GLOSSARY  

802.1X   A standard for network authentication and access control that can mutually authenticate both people and devices connecting to a LAN or a wireless LAN.

802.11   The family of IEEE wireless LAN standards, commonly known as Wi-Fi. Supported data rates and range depend on the amendment in use (802.11b, g, n, ac, ax, and so on) and on the environment: early amendments delivered tens of Mbit/sec, while 802.11ac and 802.11ax reach gigabit-class rates, over distances from tens of meters indoors to a few hundred meters outdoors.

acceptable use   A security policy that defines the types of activities that are acceptable and those that are not acceptable to the organization.

access bypass   Any attempt by an intruder to bypass access controls in order to gain entry into a system.

access control   Any means that detects or prevents unauthorized access and that permits authorized access.

access control list (ACL)   An access control method whereby a list of permitted or denied users (or systems, or services, as the case may be) is used to control access to resources.

access control log   A record of attempted accesses.

access control policy   A statement that defines the policy for the granting, review, and revocation of access to systems and work areas.

access management   A formal business process used to control access to networks and information systems.

access point   A device that provides communication services using the 802.11 (Wi-Fi) protocol standard.

access review   A review of the users, systems, or other subjects that are permitted to access protected objects. The purpose of a review is to ensure that all subjects are authorized to have access.

account lockout   An administrative lock that is placed on a user account when a predetermined event occurs, such as when an expiration date is reached or when there have been several unsuccessful attempts to access the user account.

accumulation of privileges   A situation in which an employee accumulates system access privileges over a long period of time and after internal transfers or other privilege changes, but old access privileges have not been removed.

Address Resolution Protocol (ARP)   A standard network protocol used by a station on a local area network (LAN) to discover the link-layer (MAC) address that corresponds to a known IP address. ARP replies are not authenticated, which is what makes ARP spoofing on a LAN possible.

administrative audit   An audit of operational efficiency.

administrative control   Controls in the form of policies, processes, procedures, and standards.

agile development   Software development process whereby a large project team is broken up into smaller teams, and project deliverables are broken up into smaller pieces, each of which can be attained in a few weeks.

algorithm   In cryptography, a specific mathematical formula that is used to perform encryption, decryption, message digests, and digital signatures.

analytics   See audit data analytics.

annualized loss expectancy (ALE)   The expected loss of asset value due to threat realization. ALE is defined as single loss expectancy (SLE) × annualized rate of occurrence (ARO).

annualized rate of occurrence (ARO)   An estimate of the number of times that a threat will occur every year.

anti-malware   Software that uses various means to detect and block malware. See also antivirus software.

antivirus software   Software that is designed to detect and remove viruses and other forms of malware.

AppleTalk   The suite of protocols developed by Apple Inc. that are used to transmit packets from one station to another over a network.

appliance   A type of computer with preinstalled software that requires little or no maintenance.

application firewall   A device used to control packets being sent to an application server, primarily to block unwanted or malicious content.

application layer (OSI model)   Layer 7 of the OSI network model. See also OSI network model.

application layer (TCP/IP model)   Layer 4 of the TCP/IP network model. The purpose of the application layer is the delivery of messages from one process to another on the same network or on different networks. See also TCP/IP network model.

application programming language   See programming language.

application server   A server that runs application software.

architecture standard   A standard that defines technology architecture at the database, system, or network level.

ARCI   See RACI.

arithmetic logic unit (ALU)   The part of a central processing unit that performs arithmetic and logical operations. See central processing unit (CPU).

asset inventory   The process of confirming the existence, location, and condition of assets; also, the results of such a process.

asset management   The processes used to manage the inventory, classification, use, and disposal of assets.

asset value (AV)   The value of an IT asset, which is usually (but not necessarily) the asset’s replacement value.

assets   The collection of property that is owned by an organization.

asymmetric encryption   A method for encryption, decryption, and digital signatures that uses pairs of encryption keys: a public key and a private key.

asynchronous replication   A type of replication whereby writing data to the remote storage system is not kept in sync with updates on the local storage system. Instead, there may be a time lag, and there is no guarantee that data on the remote system is identical to that on the local storage system. See also replication.

Asynchronous Transfer Mode (ATM)   A LAN and WAN protocol standard that carries traffic in fixed-size 53-byte cells (48 bytes of payload plus a 5-byte header) over virtual circuits. Unlike synchronous time-division multiplexing, ATM does not assign stations fixed time slots: cells are transmitted as they become available, and the fixed cell size lets switches forward them in hardware with predictable delay. See also cell.

atomicity   The characteristic of a complex transaction whereby it is either performed completely as a single unit or not performed at all.

attack surface   The set of hardware and software components present on a system or in an environment that can potentially be exploited by an attacker.

attribute sampling   A sampling technique used to study the characteristics of a population to determine how many samples possess a specific characteristic. See also sampling.

audit charter   A written document that defines the mission and goals of the audit program as well as roles and responsibilities.

audit data analytics   Techniques used to examine audit evidence computationally to assist auditors in determining control effectiveness.

audit hook   Components in software applications used to provide additional transaction monitoring and to create alerts when certain events occur.

audit logging   A feature in an application, operating system, or database management system whereby events are recorded in a separate log.

audit methodology   A set of audit procedures that is used to accomplish a set of audit objectives.

audit objective   The purpose or goals of an audit. Generally, the objective of an audit is to determine whether controls exist and are effective in some specific aspect of business operations in an organization.

audit procedures   The step-by-step instructions and checklists required to perform specific audit activities. Procedures may include a list of people to interview and questions to ask them, evidence to request, audit tools to use, sampling rates, where and how evidence will be archived, and how evidence will be evaluated.

audit program   The plan for conducting audits over a long period.

audit report   The final, written product of an audit. An audit report will include a description of the purpose, scope, and type of audit performed; persons interviewed; evidence collected; rates and methods of sampling; and findings on the existence and effectiveness of each control.

audit scope   The process, procedures, systems, and applications that are the subject of an audit.

authentication   The process of asserting one’s identity and providing proof of that identity. Typically, authentication requires a user ID (the assertion) and a password (the proof). However, authentication can also require stronger means of proof, such as a digital certificate, token, smart card, or biometric.

authorization   The process whereby a system determines what rights and privileges a user has.

automated workpapers   Data that has been captured by computer-assisted audit techniques. See also computer-assisted audit technique (CAAT).

automatic control   A control that is enacted through some automatic mechanism that requires little or no human intervention.

availability management   The IT function that consists of activities concerned with the availability of IT applications and services. See also IT service management (ITSM).

back door   A section of code that permits someone to bypass access controls and access data or functions. Back doors are sometimes placed in programs during development for testing convenience; they must be removed before release, because any that remain are a vulnerability available to whoever discovers them.

background check   The process of verifying an employment candidate’s employment history, education records, professional licenses and certifications, criminal background, and financial background.

background verification   See background check.

back-out plan   A procedure used to reverse the effect of a change that was not successful.

backup   The process of copying important data to other media so that it can be restored after a hardware failure, software error, user error, malware, or disaster damages or destroys the original.

backup media rotation   Any scheme used to determine how backup media is to be reused.

balanced scorecard (BSC)   A management tool that is used to measure the performance and effectiveness of an organization.

barbed wire   Coiled or straight wire with sharp barbs that may be placed along the top of a fence or wall to prevent or deter passage by unauthorized personnel.

benchmarking   The practice of measuring a process in order to compare its performance and quality with the same process as performed by another firm. The purpose is to discover opportunities for improvement that may result in lower cost, fewer resources, and higher quality.

benefits realization   The result of strategic planning, process development, and systems development, which all contribute toward a launch of business operations to reach a set of business objectives.

biometrics   Any use of a machine-readable characteristic of a user’s body that uniquely identifies the user. Biometrics can be used for strong authentication. Types of biometrics include voice recognition, fingerprint, hand scan, palm vein scan, iris scan, retina scan, facial scan, and handwriting. See also authentication; multifactor authentication.

blackmail   An attempt to extort money from an individual or organization through a threat of exposure.

blackout   A complete loss of electric power for more than a few seconds.

blade server   A type of computer architecture in which a main chassis equipped with a power supply, cooling, network, and console connectors contains several slots that are fitted with individual computer modules, or blades. Each blade is an independent computer system.

block cipher   An encryption algorithm that operates on fixed-size blocks of data (for example, 128-bit blocks in AES). Encrypting data longer than one block requires a mode of operation such as CBC or GCM; the choice of mode determines whether integrity is protected as well as confidentiality.

blockchain   A distributed ledger used to record cryptographically linked transactions.

Bluetooth   A short-range airlink standard for data communications between peripherals and low-power consumption devices.

bollard   A barrier that prevents the entry of vehicles into protected areas.

Border Gateway Protocol (BGP)   The routing protocol that connects the Internet’s autonomous systems. Routers exchange lists of reachable IP prefixes together with the sequence of autonomous systems used to reach them, and select routes according to those path attributes and local policy rather than a single shortest-path metric. BGP runs over TCP.

bot   A type of malware in which agents are implanted by other forms of malware and are programmed to obey remotely issued instructions. See also botnet.

bot army   See bot; botnet.

botnet   A collection of bots that are under the control of an individual. See also bot.

bridge   An Ethernet network device used to interconnect two or more Ethernet networks.

broadcast address   The highest numeric IP address in an IP subnet. When a packet is sent to the network’s broadcast address, all active stations on the network will receive it.

brownout   A sustained drop in voltage that can last from several seconds to several hours.

budget   A plan for allocating resources over a certain time period.

bug sweeping   The practice of electronically searching for covert listening devices.

bus   A component in a computer that provides the means for the different components of the computer to communicate with one another.

bus topology   A network topology in which each station is connected to a central cable.

business case   An explanation of the expected benefits to the business that will be realized as a result of a program or project.

business continuity planning (BCP)   The activities required to ensure the continuation of critical business processes.

business functional requirements   Formal statements that describe required business functions that a system must support.

business impact analysis (BIA)   A study used to identify the impact that different disaster scenarios will have on ongoing business operations.

business process life cycle (BPLC)   The life cycle process concerned with the development and maintenance of business processes.

business process management (BPM)   Activities concerned with the development, maintenance, and monitoring of business processes.

business process reengineering (BPR)   The set of activities related to the process of making changes to business processes.

business realization   See benefits realization.

business recovery plan   The activities required to recover and resume critical business processes and activities. See also response document.

call tree   A method for ensuring the timely notification of key personnel when an event such as a disaster occurs.

campus area network (CAN)   The interconnection of LANs for an organization that has buildings in close proximity.

capability maturity model   A model used to measure the relative maturity of an organization or of its processes.

Capability Maturity Model Integration (CMMI)   A maturity model that represents the aggregation of other maturity models.

capacity management   The IT function that consists of activities that confirm that there is sufficient capacity in IT systems and IT processes to meet service needs. Primarily, an IT system or process has sufficient capacity if its performance falls within an acceptable range, as specified in service-level agreements (SLAs). See also IT service management (ITSM); service-level agreement (SLA).

Category 3   A twisted-pair cabling standard (rated to 16 MHz) that can carry 10 Mbit/s Ethernet (10BASE-T) up to 100 meters (328 ft.). See also twisted-pair cable.

Category 5/5e   A twisted-pair cabling standard (rated to 100 MHz) that can carry 10 Mbit/s and 100 Mbit/s Ethernet, and in its 5e form 1000 Mbit/s (1 Gbit/s) Ethernet, up to 100 meters (328 ft.). See also twisted-pair cable.

Category 6   A twisted-pair cabling standard rated to 250 MHz. It carries the same Ethernet speeds as Category 5e up to 100 meters (328 ft.) with better noise resistance, and can also carry 10 Gbit/s Ethernet (10GBASE-T) over shorter runs of up to 55 meters; Category 6A extends 10 Gbit/s to 100 meters. See also twisted-pair cable.

Category 7   A twisted-pair cabling standard rated to 600 MHz, with individually shielded pairs, that can carry 10 Gbit/s Ethernet over 100 meters (328 ft.). See also twisted-pair cable.

Category 8   A twisted-pair cabling standard, ratified in 2016, rated to 2000 MHz and designed for 25 Gbit/s and 40 Gbit/s Ethernet over short runs of up to 30 meters in data centers. See also twisted-pair cable.

cell   The protocol data unit (PDU) for the Asynchronous Transfer Mode (ATM) protocol.

Center for Internet Security Controls   A security controls framework developed by the Center for Internet Security (CIS).

central processing unit (CPU)   The main hardware component of a computer that executes program instructions.

certificate authority (CA)   A trusted party that issues digital certificates, binding a subject’s identity to its public key by signing the certificate with the CA’s private key, and that publishes revocation information for the certificates it has issued. See also digital certificate; certificate revocation list (CRL).

certificate revocation list (CRL)   An electronic list of digital certificates that have been revoked prior to their expiration date.

certification practice statement (CPS)   A published statement that describes the practices used by the CA to issue and manage digital certificates.

chain of custody   Documentation that shows the acquisition, storage, control, and analysis of evidence. The chain of custody may be needed if the evidence is to be used in a legal proceeding.

change advisory board   The group of stakeholders from IT and business that propose, discuss, and approve changes to IT systems.

change control   See change management.

change control board   See change advisory board.

change management   The IT function that is used to control changes made to an IT environment. See also IT service management (ITSM).

change request   A formal request for a change to be made in an environment. See also change management.

change review   A formal review of a requested change. See also change request; change management.

channel service unit/data service unit (CSU/DSU)   A device used to connect a telecommunications circuit to a local device such as a router.

cipher lock   An electronic or mechanical door equipped with combination locks. Only persons who know the combination may unlock the door.

ciphertext   A message, file, or stream of data that has been transformed by an encryption algorithm and rendered unreadable.

circuit switched   A WAN technology where a dedicated, end-to-end communications channel is established that lasts for the duration of the connection.

CISC (complex instruction set computer)   A central processing unit design that uses a comprehensive instruction set. See also central processing unit (CPU).

class   The characteristics of an object, including its attributes, properties, fields, and the methods it can perform. See also object; method.

class library   A repository where classes are stored. See also class.

classful network   A TCP/IP network with addressing that fits into one of the network classes: Class A, Class B, or Class C. A classful network will have a predetermined address range and subnet mask.

Classless Inter-Domain Routing (CIDR)   A method for allocating IP addresses and routing in which a prefix length (for example, /22) replaces the fixed class A/B/C masks, allowing subnets of any size and the aggregation of many routes into one. See also classless network.

classless network   A TCP/IP network with addressing that does not fit the classful network scheme, but instead uses an arbitrary subnet mask, as determined by the network’s physical and logical design.
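The broadcast address, classful network, CIDR, and classless network entries describe a computation that is easy to get wrong by hand. The following Go program is an added example, not part of the original glossary: given a prefix in CIDR notation, it derives the network address, the broadcast address (every host bit set to 1), the usable host range, and the mask the legacy class rules would have assigned, so the contrast between classful and classless addressing is visible. The sample prefixes in main are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// SubnetInfo holds the addressing facts derived from an IPv4 CIDR prefix.
type SubnetInfo struct {
	Network      string // lowest address in the block (all host bits 0)
	Broadcast    string // highest address in the block (all host bits 1)
	FirstHost    string
	LastHost     string
	UsableHosts  uint64
	PrefixLength int
	ClassfulMask string // mask the legacy class A/B/C rules would have implied
}

// offset returns ip shifted by d addresses (d may be negative). Arithmetic is
// modulo 2^32, which is harmless here because callers stay inside the block.
func offset(ip net.IP, d int32) net.IP {
	out := make(net.IP, 4)
	binary.BigEndian.PutUint32(out, binary.BigEndian.Uint32(ip)+uint32(d))
	return out
}

// classfulMask returns the default mask the pre-CIDR address classes assign
// from the leading bits of the first octet (A: 0xxx, B: 10xx, C: 110x).
func classfulMask(ip net.IP) string {
	switch first := ip[0]; {
	case first < 128:
		return "255.0.0.0"
	case first < 192:
		return "255.255.0.0"
	case first < 224:
		return "255.255.255.0"
	default:
		return "n/a (class D/E)"
	}
}

// Describe parses "a.b.c.d/n" and computes the network, broadcast and host
// range. IPv4 only: IPv6 has no broadcast address.
func Describe(cidr string) (SubnetInfo, error) {
	ip, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return SubnetInfo{}, err
	}
	if ip.To4() == nil {
		return SubnetInfo{}, fmt.Errorf("%s is not an IPv4 prefix", cidr)
	}
	ones, _ := ipnet.Mask.Size()
	mask := net.CIDRMask(ones, 32) // always a 4-byte mask
	network := ipnet.IP.To4()      // ParseCIDR already cleared the host bits

	// Broadcast address: the network address with every host bit set to 1.
	broadcast := make(net.IP, 4)
	for i := range broadcast {
		broadcast[i] = network[i] | ^mask[i]
	}

	info := SubnetInfo{
		Network:      network.String(),
		Broadcast:    broadcast.String(),
		PrefixLength: ones,
		ClassfulMask: classfulMask(network),
	}
	switch hostBits := 32 - ones; {
	case hostBits >= 2: // ordinary subnet: network and broadcast are not hosts
		info.UsableHosts = (uint64(1) << uint(hostBits)) - 2
		info.FirstHost = offset(network, 1).String()
		info.LastHost = offset(broadcast, -1).String()
	case hostBits == 1: // /31 point-to-point link (RFC 3021): both addresses usable
		info.UsableHosts = 2
		info.FirstHost, info.LastHost = info.Network, info.Broadcast
	default: // /32 host route
		info.UsableHosts = 1
		info.FirstHost, info.LastHost = info.Network, info.Network
	}
	return info, nil
}

func main() {
	// Constructed sample prefixes: a /26 cut from a class C block, a /23 that
	// spans two class C blocks inside class A space, and a /31 link.
	for _, cidr := range []string{"192.168.10.37/26", "10.1.2.0/23", "172.16.5.9/31"} {
		info, err := Describe(cidr)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-17s network %-12s broadcast %-13s hosts %s-%s (%d usable); classful mask would be %s\n",
			cidr, info.Network, info.Broadcast, info.FirstHost, info.LastHost, info.UsableHosts, info.ClassfulMask)
	}
}
```

The 10.1.2.0/23 case is the one to note during a firewall or ACL review: under classful rules a 10.x.x.x address implies a /8, so a rule written with the classful mask would cover sixteen million addresses instead of the 510 hosts the CIDR prefix actually denotes.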

client-server application   An application design in which the database and some business logic are stored on a central server and additional business logic plus display logic are stored on each user’s workstation.

cloud access security broker (CASB)   A system that monitors and, optionally, controls users’ access to cloud-based resources.

cloud computing   A technique of providing a dynamically scalable and usually virtualized computing resource as a service.

cluster   A tightly coupled collection of computers that is used to solve a common task. In a cluster, one or more servers actively perform tasks, while zero or more computers may be in a “standby” state, ready to assume active duty should the need arise.

coaxial   A type of network cable that consists of a solid inner conductor surrounded by an insulating jacket, which is surrounded by a metallic shield, which in turn is surrounded by a plastic jacket.

COBIT   A control framework for managing information systems and security. COBIT is published by ISACA.

code division multiple access (CDMA)   An airlink standard for wireless communications between mobile devices and base stations.

code division multiple access 2000 (CDMA2000)   An airlink standard (updated from CDMA) for wireless communications between mobile devices and base stations.

code of ethics   A statement that defines acceptable and unacceptable professional conduct.

codec   A device or program that encodes or decodes a data stream.

cold site   An alternate processing center where the degree of readiness for recovery systems is low. At the very least, a cold site is nothing more than an empty rack or allocated space on a computer room floor.

compensating control   A control that is implemented because another control cannot be implemented or is ineffective.

compliance audit   An audit to determine the level and degree of compliance to a law, regulation, standard, contract provision, or internal control.

compliance testing   A type of testing used to determine whether control procedures have been properly designed and implemented and are operating properly.

component-based development   A system development life cycle process whereby various components of a larger system are developed separately. See also system development life cycle (SDLC).

computer trespass   Unlawful entry into a computer or application.

computer-aided software engineering (CASE)   A broad variety of tools that are used to automate various aspects of application software development.

computer-assisted audit technique (CAAT)   Any technique by which computers are used to automate or simplify the audit process.

confidence coefficient   The probability that a sample selected actually represents the entire population. This is usually expressed as a percentage.

configuration item   A configuration setting in an IT asset. See also configuration management.

configuration management   The IT function in which the configuration of components in an IT environment is independently recorded. Configuration management is usually supported by the use of automated tools that inventory and control system configurations. See also IT service management (ITSM).

configuration management database (CMDB)   A repository for every component in an environment that contains information on every configuration change made on those components.

configuration standard   A standard that defines the detailed configurations that are used in servers, workstations, operating systems, database management systems, applications, network devices, and other systems.

conspiracy   A plan by two or more persons to commit an illegal act.

Constructive Cost Model (COCOMO)   A method for estimating software development projects based on the number of lines of code and the complexity of the software being developed.

contact list   A list of key personnel and various methods used to contact them. See also response document.

container   A method of operating-system-level virtualization whereby several isolated user-space instances (containers) run on one operating system kernel, each seeing only its own processes, file system, and network configuration. Because containers share the host kernel, the isolation boundary between them is weaker than that provided by a hypervisor.

continuity of operations plan (COOP)   The activities required to continue critical and strategic business functions at an alternate site. See also response document.

continuous and intermittent simulation (CIS)   A continuous auditing technique in which flagged transactions are processed in a parallel simulation and the results compared to production processing results.

continuous auditing   An auditing technique in which sampling and testing are automated and occur continuously.

contract   A binding legal agreement between two parties that may be enforceable in a court of law.

control   A policy, process, or procedure that is created to achieve a desired event or to avoid an unwanted event.

control failure   The result of an audit of a control whereby the control is determined to be ineffective.

control objective   A foundational statement that describes desired states or outcomes from business operations.

control risk   The risk that a material error exists that will not be prevented or detected by the organization’s control framework.

control self-assessment (CSA)   A methodology used by an organization to review key business objectives, risks, and controls. Control self-assessment is a self-regulation activity.

corrective action   An action that is initiated to correct an undesired condition.

corrective control   A control that is used after an unwanted event has occurred.

corroboration   An audit technique whereby an IS auditor interviews additional personnel to confirm the validity of evidence obtained from others who were interviewed previously.

countermeasure   Any activity or mechanism designed to reduce risk.

crash gate   Hard barriers that lift into position to prevent the entry (or exit) of unauthorized vehicles and that can be lowered to permit authorized vehicles.

critical path methodology (CPM)   A technique used to identify the most critical path in a project to understand which tasks are most likely to affect the project schedule.

criticality analysis (CA)   A study of each system and process, a consideration of the impact on the organization if it is incapacitated, the likelihood of incapacitation, and the estimated cost of mitigating the risk or impact of incapacitation.

cross-over error rate   The point at which the false reject rate equals the false accept rate. A lower cross-over error rate indicates a more accurate biometric system, and it is the usual figure for comparing systems; in operation the decision threshold may be moved toward fewer false accepts or fewer false rejects, depending on whether security or convenience is the priority. See also biometrics; false reject rate (FRR); false accept rate (FAR).

cryptanalysis   The study of attacks on cryptosystems: any attempt to recover plaintext or the key from ciphertext, or otherwise to defeat a cipher, protocol, or hash function, without being given the key.

cryptography   The practice and study of techniques for protecting information from unauthorized persons, including encryption for confidentiality and hashing and digital signatures for integrity and authenticity.

cryptosystem   A set of algorithms used to generate an encryption key, to perform encryption, and to perform decryption.

custodian   A person or group delegated to operate or maintain an asset.

customer relationship management (CRM)   An IS application used to track the details of the relationships with each of an organization’s customers.

customization   A unique change that is made to a computer program or system.

cutover   The step in the system development life cycle in which an old replaced system is shut down and a new replacement system is started.

cutover test   An actual test of disaster recovery and/or business continuity response plans. Its purpose is to evaluate the ability of personnel to follow directives in emergency response plans—to actually set up the DR business processing or data processing capability. In a cutover test, personnel shut down production systems and operate recovery systems to assume actual business workload. See also disaster recovery plan.

Cybersecurity Framework (CSF)   See NIST CSF (National Institute for Standards and Technology Cybersecurity Framework).

cyclic redundancy check (CRC)   An error-detecting code that produces a short checksum from a block of data so that accidental corruption in storage or transmission can be detected; the Ethernet frame check sequence is a 32-bit CRC. A CRC is not a cryptographic hash: because it is keyless and linear, anyone who alters the data can simply recompute the CRC, so it offers no protection against deliberate tampering. See also digital signature.
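The distinction the CRC entry draws, accidental corruption versus deliberate tampering, is easier to see with code. The following Go program is an added example and is not part of the original glossary: it attaches both a CRC-32 (the same IEEE polynomial Ethernet uses) and an HMAC-SHA256 to a constructed message, then applies a transmission error and a forgery. The message, the key, and the function names are assumptions made for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/crc32"
)

// Record is a message together with the integrity values its sender attached.
type Record struct {
	Body []byte
	CRC  uint32 // error-detecting code; no secret involved
	MAC  []byte // HMAC-SHA256 under a key the attacker does not hold
}

// Protect attaches both a CRC-32 (as Ethernet does for frames) and an HMAC.
func Protect(body, key []byte) Record {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return Record{Body: body, CRC: crc32.ChecksumIEEE(body), MAC: m.Sum(nil)}
}

// CRCValid reports whether the body still matches its CRC.
func CRCValid(r Record) bool { return crc32.ChecksumIEEE(r.Body) == r.CRC }

// MACValid reports whether the body still matches its HMAC under key.
// hmac.Equal compares in constant time, which matters for a keyed check.
func MACValid(r Record, key []byte) bool {
	m := hmac.New(sha256.New, key)
	m.Write(r.Body)
	return hmac.Equal(m.Sum(nil), r.MAC)
}

// flipBit models a transmission error: one bit of the body changes and
// nothing else does, so both the CRC and the HMAC no longer match.
func flipBit(r Record, bit int) Record {
	body := append([]byte(nil), r.Body...)
	body[bit/8] ^= 1 << uint(bit%8)
	return Record{Body: body, CRC: r.CRC, MAC: r.MAC}
}

// forge models a deliberate attacker: the body is rewritten and the CRC is
// simply recomputed, which needs no secret. The HMAC cannot be recomputed
// without the key, so the old one is left in place and will fail.
func forge(r Record, newBody []byte) Record {
	return Record{Body: newBody, CRC: crc32.ChecksumIEEE(newBody), MAC: r.MAC}
}

func main() {
	key := []byte("constructed-demo-key-not-for-real-use") // constructed for this example
	rec := Protect([]byte("transfer 100 to acct 4471"), key)
	fmt.Printf("original: CRC-32 %08x, HMAC %s...\n", rec.CRC, hex.EncodeToString(rec.MAC)[:16])

	noisy := flipBit(rec, 17) // one bit flipped on the wire
	fmt.Printf("bit flip: CRC valid=%v, HMAC valid=%v\n", CRCValid(noisy), MACValid(noisy, key))

	forged := forge(rec, []byte("transfer 999 to acct 6660")) // attacker edits and recomputes the CRC
	fmt.Printf("forgery:  CRC valid=%v, HMAC valid=%v\n", CRCValid(forged), MACValid(forged, key))
}
```

Both checks catch the bit flip; only the HMAC catches the forgery, because the CRC can be recomputed by anyone while the HMAC requires the key. The same reasoning applies to plain (unkeyed) hashes stored next to the data they protect.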

damage assessment   The process of examining assets after a disaster to determine the extent of damage.

data acquisition   The act of obtaining data for later use in a forensic investigation.

data analytics   See audit data analytics.

data classification   The process of assigning a sensitivity classification to a data set or information asset.

data classification policy   Policy that defines sensitivity levels and handling procedures for information.

data control language (DCL)   The subset of SQL statements (GRANT, REVOKE) used to control which users and roles may access which objects in a database.

data definition language (DDL)   The subset of SQL statements (CREATE, ALTER, DROP) used to define the structure of the objects in a database.

data dictionary (DD)   A set of data in a database management system that describes the structure of databases stored there.

data file controls   Controls that ensure the security and integrity of data files and their contents.

data flow architecture   The part of network architecture that is closely related to application and data architecture. See also data flow diagram.

data flow diagram   A diagram that illustrates the flow of data within and between systems.

data link layer   Layer 2 of the OSI network model. See also OSI network model.

data loss prevention (DLP)   Any of several methods of gaining visibility and control into the presence and movement of sensitive data.

data management utility   A type of utility software used to manipulate, list, transform, query, compare, encrypt, decrypt, import, or export data. See also utility software.

data manipulation language (DML)   The subset of SQL statements (INSERT, UPDATE, DELETE, and in most treatments SELECT) used to read and modify the data in a database.

data restore   The process of copying data from backup media to a target system for the purpose of restoring lost or damaged data.

database   A collection of structured or unstructured information.

database management system (DBMS)   A software program that facilitates the storage and retrieval of potentially large amounts of structured or unstructured information.

database server   A server that contains and facilitates access to one or more databases.

datagram   The protocol data unit (PDU) for the User Datagram Protocol in the TCP/IP suite.

data-oriented system development (DOSD)   A software development life cycle process that starts with a design of data and interfaces to databases and then moves on to program design.

debugging   The activity of searching for the cause of malfunctions in programs or systems.

decryption   The process of transforming ciphertext into plaintext so that a recipient can read it.

default gateway   A station on a network (usually a router) that is used to forward messages to stations on distant networks.

default password   A password associated with a user account or system account that retains its factory default setting.

deluge   A dry pipe fire sprinkler system with all sprinkler heads open. When the system is operated (for instance, when an alarm is triggered), water flows into the pipes and out of the sprinkler heads. See also fire sprinkler system.

denial of service (DoS)   An attack on a computer or network with the intention of causing disruption or malfunction of the target.

desktop computer   A computer used by an individual end user and located at the user’s workspace.

destructware   Malware that intentionally destroys information or information systems.

detection risk   The risk that an IS auditor will overlook errors or exceptions during an audit.

detective control   A control that is used to detect events.

deterrent control   A control that is designed to deter people from performing unwanted activities.

development   The process where software code is created.

DevOps   An agile software development and operations model.

DevSecOps   An agile and secure software development and operations model.

Diameter   An authentication, authorization, and accounting (AAA) protocol that is the successor to RADIUS. It runs over TCP or SCTP rather than UDP, giving it reliable transport, and adds richer message types. See also Remote Authentication Dial-in User Service (RADIUS).

Diffie-Hellman   A popular key exchange algorithm. See also key exchange.
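The Diffie-Hellman and key exchange entries are easier to follow with both sides' messages written out. The Go program below is an added example, not code from the original glossary; it uses the elliptic-curve form of Diffie-Hellman (X25519, from Go's standard crypto/ecdh package, available since Go 1.20) so no large prime has to be embedded. The party names, the use of SHA-256 in place of a proper key derivation function, and the helper names are assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party holds one side's state. Only PublicBytes ever crosses the wire; the
// private key never leaves the party.
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh X25519 key pair for one participant.
func NewParty(name string) (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// PublicBytes is the value a party sends to its peer (32 bytes for X25519).
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// SharedKey combines this party's private key with the peer's public value and
// passes the raw shared secret through SHA-256, a stand-in for the key
// derivation function a real protocol such as TLS would apply.
func (p *Party) SharedKey(peerPublic []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err // malformed or wrong-length public value
	}
	secret, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(secret)
	return k[:], nil
}

// Exchange runs the protocol between a and b and reports whether they agree.
// Message 1, a -> b: a's public value. Message 2, b -> a: b's public value.
// Each side then combines its own private key with the value it received.
func Exchange(a, b *Party) (keyA, keyB []byte, agree bool, err error) {
	keyA, err = a.SharedKey(b.PublicBytes())
	if err != nil {
		return nil, nil, false, err
	}
	keyB, err = b.SharedKey(a.PublicBytes())
	if err != nil {
		return nil, nil, false, err
	}
	return keyA, keyB, bytes.Equal(keyA, keyB), nil
}

func main() {
	alice, err := NewParty("Alice")
	if err != nil {
		panic(err)
	}
	bob, err := NewParty("Bob")
	if err != nil {
		panic(err)
	}
	keyA, keyB, agree, err := Exchange(alice, bob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Alice derives %s...\nBob   derives %s...\nagree: %v\n",
		hex.EncodeToString(keyA)[:16], hex.EncodeToString(keyB)[:16], agree)

	// Eve observed both public values on the wire but holds neither private
	// key; the best she can do is combine her own private key with one of them.
	eve, _ := NewParty("Eve")
	eveKey, _ := eve.SharedKey(alice.PublicBytes())
	fmt.Println("Eve's value matches the Alice/Bob key:", bytes.Equal(eveKey, keyA))
}
```

The exchange defeats a passive eavesdropper only. An attacker who can replace the public values in transit can run one exchange with each side and relay between them, which is why protocols such as TLS sign the exchanged values with a key vouched for by a digital certificate.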

digital certificate   An electronic document that binds an identity (the subject) to that subject’s public key, signed with the private key of a certificate authority (CA); anyone holding the CA’s public key can verify the signature. See also certificate authority (CA).

digital envelope   A method that uses two layers of encryption. A freshly generated symmetric key encrypts the message; the recipient’s public key then encrypts that symmetric key, so only the holder of the matching private key can recover the symmetric key and, with it, the message. See also asymmetric encryption.

digital private branch exchange (DPBX)   A private branch exchange (PBX) that supports digital technologies such as Voice over IP (VoIP) and Session Initiation Protocol (SIP). See also private branch exchange (PBX); Voice over IP (VoIP); Session Initiation Protocol (SIP).

digital rights management (DRM)   Any technology used to control the distribution and use of electronic content.

digital signature   A value produced by applying the originator’s private key to a hash of a message (in RSA this amounts to encrypting the hash with the private key) that anyone holding the originator’s public key can verify, proving the authenticity and integrity of the message.
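The digital envelope and digital signature entries together describe what most secure messaging does: symmetric encryption for the bulk data, public-key encryption for the symmetric key, and a signature over the message. The Go program below is an added example, not code from the original glossary, built entirely on Go's standard library (AES-GCM, RSA-OAEP and RSA-PSS). The party names, message, and function names are assumptions made for the demonstration; a real deployment would obtain the recipient's and sender's public keys from digital certificates rather than from freshly generated key pairs.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the sender transmits.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP under the recipient's public key, over the AES key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM under the AES key, over the message
	Signature  []byte // RSA-PSS under the sender's private key, over SHA-256(message)
}

// NewKeyPair generates a 2048-bit RSA key pair (constructed here for the
// demonstration; in practice keys would be provisioned and certified).
func NewKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal builds a digital envelope for recipientPub and signs the message with senderPriv.
func Seal(message []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (Envelope, error) {
	// Layer 1: a fresh 256-bit AES key encrypts the bulk data (fast, symmetric).
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, message, nil)

	// Layer 2: only the recipient's private key can unwrap the AES key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return Envelope{}, err
	}

	// Signature: the sender's private key over the message hash; anyone with
	// the sender's public key can verify origin and integrity.
	digest := sha256.Sum256(message)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open unwraps the key with recipientPriv, decrypts, then verifies the sender's
// signature. A bad signature is an error even when decryption succeeded.
func Open(env Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong recipient key or corrupted wrapped key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	message, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err // GCM authentication tag rejects any altered ciphertext
	}
	digest := sha256.Sum256(message)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify: not from the claimed sender, or altered")
	}
	return message, nil
}

func main() {
	alice := NewKeyPair() // sender
	bob := NewKeyPair()   // recipient
	env, err := Seal([]byte("wire 500 to account 12345"), &bob.PublicKey, alice)
	if err != nil {
		panic(err)
	}
	msg, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("Bob recovered %q (err=%v)\n", msg, err)

	// An impostor can encrypt for Bob, but cannot sign as Alice.
	mallory := NewKeyPair()
	env2, _ := Seal([]byte("wire 500 to account 99999"), &bob.PublicKey, mallory)
	_, err = Open(env2, bob, &alice.PublicKey)
	fmt.Println("impostor envelope:", err)
}
```

Two points the glossary definitions leave implicit are visible here: the symmetric key is generated fresh per message and travels only inside the RSA wrapping, and verification is against the sender's public key, so an envelope that decrypts correctly is still rejected when the signature was made by someone else.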

digital subscriber line (DSL)   A common carrier technology that transports data in both directions between the Internet and homes or businesses over ordinary copper telephone lines, sharing the line with voice service.

digital transformation (DX)   The creative use of information technology to support business operations and solve business problems.

directory   A structure in a file system that is used to store files and, optionally, other directories. See also file system.

directory system (DS)   See data dictionary (DD).

disaster   An unexpected and unplanned event that results in the disruption of business operations.

disaster declaration criteria   The conditions that must be present to declare a disaster, triggering response and recovery operations.

disaster declaration procedure   Instructions to determine whether to declare a disaster and trigger response and recovery operations. See also disaster declaration criteria.

disaster recovery and business continuity requirements   Formal statements that describe required recoverability and continuity characteristics that a system must support.

disaster recovery plan   The activities required to restore critical IT systems and other critical assets, whether in alternate or primary locations. See also response document.

disaster recovery planning (DRP)   Activities related to the assessment, salvage, repair, and restoration of facilities and assets.

Disaster Recovery-as-a-Service (DRaaS)   A cloud-based set of tools and services that streamline planning and execution of data backup and data replication for disaster recovery purposes.

discovery sampling   A sampling technique by which at least one exception is sought in a population. See also sampling.

Discretionary Access Control (DAC)   An access model by which the owner of an object is able to determine how and by whom the object may be accessed. The discretion of the owner determines permitted accesses by subjects.

disk array   A chassis in which several hard disks can be installed and connected to a server. The individual disk drives can be “hot swapped” in the chassis while the array is still operating.

disk management system (DMS)   An information system used to manage disk media, usually for the purpose of performing information backup. See also backup.

distributed denial of service (DDoS)   A denial of service (DoS) attack that originates from many computers. See also denial of service (DoS).

document review   A review of some or all disaster recovery and business continuity plans, procedures, and other documentation. Individuals typically review these documents on their own and at their own pace, but within whatever time constraints or deadlines that may have been established.

documentation   The inclusive term that describes charters, processes, procedures, standards, requirements, and other written documents.

Domain Name System (DNS)   A TCP/IP application layer protocol used to translate domain names (such as www.isecbooks.com) into IP addresses (such as 216.3.128.12).

dropout   A momentary loss of power that lasts from a few milliseconds to a few seconds.

dry pipe system   A fire sprinkler system used in locales where ambient temperatures often drop below freezing. In this type of system, pipes are filled with compressed air. When sufficient heat causes one of the sprinkler head fuses (heat-sensitive glass bulbs) to break, a control valve releases water into the piping. See also fire sprinkler system.

dual power feeds   The use of two physically separate electric power feeds into a facility.

Dynamic Host Configuration Protocol (DHCP)   A TCP/IP application layer protocol used to assign an IP address, subnet mask, default gateway, IP address of DNS servers, and other information to a workstation that has joined the network.

dynamic random access memory (DRAM)   The most common form of semiconductor memory by which data is stored in capacitors that require periodic refreshing.

E-1   A common carrier standard protocol for transporting voice and data. E-1 can support up to 32 separate voice channels of 64 Kbit/sec each and is used primarily in Europe.

E-3   A common carrier standard protocol for transporting voice and data. E-3 can support up to 512 separate voice channels of 64 Kbit/sec each and is used primarily in Europe.

E-vaulting   The process of backing up data to a cloud-based storage provider. E-vaulting is a form of backup, as distinguished from e-journaling.

east–west traffic   Network traffic moving between and among a tier of servers, between servers within a single virtualization environment, or within a data center. See also north–south traffic.

eavesdropping   The act of secretly intercepting and recording a voice or data transmission.

electric generator   A system consisting of an internal combustion engine powered by gasoline, diesel fuel, or natural gas that spins an electric generator. A generator can supply electricity for as long as several days, depending upon the size of its fuel supply and whether it can be refueled.

electrically erasable programmable read-only memory (EEPROM)   A form of permanent memory that can be rewritten using a special program on the computer on which it is installed.

electromagnetic interference (EMI)   Any electric field or magnetic field energy that can potentially interfere with a signal being sent via radiofrequency or over a metallic medium.

electronic protected health information (ePHI)   Patient-related healthcare information in electronic form, as defined by the U.S. Health Insurance Portability and Accountability Act (HIPAA). See also Health Insurance Portability and Accountability Act (HIPAA).

elliptic curve   A family of public key cryptography algorithms (for example, ECDH, ECDSA, and EdDSA) based on the mathematics of elliptic curves over finite fields. Elliptic curve keys are much shorter than RSA keys of comparable strength; a 256-bit curve key is roughly comparable to a 3072-bit RSA key.

e-mail   A network-based service used to transmit messages between individuals and groups.

embedded audit module (EAM)   A continuous auditing technique that consists of a special software module embedded within a system that is designed to detect processing anomalies.

emergency communications plan   A plan that outlines the communications required during a disaster. See also response document.

emergency response   The urgent activities that immediately follow a disaster, including evacuation of personnel, first aid, triage of injured personnel, and possibly firefighting.

employee handbook   See employee policy manual.

employee policy manual   A formal statement of the terms of employment, facts about the organization, benefits, compensation, conduct, and policies.

employment agreement   A legal contract between an organization and an employee, which may include a description of duties, roles and responsibilities, confidentiality requirements, compliance requirements, and termination information.

encapsulation   The object-oriented practice of bundling data together with the methods that operate on it and restricting outside access to the object’s internal state to those methods. See also method.

encryption   The transformation of readable data (plaintext) into an unreadable form (ciphertext) using an algorithm and a key, so that the data is useless to anyone who intercepts it without the key. In a sound design the algorithm is public and only the key is secret; a system whose security depends on keeping the algorithm secret is a sign of weak cryptography. See also encryption key.

encryption key   A block of characters used in combination with an encryption algorithm to encrypt or decrypt a stream or block of data.

Enhanced Interior Gateway Routing Protocol (EIGRP)   A Cisco-developed TCP/IP routing protocol, the successor to IGRP, used to exchange network routing information between routers to determine the most efficient path through a large network. See also Interior Gateway Routing Protocol (IGRP).

enterprise architecture   The model used to map business functions into the IT environment and IT systems in increasing levels of detail, with activities that ensure important business needs are met by IT systems.

erasable programmable read-only memory (EPROM)   A form of permanent memory that can be erased by shining ultraviolet (UV) light through a quartz window on the top of the chip.

error handling   Functions that are performed when errors in processing are encountered.

espionage   The act of spying on an organization.

Ethernet   A standard protocol for assembling a stream of data into frames for transport over a physical medium from one station to another on a local area network. On a shared (half-duplex) Ethernet segment, any station may transmit when no other station is already transmitting, with collisions detected and retried (CSMA/CD); modern switched Ethernet gives each station a dedicated full-duplex link and avoids collisions altogether.

evacuation procedure   Instructions to evacuate a work facility safely in the event of a fire, earthquake, or other disaster.

evidence   Information gathered by the auditor that provides proof that a control exists and is being operated.

expected error rate   An estimate that expresses the percent of errors or exceptions that may exist in an entire population.

exposure factor (EF)   The financial loss that results from the realization of a threat, expressed as a percentage of the asset’s total value.

extreme programming (XP)   An iterative software development methodology that consists of short development cycles intended to improve quality and respond to changing requirements.

false accept rate (FAR)   The rate at which invalid subjects are accepted as valid. This occurs when the biometric system’s matching threshold is set too permissively. See also biometrics; false reject rate (FRR).

false reject rate (FRR)   The rate at which valid subjects are rejected as invalid. This occurs when the biometric system’s matching threshold is set too strictly. Tightening the threshold lowers FAR but raises FRR; the setting at which the two rates are equal is the crossover error rate (CER), commonly used to compare biometric systems. See also biometrics; false accept rate (FAR).

feasibility study   An activity that seeks to determine the expected benefits of a program or project.

fence   A structure that prevents or deters passage by unauthorized personnel.

Fiber Distributed Data Interface (FDDI)   A local area network technology that consists of a “dual ring” with redundant network cabling and counter-rotating logical tokens.

fiber optics   A cabling standard that uses optical fiber instead of metal conductors.

Fibre Channel   A standard protocol for assembling a stream of data into frames for transport over a physical medium from one station to another, most often between servers and storage devices in a storage area network. See also storage area network (SAN).

field   A unit of storage in a relational database management system that consists of a single data item within a row. See also relational database management system (RDBMS); table; row.

file   A named sequence of zero or more bytes that is stored as a whole in a file system. A file may be a document, spreadsheet, image, sound file, computer program, or data that is used by a program. See also file system.

file activity monitoring (FAM)   Software that detects accesses to sensitive files, usually operating system files.

File Allocation Table (FAT)   A file system used by the MS-DOS operating system as well as by early versions of the Microsoft Windows operating system.

file integrity monitoring (FIM)   Software that detects tampering with sensitive files, usually operating system files.
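
An added example, not from the glossary, of the core of a file integrity monitor: take a baseline of SHA-256 digests for every file under a directory, rescan later, and report what was modified, added, or removed. The sample tree (a fake etc/passwd, etc/hosts, and an injected etc/ld.so.preload) is constructed inside a temporary directory so the example runs offline and touches no real system files; the function names are this example’s own.

```python
"""Minimal file integrity monitor: baseline, rescan, diff (added example)."""
import hashlib
import os
import tempfile


def hash_file(path):
    # Stream the file in chunks so large binaries need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    # Map each file (path relative to root, '/'-separated) to its digest.
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def diff(baseline, current):
    # Three classes of change an analyst wants to see, each sorted for stable output.
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    # Constructed sample tree standing in for /etc; contents are not real accounts.
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "etc", "passwd"), "root:x:0:0:root:/root:/bin/bash\n")
        _write(os.path.join(root, "etc", "hosts"), "127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Simulated tampering: a UID-0 backdoor account, an injected preload
        # library, and a deleted file.
        _write(os.path.join(root, "etc", "passwd"),
               "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        _write(os.path.join(root, "etc", "ld.so.preload"), "/tmp/.x/evil.so\n")
        os.remove(os.path.join(root, "etc", "hosts"))

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two caveats matter in a real deployment. The baseline is only as trustworthy as its storage: an attacker with root can rewrite a baseline kept on the same host, so it should be signed or kept off-host and compared against a read-only copy. And a content hash alone misses permission, ownership, and timestamp changes (for example, a setuid bit added to an unchanged binary), so production FIM tools record those attributes alongside the digest.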

file server   A server that is used to store files in a central location, usually to make them available to many users.

file system   A logical structure that facilitates the storage of data on a digital storage medium such as a hard drive, CD/DVD-ROM, or flash memory device.

File Transfer Protocol (FTP)   An early and still widely used TCP/IP application layer protocol used for the batch transfer of files or entire directories from one system to another. FTP transmits credentials and file contents in cleartext and should be replaced by FTPS or SFTP (file transfer over SSH) wherever the data or credentials matter.

File Transfer Protocol Secure (FTPS)   A TCP/IP application layer protocol that is an extension of FTP, in which authentication and transport are encrypted using TLS (formerly SSL). FTPS is distinct from SFTP, which is file transfer carried over SSH. See also File Transfer Protocol (FTP); Secure Sockets Layer (SSL); Transport Layer Security (TLS).

financial audit   An audit of an accounting system, accounting department processes, and accounting procedures to determine whether business controls are sufficient to ensure the integrity of financial statements.

financial management   Management for IT services that consists of several activities, including budgeting, capital investment, expense management, project accounting, and project ROI. See also IT service management (ITSM); return on investment (ROI).

fire extinguisher   A hand-operated fire suppression device used for fighting small fires.

fire sprinkler system   A fire suppression system that extinguishes a fire by spraying water on it.

firewall   A device that controls the flow of network messages between networks according to a rule set. Placed at the boundary between the Internet and an organization’s internal network, or between internal network zones, a firewall enforces security policy by default-deny filtering: all traffic is blocked except the specific protocols, ports, and hosts that rules explicitly permit, in either direction. See also access control list (ACL).

firmware   A computer’s special-purpose storage that is usually used to store the instructions required to start the computer system. Firmware is usually implemented in ROM, PROM, EPROM, EEPROM, or flash.

first in, first out (FIFO)   A backup media rotation scheme in which the oldest backup volumes are used next. See also backup media rotation.

flash   A form of permanent memory that can be rewritten by the computer that it is installed on. Flash memory is used by several types of devices, including SD (Secure Digital) cards, Compact Flash, Memory Stick, and USB drives.

foreign key   A field in a table in a relational database management system that references a unique primary key in another table. See also relational database management system (RDBMS); table; row; field.
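
An added example, not from the glossary, showing why a foreign key is an integrity control and not merely documentation. Using Python’s built-in sqlite3 module, it creates a users table and an access_grants table whose user_id references users(id), adds an index on that column, and runs the same inserts and delete twice: once with foreign key enforcement off (SQLite’s per-connection default) and once with it on. The schema and table names are this example’s own.

```python
"""Foreign key enforcement demonstrated with sqlite3 (added example)."""
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE access_grants (
    id       INTEGER PRIMARY KEY,
    user_id  INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,  -- foreign key
    resource TEXT NOT NULL
);
-- Index on the foreign key column: fast lookup of a user's grants and of
-- the rows a cascade must touch.
CREATE INDEX ix_grants_user ON access_grants(user_id);
"""


def open_db(enforce_fk):
    conn = sqlite3.connect(":memory:")
    # SQLite ignores foreign keys unless this pragma is ON for the connection.
    # It must be set before any transaction is open.
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users (id, name) VALUES (1, 'alice')")
    return conn


def grant(conn, user_id, resource):
    # Parameterized query: user-supplied values never become part of the SQL text.
    try:
        conn.execute(
            "INSERT INTO access_grants (user_id, resource) VALUES (?, ?)",
            (user_id, resource),
        )
        return True
    except sqlite3.IntegrityError:
        return False


def demo():
    results = {}
    for enforce in (False, True):
        conn = open_db(enforce)
        results[enforce] = {
            "valid": grant(conn, 1, "payroll"),        # references an existing user
            "dangling": grant(conn, 999, "payroll"),   # references no user at all
        }
        # Removing the user should remove her grants (ON DELETE CASCADE); without
        # enforcement the grants survive as orphans that still name a resource.
        conn.execute("DELETE FROM users WHERE id = 1")
        results[enforce]["orphans_after_delete"] = conn.execute(
            "SELECT COUNT(*) FROM access_grants"
        ).fetchone()[0]
        conn.close()
    return results


if __name__ == "__main__":
    for enforce, outcome in demo().items():
        print("foreign_keys=%s: %s" % ("ON" if enforce else "OFF", outcome))
```

With enforcement off, the grant for the nonexistent user 999 is accepted and both grants remain after alice is deleted, which is exactly the orphaned-privilege condition an access review is meant to catch. With enforcement on, the dangling insert is rejected and the cascade removes alice’s grant when her row goes. The pragma check is worth remembering for any SQLite-backed application, since the constraint is silently unenforced by default.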

forensic audit   An audit that is performed in support of an anticipated or active legal proceeding.

forensics   The application of procedures and tools during an investigation of a computer or network-related event.

fourth-generation language (4GL)   A high-level, often declarative language or tool (such as report generators, query languages, and application generators) that lets developers express what an application should do rather than how, and that may itself form part of the finished application.

frame   The protocol data unit (PDU) at the link layer of the TCP/IP model (for example, an Ethernet frame), corresponding to layer 2 of the OSI model. See also link layer.

Frame Relay   A common carrier standard for transporting packets from one network to another. Frame Relay is being replaced by MPLS. See also Multiprotocol Label Switching (MPLS).

fraud   The intentional deception made for personal gain or for damage to another party.

function point analysis (FPA)   A method for estimating software development projects based on the number of user inputs, outputs, queries, files, and external interfaces.

functional requirements   Statements that describe required characteristics that software must have to support business needs.

functional testing   The portion of software testing in which functional requirements are verified.

gate process   Any business process that consists of one or more review/approval gates, which must be completed before the process may continue.

gateway   A device that acts as a protocol converter or that performs some other type of transformation of messages.

general computing controls (GCC)   Controls that are general in nature and implemented across most or all information systems and applications.

General Packet Radio Service (GPRS)   An airlink standard for wireless communications between mobile devices and base stations.

generalized audit software (GAS)   Audit software that is designed to read data directly from database platforms and flat files.

governance   Management’s control over policy and processes.

grandfather-father-son   A hierarchical backup media rotation scheme that provides for longer retention of some backups. See also backup media rotation.

grid computing   A large number of loosely coupled computers that are used to solve a common task.

guard dogs   Dogs that assist security guards and that can be used to apprehend and control trespassers.

guest   A virtual machine running under a hypervisor.

hacker   Someone who interferes with or accesses another’s computer without authorization.

hardening   The technique of configuring a system so that only its essential services and features are active, all others are deactivated or removed, and secure configuration settings are applied. This reduces the attack surface of a system to its essential components only.

hardware monitoring   Tools and processes used continuously to observe the health, performance, and capacity of one or more computers.

hardware security module (HSM)   A tamper-resistant hardware device that generates, stores, and uses cryptographic keys so that key material never leaves the device in the clear; applications ask the HSM to sign or decrypt rather than retrieving the key.

hash function   A cryptographic operation that maps a block of data of any size to a fixed-length digest. A cryptographic hash function is one-way (the input cannot be recovered from the digest) and collision-resistant (two different inputs with the same digest cannot feasibly be found), which is what makes the digest useful for verifying message integrity and as the input to digital signatures. See also digital signature.

Health Insurance Portability and Accountability Act (HIPAA)   A U.S. regulation requiring healthcare delivery organizations, health insurance companies, and other healthcare industry organizations to secure and maintain privacy for electronic protected health information (ePHI).

heating, ventilation, and air conditioning (HVAC)   A system that controls temperature and humidity in a facility.

Hierarchical File System (HFS)   A file system used on classic Mac OS; its successor HFS+ (Mac OS Extended) was the default on Mac OS X until it was replaced by APFS. See also file system.

honeynet   A network of computers acting as a honeypot. See also honeypot.

honeypot   A trap that is designed to detect unauthorized use of information systems.

host-based intrusion detection system (HIDS)   An intrusion detection system that is installed on a system and watches for anomalies that could be signs of intrusion. See also intrusion detection system (IDS).

hot site   An alternate processing center where backup systems are already running and in some state of near-readiness to assume production workload. The systems at a hot site most likely have application software and database management software already loaded and running, perhaps even at the same patch levels as the systems in the primary processing center.

hub   An Ethernet network device that is used to connect devices to the network. A hub can be thought of as a multiport repeater: every frame received on one port is repeated to all other ports, so any connected station can capture all traffic on the segment. Hubs have been replaced by switches, which forward each frame only to its destination port.

humidity   The amount of water moisture in the air.

hybrid cryptography   A cryptosystem that combines public key and symmetric cryptography: a public key algorithm is used to establish or wrap a symmetric key, and the symmetric algorithm is used to encrypt the bulk data, because symmetric encryption is far faster. TLS and digital envelopes are hybrid systems. See also digital envelope.

Hypertext Transfer Protocol (HTTP)   A TCP/IP application layer protocol used to transmit web page contents from web servers to users who are using web browsers.

Hypertext Transfer Protocol Secure (HTTPS)   A TCP/IP application layer protocol that is similar to HTTP in its use for transporting data between web servers and browsers. HTTPS is not a separate protocol; it is HTTP carried inside a TLS (historically SSL) connection, which authenticates the server by its certificate and encrypts the traffic. See also Hypertext Transfer Protocol (HTTP); Secure Sockets Layer (SSL); Transport Layer Security (TLS).

hypervisor   Virtualization software that facilitates the operation of one or more virtual machines.

identification   The process of asserting one’s identity without providing proof of that identity. See also authentication.

identity management   The activity of managing the identity of each employee, contractor, temporary worker, and, optionally, customer, in a single environment or multiple environments.

impact   The actual or expected result from some action such as a threat or disaster.

impact analysis   The analysis of a threat and the impact it would have if it were realized.

implementation   A step in the software development life cycle where new or updated software is placed into the production environment and started.

incident   Any event that is not part of the standard operation of a service and that causes, or may cause, interruption to or a reduction in the quality of that service.

incident management   The IT function that analyzes service outages, service slowdowns, security incidents, and software bugs, and seeks to resolve them to restore normal service. See also IT service management (ITSM).

incident prevention   Proactive steps taken to reduce the probability and/or impact of security incidents.

independence   The characteristic of an auditor and his or her relationship to a party being audited. An auditor should be independent of the auditee; this permits the auditor to be objective.

index   An entity in a relational database management system that facilitates rapid searching for specific rows in a table based on a field other than the primary key. See also relational database management system (RDBMS); table; row; field; primary key.

indicator of compromise (IoC)   An observation on a network or in an operating system that indicates evidence of a network or computer intrusion.

inert gas system   A fire suppression system that floods a room with an inert gas, displacing oxygen from the room and extinguishing the fire.

information classification   See data classification.

information leakage   The tendency for sensitive information to leak out of an organization’s databases through various means, most of which are perpetrated by the organization’s personnel.

information security management   The aggregation of policies, processes, procedures, and activities implemented to ensure that an organization’s security policy is effective.

Information Security Management System (ISMS)   The collection of activities for managing information security, as defined by ISO/IEC 27001.

information security policy   A statement that defines how an organization will classify and protect its important assets.

Infrared Data Association (IrDA)   The organization that has developed technical standards for point-to-point data communications using infrared light. IrDA has largely been replaced with Bluetooth and USB.

infrastructure   The collection of networks, network services, devices, facilities, and system software that facilitates access to, communications with, and protection of business applications.

Infrastructure-as-a-Service (IaaS)   A cloud computing model in which a service provider makes computers and other infrastructure components available to subscribers. See also cloud computing.

inherent risk   The risk that material weaknesses are present in existing business processes and no compensating controls are able to detect or prevent them.

inheritance   The property of a class whereby the class’s attributes are passed to its children. See also class.

initialization vector (IV)   A non-secret value supplied along with the key to start an encryption operation so that encrypting the same plaintext twice under the same key yields different ciphertext. Requirements depend on the mode: CBC needs an unpredictable IV, while counter and authenticated modes such as CTR and GCM need a nonce that is never reused with the same key. IV reuse can expose plaintext and, in GCM, the authentication key.

input authorization   Controls that ensure that all data input into an information system is authorized by management.

input controls   Administrative and technical controls that determine what data is permitted to be input into an information system. These controls exist to ensure the integrity of information in a system.

input validation   Controls that ensure the type, length, format, and values of information input into a system are appropriate and reasonable. Validation is performed after the input has been decoded into its canonical form, and is most reliable when it accepts only an explicit allow-list of acceptable values rather than attempting to block known-bad ones.
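
An added example, not from the glossary, validating the three parameters of a constructed file-download request (filename, page number, output format). It contrasts a deny-list check on the raw value, which lets a percent-encoded traversal string through, with an allow-list applied after canonicalization, which rejects it. The parameter names, patterns and limits are this example’s own assumptions.

```python
"""Input validation: canonicalize, then allow-list (added example)."""
import re
import urllib.parse

# Allow-list for filenames: starts with an alphanumeric, then up to 63 safe chars.
FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
FORMATS = {"pdf", "csv", "txt"}
# What a naive deny-list filter looks for in the raw value.
DENY_PATTERNS = ("../", "..\\", ";", "|", "&")


def denylist_passes(raw):
    # Deny-list approach: accept unless a known-bad substring appears.
    return not any(p in raw for p in DENY_PATTERNS)


def check_filename(raw):
    # Canonicalize first (percent-decoding here), then apply the allow-list.
    # Returns the clean value, or None if rejected.
    value = urllib.parse.unquote(raw)
    if ".." in value or not FILENAME.fullmatch(value):
        return None
    return value


def check_page(raw):
    # Type check plus range check; int() rejects "1e3", "", and "10abc".
    try:
        page = int(raw, 10)
    except (TypeError, ValueError):
        return None
    return page if 1 <= page <= 1000 else None


def check_format(raw):
    # Enumerated value: only members of a fixed set are meaningful to the system.
    value = raw.strip().lower()
    return value if value in FORMATS else None


CHECKS = (("file", check_filename), ("page", check_page), ("format", check_format))


def validate(params):
    """Return (clean_values, rejected_parameter_names) for raw string parameters."""
    clean, errors = {}, []
    for name, checker in CHECKS:
        value = checker(params.get(name, ""))
        if value is None:
            errors.append(name)
        else:
            clean[name] = value
    return clean, errors


if __name__ == "__main__":
    attack = "..%2f..%2fetc%2fpasswd"   # constructed traversal attempt, URL-encoded
    print("deny-list passes encoded traversal:", denylist_passes(attack))
    print("allow-list after decoding:", check_filename(attack))
    print(validate({"file": "report.pdf", "page": "3", "format": "PDF"}))
```

The ordering is the point: the deny-list inspects the raw string and finds no "../", but the application will decode the value before opening the file, at which point it is a traversal. Validating the canonical form against an allow-list leaves nothing for an encoding trick to hide behind, and returning typed values (an int for page, a lower-cased member of a fixed set for format) means downstream code never re-parses untrusted strings.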

input/output (I/O) device   Any device that can be connected to a computer that enables the computer to send data to the device as well as receive data from the device.

inquiry and observation   An audit technique whereby an IS auditor asks questions of interviewees and makes observations about personnel behavior and the way they perform work tasks.

inrush   A sudden increase in current flowing to a device, usually associated with the startup of a large motor. This can cause a voltage drop that lasts several seconds.

insourcing   A form of sourcing whereby an employer will use its own employees to perform a function.

instant messaging (IM)   Any of several TCP/IP application layer protocols and tools used to send short text messages over a network.

integrated audit   An audit that combines an operational audit and a financial audit. See also operational audit; financial audit.

Integrated Services Digital Network (ISDN)   A common carrier telephone network used to carry voice and data over landlines. ISDN can be thought of as a digital version of the PSTN. See also public-switched telephone network (PSTN).

integrated test facility (ITF)   A type of automated test in which an auditor creates fictitious transactions to trace their integrity through the system.

intellectual property   A class of assets owned by an organization, including the organization’s designs, architectures, software source code, processes, and procedures.

Interior Gateway Routing Protocol (IGRP)   A Cisco-proprietary, now obsolete TCP/IP routing protocol used to transmit network routing information from one network router to another to determine the most efficient path through a large network; it was superseded by EIGRP. See also Enhanced Interior Gateway Routing Protocol (EIGRP).

Intermediate System to Intermediate System (IS-IS)   A TCP/IP routing protocol used to transmit network routing information from one network router to another to determine the most efficient path through a large network.

Internet   The interconnection of the world’s TCP/IP networks.

Internet Control Message Protocol (ICMP)   A communications diagnostics protocol that is a part of the TCP/IP suite of protocols.

Internet Group Management Protocol (IGMP)   A TCP/IP Internet layer protocol used to manage group membership in multicast networks.

Internet Key Exchange (IKE)   A protocol used to establish security associations (logical connections) between hosts using the IPsec protocol.

Internet layer (TCP/IP model)   Layer 2 of the TCP/IP network model. The purpose of the Internet layer is the delivery of messages (called packets) from one station to another on the same network or on different networks. See also TCP/IP network model.

Internet Message Access Protocol (IMAP)   A TCP/IP application layer protocol used by an end-user program to retrieve e-mail messages from an e-mail server.

Internet Protocol (IP)   The network layer protocol used in the TCP/IP suite of protocols. IP is concerned with the delivery of packets from one station to another, whether the stations are on the same network or on different networks.

Internet Protocol Security (IPsec)   A suite of protocols used to secure IP-based communications by using authentication and encryption.

interprocess communications (IPC)   Any of several protocols used for communications between running processes on one system or between systems.

intrusion detection system (IDS)   A hardware or software system that detects anomalies that may be signs of an intrusion.

intrusion prevention system (IPS)   A hardware or software system that detects and blocks anomalies that may be signs of an intrusion.

IP address   An address assigned to a station on a TCP/IP network.

irregularity   An event that represents an action that is contrary to accepted practices or policy.

IS audit   An audit of an information systems department’s operations and systems.

IS operations   The day-to-day control of the information systems, applications, and infrastructure that support organizational objectives and processes.

ISACA audit guidelines   Published documents that help the IS auditor apply ISACA audit standards.

ISACA audit procedures   Published documents that provide sample procedures for performing various audit activities and for auditing various types of technologies and systems.

ISACA audit standards   The minimum standards of performance related to security, audits, and the actions that result from audits. The standards are published by ISACA and updated periodically. ISACA audit standards are considered mandatory.

ISAE 3402 (International Standard on Assurance Engagement) audit   An external audit of a service provider. An ISAE 3402 audit is performed according to rules established by the International Auditing and Assurance Standards Board (IAASB).

ISO/IEC 15504   An ISO/IEC standard for evaluating the maturity of a software development process.

ISO/IEC 20000   An ISO/IEC standard for IT service management (ITSM).

ISO/IEC 27001   An ISO/IEC standard that specifies the requirements for an information security management system (ISMS). See also Information Security Management System (ISMS).

ISO/IEC 27002   An ISO/IEC standard for IT security controls.

ISO/IEC 38500   An ISO/IEC standard for corporate governance of information technology.

ISO 9000   An ISO standard (published by ISO alone, not jointly with IEC) for a quality management system.

ISO/IEC 9126   An ISO/IEC standard for evaluating the quality of software.

ISO/IEC 9660   An ISO/IEC standard file system used on CD-ROM and DVD-ROM media.

IT Assurance Framework (ITAF)   An end-to-end framework developed to guide organizations in developing and managing IT assurance and IT audit.

IT balanced scorecard (IT-BSC)   A balanced scorecard used to measure IT organization performance and results. See also balanced scorecard (BSC).

IT governance   Management’s control over IT policy and processes.

IT Infrastructure Library (ITIL)   A widely adopted framework of practices for IT service management. See also IT service management (ITSM).

IT service management (ITSM)   The set of activities that ensures the delivery of IT services is efficient and effective, through active management and the continuous improvement of processes.

IT steering committee   A body of senior managers or executives that discusses high-level and long-term issues in the organization.

iterative development process   A software development process that consists of one or more repeating loops of planning, requirements, design, coding, and testing until development and implementation are considered complete.

job description   A written description of a job in an organization. A job description usually contains a job title, experience requirements, and knowledge requirements.

job rotation   The practice of moving personnel from position to position, sometimes with little or no notice, as a means for deterring personnel from engaging in prohibited or illegal practices.

JSON-RPC   A lightweight remote procedure call protocol in which a client’s request (method name and parameters) and the server’s response are encoded as JSON, typically carried over HTTP.

judgmental sampling   A sampling technique in which items are chosen based upon the auditor’s judgment, usually based on risk or materiality. See also sampling.

Kanban   A lean software development methodology that uses a visual Kanban board to track and plan the assignment and completion of tasks in a project.

key   See encryption key.

key compromise   Any unauthorized disclosure or damage to an encryption key. See also key management.

key custody   The policies, processes, and procedures regarding the management of keys. See also key management.

key disposal   The process of decommissioning encryption keys. See also key management.

key encrypting key   An encryption key that is used to encrypt another encryption key.

key exchange   A technique that is used by two parties to establish a symmetric encryption key when no secure channel is available.
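
An added example, not from the glossary, serving the entries for key exchange, Diffie-Hellman, key encrypting key, and digital envelope together: a sender performs a Diffie-Hellman exchange against the recipient’s public value, derives a key encrypting key (KEK) from the shared secret, encrypts the message under a fresh random content key, wraps that content key under the KEK, and authenticates the whole envelope. It uses only the Python standard library, so two stand-ins are assumed and labeled in the code: the symmetric cipher is a SHA-256 counter-mode keystream with an HMAC tag in place of AES-GCM, and the modulus is 2**255 - 19 (a well-known prime, the Curve25519 field prime) used purely as a large prime for the demonstration rather than a standardized DH group such as RFC 7919 ffdhe2048.

```python
"""Diffie-Hellman key agreement feeding a digital envelope (added example)."""
import hashlib
import hmac
import secrets

# Demo modulus only: a known large prime, not a standard finite-field DH group.
# Real deployments use RFC 7919 ffdhe2048 or larger, or X25519.
P = 2**255 - 19
G = 2


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2        # private exponent in [2, P-2]
    return priv, pow(G, priv, P)               # (private, public = G^priv mod P)


def dh_shared(priv, peer_pub):
    # Reject degenerate peer values (0, 1, P-1) that would force a trivial secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def kdf(shared, label):
    # Never use the raw DH result as a key; hash it with a purpose label.
    return hashlib.sha256(shared.to_bytes(32, "big") + label).digest()


def keystream(key, nonce, length):
    # Toy counter-mode keystream from SHA-256; stand-in for AES-CTR.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(recipient_pub, plaintext):
    """Sender: ephemeral DH -> KEK; fresh content key for the data, wrapped under the KEK."""
    eph_priv, eph_pub = dh_keypair()
    shared = dh_shared(eph_priv, recipient_pub)
    kek = kdf(shared, b"kek")                  # key encrypting key
    mac_key = kdf(shared, b"mac")
    content_key = secrets.token_bytes(32)      # symmetric key for this message only
    nonce = secrets.token_bytes(16)
    ciphertext = xor(plaintext, keystream(content_key, nonce, len(plaintext)))
    wrapped_key = xor(content_key, keystream(kek, nonce, 32))
    # Encrypt-then-MAC over everything the recipient will rely on.
    tag = hmac.new(mac_key, nonce + wrapped_key + ciphertext, hashlib.sha256).digest()
    return {"eph_pub": eph_pub, "nonce": nonce, "wrapped_key": wrapped_key,
            "ciphertext": ciphertext, "tag": tag}


def open_envelope(recipient_priv, env):
    """Recipient: same shared secret from the ephemeral public value; verify, unwrap, decrypt."""
    shared = dh_shared(recipient_priv, env["eph_pub"])
    mac_key = kdf(shared, b"mac")
    expected = hmac.new(mac_key, env["nonce"] + env["wrapped_key"] + env["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):   # constant-time comparison
        raise ValueError("envelope authentication failed")
    kek = kdf(shared, b"kek")
    content_key = xor(env["wrapped_key"], keystream(kek, env["nonce"], 32))
    return xor(env["ciphertext"], keystream(content_key, env["nonce"], len(env["ciphertext"])))


if __name__ == "__main__":
    bob_priv, bob_pub = dh_keypair()            # recipient's long-term pair
    env = seal(bob_pub, b"wire 500 EUR to account 42")   # constructed sample message
    print(open_envelope(bob_priv, env))
```

Two things the code cannot supply on its own are worth stating. The exchange authenticates nobody: the sender must obtain recipient_pub through an authenticated channel (a certificate, or a fingerprint compared out of band), otherwise an attacker who substitutes their own public value reads everything. And the envelope proves nothing about who sealed it, since anyone with the recipient’s public value can call seal; sender authenticity needs a digital signature over the envelope.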

key fingerprint   A short hash of a public key (for example, the SHA-256 digest of an SSH host key) that can be compared out of band, by phone or in person, to confirm that the full key being presented is the one its owner actually holds.

key generation   The initial generation of an encryption key. See also key management.

key length   The size, in bits, of an encryption key. For a given algorithm, longer keys require more effort to attack by brute force, but strength is not comparable across algorithms: a 128-bit symmetric key, a 256-bit elliptic curve key, and a 3072-bit RSA key offer roughly similar security.

key logger   A hardware device or a type of malware that records a user’s keystrokes and, optionally, mouse movements and clicks and sends them to the key logger’s owner.

key management   The various processes and procedures used by an organization to generate, protect, use, and dispose of encryption keys over their lifetime.

key performance indicator (KPI)   Measure of business processes’ performance and quality, used to reveal trends related to efficiency and effectiveness of key processes in the organization.

key protection   All means used to protect encryption keys from unauthorized disclosure and harm. See also key management.

key rotation   The process of issuing a new encryption key, re-encrypting data protected under the old key with the new one, and then retiring the old key. See also key management.

keycard system   A physical access control system by which personnel are able to enter a workspace by waving a keycard near a reader or inserting it into a reader, activating a door lock to unlock the door briefly.

known error   An incident that has been seen before, and its root cause is known.

laptop computer   A portable computer used by an individual user.

last in, first out (LIFO)   A backup media rotation scheme whereby the newest backup volumes are used next. See also backup media rotation.

Layer 2 Tunneling Protocol (L2TP)   A TCP/IP tunneling protocol used to carry point-to-point sessions across an IP network. L2TP provides no encryption of its own and is usually combined with IPsec (L2TP/IPsec). See also Internet Protocol Security (IPsec).

layer 3 switch   A device that routes packets between different TCP/IP networks.

layer 4 switch   A device used to route packets to destinations based on TCP and UDP port numbers.

layer 4-7 switch   A device that routes packets to destinations based on their internal content.

lean   A project management approach that emphasizes focus on value and efficiency. Lean is derived from the lean manufacturing techniques of the Toyota Production System in Japan.

least privilege   The concept by which an individual user should have the lowest privilege possible that will still enable him or her to perform necessary tasks.

Lightweight Directory Access Protocol (LDAP)   A TCP/IP application layer protocol used as a directory service for people and computing resources.

link layer   Layer 1 of the TCP/IP network model. The purpose of the link layer is the delivery of messages (usually called frames) from one station to another on a local network. See also TCP/IP network model.

local area network (LAN)   A network that connects computers and devices together in a small building or a residence.

logic bomb   A set of instructions designed to perform some damaging action when a specific event occurs; a popular example is a time bomb that alters or destroys data on a specified date in the future.

logical network architecture   The part of network architecture concerned with the depiction of network communications at a local, campus, regional, and global level.

loopback address   The IP address 127.0.0.1 (or any other address in the 127.0.0.0/8 block; ::1 in IPv6). A packet sent to a loopback address is delivered to the station at which it originated and never leaves the host.

LTE (Long Term Evolution)   A wireless telecommunications standard for use by mobile devices, considered an upgrade of older GSM and CDMA2000 standards.

machine authentication controls   Access controls used to authenticate a device to determine whether it will be permitted to access resources.

main storage   A computer’s short-term storage of information, usually implemented with electronic components such as random access memory (RAM).

mainframe   A large central computer capable of performing complex tasks for several users simultaneously.

malware   The broad class of programs designed to inflict harm on computers, networks, or information. Types of malware include viruses, worms, Trojan horses, spyware, and rootkits.

managed security service provider (MSSP)   An organization that provides security monitoring and/or management services for customers.

mandatory access control (MAC)   An access model used to control access to objects (files, directories, databases, systems, networks, and so on) by subjects (persons, programs, and so on). When a subject attempts to access an object, the operating system compares the access properties of the subject and object, typically the subject’s clearance against the object’s sensitivity label, and permits or denies the request. The rules are set centrally by security policy and cannot be altered by the owner of the object, which distinguishes MAC from discretionary access control (DAC), in which owners grant access at their own discretion.

mandatory vacation   A policy established by some organizations that requires each employee to take a vacation every year.

man-in-the-browser (MITB) attack   An attack on an end user’s browser whereby malicious code running inside the browser, such as a rogue extension, browser helper object (BHO), or injected script, silently alters what the user sees or what the browser sends. Because the tampering happens after the connection is decrypted and before the page is displayed, encrypting the connection does not prevent it.

man-in-the-middle (MITM) attack   An attack used to take over communications occurring between two parties. Here, an attacker intercepts communications being sent from one party to another and injects new, altered communications in their place. The attacker must be able to impersonate each party in the communication so that each party believes it is talking directly with the other party.

man-made disaster   A disaster that is directly or indirectly caused by human activity, through action or inaction. See also disaster.

manual control   A control that requires a human to operate it.

marking   The act of affixing a classification label to a document.

mash-up   A web-based application that contains components that originate from other web applications.

materiality   In financial audits, a dollar-amount threshold that alters the results on an organization’s financial statements. In IS audits, materiality is the threshold at which serious errors, omissions, irregularities, or illegal acts could occur.

maximum tolerable downtime (MTD)   A theoretical time period, measured from the onset of a disaster, after which the organization’s ongoing viability would be at risk.

maximum transmission unit (MTU)   The size of the largest protocol data unit (PDU) that can be transmitted on a network.

Media Access Control (MAC)   The sublayer of the data link layer that governs how stations frame, address, and transmit data on a shared medium. Ethernet and Wi-Fi (802.11) each define their own MAC.

Media Access Control (MAC) address   Node addressing used on Ethernet and Wi-Fi networks in which each interface carries a 48-bit (six-byte) address, conventionally written as six hexadecimal octets separated by colons or dashes, such as F0:E3:67:AB:98:02. The first three octets (the OUI) identify the manufacturer of a vendor-assigned address. Because a MAC address is set by software and is easily changed, it is a weak basis for authentication.
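
The following is an added example, not part of the glossary, showing how a practitioner normalizes the notation variants described above before comparing addresses, and how to read the two administrative bits in the first octet that the definition does not spell out: the least significant bit marks a multicast (group) address and the next bit marks a locally administered address, one set by software rather than by the vendor, which is what randomized or spoofed addresses look like. The `nac_check` function and the sample addresses are constructed for illustration.

```python
"""Normalize MAC addresses and decode the two administrative bits in the first octet."""
import re

_SEPARATORS = re.compile(r"[:.\-]")


def parse_mac(text):
    """Accept F0:E3:67:AB:98:02, f0-e3-67-ab-98-02, f0e3.67ab.9802 or f0e367ab9802; return six bytes."""
    digits = _SEPARATORS.sub("", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % text)
    return bytes.fromhex(digits)


def canonical(text):
    """Lower-case, colon-separated form used for all comparisons."""
    return ":".join("%02x" % b for b in parse_mac(text))


def describe(text):
    mac = parse_mac(text)
    first = mac[0]
    return {
        "canonical": canonical(text),
        "oui": mac[:3].hex().upper(),                # vendor prefix when universally administered
        "multicast": bool(first & 0x01),             # I/G bit: 1 = group (multicast/broadcast) address
        "locally_administered": bool(first & 0x02),  # U/L bit: 1 = set by software, not by the vendor
    }


def nac_check(observed, allowlist):
    """Hypothetical allowlist check: compare canonical forms so notation differences cannot
    cause a false mismatch, and flag allowed addresses that are locally administered, since
    those are the ones most likely to be randomized or spoofed. Returns (allowed, note)."""
    allowed = canonical(observed) in {canonical(a) for a in allowlist}
    if allowed and describe(observed)["locally_administered"]:
        return True, "allowed, but address is locally administered; verify the device another way"
    return allowed, "allowed" if allowed else "denied"


if __name__ == "__main__":
    for addr in ["F0:E3:67:AB:98:02", "02:00:00:11:22:33", "01:00:5e:00:00:fb"]:
        print(addr, describe(addr))
```

A MAC allowlist remains a convenience control, not an authentication control: any host can present any address, and the check above only catches the careless case where the attacker leaves the locally administered bit set.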

media control   A set of processes for controlling the security of storage media.

media destruction   See media sanitization.

media sanitization   The process of ensuring that data on digital media cannot be recovered, by overwriting, degaussing, cryptographic erasure (destroying the key that protects encrypted media), or physical destruction of the media. The effective method depends on the media type; overwriting, for example, is unreliable on flash storage because of wear leveling.

message digest   The result of a cryptographic hash function.

message server   A system in a distributed processing environment that stores and forwards transactions between systems.

message switched   A WAN communications technology in which each message is switched to its destination when a communications path is available.

method   The actions that an object can perform. See also object.

methodology standard   A standard that specifies the practices used by the IT organization.

metropolitan area network (MAN)   An interconnection of LANs that spans a city or regional area.

microsegmentation   A segmentation technique in which individual hosts are isolated with network access controls, typically with network or host firewalls.

middleware   A component in an application environment that is used to control or monitor transactions.

midrange computer   A large central computer capable of performing complex tasks for users.

migration   The process of transferring data from one system to a replacement system.

mitigating control   See compensating control.

mobile device   A portable computer in the form of a smartphone, tablet computer, or wearable device.

mobile device management (MDM)   A class of enterprise tools used to manage mobile devices such as smartphones and tablet computers.

mobile site   A portable recovery center that can be delivered to almost any location in the world.

modem (modulator-demodulator)   A device used to connect a local computer or network to a telecommunications network.

monitoring   The continuous or regular evaluation of a system or control to determine its operation or effectiveness.

multifactor authentication   Authentication that requires a user to present two or more independent factors: something the user knows (a password or PIN), something the user has (a token, smart card, or device holding a digital certificate), and something the user is (a biometric). Two instances of the same factor, such as a password plus security questions, do not constitute multifactor authentication.

multiplexor   A device used to connect several separate signals and combine them into a single data stream.

Multiprotocol Label Switching (MPLS)   A packet-switched network technology that utilizes a variable-length packet. In an MPLS network, each packet has one or more labels affixed to it that contain information that helps MPLS routers make packet-forwarding decisions without examining the contents of the packet itself (for an IP address, for instance).

multistation access unit (MAU)   A Token Ring network device used to connect stations to the network.

N + 1   The practice of employing one more than the minimum required number of systems so that in the event of a planned or unplanned outage of one of the systems, the other systems will continue functioning and provide service. This term usually applies to HVAC, UPS, and electric generators. See also heating, ventilation, and air conditioning (HVAC); uninterruptible power supply (UPS); electric generator.

natural disaster   A disaster that occurs in the natural world with little or no assistance from mankind. See also disaster.

near-field communications (NFC)   A standard for extremely short-distance radiofrequency data communications.

nearshore outsourcing   Outsourced personnel are located in a nearby country.

netbook computer   A miniature laptop computer, usually with more limited storage and peripheral connectivity than a laptop computer.

netflow   A protocol and feature of routers and switches, originally developed by Cisco, that exports summary records of the traffic flows passing through a device (source and destination addresses and ports, protocol, TCP flags, and byte and packet counts) without capturing payload. Flow records are used for network diagnostics and capacity planning and, in security monitoring, to detect scanning, beaconing, and data exfiltration.
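
As an added example, not part of the glossary, the parser below reads NetFlow version 5 export datagrams (the fixed 24-byte header and 48-byte record layout; v9 and IPFIX are template based and need a different parser) and then applies one of the detections the entry mentions: a source sending single-packet, SYN-only TCP flows to many ports of one host. The sample datagram is constructed in the block itself with the `build_v5` helper; there is no live collector.

```python
"""Parse NetFlow v5 export datagrams and flag SYN-scan behavior from the flow records."""
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct(">HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record
TCP, SYN = 6, 0x02


def parse_v5(datagram):
    """Return one dict per flow record; raise ValueError if the datagram is malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10], "flags": r[12], "proto": r[13],
        })
    return flows


def syn_scan_pairs(flows, min_ports=10):
    """Map (src, dst) -> number of distinct destination ports for pairs that look like a
    SYN scan: TCP flows carrying only the SYN flag, at most two packets, to >= min_ports ports."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == TCP and f["flags"] == SYN and f["packets"] <= 2:
            ports[(f["src"], f["dst"])].add(f["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def build_v5(records):
    """Pack (src, dst, sport, dport, proto, flags, packets, octets) tuples into a v5 datagram.
    Used here only to construct sample data; a real exporter fills in the remaining fields."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                    1, 2, pk, oc, 1000, 1000, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, fl, pk, oc in records)
    return HEADER.pack(5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0) + body


# Constructed sample: one host probes 20 ports on a server with single SYN packets,
# alongside two ordinary flows (an established HTTPS session and a DNS lookup).
SAMPLE = build_v5(
    [("10.0.0.5", "192.168.1.10", 40000 + p, p, TCP, SYN, 1, 60) for p in range(1, 21)]
    + [("10.0.0.7", "192.168.1.10", 51000, 443, TCP, 0x1B, 42, 38000),
       ("10.0.0.7", "192.168.1.20", 51001, 53, 17, 0, 2, 180)])

if __name__ == "__main__":
    for (src, dst), n in syn_scan_pairs(parse_v5(SAMPLE)).items():
        print("possible SYN scan: %s -> %s, %d distinct ports" % (src, dst, n))
```

Two caveats a practitioner would apply before using this on real exports: the header’s sampling interval field means packet and byte counts may be 1-in-N samples, so thresholds must be scaled, and a slow scanner spreads its probes across many export intervals, so the port set must be aggregated across datagrams rather than per datagram as shown here.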

network access control (NAC)   An approach for network authentication and access control for devices designed to attach to a LAN or wireless LAN.

network address translation (NAT)   A method of translating IP addresses at network boundaries, most notably to convert private internal network addresses to publicly-routable network addresses.

network analysis   A reconnaissance operation on an organization’s network.

network architecture   The overall design of an organization’s network.

network attached storage (NAS)   A stand-alone storage system that contains one or more virtual volumes. Servers access these volumes over the network using the Network File System (NFS) or Server Message Block/Common Internet File System (SMB/CIFS) protocols, common on Unix and Windows operating systems, respectively.

network authentication   A network-based service that is used to authenticate persons to network-based resources.

Network Basic Input/Output System (NetBIOS)   A network protocol that permits applications to communicate with one another using the legacy NetBIOS API.

Network File System (NFS)   A TCP/IP application layer protocol used to make a disk-based resource on another computer appear as a logical volume on a local computer.

network interface card (NIC)   A device that is directly connected to a computer’s bus and contains one or more connectors to which a network cable may be connected.

network layer   Layer 3 of the OSI network model. See also OSI network model.

network management   A class of software program that is used to monitor and manage devices connected to a network. Also refers to the business processes used for the same purpose.

Network News Transfer Protocol (NNTP)   A TCP/IP application layer protocol used to transport Usenet news throughout the Internet and from news servers to end users using news reading programs. Usenet news has been largely displaced by web-based applications.

network operations center (NOC)   An IT function whereby personnel centrally monitor operations within an organization’s network, and often also its systems and applications.

network segmentation   The design process that results in the creation of network security zones, which are defined and controlled by firewalls or other stateful ACLs that limit access between zones.

Network Time Protocol (NTP)   A TCP/IP application layer protocol used to synchronize the time-of-day clocks on systems with time reference standards.

network-based intrusion detection system (NIDS)   An intrusion detection system that attaches to a network and listens for network-based anomalies. See also intrusion detection system (IDS).

NIST CSF (National Institute of Standards and Technology Cybersecurity Framework)   A framework consisting of standards, guidelines, and best practices to manage cybersecurity-related risk, developed by the U.S. National Institute of Standards and Technology.

noise   The presence of other electromagnetic signals within incoming power.

nonrepudiation   The property, provided by digital signatures, that makes it difficult or impossible for the signer to deny having signed a message, because only the holder of the private signing key could have produced the signature. Symmetric mechanisms such as message authentication codes do not provide it, since every party holding the shared key could have produced the code. Nonrepudiation depends on the signer having retained sole control of the private key; a signer who can show the key was lost or stolen regains the ability to repudiate.
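
An added example, not from the glossary, that makes the contrast in the entry concrete: a keyed hash (HMAC) lets Bob verify Alice’s message, but Bob holds the same key and can produce an equally valid tag for a message Alice never sent, so the tag proves nothing to a third party; with a signature, Bob verifies using only the public key and cannot sign himself. The signature scheme here is textbook RSA over two fixed Mersenne primes, chosen so the block runs with the standard library alone; the 92-bit modulus and the unpadded hash are an assumption for illustration and are not secure for real use.

```python
"""Why a digital signature gives nonrepudiation and a shared-key MAC does not (illustration)."""
import hashlib
import hmac

# Constructed toy key. P and Q are the Mersenne primes 2^31-1 and 2^61-1; the size is
# chosen for readability only, a real key would be 2048 bits or more with proper padding.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # Alice's private exponent (Python 3.8+ modular inverse)


def _h(message):
    """Hash the message and reduce into Z_N (stands in for a padding scheme such as PSS)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def rsa_sign(message, d=D):
    """Only the holder of d can compute this."""
    return pow(_h(message), d, N)


def rsa_verify(message, signature):
    """Anyone holding the public key (N, E) can check it; nobody needs d."""
    return pow(signature, E, N) == _h(message)


def mac(message, key):
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(message, tag, key):
    return hmac.compare_digest(mac(message, key), tag)


def compare():
    """Return a dict of observations about the two mechanisms."""
    msg, altered = b"Pay Bob 100 EUR", b"Pay Bob 1000 EUR"
    sig = rsa_sign(msg)
    shared_key = b"constructed-key-shared-by-alice-and-bob"
    return {
        # Bob verifies Alice's signature and a tampered message is rejected.
        "signature_verifies": rsa_verify(msg, sig),
        "tampered_message_rejected": not rsa_verify(altered, sig),
        # Bob, as verifier, cannot turn Alice's signature into one over a different message.
        "verifier_cannot_forge_signature": not rsa_verify(altered, sig),
        # With HMAC, Bob (the verifier) computes a valid tag for a message Alice never sent,
        # because he holds the same key she does: no nonrepudiation.
        "verifier_can_forge_mac": mac_verify(altered, mac(altered, shared_key), shared_key),
        # The caveat in the definition: whoever obtains D signs exactly as Alice would.
        "leaked_private_key_signs_as_alice": rsa_verify(altered, rsa_sign(altered, D)),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print("%-36s %s" % (k, v))
```

The last observation is why nonrepudiation is as much an operational property as a cryptographic one: key storage in hardware, timestamping, and revocation records are what let a relying party argue the key was under the signer’s sole control at signing time.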

north–south traffic   Network traffic that enters or leaves a data center or network security zone, such as traffic between Internet clients and an organization’s servers, as distinct from traffic between systems inside the same zone. See also east–west traffic.

NoSQL   An inclusive term referring to several nonrelational database management system designs.

notebook computer   See laptop computer.

NT File System (NTFS)   The file system used by the Windows family of operating systems to store and retrieve files on a hard disk.

object   1) The instantiation of a class. If a class is thought of as a design, an object can be thought of as a running example of the class. See also class. 2) A resource, such as a computer, application, database, file, or record. See also subject.

object breakdown structure (OBS)   A representation of the components of a project in graphical or tabular form.

object database   See object database management system (ODBMS).

object database management system (ODBMS)   A type of database management system in which information is represented as objects that are used in object-oriented programming languages.

object request broker (ORB) gateway   A system that facilitates the processing of transactions across a distributed environment that uses the CORBA (Common Object Request Broker Architecture) or Microsoft COM/DCOM standards.

objectivity   The characteristic of a person that relates to his or her ability to develop an opinion that is not influenced by external pressures.

object-oriented (OO) system development   Development of information systems using object-oriented languages and tools.

occupant emergency plan (OEP)   Activities required to care for occupants in a business location safely during a disaster. See also response document.

off-shoring   A form of sourcing whereby an employer will source a function with employees or contractors located in another country or continent.

off-site media storage   The practice of storing media such as backup tapes at an off-site facility located away from the primary computing facility.

online inquiry   An auditing technique whereby an auditor can log on to an application to retrieve detailed information on specific transactions.

onshore outsourcing   Outsourced personnel are located in the same country.

Open Shortest Path First (OSPF)   A TCP/IP routing protocol used to transmit network routing information from one network router to another to determine the most efficient path through a large network.

operating system   A large, general-purpose program used to control computer hardware and facilitate the use of software applications.

operational audit   An audit of IS controls, security controls, or business controls to determine control existence and effectiveness.

optical carrier (OC) level   Classifications of data throughput over wide area fiber telecommunications networks.

organization chart   A diagram that depicts the manager-subordinate relationships within an organization or within a part of an organization.

OSI network model   The seven-layer network model that incorporates encapsulation of messages. The OSI model has been extensively studied but has never been entirely implemented. See also TCP/IP network model.

output controls   Controls that ensure the accuracy and validity of final calculations and transformations.

outsourcing   A form of sourcing in which an employer uses contract employees to perform a function. The contract employees may be located on-site or off-site.

owner   A person or group responsible for the operation of an asset.

packet   The protocol data unit (PDU) at the IP layer of TCP/IP and layer 3 of the OSI model.

packet switched   A WAN technology in which communications between endpoints take place over a stream of packets that are routed through switches until they reach their destination.

parallel test   An actual test of disaster recovery (DR) and/or business continuity response plans. The purpose of a parallel test is to evaluate the ability of personnel to follow directives in emergency response plans—to set up the DR business processing or data processing capability. In a parallel test, personnel operate recovery systems in parallel with production systems to compare the results between the two to determine the actual capabilities of recovery systems.

password   A secret combination of letters, numbers, and other symbols, chosen by a user or issued by a system manager, that is presented together with an identifier such as a user ID to log into an account, system, or network.

password complexity   The characteristics required of user account passwords. For example, a password may not contain dictionary words and must contain uppercase letters, lowercase letters, numbers, and symbols.

password length   The minimum and maximum number of characters permitted for a user password associated with a computer, network, application, or system account.

password reset   The process of changing a user account password and unlocking the user account so that the user’s use of the account may resume.

password reuse   The act of reusing a prior password for a user account. Some information systems can prevent the use of prior passwords in case any were compromised with or without the user’s knowledge.
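
As an added example, not part of the glossary, the block below shows how a system can enforce the reuse rule described above while storing only salted, stretched hashes of prior passwords, never the passwords themselves. Because each remembered entry has its own random salt, a candidate password cannot be compared to the history by hash equality; it has to be re-derived once per entry, which is the cost that bounds how deep a history is practical. The `Account` class, the iteration count, and the sample passwords are constructed for illustration; the iteration count is deliberately low so the example runs quickly and should be far higher in production.

```python
"""Enforce a password-history rule while storing only salted PBKDF2 hashes of prior passwords."""
import hashlib
import hmac
import os

ITERATIONS = 20_000     # PBKDF2-HMAC-SHA256 work factor; demo value, production uses far more
HISTORY_DEPTH = 5       # number of passwords (current plus prior) remembered


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Account:
    """Hypothetical account record: current hash plus up to HISTORY_DEPTH-1 prior hashes."""

    def __init__(self, password):
        self.history = []                   # [(salt, digest)], oldest first, current last
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)               # fresh salt per entry, so equal passwords hash differently
        self.history.append((salt, derive(password, salt)))
        del self.history[:-HISTORY_DEPTH]   # forget entries beyond the retained depth

    def authenticate(self, password):
        salt, digest = self.history[-1]
        return hmac.compare_digest(derive(password, salt), digest)

    def was_used_before(self, candidate):
        # Distinct salts mean one derivation per remembered entry; no shortcut exists.
        return any(hmac.compare_digest(derive(candidate, s), d) for s, d in self.history)

    def change_password(self, current, new):
        """Require the current password, reject any remembered prior password, then store."""
        if not self.authenticate(current):
            return False
        if self.was_used_before(new):
            return False
        self._store(new)
        return True


if __name__ == "__main__":
    acct = Account("Winter2023!")
    print("reuse of current password accepted:", acct.change_password("Winter2023!", "Winter2023!"))
    print("new password accepted:", acct.change_password("Winter2023!", "Spring2024!"))
```

Two practitioner notes: the history check cannot catch a trivially modified password (Winter2023! to Winter2024!) because hashing hides similarity, so reuse controls are usually paired with a check against breached-password lists; and the bounded depth means a determined user can cycle through enough changes to return to a favorite, which a minimum password age is meant to slow down.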

password vaulting   The process of storing a password in a secure location for later use.

patch management   The process of identifying, analyzing, and applying patches (including security patches) to systems.

Payment Card Industry Data Security Standard (PCI DSS)   A security standard intended to protect cardholder data, including the primary account number, in storage, while being processed, and while being transmitted. The standard is maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, American Express, Discover, and JCB).

performance evaluation   A process whereby an employer evaluates the performance of each employee for the purpose of promotion, salary increase, bonus, or retention.

personal area network (PAN)   A network that is generally used by a single individual and is usually limited to about 3 meters in size.

phishing   A social engineering attack on unsuspecting individuals in which e-mail messages that resemble official communications entice victims to visit imposter web sites that contain malware or request credentials to sensitive or valuable assets.

physical control   Controls that employ physical means.

physical layer   Layer 1 of the OSI network model. See also OSI network model.

physical network architecture   The part of network architecture concerned with the physical locations of network equipment and network media.

piggybacking   See tailgating.

plain old telephone service (POTS)   Another name for the public-switched telephone network (PSTN). See also public-switched telephone network (PSTN).

plaintext   An original message, file, or stream of data that can be read by anyone who has access to it.

Platform-as-a-Service (PaaS)   A cloud computing delivery model whereby the service provider supplies the platform on which an organization can build and run software.

Point-to-Point Protocol (PPP)   A network protocol used to transport TCP/IP packets over point-to-point serial connections (usually RS-232 and dial-up connections).

policy   A statement that specifies a course, principle, or method of action that has been adopted or proposed in an organization. A policy usually defines who is responsible for monitoring and enforcing the policy.

polymorphism   A feature of a programming language that enables an object to behave in different ways, depending upon the data passed to it. See also object.

population   A complete set of subjects, entities, transactions, or events that are the subject of an audit.

Post Office Protocol (POP)   A TCP/IP application layer protocol used to retrieve e-mail messages from an e-mail server.

power distribution unit (PDU)   A device that distributes electric power to a computer room or data center.

pre-action system   A fire sprinkler system used in areas with high-value contents, such as data centers. A pre-action system is essentially a dry pipe system until a “preceding” event such as a smoke detector alarm occurs; at this time, the system is filled with water and becomes a wet pipe system. Then, if the ambient temperature at any of the sprinkler heads is high enough, fuses (heat-sensitive glass bulbs) break, releasing water to extinguish the fire. See also fire sprinkler system; dry pipe system; wet pipe system.

pre-audit   An examination of business processes, controls, and records in anticipation of an upcoming audit.

precision   A measure of how closely a sample represents the entire population.

presentation layer   Layer 6 of the OSI network model. See also OSI network model.

preventive action   An action that is initiated to prevent an undesired event or condition.

preventive control   A control that is used to prevent unwanted events from happening.

primary key   One of the fields in a table in a relational database management system that contains values that are unique for each record (row). See also relational database management system (RDBMS); table; row; field.

print server   A server used to coordinate printing to shared printers.

privacy   The protection of personal information from unauthorized disclosure, use, and distribution.

privacy policy   A policy statement that defines how an organization will protect, manage, and handle private information.

privacy requirements   Formal statements that describe required privacy safeguards that a system must support.

private address   An IPv4 address in one of the ranges reserved by RFC 1918 for use within private networks: 10.0.0.0–10.255.255.255 (10.0.0.0/8), 172.16.0.0–172.31.255.255 (172.16.0.0/12), or 192.168.0.0–192.168.255.255 (192.168.0.0/16). Internet routers do not forward packets addressed to these ranges, so hosts that use them reach the Internet through network address translation. See also network address translation (NAT).

privilege creep   See accumulation of privileges.

probability analysis   The analysis of a threat and the probability of its realization.

problem   An incident—often multiple incidents—that exhibits common symptoms and whose root cause is not known.

problem management   The IT function that analyzes chronic incidents and seeks to resolve them, and also enacts proactive measures in an effort to avoid problems. See also IT service management (ITSM).

procedure   A written sequence of instructions used to complete a task.

process   1) A collection of one or more procedures used to perform a business function. See also procedure. 2) A logical container in an operating system in which a program executes.

process isolation   A basic feature of an operating system that prevents one process from accessing the resources used by another process.

processing controls   Controls that ensure the correct processing of information.

program   An organization of many large, complex activities; it can be thought of as a set of projects that work to fulfill one or more key business objectives or goals.

program charter   A formal definition of the objectives of a program, its main timelines, sources of funding, the names of its principal leaders and managers, and the business executive(s) who are sponsoring the program.

program management   The management of a group of projects that exists to fulfill a business goal or objective.

programmable read-only memory (PROM)   A form of permanent memory that is blank when manufactured, can be written (programmed) once, and cannot be modified thereafter.

programming language   A vocabulary and set of rules used to construct a human-readable computer program.

project   A coordinated and managed sequence of tasks that results in the realization of an objective or goal.

project change management   The process of controlling a project plan and budget through formal reviews of changes.

Project Evaluation and Review Technique (PERT)   A visual representation of a project plan that shows project tasks, timelines, and dependencies.

project management   The activities that are used to control, measure, and manage the activities in a project.

Project Management Body of Knowledge (PMBOK)   A project management guide that defines the essentials of project management.

project plan   The chart of tasks in a project, which also includes start and completion dates, resources required, and dependencies and relationships between tasks.

project planning   The activities related to the development and management of a project.

project schedule   The chart of tasks in a project with their expected start and completion dates.

PRojects IN Controlled Environments 2 (PRINCE2)   A project management framework.

proof of concept   A method for demonstrating the ability to build or implement complex systems through the use of simpler models.

protocol analyzer   A device that is connected to a network to view network communications at a detailed level.

protocol data unit (PDU)   A discrete term that is used to signify a message that is created at various layers of encapsulated protocols such as TCP/IP.

protocol standard   A standard that specifies the protocols used by the IT organization.

prototyping   An alternative software development process whereby rapidly developed application prototypes are developed with user input and continuous involvement.

provided by client (PBC)   A list of evidence requested of an auditee at the onset of an audit.

proxy server   A system that relays requests between clients and servers on their behalf. A forward proxy is commonly used to control, filter, and log end-user access to Internet web sites; a reverse proxy sits in front of an organization’s own servers and mediates inbound requests.

public key cryptography   See asymmetric encryption.

public key infrastructure (PKI)   The set of roles, policies, and systems (certificate authorities, registration authorities, and repositories) used to issue, publish, validate, and revoke digital certificates that bind public keys to identities. See also registration authority (RA).

public-switched telephone network (PSTN)   The common carrier-switched telephone network used to carry voice telephone calls over landlines.

qualitative risk analysis   A risk analysis methodology by which risks are classified on a nonquantified scale, such as “High, Medium, Low,” or on a simple numeric scale, such as 1 through 5.

quality assurance testing (QAT)   The portion of software testing in which system specifications and technologies are formally tested.

quality management   Methods and processes by which business processes are controlled, monitored, and managed to bring about continuous improvement.

quality of service (QoS)   Any of several schemes in networks that ensure the quality of interactive, jitter-sensitive protocols such as telephony and streaming video.

quantitative risk analysis   A risk analysis methodology whereby risks are estimated in the form of actual cost amounts.

race condition   A flaw in which the outcome of a program depends on the relative timing of concurrent operations. In the common time-of-check-to-time-of-use (TOCTOU) form, an attacker exploits the window between the moment a program checks a condition on a resource (for example, that a file does not yet exist or that the user may access it) and the moment the program uses that resource, changing the resource in between so that the check no longer holds.
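
The following added example, not part of the glossary, shows the TOCTOU form on a file write. The vulnerable function checks that a path is free and then opens it; an attacker who controls the directory plants a symbolic link in the gap, and the open follows the link and truncates the victim file. The hardened function has no separate check: it asks the kernel to create the file atomically with `O_CREAT|O_EXCL`, which fails if anything, a symlink included, already occupies the name. The `attacker` callable stands in for an adversary who wins the race, so the demonstration is deterministic; the code assumes a POSIX system where symbolic links can be created.

```python
"""A check-then-use file write beside an atomic create that removes the race window."""
import os
import tempfile


def write_report_racy(path, data, attacker=lambda: None):
    """Vulnerable pattern: the existence check and the open are two separate steps.
    `attacker` models an adversary acting in the window between them."""
    if os.path.exists(path):
        raise FileExistsError(path)
    attacker()                      # the TOCTOU window
    with open(path, "wb") as fh:    # follows a symlink planted at `path` and truncates its target
        fh.write(data)


def write_report_safe(path, data, attacker=lambda: None):
    """Hardened pattern: no separate check. O_CREAT|O_EXCL creates the file atomically and
    fails with EEXIST (FileExistsError) if any object, including a symlink, has the name."""
    attacker()                      # the attacker acts first and still gains nothing
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo():
    """Plant a symlink to a victim file in the race window and report what each writer did."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")      # a file the attacker wants overwritten
        report = os.path.join(d, "report.txt")      # the name the program intends to create

        def reset_victim():
            with open(victim, "wb") as fh:
                fh.write(b"original contents")

        def victim_contents():
            with open(victim, "rb") as fh:
                return fh.read()

        def plant_symlink():
            os.symlink(victim, report)

        reset_victim()
        write_report_racy(report, b"attacker-chosen", attacker=plant_symlink)
        racy_overwrote_victim = victim_contents() == b"attacker-chosen"

        os.unlink(report)           # remove the link so the second run starts from the same state
        reset_victim()
        try:
            write_report_safe(report, b"attacker-chosen", attacker=plant_symlink)
            safe_refused = False
        except FileExistsError:
            safe_refused = True
        safe_left_victim_intact = victim_contents() == b"original contents"

        return {"racy_overwrote_victim": racy_overwrote_victim,
                "safe_refused": safe_refused,
                "safe_left_victim_intact": safe_left_victim_intact}


if __name__ == "__main__":
    print(demo())
```

The general rule the example illustrates: when a check and a use cannot be made one atomic operation, operate on an already-opened file descriptor (for example `os.fstat` on the descriptor rather than `os.stat` on the path) so the object checked is guaranteed to be the object used.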

RACI   Responsible, Accountable, Consulted, and Informed. The responsibility model used to describe and track individual responsibilities in a business process or a project.

Radio Resource Control (RRC)   A part of the Universal Mobile Telecommunications System (UMTS) Wideband Code Division Multiple Access (WCDMA) wireless telecommunications protocol that is used to facilitate the allocation of connections between mobile devices and base stations.

random access memory (RAM)   A type of semiconductor memory usually used for a computer’s main storage.

ransomware   Malware that performs some malicious action, requiring payment from the victim to reverse the action. Such actions include data erasure, data encryption, and system damage.

rapid application development (RAD)   A software development life cycle process characterized by small development teams, prototypes, design sessions with end users, and development tools that integrate data design, data flow, user interface, and prototyping.

razor wire   Coiled wire with razorlike barbs that may be placed along the top of a fence or wall to prevent or deter passage by unauthorized personnel.

read-only memory (ROM)   An early form of permanent memory that cannot be modified.

reciprocal site   A data center that is operated by another company. Two or more organizations with similar processing needs will draw up a legal contract that obligates one or more of the organizations to house another party’s systems temporarily at a reciprocal site in the event of a disaster.

records   Documents describing business events such as meeting minutes, contracts, financial transactions, decisions, purchase orders, logs, and reports.

recovery control   A control that is used after an unwanted event to restore a system or process to its pre-event state.

recovery point objective (RPO)   The maximum amount of data loss, expressed as a period of time preceding a disaster, that the organization is willing to accept; data written during that period may be irretrievably lost. RPO is usually measured in hours or days and determines how frequently backups or replication must run.

recovery procedure   Instructions that key personnel use to bootstrap services that support critical business functions identified in the business impact assessment (BIA).

recovery strategy   A high-level plan for the resumption of business operations after a disaster.

recovery time objective (RTO)   The period of time from the onset of an outage until the resumption of service. RTO is usually measured in hours or days.

reduced sign-on   The use of a centralized directory service (such as LDAP or Microsoft Active Directory) for authentication into systems and applications. Users will need to log in to each system and application, using only one set of login credentials.

Redundant Array of Independent Disks (RAID)   A family of technologies that combines multiple physical disk drive components into one or more logical units to improve the reliability, performance, or capacity of disk-based storage systems.

referential integrity   The characteristic of relational database management systems that requires the database management system maintain the parent-child relationships between records in different tables and prohibits activities such as deleting parent records and transforming child records into orphans. See also relational database management system (RDBMS).

registration authority (RA)   An entity that works within or alongside a certificate authority (CA) to accept requests for new digital certificates.

regulatory requirements   Formal statements, derived from laws and regulations, that describe the required characteristics a system must support.

relational database management system (RDBMS)   A database management system that permits the design of a database consisting of one or more tables that can contain fields that refer to rows in other tables. This is currently the most popular type of database management system.

release management   The IT function that controls the release of software programs, applications, and environments. See also IT service management (ITSM).

release process   The IT process whereby changes to software programs, applications, and environments are requested, reviewed, approved, and implemented.

remote access   A service that permits a user to establish a network connection from a remote location so that the user can access network resources remotely.

Remote Authentication Dial-in User Service (RADIUS)   A network protocol that provides centralized authentication, authorization, and accounting (AAA) for users and devices connecting to a network, commonly used with 802.1X, VPN, and wireless access.

remote copy (rcp)   An early TCP/IP application layer file transfer protocol used to copy files or directories from system to system. Like rlogin, rcp transmits authentication information and data without encryption and has been replaced by scp and sftp over Secure Shell (SSH). See also remote login (rlogin); Secure Shell (SSH).

Remote Desktop Protocol (RDP)   A proprietary protocol from Microsoft that is used to establish a graphic interface connection with another computer.

remote destruct   The act of commanding a device, such as a laptop computer or mobile device, to destroy stored data. Remote destruct is sometimes used when a device is lost or stolen to prevent anyone from being able to read data stored on the device.

remote login (rlogin)   A TCP/IP application layer protocol used to establish a command-line session on a remote system. Like Telnet, rlogin does not encrypt authentication or session contents and has been largely replaced by Secure Shell (SSH). See also Telnet; Secure Shell (SSH).

Remote Procedure Call (RPC)   A network protocol that permits an application to execute a subroutine or procedure on another computer.

repeater   An Ethernet network device that receives and retransmits signals on the network.

reperformance   An audit technique whereby an IS auditor repeats actual tasks performed by auditees to confirm they were performed properly.

replication   An activity in which data that is written to a storage system is also copied over a network to another storage system and written. The result is the presence of up-to-date data that exists on two or more storage systems, each of which could be located in a different geographic region.

request for change (RFC)   See change request.

request for information (RFI)   A formal process whereby an organization solicits detailed product or service information from one or more vendors.

request for proposals (RFP)   A formal process whereby an organization solicits solution proposals from one or more vendors. The process usually includes formal requirements and desired terms and conditions. It is used to evaluate vendor proposals to make a selection.

requirements   Formal statements that describe required (and desired) characteristics of a system that is to be changed, developed, or acquired.

residual risk   The risk that remains after being reduced through other risk treatment options.

response document   A document that outlines required action of personnel after a disaster strikes. Includes business recovery plan, occupant emergency plan, emergency communication plan, contact lists, disaster recovery plan, continuity of operations plan (COOP), and security incident response plan (SIRP).

responsibility   A stated expectation of activities and performance.

return on investment (ROI)   The ratio of money gained or lost as compared to an original investment.

Reverse Address Resolution Protocol (RARP)   A TCP/IP link layer protocol that is used by a station that needs to know the IP address that has been assigned to it. RARP has been largely superseded by DHCP. See also Dynamic Host Configuration Protocol (DHCP).

reverse engineering   The process of analyzing a system to see how it functions, usually as a means for developing a similar system. Reverse engineering is usually not permitted when it is applied to commercial software programs.

right to audit   A clause in a contract that grants one party the right to conduct an audit of the other party’s operations.

ring topology   A network topology in which connections are made from one station to the next, in a complete loop.

RISC (reduced instruction set computer)   A central processing unit design that uses a smaller instruction set, which leads to simpler microprocessor design. See also central processing unit (CPU).

risk   Generally, the fact that undesired events can happen that may damage property or disrupt operations; specifically, an event scenario that can result in property damage or disruption.

risk acceptance   The risk treatment option in which management chooses to accept the risk as-is.

risk analysis   The process of identifying and studying risks in an organization.

risk appetite   The level of risk that an organization is willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat or manage the risk.

risk assessment   A process in which risks, in the form of threats and vulnerabilities, are identified for each asset.

risk avoidance   The risk treatment option involving a cessation of the activity that introduces identified risk.

Risk IT Framework   A risk management model that approaches risk from the enterprise perspective.

risk management   The management activities used to identify, analyze, and treat risks.

risk mitigation   The risk treatment option involving implementation of a solution that will reduce an identified risk.

risk tolerance   The amount of variation from the risk appetite that an organization is willing to accept in a particular situation. See also risk appetite.

risk transfer   The risk treatment option involving the act of transferring risk to another party, such as an insurance company.

risk treatment   The decision to manage an identified risk. The available choices are mitigate the risk, avoid the risk, transfer the risk, or accept the risk.

role   A set of privileges in an application. Also a formally defined set of work tasks assigned to an individual.

rollback   A step in the system development life cycle in which system changes need to be reversed, returning the system to its previous state.

rootkit   A type of malware that is designed to evade detection.

router   A device that is used to interconnect two or more networks.

Routing Information Protocol (RIP)   A TCP/IP routing protocol that is used to transmit network routing information from one network router to another to determine the most efficient path through a network. RIP is one of the earliest routing protocols and is not used for Internet routing.

row   A unit of storage in a relational database management system that consists of a single record in a table. See also relational database management system (RDBMS); table.

RPC gateway   A system that facilitates communication through the RPC suite of protocols between components in an application environment.

RS-232   A standard protocol for sending serial data between computers.

RS-449   A standard protocol for sending serial data between network devices.

sabotage   Deliberate damage of an organization’s asset.

salvage   The process of recovering components or assets that still have value after a disaster.

sample   A portion of a population of records that is selected for auditing.

sample mean   The sum of all samples divided by the number of samples.

sample standard deviation   A computation of the variance of sample values from the sample mean. This is a measurement of the “spread” of values in the sample.

sampling   A technique used to select a portion of a population when it is not feasible to test an entire population.

sampling risk   The probability that a sample selected does not represent the entire population. This is usually expressed as a percentage, as the numeric inverse of the confidence coefficient. See also confidence coefficient.

SAS 70 (Statement of Accounting Standards No. 70)   An external audit of a service provider. An SAS 70 audit is performed according to rules established by the American Institute of Certified Public Accountants (AICPA). Deprecated by SSAE 16 and by SSAE 18. See also SSAE 18.

scanning attack   An attack on a computer or network with the intention of discovering potentially vulnerable computers or programs.

screened shielded twisted pair (S/STP)   A type of twisted-pair cable in which a thick metal shield protects each pair of conductors and an outer shield protects all of the conductors together. See also twisted-pair cable.

screened unshielded twisted pair (S/UTP)   A type of twisted-pair cable in which a thick metal shield surrounds and protects the cables. See also twisted-pair cable.

screening router   A network device that filters network traffic based on source and destination IP addresses and ports. See also firewall.

script kiddie   An inexperienced computer hacker who uses tools developed by others to access computers and networks illegally.

Scrum   An iterative and incremental methodology used for rapid and agile software development.

Scrumban   An iterative and incremental methodology used for software development. Scrumban is derived from the terms “Scrum” and “Kanban” (Japanese). See also Kanban; Scrum.

secondary storage   A computer’s long-term storage of information, usually implemented with hard disk drives or static random access memory (SRAM).

Secure Copy (SCP)   A TCP/IP application layer protocol used as a file transfer protocol that is similar to remote copy (rcp) but is protected using Secure Shell (SSH). See also remote copy (rcp); Secure Shell (SSH).

secure electronic transaction (SET)   A protocol used to protect credit card transactions that uses a digital envelope. SET has been deprecated by Secure Sockets Layer (SSL) and Transport Layer Security (TLS). See also digital envelope; Secure Sockets Layer (SSL); Transport Layer Security (TLS).

Secure File Transfer Protocol (SFTP)   A TCP/IP application layer protocol that is an extension of the File Transfer Protocol, in which authentication and file transfer are encrypted using SSH. Sometimes referred to as SSH File Transfer Protocol. See also File Transfer Protocol (FTP); Secure Shell (SSH).

Secure Hypertext Transfer Protocol (SHTTP)   A protocol used to encrypt web pages between web servers and web browsers. Often confused with Hypertext Transfer Protocol Secure (HTTPS).

Secure Multipurpose Internet Mail Extensions (S/MIME)   An e-mail security protocol that provides sender and recipient authentication and encryption of message content and attachments.

Secure Shell (SSH)   A TCP/IP application layer protocol that provides a secure channel between two computers whereby all communications between them are encrypted. SSH can also be used as a tunnel to encapsulate and thereby protect other protocols.

Secure Sockets Layer (SSL)   An encryption protocol used to encrypt web pages requested with the HTTPS URL. Deprecated by Transport Layer Security (TLS). See also Transport Layer Security (TLS); Hypertext Transfer Protocol Secure (HTTPS).

security awareness   A formal program used to educate employees, users, customers, or constituents on required, acceptable, and unacceptable security-related behaviors.

security governance   Management’s control over an organization’s security program.

security guards   Personnel who control passage at entry points or roam building premises looking for security issues such as unescorted visitors.

security incident   An event in which the confidentiality, integrity, or availability of information (or an information system) has been compromised.

security incident response   The formal, planned response that is enacted when a security incident has occurred. See also security incident.

security operations center (SOC)   An IT function wherein personnel centrally monitor and manage security functions and devices and watch for security anomalies and incidents.

security policy   See information security policy.

security requirements   Formal statements that describe the required security characteristics that a system must support.

segment   The term used to identify the protocol data unit (PDU) of the Transmission Control Protocol (TCP) in the TCP/IP suite of protocols.

segmentation   The practice of dividing a network into two or more security zones, with network access controls restricting and monitoring traffic between those zones.

segregation of duties   The concept that ensures single individuals do not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure of sensitive data.

separation of duties   See segregation of duties.

Serial Line Interface Protocol (SLIP)   A network protocol used to transport TCP/IP packets over point-to-point serial connections (usually RS-232).

server   A centralized computer used to perform a specific task.

service continuity management   The IT function that consists of activities concerned with the organization’s ability to continue providing services, primarily in the event that a natural or man-made disaster has occurred. See also IT service management (ITSM); business continuity planning (BCP); disaster recovery planning (DRP).

service desk   The IT function that handles incidents and service requests on behalf of customers by acting as a single point of contact. See also IT service management (ITSM).

service provider audit   An audit of a third-party organization that provides services to other organizations.

service set identifier (SSID)   A friendly name that identifies a particular 802.11 wireless network.

service-level agreement (SLA)   An agreement that specifies service levels in terms of the quantity and quality of work, timeliness, and remedies for shortfalls in quality or quantity.

service-level management   The IT function that confirms whether IT is providing adequate service to its customers. This is accomplished through continuous monitoring and periodic review of IT service delivery. See also IT service management (ITSM).

session border controller   A device deployed in a VoIP network to control VoIP security, connectivity, quality of service, and metering.

session hijacking   An attack on a user’s browser session whereby the attacker intercepts the user’s session cookie from an unencrypted wired or wireless network and then uses the cookie to take over the victim’s browser session.

Session Initiation Protocol (SIP)   The network protocol used to set up and tear down Voice over IP (VoIP) and other communications connections. See also Voice over IP (VoIP).

session layer   Layer 5 of the OSI network model. See also OSI network model.

shielded twisted pair (STP)   A type of twisted-pair cable in which a thin metal shield protects each pair of conductors. See also twisted-pair cable.

Simple Mail Transfer Protocol (SMTP)   A TCP/IP application layer protocol that is used to transport e-mail messages.

Simple Network Management Protocol (SNMP)   A TCP/IP application layer protocol used by network devices and systems to transmit management messages indicating a need for administrative attention.

Simple Object Access Protocol (SOAP)   A protocol used to facilitate the exchange of structured information between systems.

simulation   A test of disaster recovery, business continuity, or security incident response procedures in which the participants take part in a “mock disaster” or incident to add some realism to the process of thinking their way through the emergency response process.

single loss expectancy (SLE)   The financial loss when a threat is realized one time. SLE is defined as AV × EF. See also asset value (AV); exposure factor (EF).

single sign-on (SSO)   An interconnected environment in which applications are logically connected to a centralized authentication server that is aware of the logged-in/logged-out status of each user. A user can log in once to the environment; each application and system is aware of a user’s log-in status and will not require the user to log in to each one separately.

site classification policy   Policy that defines sensitivity levels, security controls, and security procedures for information processing sites and work centers.

Six Sigma   A quantitative, statistical technique used to identify and remediate defects in business processes.

smart card   A small, credit card–sized device that contains electronic memory and is accessed with a smart card reader and used in two-factor authentication.

smartphone   A mobile phone equipped with an operating system and software applications.

smishing   Phishing in the context of instant messaging. See also phishing.

snapshot   A continuous auditing technique that involves the use of special audit modules embedded in online applications that sample specific transactions. The module copies key database records that can be examined later on.

sniffer   A program that can be installed on a network-attached system to capture network traffic being transmitted to or from the system.

social engineering   The act of using deception to trick an individual into revealing secrets.

softphone   A software program with the functionality of a VoIP telephone.

software licensing   The process of maintaining accurate records regarding the permitted use of software programs.

software maintenance   An activity in the software development life cycle whereby modifications are made to the software code.

Software Process Improvement and Capability dEtermination (SPICE)   A maturity model based on the SEI CMM maturity model. SPICE has been made an international standard: ISO/IEC 15504.

software program library   The repository that contains program source code and that usually includes tools to manage the maintenance of source code.

Software-as-a-Service (SaaS)   A software delivery model whereby an organization obtains a software application for use by its employees and the software application is hosted by the software provider, as opposed to the customer organization.

software-defined networking (SDN)   A class of capabilities in which network infrastructure devices such as routers, switches, and firewalls are created, configured, and managed as virtual devices in virtualization environments.

source code management   The techniques and tools used to manage application source code.

source lines of code (SLOC)   A sizing technique for software development projects that represents the size of the planned program, expressed as the number of lines of code.

sourcing   The choices that organizations make when selecting the personnel who will perform functions and where those functions will be performed.

spam   Unsolicited and unwanted e-mail.

spam filter   A central program or device that examines incoming e-mail and removes all messages identified as spam.

spear phishing   Phishing that is specially crafted for a specific target organization or group. See also phishing.

spike   A sharp increase in voltage that lasts for only a fraction of a second.

spim   Spam in the context of instant messaging. See also spam.

spiral model   A software development life cycle process in which the activities of requirements definition and software design go through several cycles until the project is complete. See also system development life cycle (SDLC).

split custody   The concept of splitting knowledge of a specific object or task between two persons.

spoofing   The act of changing the configuration of a device or system in an attempt to masquerade as a different, known, and trusted system or user.

sprint   A portion of a project in which an individual or a team will accomplish a set of objectives within a specified timeframe.

spyware   A type of malware that performs one or more surveillance-type actions on a computer, reporting back to the spyware owner.

SSAE 16 (Statements on Standards for Attestation Engagements No. 16)   An external audit of a service provider. SSAE 16 has been superseded by SSAE 18.

SSAE 18 (Statements on Standards for Attestation Engagements No. 18)   An external audit of a service provider. An SSAE 18 audit is performed according to rules established by the American Institute of Certified Public Accountants (AICPA).

standard   A statement that defines the technologies, protocols, suppliers, and methods used by an IT organization.

standard IT balanced scorecard   A management tool that is used to measure the performance and effectiveness of an IT organization.

star topology   A network topology in which a separate connection is made from a central device to each station.

stateful inspection firewall   A network device that filters network traffic based on source and destination IP addresses and ports and keeps track of individual TCP/IP sessions to make filtering decisions, permitting established connections. See also firewall.

statement of impact   A description of the impact a disaster will have on a business or business process.

static random access memory (SRAM)   A form of semiconductor memory that does not require refreshing.

statistical sampling   A sampling technique in which items are chosen at random; each item has a statistically equal probability of being chosen. See also sampling.

stop-or-go sampling   A sampling technique used to permit sampling to stop at the earliest possible time. This technique is used when the auditor believes that there is low risk or a low rate of exceptions in the population. See also sampling.

storage area network (SAN)   A stand-alone storage system that can be configured to contain several virtual volumes and is connected to many servers through fiber optic cables.

strategic planning   Activities used to develop and refine long-term plans and objectives.

stratified sampling   A sampling technique whereby a population is divided into classes or strata, based upon the value of one of the attributes. Samples are then selected from each class. See also sampling.

stream cipher   A type of encryption algorithm that operates on a continuous stream of data, such as a video or audio feed.

strong authentication   See multifactor authentication.

structured data   Data that resides in database management systems and in other forms, as part of information systems and business applications. See also unstructured data.

subject   A person or a system. See also object.

subnet mask   A numeric value that determines which portion of an IP address is used to identify the network and which portion is used to identify a station on the network. See also IP address.

substantive testing   A type of testing used to determine the accuracy and integrity of transactions that flow through processes and systems.

supercomputer   The largest type of computer that is capable of performing large, complex calculations such as weather forecasting and earthquake simulations.

surge   See spike.

switch   A device used to connect computers and other devices to a network. Unlike a hub, which sends all network packets to all stations on the network, a switch sends packets only to intended destination stations on the network.

symmetric encryption   A method for encryption and decryption that requires both parties to possess a common encryption key.

Synchronous Optical Networking (SONET)   A class of common carrier telecommunications network technologies used to transport voice and data over fiber optic networks at very high speeds.

synchronous replication   A type of replication in which writing data to a local and to a remote storage system is performed as a single operation, guaranteeing that data on the remote storage system is identical to data on the local storage system. See also replication.

system classification policy   Policy that specifies levels of security for systems storing classified information.

system development life cycle (SDLC)   The life cycle process used to develop or acquire and maintain information systems. Also known as software development life cycle.

system hardening   See hardening.

system testing   The portion of software testing in which an entire system is tested.

Systems control audit review file and embedded audit modules (SCARF/EAM)   The development and embedding of specialized audit software directly into production applications.

T-1   A common carrier standard protocol for transporting voice and data. T-1 can support up to 24 separate voice channels of 64 Kbit/sec each and is used primarily in North America.

T-3   A common carrier standard protocol for transporting voice and data. T-3 can support up to 672 separate voice channels of 64 Kbit/sec each and is used primarily in North America.

T-Carrier   A class of multiplexed carrier network technologies developed to transport voice and data communications over long distances using copper cabling.

table   A unit of storage in a relational database management system that can be thought of as a list of records. See also relational database management system (RDBMS).

tablet   A mobile device with a touchscreen interface. See also mobile device.

tabletop   An exercise, usually of security incident response plans, that consists of a scripted simulation of an actual incident or event.

tailgating   A technique used by an intruder to attempt to enter an access-controlled building, typically executed by following closely behind an employee entering the building and “piggybacking” on the employee’s security credentials.

tape management system (TMS)   An information system used to manage tape media, usually for the purpose of performing information backup. See also backup.

TCP/IP network model   The four-layer network model that incorporates encapsulation of messages. The TCP/IP suite of protocols is built on the TCP/IP network model.

technical control   A control that is implemented in IT systems and applications.

technical requirements   Formal statements that describe the required technical characteristics that a system must support.

technology standard   A standard that specifies the software and hardware technologies used by the IT organization.

Telnet   A TCP/IP application layer protocol that is used to establish a command-line session on a remote computer. Telnet does not encrypt user credentials as they are transmitted over the network and has been largely replaced by SSH. See also Secure Shell (SSH).

terminal emulation   A software program that runs on a workstation that emulates an older style computer terminal.

termination   The process of discontinuing employment of an employee or a contractor.

terrorist   A person or group who perpetrates violence for political or other reasons.

test plan   The list of tests that are to be carried out during a unit test or system test. See also unit testing; system testing.

test server   Any type of server that is used to test features; a test server does not perform production tasks.

thick client   A workstation that contains a fully functional operating system and application programs.

thin client   A workstation that contains a minimal operating system and little or no data storage.

threat   An event that, if realized, would bring harm to an asset.

threat hunting   The proactive search for intrusions, intruders, and indicators of compromise.

threat management   Activities undertaken by an organization to learn of relevant security threats, so that the organization can take appropriate action to counter the threats.

threat modeling   The activity of looking for potential threats in a business process, an information system, or a software application.

Thunderbolt   A hardware interface standard combining PCI Express and DisplayPort (DP) technologies.

time bomb   See logic bomb.

Time Division Multiple Access (TDMA)   An airlink standard for wireless communications between mobile devices and base stations.

time of check/time of use (TOC/TOU)   See race condition.

time synchronization   A network-based service used to synchronize the time clocks on computers connected to a network.

timebox management   A project management technique in which a large project is broken down into smaller components and time periods.

token   A small electronic device used in two-factor authentication. A token may display a number that the user types in to a login field, or it may be plugged into a workstation to complete authentication. See also two-factor authentication.

Token Ring   A standard protocol for assembling a stream of data into frames for transport over a physical medium from one station to another on a local area network. On a Token Ring network, a three-byte token is passed from station to station over the network. A station may not transmit a packet to another station until it has first received the token.

tolerable error rate   The highest number of errors that can exist without a result being materially misstated.

Tolkien Ring   A wireless network used for communications among beings wearing magic rings created by Sauron. Used in Middle-earth.

toll fraud   An attack on a private branch exchange (PBX) that results in stolen long-distance telephone service.

Towers of Hanoi   A complex backup media rotation scheme that provides for more lengthy retention of some backup media. Based on the Towers of Hanoi puzzle. See also backup media rotation.

training   1) The process of educating personnel. 2) To impart information or provide an environment where personnel can practice a new skill.

transaction processing (TP) monitor   A system that manages transactions between application servers and database servers in a distributed processing environment.

transfer   The process of changing an employee’s job title, department, and/or responsibilities.

transfer switch   A system of electrical switches that automatically routes electric power from one or more public utility feeds, one or more generators, through one or more UPSs, to a data center facility.

Transmission Control Protocol (TCP)   The connection-oriented protocol used in the TCP/IP suite of protocols to establish a connection and transport messages from one station to another over a network during a communication session.

transport layer (OSI model)   Layer 4 of the OSI network model. See also OSI network model.

transport layer (TCP/IP model)   Layer 3 of the TCP/IP network model. The purpose of the transport layer is the controlled and ordered delivery of messages (called packets) from one application on a station to another on the same network or on different networks. See also TCP/IP network model.

Transport Layer Security (TLS)   An encryption protocol used to encrypt web pages requested with the HTTPS URL. Replacement for Secure Sockets Layer (SSL). See also Secure Sockets Layer (SSL); Hypertext Transfer Protocol Secure (HTTPS).

Trojan horse   A type of malware program that purports to perform one function but actually performs other (or additional) undesired functions.

trunk   A telecommunications network technique in which several communications can share a set of lines or frequencies.

tunneling   The practice of encapsulating messages within another protocol.

twinax   A type of coaxial cable that uses two inner conductors.

twisted-pair cable   A type of network cabling that consists of a thick cable containing four pairs of insulated copper conductors, all surrounded by a protective jacket.

two-factor authentication   See multifactor authentication.

uninterruptible power supply (UPS)   A system that filters the incoming power of spikes and other noise and supplies power for short periods through a bank of batteries.

unit testing   The portion of software testing in which individual modules are tested.

Universal Disk Format (UDF)   An optical media file system considered a replacement for ISO/IEC 9660. See also ISO/IEC 9660; file system.

Universal Mobile Telecommunications System (UMTS)   An airlink standard for wireless communications between mobile devices and base stations.

Universal Serial Bus (USB)   An external bus technology used to connect computers to peripherals such as mice, keyboards, storage devices, printers, scanners, cameras, and network adaptors. However, the USB specification contains full networking capabilities, facilitated through the use of a USB hub.

Unix file system (UFS)   A file system used by many Unix operating systems. See also file system.

unshielded twisted pair (UTP)   A type of twisted-pair cable with no shielding—just four pairs of twisted conductors and the outer protective jacket. See also twisted-pair cable.

unstructured data   Data that resides on end-user workstations and network file shares, usually as a result of the creation of reports and extracts. See also structured data.

user   A business or customer who uses an information system.

user acceptance testing (UAT)   The portion of software testing in which end users test software programs for correct functional operation and usability.

User Datagram Protocol (UDP)   The connectionless protocol used in the TCP/IP suite of protocols used to transport messages from one station to another over a network.

user ID   An identifier created by a system manager and issued to a user for the purpose of identification or authentication.

utility software   The broad class of programs that support the development or use of networks, systems, and applications. Utility software is most often used by IT specialists whose responsibilities include some aspect of system development, support, or operations.

V.35   A standard protocol for sending serial data between computers.

variable sampling   A sampling technique used to study the characteristics of a population to determine the numeric total of a specific attribute from the entire population. See also sampling.

vendor standard   A standard that specifies which suppliers and vendors are used for various types of products and services.

version control   The techniques and tools used to manage different versions of source code files.

video surveillance   The use of video cameras, monitors, and recording systems to record the movement of persons in or near sensitive areas.

virtual circuit   A logical communications channel between two endpoints on a packet-switched network.

virtual desktop infrastructure (VDI)   A technology by which user workstations use operating systems that are stored and run on central servers.

virtual keyboard   An interactive software program that emulates the use of a physical keyboard. Virtual keyboards are used when key logging is a credible threat.

virtual local area network (VLAN)   A logical network that may share a physical medium with one or more other virtual networks.

virtual machine   A software implementation of a computer, usually an operating system or other program running within a hypervisor. See also hypervisor.

virtual private network (VPN)   Any network encapsulation protocol that utilizes authentication and encryption; used primarily for protecting remote access traffic and for protecting traffic between two networks. See also tunneling; encapsulation.

virtual server   An active instantiation of a server operating system, running on a system that is designed to house two or more such virtual servers. Each virtual server is logically partitioned from every other server so that each runs as though it were on its own physically separate machine.

virtual tape library (VTL)   A disk-based storage system that emulates a tape-based storage system.

virus   A type of malware in which fragments of code attach themselves to executable programs and are activated when the program they are attached to is run.

visual notice   A sign or symbol used to inform personnel of security controls and/or to warn unauthorized persons.

Voice over IP (VoIP)   A set of technologies that permit telephony traffic to be transported over IP networks.

VoIP client   A computer program designed to communicate using VoIP. See also Voice over IP (VoIP).

VoIP handset   A digital telephone designed to communicate using VoIP. See also Voice over IP (VoIP).

vulnerability   A weakness that may be present in a system and that makes one or more threats more likely to be realized.

vulnerability management   A formal business process used to identify and mitigate vulnerabilities in an IT environment.

walkthrough   A review of some or all disaster recovery and business continuity plans, procedures, and other documentation. A walkthrough is performed by an entire group of individuals in a live discussion.

wall   A structure that prevents or deters passage by unauthorized personnel.

WAN switch   A general term encompassing several types of wide area network switching devices, including ATM switches, Frame Relay switches, MPLS switches, and ISDN switches.

war chalking   The practice of marking buildings (using chalk) with symbols to indicate the presence of a Wi-Fi access point, including some basic facts about it, to inform hackers of potential targets. See also war driving; Wi-Fi.

war dialing   An attack designed to discover unprotected remote access modems by dialing phone numbers sequentially and recording those with modems.

war driving   An attack on a wireless network in which attackers intercept and record information about Wi-Fi access points.

warm site   An alternate processing center where recovery systems are present, but at a lower state of readiness than recovery systems at a hot site. For example, although the same version of the operating system may be running on the warm site system, it may be a few patch levels behind primary systems.

waterfall model   A software development life cycle process whereby activities are sequential and are executed one time in a software project. See also system development life cycle (SDLC).

web content filter   A central program or device that monitors and, optionally, filters web communications. A web content filter is often used to control the sites (or categories of sites) that users are permitted to access from the workplace. Some web content filters can also protect an organization from malware.

web server   A server that runs specialized software that makes static and dynamic HTML pages available to users.

web services   A means for system-to-system communications using HTTP.

Web Services Description Language (WSDL)   An XML-based language used to describe web services. See also web services.

web-based application   An application design in which the database and all business logic are stored on central servers and user workstations use only web browsers to access the application.

web-based application development   A software development effort in which the application’s user interface is based on the HTTP (Hypertext Transfer Protocol) and HTML (Hypertext Markup Language) standards.

wet pipe system   A fire sprinkler system in which all sprinkler pipes are filled with water. Each sprinkler head is equipped with a fuse—a heat-sensitive glass bulb—that breaks upon reaching a preset temperature. When this occurs, water is discharged from just that sprinkler head, which is presumably located near a fire. See also fire sprinkler system.

whaling   Spear phishing that targets executives and other high-value and high-privilege individuals in an organization. See also phishing; spear phishing.

wide area network (WAN)   1) A network that ranges in size from regional to international. 2) A single point-to-point connection between two distant locations (a WAN connection).

Wi-Fi   The common name for a wireless LAN protocol. See also 802.11.

Wi-Fi Protected Access (WPA)   An encryption standard for 802.11 wireless networks. The final version of WPA is WPA-2. See also 802.11.

WiMAX   A wireless telecommunications standard with data rates ranging from 30 Mbit/sec to 1 Gbit/sec.

Wired Equivalent Privacy (WEP)   An encryption standard for 802.11 wireless networks. WEP has been compromised and should be replaced with WPA-2. See also 802.11; Wi-Fi Protected Access (WPA).

Wireless USB (WUSB)   A short-range, high-bandwidth standard wireless communications protocol used to connect computer peripherals.

work breakdown structure (WBS)   A logical representation of the high-level and detailed tasks that must be performed to complete a project.

worm   A type of malware containing stand-alone programs capable of human-assisted and automatic propagation.

Zachman framework   An enterprise architecture framework used to describe an IT architecture in increasing levels of detail.

zero trust   An architecture model in which a portion of an environment is considered to be untrusted.
