Term | Definition |
---|---|
Abend | An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing |
Access control | The process that limits and controls access to resources of a computer system; a logical or physical control designed to protect against unauthorized entry or use. Access control can be defined by the system (mandatory access control, or MAC) or defined by the user who owns the object (discretionary access control, or DAC). |
Access control table | An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals |
Access method | The technique used for selecting records in a file, one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization that determines how the records are stored. |
Access path | The logical route an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system. |
Access rights | Also called permissions or privileges, these are the rights granted to users by the administrator or supervisor. Access rights determine the actions users can perform (e.g., read, write, execute, create and delete) on files in shared volumes or file shares on the server. |
Accountability | The ability to map a given activity or event back to the responsible party |
ACK (acknowledgement) | A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly by the receiver without errors, or that the receiver is now ready to accept a transmission |
Active recovery site (mirrored) | Recovery strategy that involves two active sites, each capable of taking over the other’s workload in the event of a disaster. Each site will have enough idle processing power to restore data from the other site and to accommodate the excess workload in the event of a disaster. |
Active response | A response in which the system (automatically or in concert with the user) blocks or otherwise affects the progress of a detected attack. The response takes one of three forms: amending the environment, collecting more information or striking back against the user. |
Address | The code used to designate the location of a specific piece of data within computer storage |
Address space | The number of distinct locations that may be referred to with the machine address. For most binary machines, it is equal to 2^n, where n is the number of bits in the machine address. |
Addressing | The method used to identify the location of a participant in a network. Ideally, addressing specifies where the participant is located rather than who they are (name) or how to get there (routing). |
adjusting period | The calendar can contain “real” accounting periods and/or adjusting accounting periods. The “real” accounting periods must not overlap, and cannot have any gaps between “real” accounting periods. Adjusting accounting periods can overlap with other accounting periods. For example, a period called DEC-93 can be defined that includes 01-DEC-1993 through 31-DEC-1993. An adjusting period called DEC31-93 can also be defined that includes only one day: 31-DEC-1993 through 31-DEC-1993. |
Administrative controls | The actions/controls dealing with operational effectiveness, efficiency and adherence to regulations and management policies |
allocation entry | A recurring journal entry used to allocate revenues or costs. For example, an allocation entry could be defined to allocate costs to each department based on headcount. |
Alpha | The use of alphabetic characters or an alphabetic character string |
Analog | A transmission signal that varies continuously in amplitude and time and is generated in wave formation. Analog signals are used in telecommunications. |
Anomaly | Unusual or statistically rare |
Anomaly detection | Detection on the basis of whether the system activity matched that defined as abnormal |
Anonymity | The quality or state of not being named or identified |
Anonymous File Transfer Protocol (FTP) | A method for downloading public files using the File Transfer Protocol (FTP). Anonymous FTP is called anonymous because users do not need to identify themselves before accessing files from a particular server. In general, users enter the word anonymous when the host prompts for a username; anything can be entered for the password, such as the user's e-mail address or simply the word guest. In many cases, an anonymous FTP site will not even prompt users for a name and password. |
Antivirus software | Applications that detect, prevent and possibly remove all known viruses from files located in a microcomputer hard drive |
Appearance | The act of giving the idea or impression of being or doing something |
Appearance of independence | Behavior adequate to meet the situations occurring during audit work (interviews, meetings, reporting, etc.). The IS auditor should be aware that appearance of independence depends upon the perceptions of others and can be influenced by improper actions or associations. |
Applet | A program written in a portable, platform independent computer language, such as Java. It is usually embedded in an HTML page and then executed by a browser. Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers. |
application | A computer program or set of programs that perform the processing of records for a specific function |
Application acquisition review | An evaluation of an application system being acquired or evaluated, which considers such matters as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is acquired in compliance with the established system acquisition process. |
Application controls | Refer to the transactions and data relating to each computer-based application system and are therefore specific to each such application. The objectives of application controls, which may be manual, or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein resulting from both manual and programmed processing. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted. |
Application development review | An evaluation of an application system under development which considers matters such as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is developed in compliance with the established systems development life cycle process |
Application implementation review | An evaluation of any part of an implementation project (e.g., project management, test plans, user acceptance testing procedures) |
Application layer | A layer within the International Organization for Standardization (ISO)/Open Systems Interconnection (OSI) model. It is used in information transfers between users through application programs and other devices. In this layer various protocols are needed. Some of them are specific to certain applications and others are more general for network services. |
Application maintenance review | An evaluation of any part of a project to perform maintenance on an application system (e.g., project management, test plans, user acceptance testing procedures) |
Application program | A program that processes actions upon business data, such as data entry, update or query. It contrasts with systems program, such as an operating system or network control program, and with utility programs, such as copy or sort. |
Application programming | The act or function of developing and maintaining applications programs in production |
Application programming interface (API) | A set of routines, protocols and tools referred to as "building blocks" used in business application software development. A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system, which applications need to specify when, for example, interfacing with an operating system (e.g., provided by MS-Windows, different versions of UNIX). A programmer would utilize these APIs in developing applications that can operate effectively and efficiently on the platform chosen. |
Application proxy | A proxy service that connects programs running on internal networks to services on exterior networks by creating two connections, one from the requesting client and another to the destination service |
application security | Refers to the security aspects supported by the ERP, primarily with regard to the roles or responsibilities and audit trails within the applications |
Application software tracing and mapping | Specialized tools that can be used to analyze the flow of data, through the processing logic of the application software, and document the logic, paths, control conditions and processing sequences. Both the command language or job control statements and programming language can be analyzed. This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons. |
Application system | An integrated set of computer programs designed to serve a particular function that has specific input, processing and output activities (e.g., general ledger, manufacturing resource planning, human resource management) |
Arithmetic-logic unit (ALU) | The area of the central processing unit that performs mathematical and analytical operations |
Artificial intelligence | Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules |
ASCII | (American Standard Code for Information Interchange) An eight-digit/seven-bit code representing 128 characters; used in most small computers |
ASP/MSP (application or managed service provider) | A third party that delivers and manages applications and computer services, including security services to multiple users via the Internet or a private network |
Assembler | A program that takes as input a program written in assembly language and translates it into machine code or relocatable code |
Assembly language | A low-level computer programming language which uses symbolic code and produces machine instructions |
Asymmetric key (public key) | A cipher technique whereby different cryptographic keys are used to encrypt and decrypt a message (see public key cryptosystems) |
Asynchronous Transfer Mode (ATM) | ATM is a high-bandwidth low-delay switching and multiplexing technology. It is a data link layer protocol. This means that it is a protocol-independent transport mechanism. ATM allows integration of real-time voice and video as well as data. ATM allows very high speed data transfer rates at up to 155 Mbit/s. |
Asynchronous transmission | Character-at-a-time transmission |
Attest reporting engagement | An engagement where an IS auditor is engaged to examine either management’s assertion regarding a particular subject matter or the subject matter directly. The IS auditor’s report consists of an opinion on one of the following: (1) The subject matter. These reports relate directly to the subject matter itself rather than to an assertion. In certain situations management will not be able to make an assertion over the subject of the engagement. An example of this situation is when IT services are outsourced to a third party. Management will not ordinarily be able to make an assertion over the controls that the third party is responsible for. Hence, an IS auditor would have to report directly on the subject matter rather than on an assertion. (2) Management’s assertion about the effectiveness of the control procedures. (3) Examination reporting engagement, where the IS auditor is engaged to issue an opinion on a particular subject matter. These engagements can include reports on controls implemented by management and on their operating effectiveness. |
Attitude | Way of thinking, behaving, feeling, etc. |
Attribute sampling | An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size) |
Audit | The process of generating, recording and reviewing a chronological record of system events to ascertain their accuracy |
Audit accountability | Performance measurement of service delivery including cost, timeliness and quality against agreed service levels |
Audit authority | A statement of the position within the organization, including lines of reporting and the rights of access |
Audit charter | A document which defines the IS audit function's responsibility, authority and accountability |
Audit evidence | The information systems auditor (IS auditor) gathers information in the course of performing an IS audit. The information used by the IS auditor to meet audit objectives is referred to as audit evidence (evidence). Also used to describe the level of risk that an auditor is prepared to accept during an audit engagement. |
Audit expert systems | Expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field. This technique includes automated risk analysis, systems software and control objectives software packages. |
Audit objective | The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk. |
Audit plan | A high level description of the audit work to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work. |
Audit program | A series of steps to complete an audit objective |
Audit responsibility | The roles, scope and objectives documented in the service level agreement between management and audit |
Audit risk | The risk of giving an incorrect audit opinion |
Audit sampling | The application of audit procedures to less than 100 percent of the items within a population to obtain audit evidence about a particular characteristic of the population |
Audit trail | A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source |
auditability | The level to which transactions can be traced and audited through a system |
Authentication | The act of verifying the identity of a system entity (e.g., a user, a system, a network node) and the entity’s eligibility to access computerized information. Designed to protect against fraudulent logon activity. Authentication can also refer to the verification of the correctness of a piece of data. |
authorization | The process of determining what types of activities are permitted. Ordinarily, authorisation is in the context of authentication: once you have authenticated a user, he/she may be authorised to perform different types of access or activity |
Automated teller machine (ATM) | A 24-hour, stand-alone mini-bank, located outside branch bank offices or in public places like shopping malls. Through ATMs, clients can make deposits, withdrawals, account inquiries and transfers. Typically, the ATM network is comprised of two spheres: a proprietary sphere, in which the bank manages the transactions of its clients, and the public or shared domain, in which a client of one financial institution can use another’s ATMs. |
Availability | Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities. |
Backup | Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service |
Bandwidth | The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second). |
Bar code | A printed machine-readable code that consists of parallel bars of varied width and spacing |
Base case | A standardized body of data created for testing purposes. Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system. |
Baseband | A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division and usually utilize a transceiver. In baseband the entire bandwidth of the transmission medium (e.g., coaxial cable) is utilized for a single channel. |
Batch control | Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage. There are two main forms of batch controls: 1) sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed, and 2) control total, which is a total of the values in selected fields within the transactions. |
Batch processing | The processing of a group of transactions at the same time. Transactions are collected and processed against the master files at a specified time. |
Baud rate | The rate of transmission for telecommunication data. It is expressed in bits per second (bps). |
Benchmark | A test that has been designed to evaluate the performance of a system. In a benchmark test, a system is subjected to a known workload and the performance of the system against this workload is measured. Typically, the purpose is to compare the measured performance with that of other systems that have been subject to the same benchmark test. |
Binary code | A code whose representation is limited to 0 and 1 |
Biometric locks | Door and entry locks that are activated by such biometric features as voice, eye retina, fingerprint or signature |
Biometrics | A security technique that verifies an individual’s identity by analyzing a unique physical attribute, such as a handprint |
Black box testing | A testing approach which focuses on the functionality of the application or product and does not require knowledge of the code intervals. |
Border router | See external router. |
Bridge | A device that connects two similar networks together |
Broadband | In broadband, multiple channels are formed by dividing the transmission medium into discrete frequency segments. It generally requires the use of a modem. |
Brouters | Devices that perform the functions of both bridges and routers are called brouters. Naturally, they operate at both the data link and the network layers. A brouter connects LAN segments of the same data link type as well as of different data link types, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a network of a different data link type based on the network protocol address. When connecting networks of the same data link type, brouters are as fast as bridges, while also being able to connect networks of different data link types. |
browser | A computer program that enables the user to retrieve information that has been made publicly available on the Internet; also, that permits multimedia (graphics) applications on the World Wide Web |
Brute force | The name given to a class of algorithms that repeatedly try all possible combinations until a solution is found |
BSP (business service provider) | An ASP that also provides outsourcing of business processes such as payment processing, sales order processing and application development |
budget | Estimated cost and revenue amounts for a given range of periods and set of books. There can be multiple budget versions for the same set of books. |
budget formula | A mathematical expression used to calculate budget amounts based on actual results, other budget amounts and statistics. With budget formulas, budgets using complex equations, calculations and allocations can be automatically created. |
budget hierarchy | A group of budgets linked together at different levels such that the budgeting authority of a lower-level budget is controlled by an upper-level budget. |
budget organization | An entity (department, cost center, division or other group) responsible for entering and maintaining budget data. |
Buffer | Memory reserved to temporarily hold data. Buffers are used to offset differences between the operating speeds of different devices, such as a printer and a computer. In a program, buffers are reserved areas of RAM that hold data while they are being processed. |
Bulk data transfer | A data recovery strategy that includes a recovery from complete backups that are physically shipped off site once a week. Specifically, logs are batched electronically several times daily, and then loaded into a tape library located at the same facility as the planned recovery. |
Bus | Common path or channel between hardware devices. It can be between components internal to a computer or between external computers in a communications network. |
Bus topology | A type of local area network (LAN) architecture in which each station is directly attached to a common communication channel. Signals transmitted over the channel take the form of messages. As each message passes along the channel, each station receives it. Each station then determines, based on an address contained in the message, whether to accept and process the message or simply to ignore it. |
Business impact analysis (BIA) | An exercise that determines the impact of losing the support of any resource to an organization and establishes the escalation of that loss over time, identifies the minimum resources needed to recover and prioritizes the recovery of processes and supporting systems |
business process integrity | Controls over the business processes that are supported by the ERP |
Business process reengineering (BPR) | Modern expression for organizational development stemming from IS/IT impacts. The ultimate goal of BPR is to yield a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings. To reengineer means to redesign a structure and procedures with intelligence and skills, while being well informed about all of the attendant factors of a given situation, so as to obtain the maximum benefits from mechanization as basic rationale. |
Business risk | Risks that could impact the organization’s ability to perform business or provide a service. They can be financial, regulatory or control oriented. |
Business-to-consumer e-commerce (B2C) | Refers to the processes by which organisations conduct business electronically with their customers and or public at large using the Internet as the enabling technology. |
Bypass label processing (BLP) | A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system. |
CAATs | See computer-assisted audit techniques |
Cadbury | The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was chaired by Sir Adrian Cadbury and produced a report on the subject commonly known, in the UK, as the Cadbury Report. |
Capacity stress testing | Testing an application with large quantities of data to evaluate its performance during peak periods. It also is called volume testing. |
Card swipes | A physical control technique that uses a secured card or ID to gain access to a highly sensitive location. Card swipes, if built correctly, act as a preventative control over physical access to those sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs all card users that try to access the secured location. The card swipe device prevents unauthorized access and logs all attempts to enter the secured location. |
Cathode ray tube (CRT) | A vacuum tube that displays data by means of an electron beam striking the screen, which is coated with suitable phosphor material or a device similar to a television screen upon which data can be displayed |
Central office (CO) | A telecommunications carrier’s facilities in a local area in which service is provided where local service is switched to long distance |
Central processing unit (CPU) | Computer hardware that houses the electronic circuits that control/direct all operations of the computer system |
Centralized data processing | Identified by one central processor and databases that form a distributed processing configuration |
Certificate authority (CA) | A trusted third party that serves authentication infrastructures or organizations and registers entities and issues them certificates |
Certificate Revocation List | A list of retracted certificates |
Challenge/response token | A method of user authentication. Challenge response authentication is carried out through use of the Challenge Handshake Authentication Protocol (CHAP). When a user tries to log into the server, the server sends the user a "challenge," which is a random value. The user enters a password, which is used as an encryption key to encrypt the "challenge" and return it to the server. The server is aware of the password. It, therefore, encrypts the "challenge" value and compares it with the value received from the user. If the values match, the user is authenticated. The challenge/response activity continues throughout the session and this protects the session from password sniffing attacks. In addition, CHAP is not vulnerable to "man in the middle" attacks as the challenge value is a random value that changes on each access attempt. |
Check digit | A numeric value, which has been calculated mathematically, is added to data to ensure that original data have not been altered or that an incorrect, but valid match has occurred. This control is effective in detecting transposition and transcription errors. |
Check digit verification (self-checking digit) | A programmed edit or routine that detects transposition and transcription errors by calculating and checking the check digit |
Checkpoint restart procedures | A point in a routine at which sufficient information can be stored to permit restarting the computation from that point |
Ciphertext | Information generated by an encryption algorithm to protect the plaintext. The ciphertext is unintelligible to the unauthorized reader. |
Circuit-switched network | A data transmission service requiring the establishment of a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE. A circuit-switched data transmission service uses a connection network. |
Circular routing | In open systems architecture, circular routing is the logical path of a message in a communications network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model. |
Cleartext | Data that is not encrypted. Also known as plaintext. |
Client-server | A group of computers connected by a communications network, where the client is the requesting machine and the server is the supplying machine. Software is specialized at both ends. Processing may take place on either the client or the server but it is transparent to the user. |
Cluster controller | A communications terminal control hardware unit that controls a number of computer terminals. All messages are buffered by the controller and then transmitted to the receiver. |
Coaxial cable | It is composed of an insulated wire that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second wire. Coaxial cable has a greater transmission capacity than standard twisted-pair cables but has a limited range of effective distance. |
COBIT® | Control Objectives for Information and related Technology, the international set of IT control objectives published by ISACF,® 2000, 1998, 1996 |
COCO | Criteria Of Control, published by the Canadian Institute of Chartered Accountants in 1995 |
Cohesion | The extent to which a system unit (subroutine, program, module, component, subsystem) performs a single dedicated function. Generally, the more cohesive the units are, the easier it is to maintain and enhance a system, since it is easier to determine where and how to apply a change. |
Cold site | An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility. |
Combined Code on Corporate Governance | The consolidation in 1998 of the "Cadbury," "Greenbury" and "Hampel" Reports. Named after the Committee Chairs, these reports were sponsored by the UK Financial Reporting Council, the London Stock Exchange, the Confederation of British Industry, the Institute of Directors, the Consultative Committee of Accountancy Bodies, the National Association of Pension Funds and the Association of British Insurers to address the Financial Aspects of Corporate Governance, Directors' Remuneration and the implementation of the Cadbury and Greenbury recommendations. |
Communications controller | Small computers used to connect and coordinate communication links between distributed or remote devices and the main computer, thus freeing the main computer from this overhead function |
Comparison program | A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences |
Compensating control | An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions |
Compiler | A program that translates programming language (source code) into machine executable instructions (object code) |
Completeness check | A procedure designed to ensure that no fields are missing from a record |
Compliance testing | Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period |
Components (as in component-based development) | Cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as much predeveloped, pretested components as possible. |
Comprehensive audit | An audit designed to determine the accuracy of financial records, as well as evaluate the internal controls of a function or department |
Computationally greedy | Requiring a great deal of computing power; processor intensive |
Computer sequence checking | Verifies that the control number follows sequentially and any control numbers out of sequence are rejected or noted on an exception report for further research |
computer server | 1) A computer dedicated to servicing requests for resources from other computers on a network. Servers typically run network operating systems. 2) A computer that provides services to another computer (the client). |
Computer-aided software engineering (CASE) | The use of software packages that aid in the development of all phases of an information system. System analysis, design, programming and documentation are provided. Changes introduced in one CASE chart automatically update all other related charts. CASE can be installed on a microcomputer for easy access. |
Computer-assisted audit technique (CAATs) | Any automated audit technique, such as generalized audit software, test data generators, computerized audit programs and specialized audit utilities |
Concurrent access | A fail-over process, in which all nodes run the same resource group (there can be no IP or MAC addresses in a concurrent resource group) and access the external storage concurrently |
Confidentiality | Confidentiality concerns the protection of sensitive information from unauthorized disclosure |
Console log | An automated detail report of computer system activity |
consumer | One who obtains products or services from a bank to be used primarily for personal, family or household purposes. |
Content filtering | Controlling access to a network by analyzing the contents of the incoming and outgoing packets and either letting them pass or denying them based on a list of rules. Differs from packet filtering in that it is the data in the packet that are analyzed instead of the attributes of the packet itself (e.g., source/target IP address, TCP flags). |
Continuity | The acts preventing, mitigating and recovering from disruption. The terms business resumption planning, disaster recovery planning and contingency planning also may be used in this context; they all concentrate on the recovery aspects of continuity. |
Continuous auditing approach | This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer. |
Control group | Members of the operations area that are responsible for the collection, logging and submission of input for the various user groups |
Control objective | The objectives of management that are used as the framework for developing and implementing controls (control procedures). |
Control Objectives for Enterprise Governance | A discussion document which sets out an "Enterprise Governance Model" focusing strongly on both the enterprise business goals and the information technology enablers which facilitate good enterprise governance, published by the Information Systems Audit and Control Foundation in 1999 |
Control perimeter | The boundary defining the scope of control authority for an entity. For example, if a system is within the control perimeter, the right and ability exists to control it in response to an attack. |
Control risk | The risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system |
control risk self-assessment | An empowering method/process by which management and staff of all levels collectively identify and evaluate IS related risks and controls under the guidance of a facilitator, who could be an IS auditor. The IS auditor can utilise CRSA for gathering relevant information about risks and controls and to forge greater collaboration with management and staff. CRSA provides a framework and tools for management and employees to: identify and prioritise their business objectives; assess and manage high-risk areas of business processes; self-evaluate the adequacy of controls; and develop risk treatment recommendations. |
Control section | The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic-logic, internal storage and output sections of the computer |
Control weakness | A deficiency in the design or operation of a control procedure. Control weaknesses can potentially result in risks relevant to the area of activity not being reduced to an acceptable level (relevant risks are those that threaten achievement of the objectives relevant to the area of activity being examined). Control weaknesses can be material when the design or operation of one or more control procedures does not reduce to a relatively low level the risk that misstatements caused by illegal acts or irregularities may occur and not be detected by the related control procedures. |
Controls | (Control procedures) Those policies and procedures implemented to achieve a related control objective |
corporate exchange rate | An exchange rate, which can be used optionally to perform foreign currency conversion. The corporate exchange rate is generally a standard market rate determined by senior financial management for use throughout the organization. |
Corporate governance | "...the structure through which the objectives of an organization are set, and the means of attaining those objectives, and determines monitoring performance guidelines. Good corporate governance should provide proper incentives for board and management to pursue objectives that are in the interests of the company and stakeholders and should facilitate effective monitoring, thereby encouraging firms to use resources more efficiently." (Source: Principles of Corporate Governance, 1999 issued by the Organization for Economic Cooperation and Development (OECD)) |
Corrective controls | These controls are designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected. |
COSO | A report on "Internal Control--An Integrated Framework" sponsored by the Committee of Sponsoring Organizations of the Treadway Commission in 1992. It provides guidance and a comprehensive framework of internal control for all organizations. |
Coupling | Measure of interconnectivity among software program modules’ structure. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data passes across the interface. In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand, maintain and less prone to a ripple or domino effect caused when errors occur at one location and propagate through the system. |
Coverage | The proportion of known attacks detected by an intrusion detection system |
Credentialed analysis | In vulnerability analysis, passive monitoring approaches in which passwords or other access credentials are required. This sort of check usually involves accessing a system data object. |
credit risk | The risk to earnings or capital arising from an obligor’s failure to meet the terms of any contract with the bank or otherwise to perform as agreed. Internet banking provides the opportunity for banks to expand their geographic range. Customers can reach a given bank from literally anywhere in the world. In dealing with customers over the Internet, absent any personal contact, it is challenging for banks to verify the good faith of their customers, which is an important element in making sound credit decisions. |
Criteria | The standards and benchmarks used to measure and present the subject matter and against which the IS auditor evaluates the subject matter. Criteria should be: objective (free from bias); measurable (provide for consistent measurement); complete (include all relevant factors needed to reach a conclusion); and relevant (relate to the subject matter). |
Cross-certification | A certificate issued by one certification authority to a second certification authority so that users of the first certification authority are able to obtain the public key of the second certification authority and verify the certificates it has created. Often cross certification refers specifically to certificates issued to each other by two CAs at the same level in a hierarchy. |
Cryptography | The art of designing, analyzing and attacking cryptographic schemes |
data analysis | In large organisations, where the volume of data processed by ERP systems is extremely high, analysis of patterns and trends is extremely useful in ascertaining the efficiency and effectiveness of operations. Most ERPs provide facilities for extracting and analysing data, some with built-in tools and others through third-party tools that interface with the ERP system. |
Data communications | The transfer of data between separate computer processing sites/devices using telephone lines, microwave and/or satellite links |
Data custodian | Individuals and departments responsible for the storage and safeguarding of computerized information. This typically is within the IS organization. |
Data dictionary | A data dictionary is a database that contains the name, type, range of values, source and authorization for access for each data element in a database. It also indicates which application programs use that data so that when a data structure is contemplated, a list of the affected programs can be generated. The data dictionary may be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database. |
Data diddling | Changing data with malicious intent before or during input into the system |
Data Encryption Standard (DES) | A private key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES has been used commonly for data encryption in the forms of software and hardware implementation (also see private key cryptosystems). |
data flow | The flow of data from input (in Internet banking, ordinarily user input at the customer's desktop) to output (in Internet banking, ordinarily data in the bank's central database). Data flow includes travel through communication lines, routers, switches and firewalls, as well as processing by the various server applications that handle the data between the user's keyboard and storage in the bank's central database. |
data integrity | The property that data meet an a priori expectation of quality and that the data can be relied upon |
Data leakage | Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes |
Data owner | Individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting and use of computerized data |
Data security | Those controls that seek to maintain confidentiality, integrity and availability of information |
Data structure | The relationships among files in a database and among data items within each file |
Database | A stored collection of related data needed by organizations and individuals to meet their information processing and retrieval requirements |
Database administrator (DBA) | An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database. |
Database management system (DBMS) | A complex set of software programs that control the organization, storage and retrieval of data in a database. It also controls the security and integrity of the database. |
Database replication | The process of creating and managing duplicate versions of a database. Replication not only copies a database but also synchronizes a set of replicas so that changes made to one replica are reflected in all the others. The beauty of replication is that it enables many users to work with their own local copy of a database but have the database updated as if they were working on a single centralized database. For database applications where geographically users are distributed widely, replication is often the most efficient method of database access. |
Database specifications | These are the requirements for establishing a database application. They include field definitions, field requirements and reporting requirements for the individual information in the database. |
Datagram | A packet (encapsulated with a frame containing information), which is transmitted in a packet-switching network from source to destination |
Data-oriented systems development | The purpose is to provide usable data rather than a function. The focus of the development is to provide ad hoc reporting for users by developing a suitable accessible database of information. |
DDoS (distributed denial-of-service) attack | A denial-of-service (DoS) assault from multiple sources; see DoS |
Decentralization | The process of distributing computer processing to different locations within an organization |
Decision support systems (DSS) | An interactive system that provides the user with easy access to decision models and data, to support semistructured decision-making tasks |
Decoy server | See honey pot. |
Decryption | A technique used to recover the original plaintext from the ciphertext such that it is intelligible to the reader. The decryption is a reverse process of the encryption. |
Decryption key | A piece of information, in a digitized form, used to recover the plaintext from the corresponding ciphertext by decryption |
Default deny policy | A policy whereby access is denied unless it is specifically allowed. The inverse of default allow. |
Default password | The password used to gain access when a system is first installed on a computer or network device. There is a large list published on the Internet and maintained at several locations. Failure to change these after the installation leaves the system vulnerable. |
Degauss | To apply a variable, alternating current (AC) field for the purpose of demagnetizing magnetic recording media. The process involves increasing the AC field gradually from zero to some maximum value and back to zero, which leaves a very low residue of magnetic induction on the media. Degauss loosely means to erase. |
Demodulation | The process of converting an analog telecommunications signal into a digital computer signal |
Detailed IS controls | Controls over the acquisition, implementation, delivery and support of IS systems and services. They are made up of application controls plus those general controls not included in pervasive controls. |
Detection risk | The risk that the IS auditor's substantive procedures will not detect an error which could be material, individually or in combination with other errors |
Detective controls | These controls exist to detect and report when errors, omissions and unauthorized uses or entries occur. |
Dial-back | Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the caller is from a valid phone number or telecommunications channel. |
Dial-in access controls | Controls that prevent unauthorized access from remote users that attempt to access a secured environment. These controls range from dial-back controls to remote user authentication. |
Digital certificate | A certificate identifying a public key to its subscriber, corresponding to a private key held by that subscriber. It is a unique code that typically is used to allow the authenticity and integrity of communicated data to be verified. |
digital certification | A process to authenticate (or certify) a party’s digital signature, carried out by trusted third parties. |
Digital signature | A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated by computing a one-way hash of the message and signing that hash with the sender's private key; the recipient recomputes the hash and verifies the signature with the sender's public key. |
Direct reporting engagement | An engagement where management does not make a written assertion about the effectiveness of their control procedures, and the IS auditor provides an opinion about subject matter directly, such as the effectiveness of the control procedures |
Discovery sampling | A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population |
Diskless workstations | A workstation or PC on a network that does not have its own disk. Instead, it stores files on a network file server. |
Distributed data processing network | A system of computers connected together by a communications network. Each computer processes its data and the network supports the system as a whole. Such a network enhances communication among the linked computers and allows access to shared files. |
DMZ (demilitarized zone) | Commonly it is the network segment between the Internet and a private network. It allows access to services from the Internet and the internal private network, while denying access from the Internet directly to the private network. |
DNS (domain name system) | A hierarchical database that is distributed across the Internet that allows names to be resolved into IP addresses (and vice versa) to locate services such as web and e-mail servers |
DoS (denial-of-service) attack | An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate |
Downloading | The act of transferring computerized information from one computer to another computer |
Downtime report | A report that identifies the elapsed time when a computer is not operating correctly because of machine failure |
Dry-pipe fire extinguisher system | Refers to a sprinkler system that does not have water in the pipes during idle usage, unlike a fully charged fire extinguisher system that has water in the pipes at all times. The dry-pipe system is activated by the fire alarm, at which point water is released from a reservoir into the pipes for discharge at the location of the fire. |
Due care | Diligence which a person would exercise under a given set of circumstances |
Due professional care | Diligence which a person, who possesses a special skill, would exercise under a given set of circumstances |
Dumb terminal | A display terminal without processing capability. Dumb terminals are dependent upon the main computer for processing. All entered data are accepted without further editing or validation. |
Duplex routing | The method or communication mode of routing data over the communication network (also see half duplex and full duplex) |
Dynamic analysis | Analysis that is performed in real time or in continuous form |
Echo checks | Detects line errors by retransmitting data back to the sending device for comparison with the original transmission |
e-commerce | Defined by ISACA as the processes by which organisations conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology. It therefore encompasses both business-to-business (B2B) and business-to-consumer (B2C) e-Commerce models, but does not include existing non-Internet e-Commerce methods based on private networks such as EDI and SWIFT. |
Edit controls | Controls that detect errors in the input portion of information sent to the computer for processing. They may be manual or automated and allow the user to correct data errors before processing. |
Editing | Editing ensures that data conform to predetermined criteria and enable early identification of potential errors. |
Electronic cash | An electronic form functionally equivalent to cash in order to make and receive payments in cyberbanking |
Electronic data interchange (EDI) | The electronic transmission of transactions (information) between two organizations. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders. |
Electronic funds transfer (EFT) | The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another. |
Electronic signature | Any technique designed to provide the electronic equivalent of a handwritten signature to demonstrate the origin and integrity of specific data. Digital signatures are an example of electronic signatures. |
Electronic vaulting | A data recovery strategy that allows organizations to recover data within hours after a disaster. It includes recovery of data from an offsite storage media that mirrors data via a communication link. Typically used for batch/journal updates to critical files to supplement full backups taken periodically. |
E-mail/interpersonal messaging | An individual using a terminal, PC or an application can access a network to send an unstructured message to another individual or group of people. |
Embedded audit module | Integral part of an application system that is designed to identify and report specific transactions or other information based on pre-determined criteria. Identification of reportable items occurs as part of real-time processing. Reporting may be real-time online, or may use store and forward methods. Also known as integrated test facility or continuous auditing module. |
Encapsulation (objects) | Encapsulation is the technique used by layered protocols in which a lower layer protocol accepts a message from a higher layer protocol and places it in the data portion of a frame in the lower layer. |
Encryption | The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext) |
Encryption key | A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext |
End-user computing | The ability of end users to design and implement their own information system utilizing computer software products |
Engagement letter | Formal document which defines the IS auditor's responsibility, authority and accountability for a specific assignment |
Enterprise governance | A broad and wide-ranging concept of corporate governance, covering associated organizations such as global strategic alliance partners. (Source: Control Objectives for Enterprise Governance Discussion Document, published by the Information Systems Audit and Control Foundation in 1999) |
enterprise resource planning | First, it denotes the planning and management of resources in an enterprise. Second, it denotes a software system that can be used to manage whole business processes, integrating purchasing, inventory, personnel, customer service, shipping, financial management and other aspects of the business. An ERP system typically is based on a common database, various integrated business process application modules and business analysis tools |
error | Control deviations (in compliance testing) or misstatements (in substantive testing) |
Error risk | The risk of errors occurring in the area being audited |
Ethernet | A popular network protocol and cabling scheme that uses a bus topology and CSMA/CD (carrier sense multiple access/collision detection) to detect and recover from collisions when two devices try to transmit on the network at the same time |
Evidence | The information an auditor gathers in the course of performing an IS audit. Evidence is relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support. |
Exception reports | An exception report is generated by a program that identifies transactions or data that appear to be incorrect. These items may be outside a predetermined range or may not conform to specified criteria. |
Executable code | The machine language code that is generally referred to as the object or load module |
Expert systems | Expert systems are the most prevalent type of computer systems that arise from the research of artificial intelligence. An expert system has a built in hierarchy of rules, which are acquired from human experts in the appropriate field. Once input is provided, the system should be able to define the nature of the problem and provide recommendations to solve the problem. |
Exposure | The potential loss to an area due to the occurrence of an adverse event |
Extended Binary-coded Decimal Interchange Code | (EBCDIC) An eight-bit code representing 256 characters; used in most large computer systems |
Extensible Markup Language (XML) | Promulgated through the World Wide Web Consortium, XML is a web-based application development technique that allows designers to create their own customized tags, thus, enabling the definition, transmission, validation and interpretation of data between applications and organizations. |
External router | The router at the extreme edge of the network under control, usually connected to an ISP or other service provider; also known as border router |
Fail-over | The transfer of service from an incapacitated primary component to its backup component |
Fail-safe | Describes the design properties of a computer system that allow it to resist active attempts to attack or bypass it |
False negative | In intrusion detection, an error that occurs when an attack is misdiagnosed as a normal activity |
False positive | In intrusion detection, an error that occurs when a normal activity is misdiagnosed as an attack |
Fault tolerance | A system’s level of resilience to seamlessly react from hardware and/or software failure |
Feasibility study | A phase of an SDLC methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need |
Fiber optic cable | Glass fibers that transmit binary signals over a telecommunications network. Fiber optic systems have low transmission losses as compared to twisted-pair cables. They do not radiate energy or conduct electricity. They are free from electromagnetic and lightning-induced interference, and they reduce the risk of wiretaps. |
Field | An individual data element in a computer record. Examples include employee name, customer address, account number, product unit price and product quantity in stock. |
File | A named collection of related records |
File layout | Specifies the length of the file’s record and the sequence and size of its fields. A file layout also will specify the type of data contained within each field. For example, alphanumeric, zoned decimal, packed and binary are types of data. |
File server | A high-capacity disk storage device or a computer that stores data centrally for network users and manages access to that data. File servers can be dedicated so that no process other than network management can be executed while the network is available; file servers can be non-dedicated so that standard user applications can run while the network is available. |
Filtering router | A router that is configured to control network access by comparing the attributes of the incoming or outgoing packets to a set of rules |
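The three entries Default deny policy, DMZ and Filtering router describe one mechanism: an ordered list of rules matched on packet attributes, with an explicit decision for packets that match nothing. The following Go program is an added example (not code from the page or from any vendor) that models a border router in front of a DMZ and shows why the default matters: with the same rule list, a default-allow policy lets an unlisted service (SSH to the DMZ host) through, while default deny blocks it. The network addresses, rule names and the `BorderFilter`/`Pkt` helpers are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Packet holds the header attributes a filtering router examines. The
// payload is deliberately absent: inspecting it is content filtering, a
// different control.
type Packet struct {
	Src, Dst net.IP
	Proto    string // "tcp" or "udp"
	DstPort  int
}

// Rule matches on source network, destination network, protocol and
// destination port. An empty Proto or a zero Port matches anything.
type Rule struct {
	Name     string
	Src, Dst *net.IPNet
	Proto    string
	Port     int
	Allow    bool
}

func (r Rule) matches(p Packet) bool {
	return r.Src.Contains(p.Src) && r.Dst.Contains(p.Dst) &&
		(r.Proto == "" || r.Proto == p.Proto) &&
		(r.Port == 0 || r.Port == p.DstPort)
}

// Filter is an ordered rule list plus the decision taken when no rule
// matches. DefaultAllow=false is the default deny policy.
type Filter struct {
	Rules        []Rule
	DefaultAllow bool
}

// Decide evaluates the rules first-match and returns the verdict together
// with the name of the rule (or default) that produced it.
func (f Filter) Decide(p Packet) (allow bool, by string) {
	for _, r := range f.Rules {
		if r.matches(p) {
			return r.Allow, r.Name
		}
	}
	if f.DefaultAllow {
		return true, "default-allow"
	}
	return false, "default-deny"
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// BorderFilter models the external router of a three-zone layout with
// made-up addresses: the Internet may reach the DMZ web server on TCP 443
// only, the DMZ may reach the internal database on TCP 5432 only, and
// any other traffic into the private network is denied explicitly.
func BorderFilter(defaultAllow bool) Filter {
	anywhere := cidr("0.0.0.0/0")
	dmz := cidr("192.0.2.0/24")
	internal := cidr("10.0.0.0/8")
	return Filter{
		DefaultAllow: defaultAllow,
		Rules: []Rule{
			{Name: "inet->dmz https", Src: anywhere, Dst: dmz, Proto: "tcp", Port: 443, Allow: true},
			{Name: "dmz->db", Src: dmz, Dst: internal, Proto: "tcp", Port: 5432, Allow: true},
			{Name: "any->internal", Src: anywhere, Dst: internal, Allow: false},
		},
	}
}

// Pkt builds a Packet from dotted-quad addresses (constructed test traffic).
func Pkt(src, dst, proto string, port int) Packet {
	return Packet{Src: net.ParseIP(src), Dst: net.ParseIP(dst), Proto: proto, DstPort: port}
}

func main() {
	probes := []Packet{
		Pkt("203.0.113.5", "192.0.2.10", "tcp", 443), // public web service
		Pkt("203.0.113.5", "192.0.2.10", "tcp", 22),  // SSH to the DMZ host: no rule covers it
		Pkt("192.0.2.10", "10.1.2.3", "tcp", 5432),   // DMZ to the database
		Pkt("203.0.113.5", "10.1.2.3", "tcp", 5432),  // Internet straight to the database
	}
	for _, defaultAllow := range []bool{true, false} {
		f := BorderFilter(defaultAllow)
		fmt.Printf("DefaultAllow=%v\n", defaultAllow)
		for _, p := range probes {
			ok, by := f.Decide(p)
			fmt.Printf("  %s -> %s:%d  allow=%v (%s)\n", p.Src, p.Dst, p.DstPort, ok, by)
		}
	}
}
```

The explicit `any->internal` deny rule still holds under either policy; the difference shows up only for traffic nobody wrote a rule for, which is exactly the traffic a default-allow router silently admits.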
FIN (final) | A flag set in a packet to indicate that this packet is the final data packet of the transmission |
Financial audit | An audit designed to determine the accuracy of financial records and information |
Finger | A protocol and program that allows the remote identification of users logged into a system |
Firewall | A device that forms a barrier between a secure and an open environment. Usually, the open environment is considered hostile. The most notable hostile environment is the Internet. In other words, a firewall enforces a boundary between two or more networks. |
Firmware | Memory chips with embedded program code that hold their content when power is turned off |
fiscal year | Any yearly accounting period without regard to its relationship to a calendar year. |
foreign exchange risk | Is present when a financial asset or liability is denominated in a foreign currency or is funded by borrowings in another currency |
Format checking | The application of an edit, using a predefined field definition to a submitted information stream; a test to ensure that data conform to a predefined format |
Fourth generation language (4GL) | English-like, user friendly, nonprocedural computer languages used to program and/or read and process computer files |
Frame relay | A packet-switched wide-area-network technology that provides faster performance than older packet-switched WAN technologies such as X.25 networks, because it was designed for today’s reliable circuits and performs less rigorous error detection. Frame relay is best suited for data and image transfers. Because of its variable-length packet architecture, it is not the most efficient technology for real-time voice and video. In a frame-relay network, end nodes establish a connection via a permanent virtual circuit (PVC). |
Fraud risk | The risk that activities will include deliberate circumvention of controls with the intent to conceal the perpetuation of irregularities. The unauthorized use of assets or services and abetting or helping to conceal. |
FTP (file transfer protocol) | A protocol used to transfer files over a TCP/IP network (Internet, UNIX, etc.) |
Full duplex | A communications channel over which data can be sent and received simultaneously |
Function point analysis | A technique used to determine the size of a development task, based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal files. |
Gateway | A hardware/software package that is used to connect networks with different protocols. The gateway has its own processor and memory and can perform protocol and bandwidth conversions. |
General computer controls | Controls, other than application controls, which relate to the environment within which computer-based application systems are developed, maintained and operated, and which are therefore applicable to all applications. The objectives of general controls are to ensure the proper development and implementation of applications, the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IS strategy and an IS security policy, the organization of IS staff to separate conflicting duties and planning for disaster prevention and recovery. |
Generalized audit software | A computer program or series of programs designed to perform certain automated functions. These functions include reading computer files, selecting data, manipulating data, sorting data, summarizing data, performing calculations, selecting samples and printing reports or letters in a format specified by the IS auditor. This technique includes software acquired or written for audit purposes and software embedded in production systems. |
Geographic disk mirroring | A data recovery strategy that takes a set of physically disparate disks and synchronously mirrors them over high performance communication lines. Any write to a disk on one side will result in a write on the other. The local write will not return until the acknowledgement of the remote write is successful. |
Hacker | An individual who attempts to gain unauthorized access to a computer system |
Half duplex | A communications channel that can handle only one signal at a time. The two stations must alternate their transmissions. |
Handprint scanner | A biometric device that is used to authenticate a user through palm scans |
Harden | To configure a computer or other network device to resist attacks |
Hardware | Relates to the technical and physical features of the computer |
Hash function | An algorithm that maps or translates one set of bits into another (generally smaller) so that a message yields the same result every time the algorithm is executed using the same message as input. It is computationally infeasible for a message to be derived or reconstituted from the result produced by the algorithm. It is computationally infeasible to find two different messages that produce the same hash result using the same algorithm. |
Hash total | The total of any numeric data field on a document or computer file. This total is checked against a control total of the same field to facilitate accuracy of processing. |
Hexadecimal | A numbering system that uses a base of 16 and uses 16 digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E and F. Programmers use hexadecimal numbers as a convenient way of representing binary numbers. |
Hierarchical database | A database structured in a tree/root or parent/child relationship. Each parent can have many children, but each child may have only one parent. |
Honey pot | A specially configured server, designed to attract intruders so that their actions do not affect production systems; also known as a decoy server |
Hot site | A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster |
HTTP (hyper text transfer protocol) | A communication protocol used to connect to servers on the World Wide Web. Its primary function is to establish a connection with a web server and transmit HTML pages to the client browser. |
HTTPS (hyper text transfer protocol secure) | A protocol for accessing a secure web server, whereby all data transferred is encrypted |
Hub | A common connection point for devices in a network; hubs commonly are used to connect segments of a LAN. A hub contains multiple ports. When a packet arrives at one port, it is copied to the other ports so that all segments of the LAN can see all packets. |
Hyperlink | An electronic pathway that may be displayed in the form of highlighted text, graphics or a button and that connects one web page with another web page address |
Hypertext | A language that enables electronic documents to present information connected together by links instead of sequentially, as is the case with normal text |
ICMP (internet control message protocol) | A set of protocols that allow systems to communicate information about the state of services on other systems. It is used, for example, in determining whether systems are up, the maximum packet sizes on links, and whether a destination host/network/port is available. Hackers typically abuse ICMP to determine information about the remote site. |
Idle standby | A fail-over process in which the primary node owns the resource group. The backup node runs idle, only supervising the primary node. In case of a primary node outage, the backup node takes over. The nodes are prioritized, which means the surviving node with the highest priority will acquire the resource group. A higher priority node joining the cluster will thus cause a short service interruption. |
IDS (intrusion detection system) | An intrusion detection system (IDS) inspects network activity to identify suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system |
IEEE (Institute of Electrical and Electronics Engineers) | Pronounced I-triple-E, IEEE is an organization composed of engineers, scientists and students. The IEEE is best known for developing standards for the computer and electronics industry. |
Image processing | The process of electronically inputting source documents by taking an image of the document, thereby eliminating the need for key entry |
Implementation life cycle review | The controls that support the process of transforming the organisation’s legacy information systems into the ERP applications. This largely covers all aspects of systems implementation and configuration, such as change management. |
Incremental testing | Deliberately testing only the value-added functionality of a software component |
Independence | Self-governance and freedom from conflict of interest and undue influence. The IS auditor should be free to make his/her own decisions, not influenced by the organization being audited and its people (managers and employers). |
Independent appearance | The outward impression of being self-governing and free from conflict of interest and undue influence |
Independent attitude | Impartial point of view which allows the IS auditor to act objectively and with fairness |
Indexed sequential access method (ISAM) | A disk access method that stores data sequentially, while also maintaining an index of key fields to all the records in the file for direct access capability |
Indexed sequential file | A file format in which records are organized and can be accessed according to a preestablished key that is part of the record |
Information engineering | Data-oriented development techniques that work on the premise that data are at the center of information processing and that certain data relationships are significant to a business and must be represented in the data structure of its systems |
Information processing facility (IPF) | The computer room and support areas |
Inherent risk | The susceptibility of an audit area to error which could be material, individually or in combination with other errors, assuming that there are no related internal controls |
Inheritance (objects) | Inheritance refers to database structures that have a strict hierarchy (no multiple inheritance). Inheritance can initiate other objects irrespective of the class hierarchy, thus there is no strict hierarchy of objects. |
Initial program load (IPL) | The initialization procedure that causes an operating system to be loaded into storage at the beginning of a workday or after a system malfunction |
Input controls | Techniques and procedures used to verify, validate and edit data, to ensure that only correct data are entered into the computer |
Integrated services digital network (ISDN) | A public end-to-end digital telecommunications network with signaling, switching and transport capabilities supporting a wide range of services accessed by standardized interfaces with integrated customer control. The standard allows transmission of digital voice, video and data over 64 Kbps lines. |
Integrated test facilities (ITF) | Test data are processed in production systems. The data usually represent a set of fictitious entities such as departments, customers and products. Output reports are verified to confirm the correctness of the processing. |
Integrity | The accuracy and completeness of information as well as to its validity in accordance with business values and expectations |
Intelligent terminal | A terminal with built-in processing capability. It has no disk or tape storage but has memory. The terminal interacts with the user by editing and validating data as they are entered prior to final processing. |
Interest rate risk | The risk to earnings or capital arising from movements in interest rates. From an economic perspective, a bank focuses on the sensitivity of the value of its assets, liabilities and revenues to changes in interest rates. Internet banking may attract deposits, loans and other relationships from a larger pool of possible customers than other forms of marketing. Greater access to customers who primarily seek the best rate or term reinforces the need for managers to maintain appropriate asset/liability management systems, which should include the ability to react quickly to changing market conditions. |
Interface testing | A testing technique that is used to evaluate output from one application, while the information is sent as input to another application |
Internal control | The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. |
Internal control structure | The dynamic, integrated processes, effected by the governing body, management and all other staff, that are designed to provide reasonable assurance regarding the achievement of the following general objectives: effectiveness, efficiency and economy of operations; reliability of management; compliance with applicable laws, regulations and internal policies. Management’s strategies for achieving these general objectives are affected by the design and operation of the following components: control environment; information system; control procedures. |
Internal penetrators | Authorized users of a computer system who overstep their legitimate access rights. This category is divided into masqueraders and clandestine users. |
Internal storage | The main memory of the computer’s central processing unit |
Internet | 1) Two or more networks connected by a router; 2) the world’s largest network, using TCP/IP protocols to link government, university and commercial institutions |
Internet banking | Use of the Internet as a remote delivery channel for banking services. Services include the traditional ones, such as opening an account or transferring funds to different accounts, and new banking services, such as electronic bill presentment and payment (allowing customers to receive and pay bills on a bank’s web site). |
Internet Engineering Task Force (IETF) | The Internet standards setting organization with affiliates internationally from network industry representatives. This includes all network industry developers and researchers concerned with evolution and planned growth of the Internet. |
Internet Inter-ORB Protocol (IIOP) | A protocol developed by the object management group (OMG) to implement Common Object Request Broker Architecture (CORBA) solutions over the World Wide Web. CORBA enables modules of network-based programs to communicate with one another. These modules or program parts, such as tables, arrays, and more complex program subelements, are referred to as objects. Use of IIOP in this process enables browsers and servers to exchange both simple and complex objects. This significantly differs from HTTP, which only supports the transmission of text. |
Internet packet (IP) spoofing | An attack using packets with spoofed source IP addresses. This technique exploits applications that use authentication based on IP addresses. This technique also may enable an unauthorized user to gain root access on the target system. |
Intranet | A private network that uses the infrastructure and standards of the Internet and World Wide Web, but is isolated from the public Internet by firewall barriers |
Intrusion | Any intentional violation of the security policy of a system |
Intrusion detection | The process of monitoring the events occurring in a computer system or network, detecting signs of security problems |
Intrusive monitoring | In vulnerability analysis, gaining information by performing checks that affect the normal operation of the system, even crashing the system |
IP (Internet protocol) | Specifies the format of packets and the addressing scheme |
IPSec (Internet protocol security) | A set of protocols developed by the IETF to support the secure exchange of packets |
Irregularities | Intentional violations of established management policy or regulatory requirements. Deliberate misstatements or omissions of information concerning the area under audit or the organization as a whole; gross negligence or unintentional illegal acts. |
ISO17799 | An international standard that defines information confidentiality, integrity and availability controls |
ISP (Internet service provider) | A third party that provides organizations with a variety of Internet, and Internet-related services |
IT governance | A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes |
Job control language (JCL) | A language used to control run routines in connection with performing tasks on a computer |
Journal entry | A debit or credit to a general ledger account. See also manual journal entry. |
Judgment sampling | Any sample that is selected subjectively or in such a manner that the sample selection process is not random or the sampling results are not evaluated mathematically |
L2F (Layer 2 forwarding) | A tunnelling protocol developed by Cisco Systems to support the creation of VPNs |
L2TP (Layer 2 tunneling protocol) | An extension to PPP to facilitate the creation of VPNs. L2TP merges the best features of PPTP (from Microsoft) and L2F (from Cisco). |
Latency | The delay before a system or network responds. System latency is the time a system takes to retrieve data. Network latency is the time it takes for a packet to travel from its source to its final destination. |
LDAP (Lightweight Directory Access Protocol) | A set of protocols for accessing information directories. It is based on the X.500 standard, but is significantly simpler. |
Leased lines | A communication line permanently assigned to connect two points, as opposed to a dial-up line that is only available and open when a connection is made by dialing the target machine or network. Also known as a dedicated line. |
Legal risk | The risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices or ethical standards. Banks are subject to various forms of legal risk. This can include the risk that assets will turn out to be worth less or liabilities will turn out to be greater than expected because of inadequate or incorrect legal advice or documentation. In addition, existing laws may fail to resolve legal issues involving a bank; a court case involving a particular bank may have wider implications for banking business and involve costs to it and many or all other banks; and laws affecting banks or other commercial enterprises may change. Banks are particularly susceptible to legal risks when entering new types of transactions and when the legal right of a counterparty to enter into transactions is not established. |
Librarian | The individual responsible for the safeguard and maintenance of all program and data files |
Limit check | Tests of specified amount fields against stipulated high or low limits of acceptability. When both high and low values are used, the test may be called a range check. |
Link editor (linkage editor) | A utility program that combines several separately compiled modules into one, resolving internal references between them |
Liquidity risk | The risk to earnings or capital arising from a bank’s inability to meet its obligations when they come due without incurring unacceptable losses. Internet banking may increase deposit volatility from customers who maintain accounts solely on the basis of rate or terms. |
Local area network (LAN) | A communication network that serves several users within a specified geographic area. It is made up of servers, workstations, a network operating system and a communications link. Personal computer LANs function as distributed processing systems in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive to all users in the network. |
Local loop | The communication lines that provide connectivity between the telecommunications carrier’s central office and the subscriber’s facilities |
Log | To record details of information or events in an organized record-keeping system, usually sequenced in the order they occurred |
Logical access controls | The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files |
Logoff | Disconnecting from the computer |
Logon | The act of connecting to the computer. It typically requires entry of a user ID and password into a computer terminal. |
Logs/Log file | Files created specifically to record various actions occurring on the system to be monitored, such as failed login attempts, full disk drives and e-mail delivery failures |
Machine language | The logical language a computer understands |
Magnetic card reader | A card reader that reads cards with a magnetizable surface on which data can be stored and retrieved |
Magnetic ink character recognition (MICR) | Used to electronically input, read and interpret information directly from a source document; requires the source document to have specially-coded magnetic ink typeset |
Management information system (MIS) | An organized assembly of resources and procedures required to collect, process and distribute data for use in decision making |
Man-in-the-middle attack | An attack strategy in which the attacker intercepts the communications stream between two parts of the victim system and then replaces the traffic between the two components with the intruder’s own, eventually assuming control of the communication |
Manual journal entry | A journal entry entered at a computer terminal. Manual journal entries can include regular, statistical, inter-company and foreign currency entries. |
Mapping | Diagramming data that are to be exchanged electronically, including how it is to be used and what business management systems need it. It is a preliminary step for developing an applications link. (Also see application tracing and mapping.) |
Masking | A computerized technique of blocking out the display of sensitive information, such as passwords, on a computer terminal or report |
Masqueraders | Attackers that penetrate systems by using user identifiers and passwords taken from legitimate users |
Master file | A file of semipermanent information that is used frequently for processing data or for more than one purpose |
Materiality | An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. An expression of the relative significance or importance of a particular matter in the context of the organization as a whole. |
Memory dump | The act of copying raw data from one place to another with little or no formatting for readability. Usually, dump refers to copying data from main memory to a display screen or a printer. Dumps are useful for diagnosing bugs. After a program fails, one can study the dump and analyze the contents of memory at the time of the failure. Dumps are usually output in a difficult-to-read form (that is, binary, octal or hexadecimal), so a memory dump will not help unless one knows exactly what to look for. |
Message switching | A telecommunications traffic controlling methodology in which a complete message is sent to a concentration point and stored until the communications path is established |
Microwave transmission | A high-capacity line-of-sight transmission of data signals through the atmosphere which often requires relay stations |
Middleware | Another term for an application programmer interface (API). It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services. |
Misuse detection | Detection on the basis of whether the system activity matches that defined as bad |
Modem (modulator-demodulator) | Connects a terminal or computer to a communications network via a telephone line. Modems turn digital pulses from the computer into frequencies within the audio range of the telephone system. When acting in the receiver capacity, a modem decodes incoming frequencies. |
Modulation | The process of converting a digital computer signal into an analog telecommunications signal |
Monetary unit sampling | A sampling technique that estimates the amount of overstatement in an account balance |
Monitor | Any information collection mechanism utilized by an intrusion detection system |
Monitoring policy | The rules outlining the way in which information is captured and interpreted |
Multiplexing | The transmission of more than one signal across a physical channel |
Multiplexor | A device used for combining several lower-speed channels into a higher-speed channel |
Mutual takeover | A fail-over process that is basically a two-way idle standby: two servers are configured so that each can take over the other node’s resource group. Both must have enough CPU power to run both applications with sufficient speed; otherwise, performance losses must be expected until the failed node reintegrates. This also works well in configurations of three or more nodes. |
NAT (Network Address Translation) | An Internet standard that allows a network to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. The server, providing the NAT service, changes the source address of outgoing packets from the internal to the external address and reverses it for packets returning. |
Netware | A popular local area network operating system developed by the Novell Corp. |
Network | A system of interconnected computers and the communications equipment used to connect them |
Network administrator | The person responsible for maintaining a LAN and assisting end users |
Network hop | An attack strategy in which the attacker successively hacks into a series of connected systems, obscuring his/her identity from the victim of the attack |
Node | Point at which terminals are given access to a network |
Noise | Disturbances, such as static, in data transmissions that cause messages to be misinterpreted by the receiver |
Non-intrusive monitoring | In vulnerability analysis, gaining information by performing standard system status queries and inspecting system attributes |
Nonrepudiable transactions | Transactions that cannot be denied after the fact |
Nonrepudiation | The assurance that a party cannot later deny originating data; that is, the provision of proof of the integrity and origin of the data that can be verified by a third party. Nonrepudiation may be provided by a digital signature. |
Normalization | The elimination of redundant data |
Numeric check | An edit check designed to ensure the data in a particular field is numeric |
Object code | Machine-readable instructions produced from a compiler or assembler program that has accepted and translated the source code |
Object Management Group (OMG) | A consortium with more than 700 affiliates from the software industry. Its purpose is to provide a common framework for developing applications using object-oriented programming techniques. For example, OMG is known principally for promulgating the CORBA specification. |
Object orientation | An approach to system development where the basic unit of attention is an object, which represents an encapsulation of both data (an object’s attributes) and functionality (an object’s methods). Objects usually are created using a general template called a class. Classes are the basis for most design work in objects. Classes and their objects communicate in defined ways. Aggregate classes interact through messages, which are directed requests for services from one class (the client) to another class (the server). A class may share the structure or methods defined in one or more other classes, a relationship known as inheritance. |
Objectivity | The ability to exercise judgement, express opinions and present recommendations with impartiality |
Object-oriented system development | A system development methodology that is organised around "objects" rather than "actions," and "data" rather than "logic." Object-oriented analysis is an assessment of a physical system to determine which objects in the real world need to be represented as objects in a software system. Any object-oriented design is software design that is centred around designing the objects that will make up a program. Any object-oriented program is one that is composed of objects or software parts. |
Offline files | Computer file storage media not physically connected to the computer; typically tapes or tape cartridges used for backup purposes |
Offsite storage | A storage facility located away from the building housing the primary information processing facility (IPF), used for storage of computer media such as offline backup data and storage files |
Online data processing | Processing is achieved by entering information into the computer via a video display terminal. The computer immediately accepts or rejects the information, as it is entered. |
Open systems | Systems for which detailed specifications of their components’ composition are published in a nonproprietary environment, thereby enabling competing organizations to use these standard components to build competitive systems. The advantages of using open systems include portability, interoperability and integration. |
Operating system | A master control program that runs the computer and acts as a scheduler and traffic controller. It is the first program copied into the computer’s memory after the computer is turned on and must reside in memory at all times. It is the software that interfaces between the computer hardware (disk, keyboard, mouse, network, modem, printer) and the application software (word processor, spreadsheet, e-mail), which also controls access to the devices and is partially responsible for security components and sets the standards for the application programs that run in it. |
Operating system audit trails | Records of system events generated by a specialized operating system mechanism |
Operational audit | An audit designed to evaluate the various internal controls, economy and efficiency of a function or department |
Operational control | These controls deal with the everyday operation of a company or organization to ensure all objectives are achieved. |
Operational risk | The most important types of operational risk involve breakdowns in internal controls and corporate governance. Such breakdowns can lead to financial losses through error, fraud or failure to perform in a timely manner, or cause the interests of the bank to be compromised in some other way, for example, by its dealers, lending officers or other staff exceeding their authority or conducting business in an unethical or risky manner. Other aspects of operational risk include major failure of information technology systems or events such as security problems or other disasters. |
Operator console | A special terminal used by computer operations personnel to control computer and systems operations functions. These terminals typically provide a high level of computer access and should be properly secured. |
Optical character recognition | Used to electronically scan and input written information from a source document |
Optical scanner | An input device that reads characters and images that are printed or painted on a paper form into the computer. |
Output analyzer | Checks the accuracy of the results produced by a test run. There are three types of checks that an output analyzer can perform. First, if a standard set of test data and test results exists for a program, the output of a test run after program maintenance can be compared with the set of results that should be produced. Second, as programmers prepare test data and calculate the expected results, these results can be stored on a file and the output analyzer compares the actual results of a test run with the expected results. Third, the output analyzer can act as a query language; it accepts queries about whether certain relationships exist in the file of output results and reports compliance or noncompliance. |
Outsourcing | A formal agreement with a third party to perform an IS function for an organization |
Packet | Data unit that is routed from source to destination in a packet-switched network. A packet contains both routing information and data. Transmission control protocol/Internet protocol (TCP/IP) is such a packet-switched network. |
Packet filtering | Controlling access to a network by analyzing the attributes of the incoming and outgoing packets and either letting them pass, or denying them, based on a list of rules |
Packet switching | The process of transmitting messages in convenient pieces that can be reassembled at the destination |
Parallel simulation | Parallel simulation involves the IS auditor writing a program to replicate those application processes that are critical to an audit opinion and using this program to reprocess application system data. The results produced are compared with the results generated by the application system and any discrepancies identified. |
Parallel testing | The process of feeding test data into two systems, the modified system and an alternative system (possibly the original system) and comparing results |
Parity check | A general hardware control, which helps to detect data errors when data are read from memory or communicated from one computer to another. A 1-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item’s bits is odd or even. When the parity bit disagrees with the sum of the other bits, the computer reports an error. The probability of a parity check detecting an error is 50 percent. |
Partitioned file | A file format in which the file is divided into multiple subfiles and a directory is established to locate each subfile |
Passive assault | In a passive assault, intruders attempt to learn some characteristic of the data being transmitted. They may be able to read the contents of the data so the privacy of the data is violated. Alternatively, although the content of the data itself may remain secure, intruders may read and analyze the plaintext source and destination identifiers attached to a message for routing purposes, or they may examine the lengths and frequency of messages being transmitted. |
Passive response | A response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent action |
Password | A protected, generally computer-encrypted string of characters that authenticate a computer user to the computer system |
Password cracker | Specialized security checker that tests users’ passwords, searching for passwords that are easy to guess by repeatedly trying words from specially crafted dictionaries. Failing that, many password crackers can brute force all possible combinations in a relatively short period of time with current desktop computer hardware. |
Payment system | A financial system that establishes the means for transferring money between suppliers and users of funds, ordinarily by exchanging debits or credits between banks or financial institutions |
Penetration testing | A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers |
Performance indicators | A set of metrics designed to measure the extent to which performance objectives are being achieved on an on-going basis. They can include service level agreements, critical success factors, customer satisfaction ratings, internal or external benchmarks, industry best practices and international standards. |
Performance testing | Comparing the system’s performance to other equivalent systems using well defined benchmarks |
Peripherals | Auxiliary computer hardware equipment used for input, output and data storage. Examples include disk drives and printers. |
Permanent virtual circuit (PVC) | A permanent connection between hosts in a packet switched network |
Personal identification number (PIN) | A type of password (i.e., a secret number assigned to an individual) that, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual. PINs have been adopted by financial institutions as the primary means of verifying customers in an electronic funds transfer system (EFTS). |
Pervasive IS controls | General controls which are designed to manage and monitor the IS environment and which, therefore, affect all IS-related activities |
Piggy backing | 1) Following an authorized person into a restricted access area; 2) electronically attaching to an authorized telecommunications link to intercept and possibly alter transmissions. |
Plaintext | Digital information, such as cleartext, that is intelligible to the reader |
Point-of-presence (POP) | A phone number that represents the area in which the communications provider or Internet service provider (ISP) provides service |
Point-of-sale systems (POS) | Point-of-sale systems enable capture of data at the time and place of transaction. POS terminals may include use of optical scanners for use with bar codes or magnetic card readers for use with credit cards. POS systems may be online to a central computer or may use stand-alone terminals or microcomputers that hold the transactions until the end of a specified period when they are sent to the main computer for batch processing. |
Polymorphism (objects) | Polymorphism refers to database structures that send the same command to different child objects that can produce different results depending on their family hierarchical tree structure. |
Population | The entire set of data from which a sample is selected and about which the IS auditor wishes to draw conclusions |
Port | An interface point between the CPU and a peripheral device |
Posting | The process of actually entering transactions into computerized or manual files. Such transactions might immediately update the master files or may result in memo posting, in which the transactions are accumulated over a period of time, then applied to master file updating. |
PPP (point-to-point protocol) | A protocol used for transmitting data between two ends of a connection |
PPTP (point-to-point tunneling protocol) | A protocol used to transmit data securely between two end points to create a VPN |
Preventive controls | These controls are designed to prevent or restrict an error, omission or unauthorized intrusion. |
Price risk | The risk to earnings or capital arising from changes in the value of portfolios of financial instruments. Price risk arises from market making, dealing and position taking in interest rate, foreign exchange, equity and commodities markets. Banks may be exposed to price risk if they create or expand deposit brokering, loan sales or securitisation programs as a result of Internet banking activities. |
Privacy | Freedom from unauthorized intrusion |
Private key | A mathematical key (kept secret by the holder) used to create digital signatures and, depending upon the algorithm, to decrypt messages or files encrypted (for confidentiality) with the corresponding public key |
Private key cryptosystems | Used in data encryption, it uses a secret key to encrypt the plaintext to the ciphertext. It also uses the same key to decrypt the ciphertext to the corresponding plaintext. In this case, the key is symmetric such that the encryption key is equivalent to the decryption key. |
Privilege | The level of trust with which a system object is imbued |
Procedure | The portion of a security policy that states the general process that will be performed to accomplish a security goal |
Production programs | Programs that are used to process live or actual data that were received as input into the production environment. |
Production software | Software that is being used and executed to support normal and authorized organizational operations. Such software is to be distinguished from test software, which is being developed or modified, but has not yet been authorized for use by management. |
Professional competence | Proven level of ability, often linked to qualifications issued by relevant professional bodies and compliance with their codes of practice and standards |
Program evaluation and review technique (PERT) | A project management technique used in the planning and control of system projects |
Program flowcharts | Program flowcharts show the sequence of instructions in a single program or subroutine. The symbols used should be the internationally accepted standard. Program flowcharts should be updated when necessary. |
Program narratives | Program narratives provide a detailed explanation of program flowcharts, including control points and any external input. |
Project sponsor | In an acquisition, the person responsible for high-level decisions, such as changes to the scope and/or budget of the project, and whether or not to implement |
Project team | Group of people responsible for a project, whose terms of reference may include the development, acquisition, implementation or maintenance of an application system. The team members may include line management, operational line staff, external contractors and IS auditors. |
Promiscuous mode | Allows the network interface to capture all network traffic irrespective of the hardware device to which the packet is addressed |
Protection domain | The area of the system that the intrusion detection system is meant to monitor and protect |
Protocol | The rules by which a network operates and controls the flow and priority of transmissions |
Protocol converter | Hardware devices that convert between two different types of transmission, such as asynchronous and synchronous transmissions |
Protocol stack | A set of utilities that implement a particular network protocol. For instance, in Windows machines a TCP/IP stack consists of TCP/IP software, sockets software and hardware driver software. |
Prototyping | A system development technique that enables users and developers to reach agreement on system requirements. Prototyping uses programmed simulation techniques to represent a model of the final system to the user for advisement and critique. The emphasis is on end-user screens and reports. Internal controls are not a priority item since this is only a model. |
Proxy server | A server that acts on behalf of a user. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and complete a connection to a remote destination on behalf of the user. |
Public key | In an asymmetric cryptographic scheme, the key that may be widely published to enable the operation of the scheme |
Public key cryptosystem | Used in data encryption, it uses an encryption key, as a public key, to encrypt the plaintext to the ciphertext. It uses the different decryption key, as a secret key, to decrypt the ciphertext to the corresponding plaintext. In contrast to a private key cryptosystem, the decryption key should be secret; however, the encryption key can be known to everyone. In a public key cryptosystem, two keys are asymmetric, such that the encryption key is not equivalent to the decryption key. |
Public key infrastructure | A system that authentically distributes users’ public keys using certificates |
Queue | A group of items that is waiting to be serviced or processed |
Quick ship | A recovery solution provided by recovery and/or hardware vendors that includes a pre-established contract to deliver hardware resources within a specified number of hours after a disaster occurs. This solution usually provides organizations with the ability to recover within 72 hours or greater. |
RADIUS (remote authentication dial-in user service) | A type of service providing an authentication and accounting system often used for dial-up and remote access security |
Random access memory (RAM) | The computer’s primary working memory. Each byte of memory can be accessed randomly regardless of adjacent bytes. |
Range check | Range checks ensure that data fall within a predetermined range (also see limit checks). |
Rapid application development | A methodology that enables organisations to develop strategically important systems faster, while reducing development costs and maintaining quality by using a series of proven application development techniques, within a well-defined methodology. |
Real-time analysis | Analysis that is performed on a continuous basis, with results gained in time to alter the run-time system |
Real-time processing | An interactive online system capability that immediately updates computer files when transactions are initiated through a terminal |
Reasonable assurance | A level of comfort short of a guarantee but considered adequate given the costs of the control and the likely benefits achieved |
Reasonableness check | Compares data to predefined reasonability limits or occurrence rates established for the data. |
Reciprocal agreement | Emergency processing agreements between two or more organizations with similar equipment or applications. Typically, participants promise to provide processing time to each other when an emergency arises. |
Record | A collection of related information treated as a unit. Separate fields within the record are used for processing of the information. |
Record, screen and report layouts | Record layouts provide information regarding the type of record, its size and the type of data contained in the record. Screen and report layouts describe what information is provided and necessary for input. |
Recovery point objective (RPO) | A measurement of the point prior to an outage to which data are to be restored |
Recovery testing | A test to check the system’s ability to recover after a software or hardware failure |
Recovery time objective (RTO) | The amount of time allowed for the recovery of a business function or resource after a disaster occurs |
Redo logs | Files maintained by a system, primarily a database management system, for the purpose of reapplying changes following an error or outage recovery |
Redundancy check | Detects transmission errors by appending calculated bits onto the end of each segment of data |
Reengineering | A process involving the extraction of components from existing systems and restructuring these components to develop new systems or to enhance the efficiency of existing systems. Existing software systems thus can be modernized to prolong their functionality. An example of this is a software code translator that can take an existing hierarchical database system and transpose it to a relational database system. CASE includes a source code reengineering feature. |
Registration authority (RA) | An entity that may be given responsibility for performing some of the administrative tasks necessary in the registration of subjects, such as confirming the subject's identity, validating that the subject is entitled to have the attributes requested in a certificate and verifying that the subject has possession of the private key associated with the public key requested for a certificate. |
Regression testing | A testing technique used to retest earlier program abends or logical errors that occurred during the initial testing phase |
Relevant audit evidence | Audit evidence is relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support. |
Reliable audit evidence | Audit evidence is reliable if, in the IS auditor's opinion, it is valid, factual, objective and supportable. |
Remote job entry (RJE) | The transmission of job control language (JCL) and batches of transactions from a remote terminal location |
Remote procedure calls (RPCs) | The traditional Internet service protocol widely used for many years on UNIX-based operating systems and supported by the Internet Engineering Task Force (IETF) that allows a program on one computer to execute a program on another (e.g., server). The primary benefit derived from its use is that a system developer need not develop specific procedures for the targeted computer system. For example, in a client-server arrangement, the client program sends a message to the server with appropriate arguments, and the server returns a message containing the results of the program executed. (See also CORBA and DCOM, as two newer object-oriented methods for related RPC functionality.) |
Repository | The central database that stores and organizes data |
Repudiation | The denial by one of the parties to a transaction of participation in all or part of that transaction or of the content of communications related to that transaction. |
Reputational risk | The current and prospective effect on earnings and capital arising from negative public opinion. This affects the bank’s ability to establish new relationships or services or continue servicing existing relationships. Reputation risk may expose the bank to litigation, financial loss or a decline in its customer base. A bank’s reputation can be damaged by Internet banking services that are poorly executed or otherwise alienate customers and the public. An Internet bank has a greater reputation risk as compared to a traditional brick-and-mortar bank since it is easier for its customers to leave and go to a different Internet bank and since it cannot discuss any problems with the customer in person. |
Request for proposal (RFP) | A document distributed to software vendors requesting them to submit a proposal to develop or provide a software product |
Requirements definition | A phase of an SDLC methodology where the affected user groups define the requirements of the system for meeting the defined needs |
Residual risk | The risk that remains associated with an event once the controls in place to reduce the effect or likelihood of that event have been taken into account |
Reverse engineering | A software engineering technique whereby an existing application system code can be redesigned and coded using computer-aided software engineering (CASE) technology |
RFC (request for comments) | A document that has been approved by the IETF becomes an RFC and is assigned a unique number once published. If it gains enough interest, it may evolve into an Internet standard. |
Ring topology | A type of LAN architecture in which the cable forms a loop, with stations attached at intervals around the loop. Signals transmitted around the ring take the form of messages. Each station receives the messages and each station determines, on the basis of an address, whether to accept or process a given message. However, after receiving a message, each station acts as a repeater, retransmitting the message at its original signal strength |
Risk | The possibility of an act or event occurring that would have an adverse effect on the organization and its information systems |
Risk assessment | A process used to identify and evaluate risks and their potential effects |
Rootkit | A software suite designed to aid an intruder in gaining unauthorized administrative access to a computer system |
Rotating standby | A fail-over process in which there are two nodes (as in idle standby but without priority). The node that enters the cluster first owns the resource group, and the second will join as a standby node. |
Rounding down | A method of computer fraud involving a computer code that instructs the computer to remove small amounts of money from an authorized computer transaction by rounding down to the nearest whole value denomination and rerouting the rounded off amount to the perpetrator’s account |
Router | A networking device that can send (route) data packets from one local area network (LAN) or wide area network (WAN) to another, based on addressing at the network layer (Layer 3) in the OSI model. Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source addresses, destination addresses, protocol and network applications (ports). |
RS-232 interface | Interface between data terminal equipment and data communications equipment employing serial binary data interchange |
RSA | A public key cryptosystem developed by R. Rivest, A. Shamir and L. Adleman. The RSA has two different keys, the public encryption key and the secret decryption key. The strength of the RSA depends on the difficulty of the prime number factorization. For applications with high-level security, the number of the decryption key bits should be greater than 512 bits. RSA is used for both encryption and digital signatures. |
Rulebase | The list of rules and/or guidance that is used to analyze event data |
Run instructions | Computer operating instructions which detail the step-by-step processes that are to occur so an application system can be properly executed. It also identifies how to address problems that occur during processing. |
Run-to-run totals | Provide verification that all transmitted data are read and processed |
Salami technique | A method of computer fraud involving a computer code that instructs the computer to slice off small amounts of money from an authorized computer transaction and reroute this amount to the perpetrator’s account |
Sampling risk | The probability that the IS auditor has reached an incorrect conclusion because an audit sample, rather than the whole population, was tested. While sampling risk can be reduced to an acceptably low level by using an appropriate sample size and selection method, it can never be eliminated. |
Scheduling | A method used in the information processing facility (IPF) to determine and establish the sequence of computer job processing |
Screening routers | A router configured to permit or deny traffic based on a set of permission rules installed by the administrator |
Secure socket layer (SSL) | A protocol originally developed by Netscape Communications to provide a high level of security for its browser software. It has become accepted widely as a means of securing Internet message exchanges. It ensures confidentiality of the data in transmission using encryption. |
Security administrator | The person responsible for implementing, monitoring and enforcing security rules established and authorized by management |
Security management | 1) The process of establishing and maintaining security in a computer or network system. The stages of this process include prevention of security problems, detection of intrusions, investigation of intrusions and resolution. 2) In network management, controlling access to the network and resources, finding intrusions, identifying entry points for intruders and repairing or otherwise closing those avenues of access. |
Security perimeter | The boundary that defines the area of security concern and security policy coverage |
Security policy | 1) The set of management statements that documents an organization’s philosophy of protecting its computing and information assets; 2) the set of security rules enforced by the system’s security features |
Security software | Software used to administer logical security. It usually includes authentication of users, access granting according to predefined rules, monitoring and reporting functions. |
Security testing | Making sure the modified/new system includes appropriate access controls and does not introduce any security holes that might compromise other systems |
Security/transaction risk | The current and prospective risk to earnings and capital arising from fraud, error and the inability to deliver products or services, maintain a competitive position and manage information. Security risk is evident in each product and service offered and encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services and the internal control environment. A high level of security risk may exist with Internet banking products, particularly if those lines of business are not adequately planned, implemented and monitored. |
Segregation/separation of duties | A basic control that prevents or detects errors and irregularities by assigning responsibility for initiating transactions, recording transactions and custody of assets to separate individuals. Commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection. |
Sequence check | Verifies that the control number follows sequentially and any control numbers out of sequence are rejected or noted on an exception report for further research (can be alpha or numeric and usually utilizes a key field) |
Sequential file | A computer file storage format in which one record follows another. Records can be accessed sequentially only. It is required with magnetic tape. |
Service bureau | A computer facility that provides data processing services to clients on a continual basis |
Service level agreement (SLA) | Defined minimum performance measures at or above which the service delivered is considered acceptable |
Service provider | The organization providing the outsourced service |
Service user | The organization using the outsourced service |
Shell | The interface between the user and the system |
Signatures | Patterns indicating misuse of a system |
Simple fail-over | A fail-over process in which the primary node owns the resource group. The backup node runs a non-critical application (e.g., a development or test environment) and takes over the critical resource group but not vice versa. |
Simple Object Access Protocol (SOAP) | A platform-independent XML-based formatted protocol enabling applications to communicate with each other over the Internet. Use of this protocol may provide a significant security risk to web application operations, since use of SOAP piggybacks onto a web-based document object model and is transmitted via the web's HTTP service protocol (port 80) to penetrate server firewalls, which are usually configured to accept port 80 and port 21 (FTP) requests. Web-based document models define how objects on a web page are associated with each other, and how they can be manipulated while being sent from a server to a client browser. SOAP typically relies on XML for presentation formatting and also adds appropriate HTTP-based headers to send it. |
Single point of failure | A resource whose loss will result in the loss of service or production |
Smart card | A small electronic device that contains electronic memory, and possibly an embedded integrated circuit. It can be used for a number of purposes including the storage of digital certificates or digital cash, or it can be used as a token to authenticate users. |
SMTP (Simple Mail Transport Protocol) | The standard e-mail protocol on the Internet |
Sniff | The act of capturing network packets, including those not necessarily destined for the computer running the sniffing software |
Sniffing | An attack capturing sensitive pieces of information, such as passwords, passing through the network |
Software | Programs and supporting documentation that enable and facilitate use of the computer. Software controls the operation of the hardware. |
Source code | Source code is the language in which a program is written. Source code is translated into object code by assemblers and compilers. In some cases, source code may be converted automatically into another language by a conversion program. Source code is not executable by the computer directly. It must first be converted into a machine language. |
Source code compare programs | Programs that provide assurance that the software being audited is the correct version of the software, by providing a meaningful listing of any discrepancies between the two versions of the program |
Source documents | The forms used to record data that have been captured. A source document may be a piece of paper, a turnaround document or an image displayed for online data input. |
Source lines of code (SLOC) | Source lines of code are often used in deriving single-point software-size estimations. |
Spanning port | A port configured on a network switch to receive copies of traffic from one or more other ports on the switch |
Split data systems | A condition in which each of an organization’s regional locations maintains its own financial and operational data while sharing processing with an organizationwide, centralized database. This permits easy sharing of data while maintaining a certain level of autonomy. |
Split DNS | An implementation of DNS intended to secure responses provided by the server such that different responses are given to internal vs. external users |
Spoofing | Faking the sending address of a transmission in order to gain illegal entry into a secure system |
Spool (simultaneous peripheral operations online) | An automated function that can be operating system or application based in which electronic data being transmitted between storage areas are spooled or stored until the receiving device or storage area is prepared and able to receive the information. This operation allows more efficient electronic data transfers from one device to another by permitting higher speed sending functions, such as internal memory, to continue on with other operations instead of waiting on the slower speed receiving device, such as a printer. |
Standing data | Permanent reference data used in transaction processing. These data are changed infrequently, such as a product price file or a name and address file. |
Star topology | A type of LAN architecture that utilizes a central controller to which all nodes are directly connected. All transmissions from one station to another pass through the central controller, which is responsible for managing and controlling all communication. The central controller often acts as a switching device. |
Static analysis | Analysis of information that occurs on a noncontinuous basis; also known as interval-based analysis |
Statistical sampling | A method of selecting a portion of a population, by means of mathematical calculations and probabilities, for the purpose of making scientifically and mathematically sound inferences regarding the characteristics of the entire population |
Strategic risk | The current and prospective effect on earnings or capital arising from adverse business decisions, improper implementation of decisions or lack of responsiveness to industry changes. |
Structured programming | A top-down technique of designing programs and systems. It makes programs more readable, more reliable and more easily maintained. |
Structured Query Language (SQL) | The primary language used by both application programmers and end users in accessing relational databases |
Subject matter (area of activity) | The specific information subject to the IS auditor’s report and related procedures, which can include things such as the design or operation of internal controls and compliance with privacy practices or standards or specified laws and regulations. |
Substantive testing | Tests of detailed activities and transactions, or analytical review tests, designed to obtain audit evidence on the completeness, accuracy or existence of those activities or transactions during the audit period |
Sufficient audit evidence | Audit evidence is sufficient if it is adequate, convincing and would lead another IS auditor to form the same conclusions. |
Surge suppressor | Filters out electrical surges and spikes |
SWIFT | Founded in Brussels in 1973, the Society for the Worldwide Interbank Financial Telecommunication (SWIFT) is a co-operative organisation dedicated to the promotion and development of standardised global interactivity for financial transactions. SWIFT's original mandate was to establish a global communications link for data processing and a common language for international financial transactions. The Society operates a messaging service for financial messages, such as letters of credit, payments, and securities transactions, between member banks worldwide. SWIFT's essential function is to deliver these messages quickly and securely—both of which are prime considerations for financial matters. Member organisations create formatted messages that are then forwarded to SWIFT for delivery to the recipient member organisation. SWIFT operates out of its Brussels headquarters and processes data at centres in Belgium and the United States |
Switch | A device that forwards packets between LAN devices or segments. LANs that use switches are called switched LANs. |
Symmetric key encryption | Two trading partners both share one or more secrets. No one else can read their messages. A different key (or set of keys) is needed for each pair of trading partners. The same key is used for encryption and decryption. (Also see Private key cryptosystems.) |
SYN (synchronize) | A flag set in the initial setup packets to indicate that the communicating parties are synchronizing the sequence numbers used for the data transmission |
Synchronous transmission | Block-at-a-time data transmission |
System exit | Special system software features and utilities that allow the user to perform complex system maintenance. Use of these exits often permits the user to operate outside of the security access control system. |
System flowcharts | System flowcharts are graphical representations of the sequence of operations in an information system or program. Information system flowcharts show how data from source documents flow through the computer to final distribution to users. Symbols used should be the internationally accepted standard. System flowcharts should be updated when necessary. |
System narratives | System narratives provide an overview explanation of system flowcharts, with explanation of key control points and system interfaces. |
System software | A collection of computer programs used in the design, processing and control of all applications. The programs and processing routines that control the computer hardware, including the operating system and utility programs. |
System testing | A series of tests designed to ensure that the modified program interacts correctly with other system components. These test procedures typically are performed by the system maintenance staff in their development library. |
Systems acquisition process | The procedures established to purchase application software, or an upgrade, including evaluation of the supplier's financial stability, track record, resources and references from existing customers |
Systems analysis | The systems development phase in which systems specifications and conceptual designs are developed, based on end-user needs and requirements |
Systems development life cycle (SDLC) | An approach used to plan, design, develop, test and implement an application system or a major modification to an application system. Typical phases include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post-implementation review. |
Table look-ups | Used to ensure that input data agree with predetermined criteria stored in a table |
TACACS+ (terminal access controller access control system plus) | An authentication protocol, often used by remote-access servers |
Tape management system (TMS) | A system software tool that logs, monitors and directs computer tape usage |
Taps | Wiring devices that may be inserted into communication links for use with analysis probes, LAN analyzers and intrusion detection security systems |
TCP (transmission control protocol) | A connection-based Internet protocol that supports reliable data transfer connections. Packet data is verified using checksums and retransmitted if it is missing or corrupted. The application plays no part in validating the transfer. |
TCP/IP (Transmission Control Protocol/Internet Protocol) | A set of communications protocols that encompasses media access, packet transport, session communications, file transfer, electronic mail, terminal emulation, remote file access and network management. TCP/IP provides the basis for the Internet. |
Tcpdump | A network monitoring and data acquisition tool that performs filter translation, packet acquisition and packet display |
Technical infrastructure security | The security of the infrastructure that supports the ERP: networking and telecommunications, operating systems and databases. |
Telecommunications | Electronic communications by special devices over distances or around devices that preclude direct interpersonal exchange |
Teleprocessing | Using telecommunications facilities for handling and processing of computerized information |
Telnet | Used to enable remote access to a server computer. Commands typed are run on the remote server. |
Terminal | A device for sending and receiving computerized data over transmission lines |
Terms of reference | A document that confirms the client's and the IS auditor's acceptance of a review assignment |
Test data | Simulated transactions that can be used to test processing logic, computations and controls actually programmed in computer applications. Individual programs or an entire system can be tested. This technique includes Integrated Test Facilities (ITFs) and Base Case System Evaluations (BCSEs). |
Test generators | Software used to create data to be used in the testing of computer programs |
Test programs | Programs that are tested and evaluated before approval into the production environment. Test programs, through a series of change control moves, migrate from the test environment to the production environment and become production programs. |
Third-party review | An independent audit of the control structure of a service organization, such as a service bureau, with the objective of providing assurances to the users of the service organization that the internal control structure is adequate, effective and sound |
Threat | Any situation or event that has the potential to harm a system |
Token | A device that is used to authenticate a user, typically in addition to a username and password. It is usually a credit card-sized device that displays a pseudo random number that changes every few minutes. |
Token ring topology | A type of LAN ring topology in which a frame containing a specific format, called the token, is passed from one station to the next around the ring. When a station receives the token, it is allowed to transmit. The station can send as many frames as desired until a predefined time limit is reached. When a station either has no more frames to send or reaches the time limit, it transmits the token. Token passing prevents data collisions that can occur when two computers begin transmitting at the same time. |
Top-level management | The highest level of management in the organization, responsible for direction and control of the organization as a whole (such as director, general manager, partner, chief officer and executive manager). |
Topology | The physical layout of how computers are linked together. Examples include ring, star and bus. |
Transaction | Business events or information grouped together because they have a single or similar purpose. Typically, a transaction is applied to a calculation or event that then results in the updating of a holding or master file. |
Transaction log | A manual or automated log of all updates to data files and databases |
Transaction protection | Also known as "automated remote journaling of redo logs." A data recovery strategy that is similar to electronic vaulting, except that instead of transmitting several transaction batches daily, the archive logs are shipped as they are created. |
Trap door | Unauthorized electronic exits, or doorways, out of an authorized computer program into a set of malicious instructions or programs |
Trojan horse | Purposefully hidden malicious or damaging code within an authorized computer program. Unlike viruses, they do not replicate themselves, but they can be just as destructive to a single computer. |
Trust | Generally, the assumption that an entity will behave substantially as expected. Trust may apply only for a specific function. The key role of this term in an authentication framework is to describe the relationship between an authenticating entity and a certificate authority (CA). An authenticating entity must be certain that it can trust the CA to create only valid and reliable certificates, and users of those certificates rely upon the authenticating entity's determination of trust. |
Trusted processes | Processes certified as supporting a security goal |
Trusted systems | Systems that employ sufficient hardware and software assurance measures to allow their use for processing of a range of sensitive or classified information |
Tuple | A row or record consisting of a set of attribute value pairs (column or field) in a relational data structure |
Twisted pairs | A pair of small, insulated wires that are twisted around each other to minimize interference from other wires in the cable. This is a low-capacity transmission medium. |
UDP (User Datagram Protocol) | A connectionless Internet protocol that is designed for network efficiency and speed at the expense of reliability. A data request by the client is served by sending packets without testing to verify whether they actually arrive at the destination, nor whether they were corrupted in transit. It is up to the application to determine these factors and request retransmissions. |
Uninterruptible power supply (UPS) | Provides short-term backup power from batteries for a computer system when the electrical power fails or drops to an unacceptable voltage level |
Unit testing | A testing technique that is used to test program logic within a particular program or module. The purpose of the test is to ensure that the program meets system development guidelines and does not abnormally end during processing. |
Universal Description, Discovery and Integration (UDDI) | A web-based version of the traditional phone book's yellow and white pages enabling businesses to be publicly listed in promoting greater e-commerce activities. |
UNIX | A multiuser, multitasking operating system that is used widely as the master control program in workstations and especially servers |
Untrustworthy host | In a basic border firewall architecture, a host that resides on an untrusted network where the firewall cannot protect it. That host is minimally configured and carefully managed to be as secure as possible. The firewall is configured to require incoming and outgoing traffic to go through the untrustworthy host. The host is referred to as untrustworthy because it cannot be protected by the firewall; therefore, hosts on the trusted networks can place only limited trust in it. |
Uploading | The process of electronically sending computerized information from one computer to another computer. Most often, the transfer is from a smaller computer to a larger one. |
Useful audit evidence | Audit evidence is useful if it assists the IS auditors in meeting their audit objectives. |
Utility programs | Specialized system software used to perform particular computerized functions and routines that are frequently required during normal processing. Examples include sorting, backing up and erasing data. |
Utility software | Computer programs provided by a computer hardware manufacturer or software vendor and used in running the system. This technique can be used to examine processing activities; to test programs, system activities and operational procedures; to evaluate data file activity; and to analyze job accounting data. |
Vaccine | A program designed to detect computer viruses |
Validity check | Programmed checking of data validity in accordance with predetermined criteria |
Value-added network (VAN) | A data communication network that adds processing services such as error correction, data translation and/or storage to the basic function of transporting data |
Variable sampling | A sampling technique used to estimate the average or total value of a population based on a sample; a statistical model used to project a quantitative characteristic, such as a dollar amount |
Verification | Checks that data are entered correctly |
Virtual organizations | Organizations that have no official physical site presence and are made up of diverse geographically dispersed or mobile employees. |
Virtual private network (VPN) | A private network that is configured within a public network. For years, common carriers have built VPNs that appear as private national or international networks to the customer, but physically share backbone trunks with other customers. VPNs enjoy the security of a private network via access control and encryption, while taking advantage of the economies of scale and built-in management facilities of large public networks. |
Virus | A destructive computer program that spreads from computer to computer using a range of methods, including infecting floppy disks and other programs. Viruses typically attach themselves to a program and modify it so that the virus code runs when the program is first started. The infected program typically runs normally, but the virus code then infects other programs whenever it can. (Also see worm.) |
Voice mail | A system of storing messages in a private recording medium where the called party can later retrieve the messages |
Vulnerabilities | Weaknesses in systems that can be exploited in ways that violate security policy |
Vulnerability | A weakness in system security procedures, system design, implementation or internal controls that could be exploited to violate system security. |
Vulnerability analysis | Analysis of the security state of a system or its compromise on the basis of information collected at intervals |
War dialler | Software packages that sequentially dial telephone numbers, recording any numbers that answer |
Warm-site | A warm-site is similar to a hot-site; however, it is not fully equipped with all necessary hardware needed for recovery. |
Waterfall development | Also known as traditional development, it is a very procedure-focused development cycle with formal sign-off at the completion of each level. |
Web page | A viewable screen displaying information, presented through a web browser in a single view, sometimes requiring the user to scroll to review the entire page. A bank web page may display the bank’s logo, provide information about bank products and services, or allow a customer to interact with the bank or third parties that have contracted with the bank. |
Web Services Description Language (WSDL) | An XML-formatted language used to describe a web service's capabilities as collections of communication endpoints capable of exchanging messages. WSDL is the language that UDDI uses. (Also see Universal Description, Discovery and Integration (UDDI)) |
Web site | Consists of one or more web pages that may originate at one or more web server computers. A person can view the pages of a website in any order, as he or she would a magazine. |
Whitebox testing | A testing approach that uses knowledge of a program/module’s underlying implementation and code internals to verify its expected behavior. |
Wide area network (WAN) | A computer network connecting different remote locations that may range from short distances, such as a floor or building, to extremely long transmissions that encompass a large region or several countries |
Windows NT | A version of the Windows operating system that supports preemptive multitasking |
Wiretapping | The practice of eavesdropping on information being transmitted over telecommunications links |
World Wide Web (WWW) | A sub-network of the Internet through which information is exchanged by text, graphics, audio and video. |
World Wide Web Consortium (W3C) | An international consortium founded in 1994 of affiliates from public and private organizations involved with the Internet and the web. The W3C's primary mission is to promulgate open standards to further enhance the economic growth of Internet web services globally. |
Worm | With respect to security, a special type of virus that does not attach itself to programs, but rather spreads via other methods such as e-mail (also see virus) |
X.25 | A protocol for packet-switching networks |
X.25 interface | An interface between data terminal equipment (DTE) and data circuit-terminating equipment (DCE) for terminals operating in the packet mode on some public data networks |
X.500 | Standard that defines how global directories should be structured. X.500 directories are hierarchical with different levels for each category of information, such as country, state and city. |