for signals (analog or digital) distorted by transmission loss due to reduction of signal strength during transmission (i.e., attenuation).

190
Q

Request for proposal (RFP)

A

A document distributed to software vendors requesting them to submit a proposal to develop or provide a software product.

191
Q

Ring topology

A

A type of local area network (LAN) architecture in which the cable forms a loop, with stations attached at intervals around the loop.

Scope Notes: In ring topology, signals transmitted around the ring take the form of messages. Each station receives the messages and each station determines, on the basis of an address, whether to accept or process a given message. However, after receiving a message, each station acts as a repeater, retransmitting the message at its original signal strength.

192
Q

Risk

A

The combination of the likelihood of an event and its impact (ISACA)

193
Q

Risk analysis

A

The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats.

Scope Notes: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of that event.

194
Q

Risk appetite

A

The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission.

195
Q

Risk assessment

A

A process used to identify and evaluate risk and its potential effects

Scope Notes: Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan. Risk assessments are also used to manage project delivery risk and project benefit risk.

196
Q

Risk evaluation

A

The process of comparing the estimated risk against given risk criteria to determine the significance of the risk. [ISO/IEC Guide 73:2002].

197
Q

Risk management

A

The coordinated activities to direct and control an enterprise with regard to risk

Scope Notes: In the International Standard, the term “control” is used as a synonym for “measure.” (ISO/IEC Guide 73:2002)

198
Q

Risk mitigation

A

The management of risk through the use of countermeasures and controls (ISACA)

199
Q

Risk tolerance

A

The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives

200
Q

Risk transfer

A

The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service

Scope Notes: Also known as risk sharing

201
Q

Risk treatment

A

The process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002)

202
Q

Router

A

A networking device that can send (route) data packets from one local area network (LAN) or wide area network (WAN) to another, based on addressing at the network layer (Layer 3) in the open systems interconnection (OSI) model

Scope Notes: Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source addresses, destination addresses, protocol and network applications (ports).

203
Q

RSA (RSA)

A

A public key cryptosystem developed by R. Rivest, A. Shamir and L. Adleman used for both encryption and digital signatures

Scope Notes: The RSA has two different keys, the public encryption key and the secret decryption key. The strength of the RSA depends on the difficulty of the prime number factorization. For applications with high-level security, the number of the decryption key bits should be greater than 512 bits.

204
Q

Secure Sockets Layer (SSL)

A

A protocol that is used to transmit private documents through the Internet

Scope Notes: The SSL protocol uses a private key to encrypt the data that are to be transferred through the SSL connection.

205
Q

Segregation/separation of duties (SoD)

A

A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets.

Scope Notes: Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection.

206
Q

Service level agreement (SLA)

A

An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured

207
Q

Simple Object Access Protocol (SOAP)

A

A platform-independent formatted protocol based on extensible markup language (XML) enabling applications to communicate with each other over the Internet.

Scope Notes: Use of SOAP may provide a significant security risk to web application operations because use of SOAP piggybacks onto a web-based document object model and is transmitted via HyperText Transfer Protocol (HTTP) (port 80) to penetrate server firewalls, which are usually configured to accept port 80 and port 21 File Transfer Protocol (FTP) requests. Web-based document models define how objects on a web page are associated with each other and how they can be manipulated while being sent from a server to a client browser. SOAP typically relies on XML for presentation formatting and also adds appropriate HTTP-based headers to send it. SOAP forms the foundation layer of the web services stack, providing a basic messaging framework on which more abstract layers can build. There are several different types of messaging patterns in SOAP, but by far the most common is the Remote Procedure Call (RPC) pattern, in which one network node (the client) sends a request message to another node (the server), and the server immediately sends a response message to the client.

208
Q

Spyware

A

Software whose purpose is to monitor a computer user’s actions (e.g., websites visited) and report these actions to a third party, without the informed consent of that machine’s owner or legitimate user

209
Q

Standard

A

A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as International Organization for Standardization (ISO).

210
Q

Star topology

A

A type of local area network (LAN) architecture that utilizes a central controller to which all nodes are directly connected.

Scope Notes: With star topology, all transmissions from one station to another pass through the central controller which is responsible for managing and controlling all communication. The central controller often acts as a switching device.

211
Q

Statistical sampling

A

A method of selecting a portion of a population, by means of mathematical calculations and probabilities, for the purpose of making scientifically and mathematically sound inferences regarding the characteristics of the entire population.

