CISA

Ace your homework & exams now with Quizwiz!

hub

An Ethernet network device that is used to connect devices to the network. A ___________ can be thought of as a multiport repeater.

repeater

An Ethernet network device that receives and retransmits signals on the network.

bridge

An Ethernet network device used to interconnect two or more Ethernet networks.

private address

An IP address that fall into one of the following ranges: 10.0.0.0-10.255.255.255, 172.31.255.255, or 192.168.0.0-192.168.255.255. Packets with a private address destination cannot be transported over the global Internet.

Customer Relationship Management (CRM)

An IS application used to track the details of the relationships with each of an organization's customers.

ISO/IEC 9660

An ISO/IEC standard file system used on CD-ROM and DVD-ROM media.

ISO/IEC 27002

An ISO/IEC standard for IT security controls.

ISO/IEC 27001

An ISO/IEC standard for IT security management.

ISO/IEC 20000

An ISO/IEC standard for IT service management (ITSM).

ISO/IEC 9000

An ISO/IEC standard for a quality management system.

ISO/IEC 38500

An ISO/IEC standard for corporate governance of information technology.

ISO/IEC 15504

An ISO/IEC standard for evaluating the maturity of a software development process.

ISO/IEC 9126

An ISO/IEC standard for evaluating the quality of software.

indicator of compromise (IoC)

An observation on a network or in an operating system that indicates evidence of a network or computer intrusion.

Universal Disk Format (UDF)

An optical media file system considered a replacement for ISO/IEC 9660.

program

An organization of many large, complex activities; it can be thought of as a set of projects that work to fulfill one or more key business objectives or goals.

Managed Security Service Provider (MSSP)

An organization that provides security monitoring and/or management services for customers.

plaintext

An original message, file, or stream of data that can be read by anyone who has access to it.

disaster

An unexpected and unplanned event that results in the disruption of business operations.

Plain OId Telephone Service (POTS)

Another name for the public-switched telephone network (PSTN).

countermeasure

Any activity or mechanism designed to reduce risk.

access bypass

Any attempt by an intruder to bypass access controls in order to gain entry into a system.

gate process

Any business process that consists of one or more review/ approval gates, which must be completed before the process may continue.

input/output (I/O) device

Any device that can be connected to a computer that enables the computer to send data to the device as well as receive data from the device.

electromagnetic interface (EMI)

Any electric field or magnetic field energy that can potentially interfere with a signal being sent via radiofrequency or over a metallic medium.

Object-Oriented (OO) System Development

Development of information systems using object-oriented languages and tools.

atomicity

The characteristic of a complex transaction whereby it is either performed completely as a single unit or not performed at all.

objectivity

The characteristic of a person that relates to his or her ability to develop an opinion that is not influenced by external pressures.

independence

The characteristic of an auditor and his or her relationship to a party being audited. An auditor should be independent of the auditee; this permits the auditor to be objective.

referential integrity

The characteristic of relational database management systems that requires the database management system maintain the parent-child relationships between records in different tables and prohibits activities such as deleting parent records and transforming child records into orphans.

class

The characteristics of an object, including its attributes, properties, fields, and the methods it can perform.

off-site media storage

The practice of storing media such as backup tapes at an offsite facility located away from the primary computing facility.

noise

The presence of other electromagnetic signals within incoming power.

threat hunting

The proactive search for intrusions, intruders, and indicators of compromise.

confidence coefficient

The probability that a sample selected actually represents the entire population. This is usually expressed as a percentage.

sampling risk

The probability that a sample selected does not represent the entire population. This is usually expressed as a percentage, as the numeric inverse of the confidence coefficient.

reverse engineering

The process of analyzing a system to see how it functions, usually as a means for developing a similar system. ____________________________ is usually not permitted when it is applied to commercial software programs.

authentication

The process of asserting one's identity and providing proof of that identity. Typically, authentication can also requires a user ID (the assertion) and a password (the proof). However, authentication can also require stronger means of proof, such as a digital certificate, token, smart card, biometric.

identification

The process of asserting one's identity without providing proof of that identity.

data classification/ information classification

The process of assigning a sensitivity classification to a data set or information asset.

