ISACA CISA Glossary


Audit objective

The specific goal(s) of an audit Scope Note: These often center on substantiating the existence of internal controls to minimize business risk.

Corporate governance

The system by which enterprises are directed and controlled. The board of directors is responsible for the governance of their enterprise. It consists of the leadership and organizational structures and processes that ensure the enterprise sustains an...

Audit plan

1. A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an appropriate opinion Scope Note: Includes the areas to be a...

Capability Maturity Model (CMM)

1. Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectivene...

Authentication

1. The act of verifying identity (i.e., user, system) Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data 2. The act of verifying the identity of a user and the user's eligibility to access computerized informat...

Asymmetric key (public key)

A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message Scope Note: See Public key encryption.

Cluster controller

A communication terminal control hardware unit that controls a number of computer terminals Scope Note: All messages are buffered by the controller and then transmitted to the receiver.

Application

A computer program or set of programs that performs the processing of records for a specific function Scope Note: Contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as...

Circuit-switched network

A data transmission service requiring the establishment of a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE Scope Note: A circuit-switched data transmiss...

Data dictionary

A database that contains the name, type, range of values, source and authorization for access for each data element in a database. It also indicates which application programs use those data so that when a data structure is contemplated, a list of ...

Certification practice statement (CPS)

A detailed set of rules governing the certificate authority's operations. It provides an understanding of the value and trustworthiness of certificates issued by a given certificate authority (CA). Scope Note: In ...

Client-server

A group of computers connected by a communication network, in which the client is the requesting machine and the server is the supplying machine Scope Note: Software is specialized at both ends. Processing may take place on eit...

Computer emergency response team (CERT)

A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single ...

Change management

A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or "soft" elements of change Scope Note: Includes activities such as culture change (values, b...

Chain of custody

A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it...

Checksum

A mathematical value that is assigned to a file and used to "test" the file at a later date to verify that the data contained in the file has not been maliciously changed Scope Note: A cryptographic checksum is created by performing a co...

Cookie

A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them Scope Note: The first time a cookie is set, a user may be required to go through a registration process. Subsequent to this, ...

Challenge/response token

A method of user authentication that is carried out through use of the Challenge Handshake Authentication Protocol (CHAP) Scope Note: When a user tries to log into the server using CHAP, the server sends the user a "challenge," which is a random ...

Completely connected (mesh) configuration

A network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks)

Check digit

A numeric value, which has been calculated mathematically, is added to data to ensure that original data have not been altered or that an incorrect, but valid match has occurred. Scope Note: Check digit control is effective in detecting transpositio...

Card swipe

A physical control technique that uses a secured card or ID to gain access to a highly sensitive location. Scope Note: If built correctly, card swipes act as a preventive control over physical access to those sensitive locations. After a card has bee...

Business continuity plan (BCP)

A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems

Checkpoint restart procedures

A point in a routine at which sufficient information can be stored to permit restarting the computation from that point

Acceptable use policy

A policy that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet

Completeness check

A procedure designed to ensure that no fields are missing from a record

Business impact analysis (BIA)

A process to determine the impact of losing the support of any resource Scope Note: The BIA assessment study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to do...

Biometrics

A security technique that verifies an individual's identity by analyzing a unique physical attribute, such as a handprint

Alternative routing

A service that allows the option of having an alternate route to complete a call when the marked destination is not available Scope Note: In signaling, alternative routing is the process of allocating substitute routes for a given signaling traffic st...

Application programming interface (API)

A set of routines, protocols and tools referred to as "building blocks" used in business application software development Scope Note: A good API makes it easier to develop a program by providing all the building blocks related to functional character...

Adware

A software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used Scope Note: In most cases, this is done without any ...

Database management system (DBMS)

A software system that controls the organization, storage and retrieval of data in a database

Control objective

A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process

Audit program

A step-by-step set of audit procedures and instructions that should be performed to complete an audit

Database

A stored collection of related data needed by enterprises and individuals to meet their information processing and retrieval requirements

Benchmarking

A systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business Scope Note: Examples include benchmarking of quality, logistic efficiency and various other metrics.

Black box testing

A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code

Certificate (Certification) authority (CA)

A trusted third party that serves authentication infrastructures or enterprises and registers entities and issues them certificates

Audit trail

A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source

Customer relationship management (CRM)

A way to identify, acquire and retain customers. CRM is also an industry term for software solutions that help an enterprise manage customer relationships in an organized manner.

Bus configuration

All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes. Scope Note: This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires t...

Comprehensive audit

An audit designed to determine the accuracy of financial records as well as to evaluate the internal controls of a function or department

Attribute sampling

An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size)

Console log

An automated detail report of computer system activity

Cold site

An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place Scope Note: The site is ready to receive the necessa...

Data Encryption Standard (DES)

An algorithm for encoding binary data Scope Note: It is a secret key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES and its variants have been repl...

