facilities classification
A method for assigning classification or risk levels to work centers and processing centers, based on their operational criticality or other risk factors.
feasibility study
An activity that seeks to determine whether a proposed program or project is achievable and whether its expected benefits justify its cost.
fiduciary
A person who has a legal trust relationship with another party.
fiduciary duty
The highest standard of care that a fiduciary renders to a beneficiary.
file
A named sequence of zero or more bytes that is stored as a whole in a file system. A file may be a document, spreadsheet, image, sound file, computer program, or data that is used by a program.
file activity monitoring (FAM)
A program that monitors the use of files on a server or endpoint as a means for detecting indicators of compromise.
file integrity monitoring (FIM)
A program that periodically scans file systems on servers and workstations, as a means of detecting changes to file contents or permissions that may be indicators of compromise.
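The baseline-and-compare loop behind file integrity monitoring, as an added example that is not part of the original glossary or of any FIM product. It assumes a POSIX file system and uses only the Python standard library; the monitored tree and the "attacker" changes are constructed inside a temporary directory. Permission bits are tracked separately from content because a chmod that makes a script world-writable or a binary setuid leaves the digest unchanged.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Record, for every regular file under root, its SHA-256 digest and permission bits.
    Symlinks are recorded by their target rather than followed, so a swapped link is
    visible and the scanner cannot be steered outside the monitored tree."""
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                snap[rel] = {"digest": "symlink:" + os.readlink(path), "mode": stat.S_IMODE(st.st_mode)}
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            snap[rel] = {"digest": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode)}
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into the four findings a FIM tool reports:
    added, removed, content modified, permissions changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, perms = [], []
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel]["digest"] != current[rel]["digest"]:
            modified.append(rel)
        if baseline[rel]["mode"] != current[rel]["mode"]:
            perms.append((rel, oct(baseline[rel]["mode"]), oct(current[rel]["mode"])))
    return {"added": added, "removed": removed, "modified": modified, "perms": perms}


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate tampering and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "backup.sh").write_text("#!/bin/sh\ntar czf /backup/data.tgz /srv/data\n")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        os.chmod(root / "bin" / "backup.sh", 0o755)
        os.chmod(root / "etc" / "app.conf", 0o640)
        baseline = snapshot(root)

        # Simulated compromise: config edited, backup script made world-writable,
        # and a cron entry dropped in. None of these is visible from the digest alone.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        os.chmod(root / "bin" / "backup.sh", 0o777)
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

In a real deployment the baseline would be stored off the monitored host (or signed), since an attacker with root can otherwise rewrite it to match the tampered files; directory permission changes are not tracked here.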
file server
A server that is used to store files in a central location, usually to make them available to many users.
fileless malware
Malware that runs from a computer's memory rather than from an executable stored in the file system, often launched through a legitimate tool such as a script interpreter, so that it leaves few artifacts for file-based scanners to find.
financial audit
An audit of an accounting system, accounting department processes, and procedures to determine whether business controls are sufficient to ensure the integrity of financial statements. See also audit.
financial management
Management for IT services that consists of several activities, including budgeting, capital investment, expense management, project accounting, and project ROI. See also IT service management (ITSM), return on investment (ROI).
firewall
A device or software function that controls the flow of network traffic between networks according to a set of rules. Placed at the boundary between the Internet and an organization's internal network, a firewall enforces security policy by denying all inbound traffic by default and permitting only specific types of traffic to a select few systems; it can also restrict outbound traffic. See also network segmentation.
first in, first out (FIFO)
A backup media rotation scheme where the oldest backup volumes are used next. See also backup media rotation.
forensic audit
An audit that is performed in support of an anticipated or active legal proceeding. See also audit.
forensics
The application of procedures and tools during an investigation of a computer or network-related event.
fraud
The intentional deception made for personal gain or for damage to another party.
gap analysis
An examination of a process or system to determine differences between its existing state and a desired future state.
general computing controls (GCCs)
Controls that are general in nature and implemented across most or all information systems and applications.
general data protection regulation (GDPR)
The European Union regulation, in force since May 2018, that protects the personal data and privacy of individuals in the EU and the European Economic Area.
governance
Management's control over policy and processes.
governance, risk, and compliance (GRC) tool
A software program used to track key aspects of an organization's information risk program.
grandfather-father-son
A hierarchical backup media rotation scheme that provides for longer retention of some backups.
hacker
Someone who interferes with or accesses another's computer without authorization.
hard disk drive (HDD)
A storage device using magnetic storage on rapidly rotating disks.
hardening
The technique of configuring a system so that only its essential services and features are active and all others are deactivated. This helps to reduce the attack surface of a system to only its essential components.
hardening standard
A document that describes the security configuration details of a system, or class of systems. See also configuration standard, hardening.
hardware monitoring
Tools and processes used to continuously observe the health, performance, and capacity of one or more computers.
hash function
A one-way cryptographic operation that maps input data of any length to a fixed-length output (the message digest), such that the output is easy to compute, infeasible to reverse, and changes unpredictably when any part of the input changes. Used to verify the integrity of a message. See also message digest.
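An added example (not from the original glossary) illustrating the hash function and message digest entries with the standard library: the digest is fixed-length whatever the input, a one-character change flips roughly half the output bits, and an unkeyed digest alone proves integrity only against accidental corruption. The message strings and the shared key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def digest(data: bytes) -> str:
    """SHA-256 message digest: always 64 hex characters (256 bits), whatever the input size."""
    return hashlib.sha256(data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests (avalanche check)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_integrity(data: bytes, expected_digest: str) -> bool:
    """The download-checksum pattern: recompute and compare in constant time.
    Catches corruption, but not tampering by an attacker who can also replace the
    published digest, because nothing secret goes into it."""
    return hmac.compare_digest(digest(data), expected_digest)


def tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a keyed digest. Without the key a valid tag cannot be forged,
    so it protects authenticity as well as integrity."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected_tag: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected_tag)


def demo() -> dict:
    msg = b"transfer 100 to account 42"          # constructed message
    tampered = b"transfer 900 to account 42"     # one character changed
    d = digest(msg)
    # An attacker who alters the message can simply publish the digest of the altered copy.
    attacker_digest = digest(tampered)
    key = secrets.token_bytes(32)                 # shared between sender and receiver out of band
    t = tag(key, msg)
    return {
        "digest_len": len(d),
        "avalanche_bits": bit_difference(d, digest(tampered)),
        "plain_check_fooled": verify_integrity(tampered, attacker_digest),
        "hmac_rejects_tamper": not verify_tag(key, tampered, t),
        "hmac_rejects_forgery": not verify_tag(key, tampered, tag(b"guess", tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

The distinction matters when reading the file integrity monitoring and key fingerprint entries: a bare digest is only as trustworthy as the channel it was obtained through, whereas a keyed digest (or a signature) binds the value to a holder of the key.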
Health Insurance Portability and Accountability Act (HIPAA)
A U.S. law requiring the enactment of controls to protect electronic protected health information (EPHI).
HITRUST
A healthcare control framework and certification that serves as an external attestation of an organization's IT controls.
host-based intrusion detection system (HIDS)
An intrusion detection system (IDS) that is installed on a system and watches for anomalies that could be signs of intrusion. See also intrusion detection system (IDS).
hot site
An alternate processing center where backup systems are already running and in some state of near-readiness to assume production workload. The systems at a hot site most likely have application software and database management software already loaded and running, perhaps even at the same patch levels as the systems in the primary processing center.
human resources (HR)
The department in most organizations that is responsible for employee onboarding, offboarding, internal transfers, training, and signing important documents such as security policy.
human resource information system (HRIS)
An information system used to manage information about an organization's workforce.
human resource management (HRM or HR)
Activities regarding the acquisition, onboarding, support, and termination of workers in an organization.
hybrid cryptography
A cryptosystem that combines two or more types of cryptography, most commonly an asymmetric algorithm to exchange or wrap a key and a symmetric algorithm to encrypt the bulk data. TLS and PGP are hybrid systems. See also key exchange.
Hypertext Transfer Protocol (HTTP)
A TCP/IP application layer protocol used to transmit web page contents from web servers to users who are using web browsers.
Hypertext Transfer Protocol Secure (HTTPS)
A TCP/IP application layer protocol that is similar to HTTP in its use for transporting data between web servers and browsers. HTTPS is not a separate protocol but is HTTP carried inside an SSL or TLS session (SSL is deprecated; TLS is used in practice). See also Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL), Transport Layer Security (TLS).
hypervisor
Virtualization software that facilitates the operation of one or more virtual machines.
identity and access management (IAM)
The activities and supporting systems that are used to manage workers' identities and their access to information systems and data.
identity management
The activity of managing the identity of each employee, contractor, temporary worker, and, optionally, customer, for use in a single environment or multiple environments.
image
A binary representation of a fully installed and configured operating system and applications for a server or an end user's computer.
impact
The actual or expected result from some action such as a threat or disaster.
impact analysis
The analysis of a threat and the impact it would have if it were realized.
incident
Any event that is not part of the standard operation of a service and that causes, or may cause, interruption to or a reduction in the quality of that service.
incident declaration
The process of determining that a security incident is taking place so that incident responders can begin the task of managing it.
incident management (ITSM)
The IT function that analyzes service outages, service slowdowns, security incidents, and software bugs, and seeks to resolve them to restore normal service. See also IT service management (ITSM), security incident management.
incident prevention
Proactive steps taken to reduce the probability or impact of security incidents.
incident responder
A worker in an organization who has responsibility for responding to a security incident.
incident response retainer
A legal agreement between an organization and a security professional services firm that arranges for the security firm to render assistance to the organization in the event of a security incident.
incident response team (IRT)
Personnel who are trained in incident response techniques.
indicator of compromise (IoC)
An observation on a network or in an operating system that indicates evidence of a network or computer intrusion.
industrial control system (ICS)
A control system used to monitor and manage physical machinery in an industrial environment. See also supervisory control and data acquisition (SCADA).
information classification
The process of assigning a sensitivity classification to an information asset.
information risk
Paraphrased from the ISACA Risk IT Framework: the business risk associated with the use, ownership, operation, involvement, influence, and adoption of information within an enterprise.
information security management
The aggregation of policies, processes, procedures, and activities to ensure that an organization's security policy is effective.
Information Security Management System (ISMS)
The collection of activities for managing information security in an organization, as defined by ISO/IEC 27001.
information security policy
A statement that defines how an organization will classify and protect its important assets.
infrastructure
The collection of networks, network services, devices, facilities, and system software that facilitates access to, communications with, and protection of business applications.
infrastructure-as-a-service (IaaS)
A cloud computing model where a service provider makes computers and other infrastructure components available to subscribers. See also cloud computing.
inherent risk
The level of risk present in a business process or system before any controls are taken into account; in audit terms, the risk that material weaknesses exist in existing business processes and that no compensating controls are in place to detect or prevent them.
initialization vector (IV)
A value that some encryption algorithms and modes of operation require as a starting input, so that encrypting the same plaintext under the same key produces different ciphertext each time. An IV must be unpredictable, or at minimum never repeated under the same key; reusing an IV with the same key can expose the plaintext. See also key management.
insider threat
Any scenario where an employee or contractor knowingly, or unknowingly, commits acts that result in security incidents or breaches.
integrated audit
An audit that combines an operational audit and a financial audit. See also operational audit, financial audit.
integrated development environment (IDE)
A software application that facilitates the writing, updating, testing, and debugging of application source code.
intellectual property
A class of assets owned by an organization that includes its designs, architectures, software source code, processes, and procedures.
internal audit
A formal audit of an organization's controls, processes, or systems, which is carried out by personnel who are part of the organization. See also audit.
internal audit (IA)
The name of an organization's internal department that performs audits.
Internet
The interconnection of the world's TCP/IP networks.
Internet hygiene
The practice of security awareness while accessing the Internet with a computer or mobile device to reduce the possibility of attack.
intrusion detection system (IDS)
A hardware or software system that detects anomalies that may be signs of an intrusion.
intrusion kill chain
The computer intrusion model developed by Lockheed Martin that depicts a typical computer intrusion. The phases of the kill chain are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
intrusion prevention system (IPS)
A hardware or software system that detects and blocks malicious network traffic that may be signs of an intrusion.
intrusive monitoring
Any technique used by an organization to actively monitor activities within a third party's IT environment.
IS audit
An audit of an IS department's operations and systems. See also audit.
ISACA
Formerly the Information Systems Audit and Control Association, now known simply as ISACA. A global organization that develops and administers numerous certifications, including Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and Certified in the Governance of Enterprise IT (CGEIT).
ISACA audit standards
The minimum standards of performance related to security, audits, and the actions that result from audits. The standards are published by ISACA and updated periodically. ISACA audit standards are considered mandatory.
ISAE 3402 (International Standard on Assurance Engagement)
An external audit of a service provider. An ISAE 3402 audit is performed according to rules established by the International Auditing and Assurance Standards Board (IAASB).
ISOIEC 20000
An ISO/IEC standard for IT service management (ITSM).
ISOIEC 27001
An ISO/IEC standard that specifies the requirements for an information security management system (ISMS) and against which an organization can be certified. See also Information Security Management System (ISMS).
ISOIEC 27002
An ISO/IEC standard that provides a code of practice for information security controls, supporting the control set referenced by ISO/IEC 27001.
IT Infrastructure Library (ITIL)
A widely used framework of best practices for IT service management. See IT service management (ITSM).
IT service management (ITSM)
The set of activities that ensures the delivery of IT services is efficient and effective, through active management and the continuous improvement of processes.
job description
A written description of a job in an organization. A job description usually contains a job title, work experience requirements, knowledge requirements, and responsibilities.
judgmental sampling
A sampling technique where items are chosen based upon the auditors judgment, usually based on risk or materiality. See also sampling.
key compromise
Any unauthorized disclosure or damage to an encryption key. See also key management.
key custody
The policies, processes, and procedures that govern who holds encryption keys and who is accountable for them throughout their lifetime. See also key management.
key disposal
The process of decommissioning encryption keys. See also key management.
key encrypting key
An encryption key that is used to encrypt another encryption key.
key exchange
A technique that is used by two parties to establish a symmetric encryption key when no secure channel is available.
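Both sides of a Diffie-Hellman exchange, as an added example that is not part of the original glossary. Only the two public values cross the insecure channel; each party combines the peer's public value with its own private exponent and derives the same symmetric key. The group parameters are the 1024-bit MODP group from RFC 2409 (assumed transcribed correctly, and verified as a safe prime before use); the derivation label `dh-demo-key` and the `Party` class are this example's own. Modern deployments should use the larger RFC 3526 groups or an elliptic-curve exchange such as X25519.

```python
import hashlib
import secrets

# 1024-bit MODP prime (RFC 2409, Oakley Group 2) with generator 2. It is a safe prime,
# meaning (P-1)/2 is also prime, which keeps the subgroup structure simple.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; used to validate group parameters before trusting them."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def valid_public_value(y: int) -> bool:
    """Reject out-of-range values and the trivial elements 0, 1 and P-1: a peer (or an
    attacker in the middle) who sends one of these forces the shared secret to a value
    it can predict."""
    return 2 <= y <= P - 2


class Party:
    """One participant: holds a private exponent and publishes G^x mod P."""

    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 1      # private exponent, never transmitted
        self.y = pow(G, self.x, P)                 # public value, sent in the clear

    def shared_key(self, peer_public: int) -> bytes:
        if not valid_public_value(peer_public):
            raise ValueError("invalid peer public value")
        z = pow(peer_public, self.x, P)            # same value on both sides: G^(x_a * x_b)
        # Hash the shared secret into a fixed-size symmetric key; this also hides its
        # algebraic structure. A real protocol would use HKDF with transcript binding.
        return hashlib.sha256(b"dh-demo-key" + z.to_bytes(128, "big")).digest()


def exchange() -> tuple[bytes, bytes]:
    """Run the exchange between two parties; only alice.y and bob.y are 'sent'."""
    alice, bob = Party(), Party()
    return alice.shared_key(bob.y), bob.shared_key(alice.y)


if __name__ == "__main__":
    k_alice, k_bob = exchange()
    print("keys match:", k_alice == k_bob)
```

Note what the exchange does not provide: neither side knows who it is talking to, so an active attacker can run two exchanges and relay between them. Real protocols (TLS, SSH, IKE) authenticate the public values with certificates, host keys, or pre-shared secrets, and the key fingerprint entry below is one way a human checks such a value out of band.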
key fingerprint
A short string, typically a hash of a public key, that is used to verify out of band that a public key is the one expected. See also hash function.
key generation
The initial generation of an encryption key. See also key management.
key goal indicator (KGI)
Measure of progress in the attainment of strategic goals in the organization.
key length
The size (measured in bits) of an encryption key. Longer encryption keys mean that it takes greater effort to successfully attack a cryptosystem.
key logger
A hardware device or a type of malware that records a user's keystrokes and, optionally, mouse movements and clicks, and sends this data to the key logger's owner.
key management
The various processes and procedures used by an organization to generate, protect, use, and dispose of encryption keys over their lifetime.
key performance indicator (KPI)
Measure of business processes performance and quality, used to reveal trends related to efficiency and effectiveness of key processes in the organization.
key protection
All means used to protect encryption keys from unauthorized disclosure and harm. See also key management.
key risk indicator (KRI)
Measure of information risk, used to reveal trends related to levels of risk of security incidents in the organization.
key rotation
The process of issuing a new encryption key and re-encrypting, under the new key, the data that was protected with the old key. See also key management.
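An added example, not from the original glossary, tying together the key encrypting key, key generation, key rotation, and key disposal entries. Under envelope encryption each record is encrypted with its own data encryption key (DEK), and the DEK is stored only in wrapped form under a key encrypting key (KEK). Rotating the KEK then means re-wrapping the small DEKs, not re-encrypting the bulk data. Because the Python standard library has no authenticated cipher, the example uses HMAC-SHA256 in counter mode as a stand-in stream cipher with an encrypt-then-MAC tag; this construction, the `KeyStore` class, and the sample record are this example's own and a production system would use AES-GCM or a KMS.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for a block cipher in CTR mode: HMAC-SHA256 used as a PRF over a counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce (the nonce must never repeat under one key).
    Output layout: nonce (16) || ciphertext || tag (32)."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyStore:
    """Envelope encryption with versioned KEKs. Each record carries the KEK version that
    wraps its DEK, so old and new versions can coexist during a rotation."""

    def __init__(self):
        self.keks = {1: secrets.token_bytes(32)}   # version -> KEK (lives in an HSM or KMS)
        self.current = 1
        self.records = {}                           # id -> (kek_version, wrapped_dek, ciphertext)

    def put(self, rec_id: str, data: bytes) -> None:
        dek = secrets.token_bytes(32)               # key generation: one DEK per record
        self.records[rec_id] = (self.current, encrypt(self.keks[self.current], dek), encrypt(dek, data))

    def get(self, rec_id: str) -> bytes:
        version, wrapped, ct = self.records[rec_id]
        dek = decrypt(self.keks[version], wrapped)  # unwrap with whichever KEK was used
        return decrypt(dek, ct)

    def rotate_kek(self) -> int:
        """Issue a new KEK and re-wrap every DEK under it. The bulk ciphertext is untouched,
        which is what makes frequent KEK rotation affordable."""
        self.current += 1
        self.keks[self.current] = secrets.token_bytes(32)
        for rec_id, (version, wrapped, ct) in list(self.records.items()):
            dek = decrypt(self.keks[version], wrapped)
            self.records[rec_id] = (self.current, encrypt(self.keks[self.current], dek), ct)
        return self.current

    def retire_old_keks(self) -> list:
        """Key disposal: drop KEK versions that no record references any more."""
        in_use = {v for v, _, _ in self.records.values()}
        retired = [v for v in self.keks if v not in in_use]
        for v in retired:
            del self.keks[v]
        return retired


if __name__ == "__main__":
    ks = KeyStore()
    ks.put("r1", b"example record")
    ks.rotate_kek()
    print(ks.get("r1"), ks.retire_old_keks())
```

Rotating a DEK, by contrast, does require re-encrypting that record's data, which is why the DEK is scoped to a single record or small data set: a compromise of one DEK exposes only what it protects, and replacing it is cheap.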
laptop computer
A portable computer used by an individual user.
last in, first out (LIFO)
A backup media rotation scheme where the newest backup volumes are used next. See also backup media rotation.
learning management system (LMS)
An on-premise or cloud-based system that makes online training and testing facilities available to an organization's personnel. Some LMSs automatically maintain records of training enrollment, test scores, and training completion.
least privilege
The concept where an individual user should have the lowest privilege possible that will still enable them to perform their tasks.
Lightweight Directory Access Protocol (LDAP)
A TCP/IP application layer protocol for querying and updating a directory service that holds information about people and computing resources; commonly used by applications for authentication and authorization lookups.
log correlation
The process of combining log data from many devices in order to discern patterns that may be indicators of operational problems or compromise.
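Log correlation over two device formats, as an added example that is not part of the original glossary. The firewall and sshd lines are constructed samples, the year for the syslog timestamps (which carry none) is an assumption, and both clocks are assumed to be in UTC; clock skew and time-zone normalization are the first real-world problems a correlation engine has to solve. The pattern looked for, a burst of firewall denies from one address followed by a successful SSH login from the same address, is visible in neither log on its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) from two devices with different formats.
FIREWALL_LOG = """\
2024-05-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:02Z fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=22
2024-05-01T10:00:03Z fw01 DENY src=203.0.113.7 dst=10.0.0.7 dport=22
2024-05-01T10:00:04Z fw01 DENY src=203.0.113.7 dst=10.0.0.8 dport=22
2024-05-01T10:00:09Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.9 dport=22
2024-05-01T10:20:00Z fw01 ALLOW src=198.51.100.4 dst=10.0.0.9 dport=22
"""
SSHD_LOG = """\
May  1 10:00:12 web09 sshd[2113]: Failed password for root from 203.0.113.7 port 51000 ssh2
May  1 10:00:15 web09 sshd[2113]: Failed password for root from 203.0.113.7 port 51001 ssh2
May  1 10:00:21 web09 sshd[2114]: Accepted password for deploy from 203.0.113.7 port 51002 ssh2
May  1 10:20:05 web09 sshd[2200]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
"""

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
SSH_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) port \d+")


def parse_firewall(text: str) -> list:
    """Normalize firewall lines into a common event shape keyed on the client IP."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "device": "fw", "action": m.group(3), "ip": m.group(4), "dst": m.group(5)})
    return events


def parse_sshd(text: str, year: int = 2024) -> list:
    """Normalize syslog-style sshd lines; the year is supplied because syslog omits it (assumption)."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "device": "sshd", "action": m.group(3),
                           "user": m.group(4), "ip": m.group(5), "host": m.group(2)})
    return events


def correlate(events: list, window: timedelta = timedelta(minutes=5), min_denies: int = 3) -> list:
    """Group events by source IP and flag: at least min_denies firewall DENYs (a scan)
    followed within `window` by an sshd Accepted from the same IP."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        denies = [e for e in evs if e["device"] == "fw" and e["action"] == "DENY"]
        for e in evs:
            if e["device"] == "sshd" and e["action"] == "Accepted":
                recent = [d for d in denies if e["ts"] - window <= d["ts"] <= e["ts"]]
                if len(recent) >= min_denies:
                    alerts.append({"ip": ip, "user": e["user"], "host": e["host"],
                                   "denies": len(recent), "login_at": e["ts"].isoformat()})
    return alerts


def run() -> list:
    return correlate(parse_firewall(FIREWALL_LOG) + parse_sshd(SSHD_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The second address, 198.51.100.4, logs in with a key and has no preceding denies, so it produces no alert; tuning `window` and `min_denies` against real traffic is what separates a usable correlation rule from a noisy one.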
log review
An examination of the event log in an information system, typically to see whether any security events or incidents have occurred. See also continuous log review.
log server
A system or device to which event logs from other systems are sent for processing and storage. See also security information and event management (SIEM).
macro virus
Malicious code written in the macro language of an application and embedded within a file such as a document or spreadsheet, so that it executes when the file is opened with macros enabled.
malware
The broad class of programs that are designed to inflict harm on computers, networks, or information. Types of malware include viruses, worms, Trojan horses, spyware, and rootkits.
man-made disaster
A disaster that is directly or indirectly caused by human activity, through action or inaction. See also disaster.
managed security service provider (MSSP)
An organization that provides security monitoring and/or management services for customers.
manual control
A control that requires a human to operate it.
maximum tolerable downtime (MTD)
A theoretical time period, measured from the onset of a disaster, after which the organization's ongoing viability would be at risk.
maximum tolerable outage (MTO)
The maximum period of time that an organization can tolerate operating in recovery (or alternate processing) mode.
message digest
The result of a cryptographic hash function.
methodology standard
A standard that specifies the practices used by the IT organization.
metric
A measurement of a periodic or ongoing activity, for the purpose of understanding the activity within the context of overall business operations.
microsegmentation
A network design in which the network is divided into very small zones, down to individual hosts or workloads, with access policy enforced between them, so that an attacker who compromises one node cannot move freely to its neighbors. See also network segmentation.
mobile device
A portable computer in the form of a smartphone, tablet computer, or wearable device.
mobile site
A portable recovery center that can be delivered to almost any location in the world.
monitoring
The continuous or regular evaluation of a system or control to determine its operation or effectiveness.
multifactor authentication
Authentication that requires two or more factors of different types: something the user knows (a password or PIN), something the user has (a hardware token, smart card, or digital certificate), or something the user is (a biometric). A user ID and password together count as a single factor.
natural disaster
A disaster that occurs in the natural world with little or no assistance from mankind. See also disaster.
netflow
A network telemetry feature, originating on Cisco routers, that records metadata about each traffic flow (source and destination addresses and ports, protocol, byte and packet counts, timestamps) without capturing packet payloads. Flow records are exported to a collector and used for network diagnostic or security purposes.
network access control (NAC)
An approach for network authentication and access control that determines whether devices will be permitted to attach to a LAN or wireless LAN.
network anomaly detection
A technique used to identify network traffic that may be a part of an intrusion or other unwanted event.
network attached storage (NAS)
A stand-alone storage system that contains one or more virtual volumes. Servers access these volumes over the network using the Network File System (NFS) or Server Message Block/Common Internet File System (SMB/CIFS) protocols, common on Unix and Windows operating systems, respectively.
network segmentation
The practice of dividing a network into two or more zones, with protective measures such as firewalls between the zones.
network tap
A device inserted into a network link that passes a copy of all traffic crossing the link to a monitoring system such as an intrusion detection system or a packet capture appliance. A SPAN (mirror) port on a switch serves a similar purpose by copying traffic from selected ports to the monitoring port, but it is a switch feature rather than a separate device and can drop packets when the mirrored traffic exceeds the port's capacity. See also intrusion detection system (IDS).
NIST CSF
The Cybersecurity Framework: a risk management methodology and controls framework developed by the U.S. National Institute of Standards and Technology (NIST).
NIST 800 Series
A collection of Special Publications on computer security published by the U.S. National Institute of Standards and Technology (NIST), such as SP 800-53 (security and privacy controls).
nonrepudiation
The property of encryption and digital signatures that can make it difficult or impossible for a party to later deny having sent a digitally signed message, unless they admit to having lost control of their private encryption key.
North American Electric Reliability Corporation (NERC)
The organization that develops and enforces reliability and security standards for the North American bulk electric system and its operators.
North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
The standards and requirements defined by NERC for protection of the electric power generation and transmission grid. See also industrial control system (ICS).
occupant emergency plan (OEP)
Activities required to safely care for occupants in a business location during a disaster. See also response document.
off-site media storage
The practice of storing media such as backup tapes at an off-site facility located away from the primary computing facility.
onboarding
The process undertaken when an organization hires a new worker or when it begins a business relationship with a third party.
operational audit
An audit of IS controls, security controls, or business controls to determine control existence and effectiveness. See also audit.
operational risk
The risk of loss resulting from failed controls, processes, and systems; from internal and external events; and from other occurrences that impact business operations and threaten an organization's survival.
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE)
A qualitative risk analysis methodology developed at Carnegie Mellon University.
orchestration
In the context of security information and event management (SIEM), this is the scripted, automated response that is automatically or manually triggered when specific events occur. See also security information and event management (SIEM).
organization chart
A diagram that depicts the manager-subordinate relationships in an organization or in part of an organization.
out of band
Communications that takes place separately from the main communications method.
outsourcing
A form of sourcing where an employer will use contract employees to perform a function. The contract employees may be located on-site or off-site.
owner
A person or group responsible for the management and/or operation of an asset.
packet sniffer
A device, or a program that can be installed on a network-attached system, to capture network traffic.
parallel test
An actual test of disaster recovery (DR) or business continuity response plans. The purpose of a parallel test is to evaluate the ability of personnel to follow directives in emergency response plans: to actually set up the DR business processing or data processing capability. In a parallel test, personnel operate recovery systems in parallel with production systems and compare the results between the two to determine the actual capabilities of the recovery systems.
password
A secret combination of letters, numbers, and other symbols, created by a system administrator or by the user, that is known only to the user and is presented together with a user ID to prove the user's identity.
password complexity
The characteristics required of user account passwords. For example, a password may not contain dictionary words and must contain uppercase letters, lowercase letters, numbers, and symbols.
password length
The minimum and maximum number of characters permitted for a password that is associated with a computer account.
password reset
The process of changing a user account password and unlocking the user account so that the user's use of the account may resume.
password reuse
The act of reusing a prior password for a user account. Some information systems can prevent the use of prior passwords in case any were compromised with or without the users knowledge.
patch management
The process of identifying, analyzing, and applying patches (including security patches) to systems.
Payment Card Industry Data Security Standard (PCI-DSS)
A security standard whose objective is the protection of credit card numbers in storage, while processed, and while transmitted. The standard was developed by the PCI Security Standards Council, a consortium of credit card companies, including Visa, MasterCard, American Express, Discover, and JCB.
personally identifiable information (PII)
Information that can be used on its own, or combined with other information, to identify a specific person.
phishing
A social engineering attack on unsuspecting individuals where e-mail messages that resemble official communications entice victims to visit imposter web sites that contain malware or request credentials to sensitive or valuable assets. See also CEO fraud, spear phishing, whaling.
physical control
Controls that employ physical means.
plaintext
An original message, file, or stream of data that can be read by anyone who has access to it.
platform-as-a-service (PaaS)
A cloud computing delivery model where the service provider supplies the platform on which an organization can build and run software.
playbook
A procedure to be performed to accomplish some purpose.
policy
A statement that specifies what must be done (or not done) in an organization. A policy usually defines who is responsible for monitoring and enforcing the policy.
population
A complete set of entities, transactions, or events that are the subject of an audit.
position title
A label that designates a persons place or role in an organization.
pre-audit
An examination of business processes, controls, and records in anticipation of an upcoming audit. See also audit.
preventive control
A control that is used to prevent unwanted events from happening.
privacy
The protection of personal information from unauthorized disclosure, use, and distribution.
privacy policy
A policy statement that defines how an organization will protect, manage, and handle private information.
private cloud
A cloud infrastructure that is dedicated to a single organization.
private key cryptosystem
A cryptosystem that is based on a symmetric cryptographic algorithm.
procurement
The process of making a purchase of hardware, software, and services; also, the name of the department that performs this activity.
probability
The chances that an event may occur.
probability analysis
The analysis of a threat and the probability of its realization.
problem
An incident, often multiple incidents, that exhibits common symptoms and whose root cause is not known.
problem management
The IT function that analyzes chronic incidents and seeks to resolve them and also enacts proactive measures in an effort to avoid problems. See also IT service management (ITSM).
procedure
A written sequence of instructions used to complete a task.
process
A logical container in an operating system in which a program executes.
program
An organization of many large, complex activities; it can be thought of as a set of projects that work to fulfill one or more key business objectives or goals.
program charter
A formal definition of the objectives of a program, its main timelines, sources of funding, the names of its principal leaders and managers, and the business executives who are sponsoring the program.
program management
The management of a group of projects that exist to fulfill a business goal or objective.
project
A coordinated and managed sequence of tasks that results in the realization of an objective or goal.
project management
The activities that are used to control, measure, and manage the activities in a project.
project plan
The chart of tasks in a project, which also includes start and completion dates, resources required, and dependencies and relationships between tasks.
project planning
The activities that are related to the development and management of a project.
protocol analyzer
A device that is connected to a network in order to view network communications at a detailed level.
public cloud
A cloud infrastructure used by multiple organizations.
public key infrastructure (PKI)
The set of roles, policies, and systems (certificate authorities, registration authorities, and repositories) used to issue, publish, and revoke digital certificates that bind public keys to the identities of people, systems, or services. See also key fingerprint, nonrepudiation.