E-vaulting

The process of backing up data to a cloud-based storage provider. ______________ is a form of backup, as distinguished from e-journaling.

password reset

The process of changing a user account password and unlocking the user account so that the user's use of the account may resume.

transfer

The process of changing an employee's job title, department, and/or responsibilities.

asset inventory

The process of confirming the existence, location, and condition of assets; also, the results of such a process.

project change management

The process of controlling a project plan and budget through formal reviews of changes.

data restore

The process of copying data from backup media to a target system for the purpose of restoring lost or damaged data.

backup

The process of copying important data to another media device in the event of a hardware failure, error, or software bug, disaster, that causes damage to data.

key disposal

The process of decommissioning encryption keys.

termination

The process of discontinuing employment of an employee or a contractor.

media destruction/ media sanitization

The process of ensuring the destruction of data on digital media.

damage assessment

The process of examining assets after a disaster to determine the extent of damage.

risk analysis

The process of identifying and studying risks in an organization.

patch management

The process of identifying, analyzing, and applying patches (including security patches) to systems.

key rotation

The process of issuing a new encryption key and re-encrypting data protected with the new key.

software licensing

The process of maintaining accurate records regarding the permitted use of software programs.

salvage

The process of recovering components or assets that still have value after a disaster.

password vaulting

The process of storing a password in a secure location for later use.

migration

The process of transferring data from one system to a replacement system.

decryption

The process of transforming ciphertext into plaintext so that a recipient can read it.

background check

The process of verifying an employment candidate's employment history, education recfords, professional licenses and certifications, criminal background, and financial background.

developement

The process where software code is created.

authorization

The process whereby a system determines what rights and privileges a user has.

audit scope

The process, procedures, systems, and applications that are the subject of an audit.

asset management

The processes used to manage the inventory, classification, use, and disposal of assets.

inheritance

The property of a class whereby the class's attributes are passed to its chidlren.

nonrepudiation

The property of digital signatures and encryption that can make it difficult or impossible for a party to deny having sent a digitally signed message- unless they admit to having lost control of their private encryption key.

privacy

The protection of personal information from unauthorized disclosure, use, and distribution.

packet

The protocol data unit (PDU) at the IP layer of TCP/IP and layer 3 of the OSI model.

frame

The protocol data unit (PDU) at the transport layer of TCP/IP (namely, for Ethernet) , and layer 2 of the OSI model.

cell

The protocol data unit (PDU) for the Asynchronous Transfer Mode (ATM) protocol.

datagram

The protocol data unit (PDU) for the User Datagram Protocol in the TCP?IP suite.

audit objective

The purpose or goals of an audit. Generally, the _______________ of an audit is to determine whether controls exist and are effective in some specific aspect of business operations in an organization.

False Accept Rate (FAR)

The rate at which invalid subjects are accepted as valid. This occurs when the biometric system has too large a margin of error.

False Reject Rate (FRR)

The rate at which valid subjects are rejected as invalid. This occurs when the biometric system has too small a margin of error.

Return of Investment (ROI)

The ratio of money gained or lost as compared to an original investment.

software program library

The repository that contains program source code and that usually includes tools to manage the maintenance of source code.

RACI (Responsible, Accountable, Consulted, and Informed)

The responsibility model used to describe and track individual responsibilities in a business process or a project.

message digest

The result of a cryptographic hash functions.

control failure

The result of an audit of a control whereby the control is determined to be ineffective.

digital signature

The result of encrypting the hash of a message with the originator's private encryption key, used to prove the authenticity and integrity of a message.

benefits realization

The result of strategic planning, process development, and system development, which all contribute toward a launch of business operations to reach a set of business objectives.

control risk

The risk that a material error exists that will not be prevented or detected by the organization's control framework.

detection risk

The risk that an IS auditor will overlook errors or exceptions during an audit.

inherent risk

The risk that material weaknesses are present in existing business processes and no compensating controls are able to detect or prevent them.

residual risk

The risk that remains after being reduced through other risk treatment options.

risk acceptance

The risk treatment option in which management chooses to accept the risk as-is.

risk avoidance

The risk treatment option involving a cessation of the activity that introduces identified risk.

risk mitigation

The risk treatment option involving implementation of a solution that will reduce an identified risk.

risk transfer

The risk treatment option involving the act of transferring risk to another party, such as an insurance company.