212
Q

Storage area networks (SANs)

A

A variation of a local area network (LAN) that is dedicated for the express purpose of connecting storage devices to servers and other computing devices.

Scope Notes: SANs centralize the process for the storage and administration of data.

213
Q

Structured Query Language (SQL)

A

A language used to interrogate and process data in a relational database. Originally developed for IBM mainframes, many implementations have been created for mini- and microcomputer database applications. SQL commands can be used to interactively work with a database or embedded with a programming language to interface with a database.

214
Q

Switches

A

Typically classified as a data link layer device, switches enable local area network (LAN) segments to be created and interconnected, which has the added benefit of reducing collision domains in Ethernet-based networks.

215
Q

System development life cycle (SDLC)

A

The phases deployed in the development or acquisition of a software system.

Scope Notes: SDLC is an approach used to plan, design, develop, test and implement an application system or a major modification to an application system. Typical phases of SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post-implementation review, but not the service delivery or benefits realization activities.

216
Q

Threat

A

Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm

Scope Notes: A potential cause of an unwanted incident (ISO/IEC 13335)

217
Q

Token ring topology

A

A type of local area network (LAN) ring topology in which a frame containing a specific format, called the token, is passed from one station to the next around the ring.

Scope Notes: When a station receives the token, it is allowed to transmit. The station can send as many frames as desired until a predefined time limit is reached. When a station either has no more frames to send or reaches the time limit, it transmits the token. Token passing prevents data collisions that can occur when two computers begin transmitting at the same time.

218
Q

Transmission Control Protocol/Internet Protocol (TCP/IP)

A

Provides the basis for the Internet; a set of communication protocols that encompass media access, packet transport, session communication, file transfer, electronic mail (email), terminal emulation, remote file access and network management

219
Q

Trojan horse

A

Purposefully hidden malicious or damaging code within an authorized computer program

220
Q

Twisted pair

A

A low-capacity transmission medium; a pair of small, insulated wires that are twisted around each other to minimize interference from other wires in the cable.

221
Q

Uninterruptible power supply (UPS)

A

Provides short-term backup power from batteries for a computer system when the electrical power fails or drops to an unacceptable voltage level.

222
Q

Universal Serial Bus (USB)

A

An external bus standard that provides capabilities to transfer data at a rate of 12 Mbps.

Scope Notes: A USB port can connect up to 127 peripheral devices.

223
Q

Variable sampling

A

A sampling technique used to estimate the average or total value of a population based on a sample; a statistical model used to project a quantitative characteristic, such as a monetary amount.

224
Q

Voice-over Internet Protocol (VoIP)

A

Also called IP Telephony, Internet Telephony and Broadband Phone, a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of over dedicated voice transmission lines

225
Q

Vulnerability

A

A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

226
Q

Vulnerability analysis

A

A process of identifying and classifying vulnerabilities

227
Q

Warm site

A

Similar to a hot site but not fully equipped with all of the necessary hardware needed for recovery.

228
Q

White box testing

A

A testing approach that uses knowledge of a program's/module's underlying implementation and code intervals to verify its expected behavior.

229
Q

Wi-Fi Protected Access (WPA)

A

A class of security protocols used to secure wireless (Wi-Fi) computer networks

230
Q

Wide area network (WAN)

A

A computer network connecting multiple offices or buildings over a larger area

231
Q

Wide area network (WAN) switch

A

A data link layer device used for implementing various WAN technologies such as Asynchronous Transfer Mode (ATM), point-to-point Frame Relay solutions and Integrated Services Digital Network (ISDN).

Scope Notes: WAN switches are typically associated with carrier networks providing dedicated WAN switching and router services to enterprises via T-1 or T-3 connections.

232
Q

Wired Equivalent Privacy (WEP)

A

A scheme that is part of the IEEE 802.11 wireless networking standard to secure IEEE 802.11 wireless networks (also known as Wi-Fi networks).

Scope Notes: Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping. WEP was intended to provide comparable confidentiality to a traditional wired network (in particular, it does not protect users of the network from each other), hence the name. Several serious weaknesses were identified by cryptanalysts, and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite the weaknesses, WEP provides a level of security that can deter casual snooping.

233
Q

Wiretapping

A

The practice of eavesdropping on information being transmitted over telecommunications links.

234
Q

X.25 Interface

A

An interface between data terminal equipment (DTE) and data circuit-terminating equipment (DCE) for terminals operating in the packet mode on some public data networks.