Glossary of Key Terms

A

Acceptable use policy (AUP) A policy that defines which actions are acceptable and which ones aren’t.

Access control lists (ACLs) Lists of permissions that define which users or groups can access an object.

Acts of Congress Statutes or public laws enacted by Congress.

Administrator account Refers to an account with elevated privileges used to manage a system, application, or other users’ configurations; for example, an account that can install software, configure an application, or reset another user’s password.

American Institute of Certified Public Accountants (AICPA) A professional association of accountants that sets financial audit standards.

American National Standards Institute (ANSI) A non-profit private organization that promotes and publishes a common set of standards.

Application performance monitoring software Software that can measure end-user response time for application software server requests as well as end-user traffic volume.

Application software A computer program that is designed to perform a specific set of tasks.

Assurance A level of confidence that appropriate and effective IT controls are in place.

Attack vector A path or approach used by a hacker (i.e., attacker) to gain unauthorized access or disrupt normal computer operations.

Audit An independent assessment that takes a well-defined approach to examining an organization’s internal policies, controls, and activities.

Audit frequency The rate of occurrence for an audit.

Audit objective The goal of an audit.

Audit scope The range of the organization to be included in an audit within a defined time frame.

Authentication The process of providing additional credentials that match the user ID or user name.

Authorization The process of granting rights and permissions to access objects to a subject.

Availability The assurance that information is available to authorized users in an acceptable time frame when the information is requested.

B

Background check An investigation to divulge evidence of past behavior that may indicate that a prospect is a security risk.

Baseline A system in a known good state, with the minimum controls relative to the accepted risk applied.

Baseline controls Countermeasures that apply broadly to the entire IT infrastructure.

Blocking A general term typically related to preventing data or access.

Broadband A transmission technique that uses only a portion of the full bandwidth of a channel.

Business continuity plans (BCPs) Plans that document the steps to restore business operation after an interruption. BCPs, along with DRPs, enable you to recover from disruptions ranging from small to large.

Business drivers The components, including people, information, and conditions, that support business objectives.

Business requirement analysis The process of determining the information technology requirements and controls of a business process.

C

Card verification value (CVV) A number printed on a credit card that provides additional authentication when rendering payment for online transactions.

Certification and accreditation (C&A) An audit of a federal system before it is placed into a production environment.

Certification in Control Self-Assessment (CCSA) An IIA certification that tests professional knowledge of control self-assessments.

Certified Financial Services Auditor (CFSA) An IIA certification that tests one’s knowledge and abilities of audits pertaining to financial services.

Certified Government Auditing Professional (CGAP) An IIA certification that tests audit knowledge unique to the public sector.

Certified in Risk and Information Systems and Control (CRISC) An ISACA certification that tests knowledge of enterprise risk and control.

Certified in the Governance of Enterprise IT (CGEIT) An ISACA certification that tests knowledge of IT governance concepts.

Certified Information Security Manager (CISM) An ISACA certification that tests required knowledge of information security managers.

Certified Information Systems Auditor (CISA) An ISACA certification exam considered by many to be the gold standard for IT auditing.

Certified Information Systems Security Professional (CISSP) An (ISC)2 certification considered by many to be the gold standard for information security management.

Certified Internal Auditor (CIA) An IIA certification exam that covers internal auditing practices and issues.

Certified public accountants (CPAs) A designation earned by qualified accountants in the United States after passing an accounting certification exam and meeting other professional requirements.

Chief privacy officer (CPO) A senior-level position responsible for the overall management of an organization’s privacy program.

Children’s Internet Protection Act (CIPA) An act of Congress to address concerns about minors’ access to explicit online content.

Children’s Online Privacy Protection Act (COPPA) A United States federal law designed with the intent to protect children. COPPA is maintained and enforced by the FTC. COPPA requires websites and other online services aimed at children less than 13 years of age to comply with specific requirements of the law.

CIA The confidentiality, integrity, and availability (C-I-A) properties that describe a secure object. Also referred to as availability, integrity, and confidentiality (A-I-C).