IT Infrastructure Library (ITIL)/ IT service management (ITSM)

The set of activities that ensures the delivery of IT services is efficient and effective, through active management and the continuous improvement of processes.

attack surface

The set of hardware and software components present on a system or in an environment that can potentially be exploited by an attacker.

OSI network model

The seven-layer network model that incorporates encapsulation of messages. The OSI model has been extensively studied but has never been entirely implemented.

key length

The size (measured in bits) of an encryption key. Longer encryption keys mean that it takes greater effort to attack a cryptosystem successfully.

Maximum Transmission Unit (MTU)

The size of the largest protocol data unit (PDU) that can be transmitted on a network.

cutover

The step in the system development life cycle in which an old replaced system is shut down and a new replacement system is started.

threat management

Activities undertaken by an organization to learn of relevant security threats, so that the organization can take appropriate action to counter the threats.

strategic planning

Activities used to develop and refine long-term plans and objectives.

input controls

Administrative and technical controls that determine what data is permitted to be input into an information system. These controls exist to ensure the integrity of information in a system.

key protection

All means used to protect encryption keys from unauthorized disclosure and harm.

mobile device

A portable computer in the form of a smartphone, tablet computer, or wearable device.

laptop computer/ notebook computer

A portable computer used by an individual user.

mobile site

A portable recovery center that can be delivered to almost any location in the world.

sprint

A portion of a project in which an individual or a team will accomplish a set of objectives within a specified timeframe.

sample

A portiuon of population of records taht is slected for auditing.

encapsulation

A practice in which a method can call on another method to help perform its work.

digital private branch exchange (DPBX)

A private branch exchange (PBX) that supports digital technologies such as Voice over IP (VoIP) and Session Initiation Protocol (SIP).

data control language

A procedural language used to control access to a database.

Data Definition Language (DDL)

A procedural language used to describe the structure of data contained in a database.

Data Manipulation Language (DML)

A procedural language used to insert, delete, and modify data in a database.

back-out plan

A procedure used to reverse the effect of a change that was not successful.

risk assessment

A process in which risks, in the form of threats and vulnerabilities, are identified for each asset.

performance evaluation

A process whereby an employer evaluates the performance of each employee for the purpose of promotion, salary increase, bonus, or retention.

sniffer

A program that can be installed on a network-attached system to capture network traffic being transmitted to or from the system.

component-based development

A system development life cycle process whereby various components of a larger system are developed separately.

message server

A system in a distributed processing environment that stores and forwards transactions between systems.

Occupant Emergency Plan (OEP)

Activities required to care for occupants in a business location safely during a disaster.

preventive control

A control that is used to prevent unwanted events from happening.

manual control

A control that requires a human to operate it.

project

A coordinated and managed sequence of tasks that results in the realization of an objective or goal.

hash function

A cryptographic operation on a block of data that returns fixed-length string of characters, used to verify the integrity of a message.

hybrid cryptography

A cryptosystem that employs two or more iterations or types of cryptography.

reciprocal site

A data center that is operated by another company. Two or more organizations with similar processing needs will draw up a legal contract that obligates one or more of the organizations to house another party's systems temporarily at a reciprocal site in the vent of a disaster.

Relational Database Management System (RDBMS)

A database management system that permits the design of a database consisting of one ore more tables that can contain fields that refer to rows in other tables. This is currently the most popular type of database management system.