Antivirus software

Application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done and repair or quarantine files that have already been infected

Database administrator (DBA)

An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the ...

Certificate revocation list (CRL)

An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility Scope Note: The CRL details digital certificates that are no longer valid. The time gap between two updates is very cri...

Decision support systems (DSS)

An interactive system that provides the user with easy access to decision models and data, to support semistructured decision-making tasks

Access control list (ACL)

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals Scope Note: Also referred to as access control tables

Compensating control

An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions

Computer-assisted audit technique (CAAT)

Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities

Data diddling

Changing data with malicious intent before or during input into the system

Coaxial cable

Composed of an insulated wire that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second wire Scope Note: Has a greater transmission capacit...

Batch control

Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage Scope Note: There are two main forms of batch controls: sequence control, which involves numbering the records in a...


Corrective control

Designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected

Balanced scorecard (BSC)

Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives

Brouter

Device that performs the functions of both a bridge and a router Scope Note: A brouter operates at both the data link and the network layers. It connects same data link type LAN segments as well as different data link ones, ...

Business case

Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycl...

Backup

Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service

Data-oriented systems development

Focuses on providing ad hoc reporting for users by developing a suitable accessible database of information and to provide useable data rather than a function

Circular routing

In open systems architecture, circular routing is the logical path of a message in a communication network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model.

Control practice

Key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management...

Buffer

Memory reserved to temporarily hold data to offset differences between the operating speeds of different devices, such as a printer and a computer Scope Note: In a program, buffers are reserved areas of random access memory (RAM) that hold data while...

Coupling

Measure of interconnectivity among structure of software programs. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data pass across the inte...

Broadband

Multiple channels are formed by dividing the transmission medium into discrete frequency segments. Scope Note: Broadband generally requires the use of a modem.

Continuity

Preventing, mitigating and recovering from disruption Scope Note: The terms "business resumption planning," "disaster recovery planning" and "contingency planning" also may be used in this context; they all concentrate on the recovery aspects of c...

Contingency planning

Process of developing advance arrangements and procedures that enable an enterprise to respond to an event that could occur by chance or unforeseen circumstances.

Concurrency control

Refers to a class of controls used in a database management system (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serial an...

Data leakage

Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes

Application software tracing and mapping

Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, control conditions and processing sequences Scope Note: Both the command language or job control st...

Database replication

The process of creating and managing duplicate versions of a database Scope Note: Replication not only copies a database but also synchronizes a set of replicas so that changes made to one replica are reflected in all of the others. The beauty of rep...

Critical infrastructure

Systems whose incapacity or destruction would have a debilitating effect on the economic security of an enterprise, community or nation.

Control risk

The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls (See Inherent risk)

Capacity stress testing

Testing an application with large quantities of data to evaluate its performance during peak periods. Also called volume testing

Compliance testing

Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period

Computer forensics

The application of the scientific method to digital media to establish factual information for judicial review Scope Note: This process often involves investigating computer systems to determine whether they are or have been used for illegal or unaut...

Configuration management

The control of changes to a set of configuration items over a system life cycle

Cohesion

The extent to which a system unit--subroutine, program, module, component, subsystem--performs a single dedicated function. Scope Note: Generally, the more cohesive the unit, the easier it is to maintain and enhance a system because it is easier to d...

Continuous improvement

The goals of continuous improvement (Kaizen) include the elimination of waste, defined as "activities that add cost, but do not add value;" just-in-time (JIT) delivery; production load leveling of amounts and types; standardized work; paced moving lin...

Data custodian

The individual(s) and department(s) responsible for the storage and safeguarding of computerized data

Data owner

The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data

Audit evidence

The information used to support the audit opinion

Access path

The logical route that an end user takes to access computerized information Scope Note: Typically includes a route through the operating system, telecommunications software, selected application software and the access control system

Backbone

The main communication channel of a digital network. The part of a network that handles the major traffic Scope Note: Employs the highest-speed transmission paths in the network and may also run the longest distances. Smaller networks are attached to...

Audit risk

The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred

Critical success factor (CSF)

The most important issue or action for management to achieve control over and within its IT processes

Access rights

The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

Application controls

The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved

Decentralization

The process of distributing computer processing to different locations within an enterprise

Access control

The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

Batch processing

The processing of a group of transactions at the same time Scope Note: Transactions are collected and processed against the master files at a specified time.

Bandwidth

The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).

Baud rate

The rate of transmission for telecommunications data, expressed in bits per second (bps)

Data structure

The relationships among files in a database and among data items within each file

Business process reengineering (BPR)

The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings

Computer-aided software engineering (CASE)

The use of software packages that aid in the development of all phases of an information system Scope Note: System analysis, design programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts ...

Continuous auditing approach

This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.

Computer sequence checking

Verifies that the control number follows sequentially and that any control numbers out of sequence are rejected or noted on an exception report for further research