Ciphertext The unreadable output that results from encryption. Encryption turns cleartext data into ciphertext through the use of an algorithm and a key.

Cleartext Human-readable data.

Clinger-Cohen Act of 1996 A U.S. law that improves upon the acquisition, use, and disposal of federal IT resources.

Cloud General term typically referring to either the public Internet or a private network that acts as a unified ecosystem.

Cloud services Common services that are typically found in the cloud.

Code of conduct A statement of procedures and guiding principles to influence the culture and behavior of an organization’s employees.

Code of ethics A statement of general principles that pertain to an organization and its constituents.

Committee of Sponsoring Organizations (COSO) An organization that provides guidance to executive management on organizational governance, internal controls, and risk management.

Compensating controls Alternative countermeasures to minimize risk.

Compliance The act of adhering to internal policies, applicable laws, regulations, and industry requirements.

CompTIA Project+ certification A CompTIA certification that tests knowledge of project management.

CompTIA Security+ certification A CompTIA certification that tests basic IT security concepts.

Computer assisted audit tools and techniques (CAATT) Automated computerized tools and techniques that auditors use to aid them in their auditing function.

Computing Technology Industry Association (CompTIA) A nonprofit professional association known for its many certifications covering a wide range of topics.

Confidentiality Assurance that information is not disclosed to unauthorized sources.

Confidentiality agreement A legally binding document in which the parties agree that certain types of information will pass among the parties and must remain confidential and not divulged. Also commonly called a non-disclosure agreement (NDA).

Configuration and change management Governance process that establishes an orderly method of reviewing, approving, logging, and applying technology changes.

Configuration control board (CCB) A person or group of people who reviews each change request and approves or denies the request.

Configuration management database (CMDB) A central repository of system configuration items.

Connection media The adapters and wires or wireless media that connect components together in the LAN Domain.

Continuing education units (CEUs) Measurements used in continuing education programs such as certifications.

Control objectives Objectives that state the high-level organizational goals of information system measures.

Control Objectives for Information and Related Technology (COBIT) A framework that provides best practices for IT governance and control.

Control self-assessments (CSAs) Methods for organizations to assess risk and controls on their own.

Controls Actions or changes put in place to reduce a weakness or potential loss. A control is also referred to as a countermeasure.

Critical Security Controls A list of 20 security controls primarily addressing the technical control area.

Cybersecurity The practice of protecting computers and electronic communication systems as well as the associated information.

Cybersecurity Framework Developed by NIST, a framework that provides a voluntary structure for reducing the risks to critical infrastructure.

D

Data center One or more rooms with protected access and a controlled environment for computers and other IT devices. Also called a computer room.

Data leak security appliances Network devices or software running on computers that scan network traffic for data-matching rules.

Data Loss Protection (DLP) A set of tools and processes to ensure sensitive data does not leave the confines of the organization’s secure network without authorization.

Decommission Relates to the proper retirement and disposal of software and hardware once it is no longer needed.

Dedicated line A permanent circuit between two endpoints.

Demilitarized zone (DMZ) A separate network or portion of a network that is connected to a WAN and at least one LAN, with at least one firewall between the DMZ and the LAN.

Denial of service (DoS) An attack that generally floods a network with traffic. A successful DoS attack renders the network unusable and effectively stops the victim organization’s ability to conduct business.

Deployment Refers to the process of implementing new software or hardware.

Descriptive control A measure to be applied to a system that is high level and provides a lot of flexibility.

Developer testing Refers to the testing performed by a developer to ensure the software operates as designed.

Dial-up modems Older technology used to connect to a network through a telephone line.

Disaster recovery plans (DRPs) Plans that document the steps you can take to replace damaged or destroyed components due to a disaster to restore the integrity of your IT infrastructure. DRPs, along with BCPs, enable you to recover from disruptions ranging from small to large.

Dual-homed ISP connection A design in which a network maintains two connections to its ISP.

Due diligence Reasonable steps taken to ensure adherence to requirements.

E

E-Government Act of 2002 A U.S. law that improves the management of electronic government services by establishing a framework that requires the use of the Internet and related technologies to improve citizen access to government information services.