Distributed Denial of Service (DDoS)

A denial of service (DoS) attack that originates from many computers.

statement of impact

A description of the impact a disaster will have on a business or business process.

session border controller

A device deployed in a VoIP network to control VoIP security, connectivity, quality of service, and metering.

codec

A device or program that encodes or decodes a data stream.

proxy server

A device or system used to control end-user access to Internet web sites.

gateway

A device that acts as a protocol converter or that performs some other type of transformation of messages.

firewall

A device that controls the flow of network messages between networks. Placed at the boundary between the Internet and an organization's internal network, firewalls enforce security policy by prohibiting all inbound traffic except for the specific few types of traffic that are permitted to a select few systems.

Power Distribution Unit (PDU)

A device that distributes electric power to a computer room or data center.

protocol analyzer

A device that is connected to a network to view network communications at a detailed level.

Network Interface Card (NIC)

A device that is directly connected to a computer's bus and contains one or more connectors to which a network cable may be connected.

router

A device that is used to interconnect two or more networks.

access point

A device that provides communication services using the 802.11 (Wi-Fi) protocol standard.

layer 3 switch

A device that routes packets between different TCP/IP networks.

layer 4-7 switch

A device that routes packets to destinations based on their internal content.

modem (modulator-demodulator)

A device used to connect a local computer or network to a telecommunications network.

Channel Service Unit/Data Service Unit (CSU/DSU)

A device used to connect a telecommunications circuit to a local device such as a router.

switch

A device used to connect computers and other devices to a network. Unlike a hub, which sends all network packets to all stations on the network, a switch sends packets only to intended destination stations on the network.

multiplexor

A device used to connect several separate signals and combine them into a single data stream.

application firewall

A device used to control packets being sent to an application server, primarily to block unwanted or malicious content.

layer 4 switch

A device used to route packets to destinations based on TCP and UDP port numbers.

Hardware Security Module (HSM)

A device used to store and protect encryption keys.

organization chart

A diagram that depicts the manager-subordinate relationships within an organization or within a part of an organizations.

data flow diagram

A diagram that illustrates the flow of data within and between systems.

VoIP handset

A digital telephone designed to communicate using VoIP.

man-made disaster

A disaster that is directly or indirectly caused by human activity, through action or inaction.

natural disaster

A disaster that occurs in the natural world with little or no assistance from mankind.

Protocol Data Unit (PDU)

A discrete term that is used to signify a message that is created at various layers of encapsulated protocols such as TCP/IP.

virtual tape library (VTL)

A disk-based storage system that emulates a tape-based storage system.

blockchain

A distibuted ledger used to record cryptographically linked transactions.

response document

A document that outlines required action of personnel after a disaster strikes. Includes business recovery plan, occupant emergency plan, emergency communication plan, contact lists, disaster recovery plan, continuity of operations plan (COOP), and security incident response plan (SIRP).

deluge

A dry pipe fire sprinkler system with all sprinkler heads open. When the system is operated (for instance, when an alarm is triggered), water flows into the pipes and out of the sprinkler heads.

softphone

A software program with the functionality of a VoIP telephone.

process

1) A collection of one or more procedures used to perform a business function. 2) A logical container in an operating system in which a program executes.

wide area network (WAN)

1) A network that ranges in size from regional to international. 2) A single point-to-point connection between two distant locations (a WAN connection).

object

1) The instantiation of a class. If a class is thought of a s a design, an object can be thought of as a running example of the class. 2) A resource, such as a computer, application, database, file, or record.

training

1) The process of educating personnel. 2) To impart information or provide an environment where personnel can practice a new skill.

Asynchronous Transfer Mode (ATM)

A LAN or WAN protocol standard for sending messages in the form of cells over networks. On an ______________ network, all messages are transmitted in synchronization with a network-based time clock. A station that wants to send a message to another station must wait for the time clock.

Dynamic Host Configuration Protocol (DHCP)

A TCP/ IP application layer protocol used to assign an IP address, subnet mask, default gateway, IP address of DNS servers, and other information to a workstation that has joined the network.

Internet Group Management Protocol (IGMP)

A TCP/IP Internet layer protocol used to manage group membership in multicast networks.

remote copy (rcp)

A TCP/IP application layer protocol that is an early file transfer protocol used to copy files or directories from system to system.