Electronic Communications Privacy Act of 2000 A U.S. law, also referred to as HR5018, that further defines the privacy of an individual’s data, including government access to such data.

Encryption The process of scrambling data in such a way that they are unreadable by unauthorized users but can be unscrambled by authorized users to be readable again.

Enterprise risk management (ERM) The governing process for managing risks and opportunities.

Ethics Moral beliefs and rules with regard to what is right and wrong.

Ethics Working Group A consortium to define information security as a recognized profession within IT and to establish a generally accepted framework of ethical behavior.

Executive summary A concise yet informative review intended for senior level management or those with decision-making power.

External compliance Refers to the process of ensuring an organization complies with requirements set by an external organization, such as compliance with U.S. laws.

F

Fair Credit Reporting Act (FCRA) U.S. legislation that defines national standards for all consumer reports.

Family Educational Rights and Privacy Act (FERPA) An act of Congress to protect the privacy of education records.

FCAPS The acronym for a network management functional model that stands for fault, configuration, accounting, performance, and security.

Federal Information Processing Standards (FIPS) Technical standards published by NIST and approved by the Secretary of Commerce.

Federal Information Security Management Act of 2002 (FISMA) An act of Congress to recognize the importance of information security to the interests of the United States.

Finding A documented conclusion that highlights deficiencies, abuse, fraud, or other questionable acts.

Finding and issue Refers to audit observations that detail specific instances of non-compliance with standards.

Fingerprinting The process of identifying the operating system and general configuration of a computer.

Firewall A network security measure designed to filter out undesirable network traffic.

Footprinting The process of determining the operating system and version of a network node.

Framework A conceptual set of rules and ideas that provide structure to a complex and challenging situation.

FUD An acronym used to describe fear, uncertainty, and doubt.

G

Gap analysis A comparison between the actual outcome and the desired outcome.

Global Technology Audit Guides (GTAGs) IIA-published documents that provide audit guidance for IT auditors.

Governance The process through which an organization’s processes and assets are directed and controlled.

Gramm-Leach-Bliley Act (GLBA) An act of Congress to protect the financial aspects of consumer information held by financial agencies.

Guide to the Assessment of IT Risk (GAIT) A standardized approach to walking through IT risks including assessing risk severity and prioritization.

Guideline A document that supports standards and policies but is not mandatory.

H

Halon A gas commonly used in data center fire suppression systems. Due to halon’s toxic properties, one type of halon has been banned and is no longer produced. Alternative gases are becoming more common.

Health Insurance Portability and Accountability Act (HIPAA) An act of Congress that helps citizens maintain their health coverage as well as improve the efficiency and effectiveness of the American healthcare system.

Hub A box with several connectors, or ports, that allows multiple network cables to attach to it. A hub is basically a hardware repeater. It takes input from any port and repeats the transmission, sending it as output on every port, including the original port.

I

Identification The process of providing user credentials or claiming to be a specific user.

Identity theft The taking of one’s personal information for unauthorized use.

Information resource management A process of managing information to improve performance.

Information Systems Security Assessment Framework (ISSAF) A method for evaluating networks, systems, and applications.

Information Technology Laboratory (ITL) An organization within NIST that performs research to help set U.S. standards.

Information Technology Laboratory (ITL) Bulletins NIST publications that provide in-depth coverage of important topics.

Infrastructure as a Service (IaaS) Cloud services related to providing network and management services to support an organization’s infrastructure.

Institute of Internal Auditors (IIA) A professional body for internal audit professionals that offers guidance on relevant topics.

Integrity Assurance against unauthorized modification or destruction.

Intellectual property rights (IPRs) The exclusive privilege to intangible assets.

Internal attack An attack in which an attacker is able to compromise a system’s access controls and either establish a presence inside the network or place malware on an internal computer.

Internal compliance Refers to complying with an organization’s internal standards.

Internal-to-external attack An attack in which the attacker uses an organization’s infrastructure to launch an attack on another organization.

International Electrotechnical Commission (IEC) An international, nonprofit organization that publishes global standards on electrotechnology, or all things electronic and electric.

International Information Systems Security Certification Consortium ((ISC)2) A nonprofit professional and certification body that provides related programs for information security professionals.

International Organization for Standardization (ISO) The world’s largest publisher of worldwide standards.

International Telecommunication Union Telecommunication Standardization Sector (ITU-T) One of three divisions of the International Telecommunication Union, primarily responsible for communications standards.

Internet service provider (ISP) An organization that provides a connection to the Internet.

Intrusion detection A set of tools and processes to detect unauthorized access.

Intrusion detection system (IDS) A network hardware device or software that monitors real-time network activity and compares the observed behavior with performance thresholds and trends to detect unusual activity that might represent an intrusion.

Intrusion prevention system (IPS) A network hardware device or software that monitors real-time network activity, compares the observed behavior with performance thresholds and trends to detect unusual activity that might represent an intrusion and takes action to stop the attack.

Intrusive test Any test that simulates an attack and results in damage.

Inventory The process of identifying all assets of an organization including all software and hardware assets.

ISACA A global professional organization that provides resources and guidance relating to IT governance.

ISO/IEC 27001 Good practices that provide an accepted baseline against which IT auditors can audit.

ISO/IEC 27002 Good practices for information security management.

IT infrastructure Refers to all the hardware and software to support an organization’s IT operations.

IT universe All the resources or auditable components within an organization.

K

Kerberos A popular computer network authentication protocol that allows nodes to prove their identities to one another.

L

LAN Domain An IT domain composed of the equipment making up the local area network.

LAN-to-WAN Domain An IT domain that bridges between the LAN and the WAN.

Least privilege A principle that dictates that users have access only to what they need to perform their duties.

Local area network (LAN) A computer network for communications between systems covering a small physical area.

M

Maintenance Refers to the support to keep current software and hardware such as applying vendor patches.

Malware A term that refers to a collection of different types of software that share the goal of infiltrating a computer and making it do something.

Management system Refers to the software tools and process to manage technology assets.

Multifactor authentication A type of authentication that uses more than two methods to authenticate a user.

Multiprotocol Label Switching (MPLS) A network mechanism that adds a simple label to each network packet, making routing of the packet faster than routing based on data in the header portion of the packet.

N

National Institute of Standards and Technology (NIST) An organization that promotes innovation and competitiveness through the advancement of science, standards, and technology to improve economic security and quality of life.

Network Access Control (NAC) A combination of security controls that define and implement a policy that describes the requirements to access your network.

Network-attached storage (NAS) Refers to network attached data storage that is shared across the network.

Network operating system (NOS) Software that provides the interface between the hardware and the Application Layer software.

Network scan An automated method for discovering host systems on a network.

Networking devices Hardware devices that connect other devices and computers using connection media.

Networking services software Software that provides connection and communication services for users and devices.

NIST 800-30 A guide developed by NIST for the management of risk for IT systems.

NIST 800-53 Recommended security controls, developed by NIST.

NIST 800-53A A guide for assessing security controls, developed by NIST.

NIST 800-115 A technical guide published by NIST on conducting information security tests and assessments.

Node Any computer or device that is connected to the network.

Non-disclosure agreement (NDA) Another name for a confidentiality agreement.

Nonintrusive test A test that only validates the existence of a vulnerability.

O

Object The target of an access request, such as a file, folder, or other resource.

Objectives A set of goals. Used as part of an assessment to determine what needs to be accomplished to validate a control.

Open Source Security Testing Methodology Manual (OSSTMM) A peer-reviewed method that takes a scientific approach to security testing.

Open Systems Interconnection (OSI) reference model A generic description for how computers use multiple layers of protocol rules to communicate across a network. The OSI reference model defines seven distinct layers.

Owner A user who has complete control of an object, including the right to grant access to other users or groups.

P

Packet sniffer Software that copies specified packets from a network interface to an output device, generally a file.

Payment Card Industry Data Security Council (PCI DSC) The organization responsible for the development and maintenance of security standards for the payment card industry.

Payment Card Industry Data Security Standard (PCI DSS) Industry-created standards to prevent payment card theft and fraud.

Penetration test A method for assessing information systems in an attempt to bypass controls and gain access.

Perimeter Refers to the hardware and software that acts as a buffer between the public external network and private internal network.

Personal Information Protection and Electronic Documents Act (PIPEDA) A Canadian law that set the standard on how to collect, use, and disclose personal information.

Permissions The definitions of what object access actions are permitted for a specific user or group.

Plan-do-check-act (PDCA) An iterative process for continuous improvement.

Platform as a Service (PaaS) Cloud services related to providing server platforms to an organization.

Policy A document that regulates conduct through a general statement of beliefs, goals, and objectives.

Prescriptive control Detailed and specific measures to be applied to a system.

Pretexting The act of using false pretenses to obtain confidential information.

Privacy Act of 1974 A U.S. law that defines the collection, usage, and dissemination of an individual’s information that is stored in federal agencies’ systems.

Privacy management The process of protecting the rights and obligations of individuals and organizations with regard to how they manage personal information.

Privacy obligation A term that refers to professional standards to maintain the confidentiality of personal information.

Privacy officer A senior-level management position within an organization responsible for handling privacy laws and their impact on the organization.

Procedure A document that provides step-by-step instructions for how standards and guidelines are put into practice.

Protected health information (PHI) Individually identifiable health information.

Protocol A set of rules that govern communication.

Proxy server A type of firewall that makes requests for remote services on behalf of local clients.

Public Company Accounting Oversight Board (PCAOB) An organization that provides oversight for public accounting firms and defines the process for compliance audits.

Q

Qualified Security Assessor (QSA) Entities qualified and authorized to perform PCI compliance assessment.

R

RACI matrix A table used to document tasks and the personnel responsible for the assignments. RACI stands for responsible, accountable, consulted, and informed.

Rack system An open cabinet with tracks into which multiple computers can be mounted instead of mounting them in individual cases.

Regulatory agencies Oversight agencies that deal with administrative law, codifying, and enforcing rules.

Remote Access Domain An IT domain that covers the access infrastructure for users accessing remote systems.

Remote Authentication Dial In User Service (RADIUS) A network protocol that supports remote connections by centralizing the management tasks for authentication, authorization, and accounting for computers to connect and access a network.

Risk An uncertainty that might lead to a loss. Losses occur when a threat exploits a vulnerability.

Risk appetite The degree of risk that an organization is willing to accept to achieve its goals.

Risk assessment An analysis of threats and vulnerabilities against assets. A risk assessment allows the risks to be prioritized.

Risk management The practice of identifying, assessing, controlling, and mitigating risks. Techniques to manage risk include avoiding, transferring, mitigating, and accepting the risk.

Risk tolerance The range of acceptance of risks to keep an organization within its appetite for risk.

Rotation of duties The process of rotating employees into different functions or job roles.

Router A network device that connects two or more separate networks.

S

SB1386 Refers to a California law that sets standards on the handling of an individual’s private information.

Scope creep When the original plans or goals of a project expand. Common with projects, particularly poorly planned projects.

Secure coding Methods of enhancing security as part of the software development process.

Secure VPNs VPNs in which all traffic is encrypted.

Security configuration management (SCM) The processes and techniques for managing security-related configuration items that directly relate to controls or settings.

Separation of duties The process of dividing roles and responsibilities so a single individual can’t undermine a critical process.

Server Message Block (SMB) An Application Layer protocol commonly used to provide access to file shares and printers.

Service accounts Refers to non-human accounts that support an application’s automated functions, also known as a system account.

Service level agreement (SLA) A portion of a service contract that promises specific levels of service.

Service Organization Control (SOC) reports Auditing standards maintained by the AICPA.

Simple Network Management Protocol (SNMP) A network protocol used to monitor network devices.

Single point of failure Any component on which service relies. If the single component fails, all other dependent components essentially fail as well.

Social engineering The act of manipulating people into divulging information.

Software as a Service (SaaS) Cloud services that provide software services to an organization.

Software configuration management (SCM) A formal method for managing changes to a software application.

Software design Refers to the process of defining business requirements and software components to meet requirements.

Software development Refers to the process of coding the software to meet the design requirements.

Software Development Life Cycle (SDLC) Standardized processes that define the life of software through its creation, deployment, maintenance, and retirement.

Software-defined WAN (SD-WAN) Software that defines and controls a wide-area network.

Source code Text files of programs that developers compile into application programs that computers can run.

Special Publications A series of standards developed by NIST.

Standard user account A human account without administrative privileges.

Standard A document that supports a policy. It consists of mandated rules, which support the higher-level policy goals.

Statement on Standards for Attestation Engagements No. 16 (SSAE 16) A report that is intended to provide assurance to organizations (user entities). This report replaces the SAS 70 report.

Storage area network (SAN) A collection of storage devices that is attached to a network in such a way that the devices appear to be local storage devices.

Subject A user or object that requests to access a file, folder, or other resource.

Subnet A subsection, or part, of a network.

Switch A networking device that forwards input it receives only to the appropriate output port.

System account Refers to non-human accounts that support an application’s automated functions, also known as a service account.

System software Software used to run other software; the term most often refers to the operating system of a platform.

System/Application Domain An IT domain that covers network systems, applications, and software for users.

T

Terminal Access Controller Access-Control System Plus (TACACS+) A network protocol developed by Cisco. TACACS+ provides access control for remote networked computing devices using one or more centralized servers.

Threat Any activity that represents a possible danger.

Threat actions The methods of carrying out a particular threat.

Threat identification The process of identifying all threats to the organization.

Traffic-monitoring devices Devices that monitor network traffic and compare performance with a baseline.

Transmission Control Protocol/Internet Protocol (TCP/IP) The basic protocol, or language, of modern networks and the Internet.

Transparent Data Encryption (TDE) A method of encrypting an entire database that is transparent to the user and requires no input or action.

Trojan horse Software that either hides or masquerades as a useful or benign program.

Tunneling A technique that creates a virtual encrypted connection and allows applications to use any protocol to communicate with servers and services without having to worry about addressing or privacy concerns.

Two-factor authentication A type of authentication that uses two types of authentication to authenticate a user.

Type I authentication (what you know) The information that only a valid user knows. The most common examples of Type I authentication are a password or PIN.

Type II authentication (what you have) A physical object that contains identity information, such as a token, card, or other device.

Type III authentication (what you are) A physical characteristic (biometric), such as a fingerprint, handprint, or retina characteristic.

U

Uninterruptible power supply (UPS) A device that provides continuous usable power to one or more devices.

User acceptance testing (UAT) Testing performed by the end-user to validate the functionality meets business requirements.

User Datagram Protocol (UDP) A core protocol of the Internet Protocol suite. UDP is a connectionless protocol, which provides no guarantee of delivery.

User Domain An IT domain that covers the end users of information systems.

User proxy Allows a user to connect through another account.

V

Virtual machines Software programs that look and run like a physical computer.

Virtual private network (VPN) A persistent connection between two nodes that allows bidirectional communication as if the connection were a direct connection with both nodes in the same network.

Virus A software program that attaches itself to or copies itself into another program for the purpose of causing the computer to follow instructions that were not intended by the original program developer.

Vulnerability A technology weakness.

Vulnerability analysis The examination of weaknesses or flaws.

Vulnerability scan An automated method for testing a system’s services and applications for known security holes.

W

WAN Domain An IT domain that covers the equipment and activities outside the LAN and beyond the LAN-to-WAN Domain.

WAN service provider An organization that provides access to its wide area network for a fee.

Wide area network (WAN) A network covering a large area often connecting multiple LANs.

Workstation Domain The operating environment of an end user.

Worm A self-contained program that replicates and sends copies of itself to other computers, generally across a network.

Z

Zero-day vulnerability Refers to a system vulnerability for which no patch or fix has been released.