File Transfer Protocol Secure (FTPS)

A TCP/IP application layer protocol that is an extension of FTP, in which authentication and transport are encrypted using SSL or TLS.

Secure File Transfer Protocol (SFTP)

A TCP/IP application layer protocol that is an extension of the FTP protocol, where authentication and file transfer are encrypted using SSH. Sometimes referred to as SSH File Transfer Protocol.

Hypertext Transfer Protocol Secure (HTTPS)

A TCP/IP application layer protocol that is similar to HTTP in its use for transporting data between web servers and browsers. _________________ is not a separate protocol, but instead is the instance where HTTP is encrypted with SSL or TLS.

Telnet

A TCP/IP application layer protocol that is used to establish a commandline session on a remote computer. _____ does not encrypt user credentials as they are transmitted over the network and has been largely replaced by SSH.

Simple Mail Transfer Protocol (SMTP)

A TCP/IP application layer protocol that is used to transport e-mail messages.

Secure Shell (SSH)

A TCP/IP application layer protocol that provides a secure channel between two computers whereby all communications between them are encrypted. ______ can also be used as a tunnel to encapsulate and thereby protect other protocols.

Lightweight Directory Access Protocol (LDAP)

A TCP/IP application layer protocol used as a directory service for people and computing resources.

Secure Copy (SCP)

A TCP/IP application layer protocol used as a file transfer protocol that is similar to remote copy (rcp) but is protected using Secure Shell (SSH).

Internet Message Access Protocol (IMAP)

A TCP/IP application layer protocol used by an end-user program to retrieve e-mail messages from an e-mail server.

Simple Network Management Protocol (SNMP)

A TCP/IP application layer protocol used by network devices and systems to transmit management messages indicating a need for administrative attention.

remote login (rlogin)

A TCP/IP application layer protocol used to establish a command-line session on a remote system. Like Telnet, __________ does not encrypt authentication or session contents and has been largely replaced by Secure Shell (SSH).

Network File System (NFS)

A TCP/IP application layer protocol used to make a disk-based resource on another computer appear as a logical volume on a local computer.

Post Office Protocol (POP)

A TCP/IP application layer protocol used to retrieve e-mail messages from an e-mail server.

Network Time Protocol (NTP)

A TCP/IP application layer protocol used to synchronize the time-of-day clocks on systems with time reference standards.

Domain Name System (DNS)

A TCP/IP application layer protocol used to translate domain names (such as www.isecbooks.com) into IP address (such as 216.128.12).

Hypertext Transfer Protocol (HTTP)

A TCP/IP application layer protocol used to transmit web page contents from web servers to users who are using web browsers.

Network News Transfer Protocol (NNTP)

A TCP/IP application layer protocol used to transport Usenet news throughout the Internet and from news servers to end users using news reading programs. Usenet news has been largely deprecated by web-based applications.

Reverse Address Resolution Protocol (RARP)

A TCP/IP link layer protocol that is used by a station that needs to know the IP address that has been assigned to it. ___________ has been largely superseded by DHCP.

classless network

A TCP/IP network whose addressing does not fit the classful network scheme, but instead uses an arbitrary subnet mask, as determined by the network's physical and logical design.

classful network

A TCP/IP network with addressing that does not fit the classful network scheme, but instead uses an arbitrary subnet mask, as determined by the network's physical and logical design.

Enhanced Interior Gateway Routing Protocol (EIGRP)

A TCP/IP routing protocol that is used to transmit network routing information from one network router to another in order to determine the most efficient path through a large network.

Routing Information Protocol (RIP)

A TCP/IP routing protocol that is used to transmit network routing information from one network router to another to determine the most efficient path through a network. _________ is one of the earliest routing protocols and is not used for Internet routing.

Border Gatewy Protocol (BGP)

A TCP/IP routing protocol used to transmit network routing information from one network router to another in order to determine the most efficient path through a large network.

Interior Gateway Routing Protocol (IGRP)

A TCP/IP routing protocol used to transmit network routing information from one network router to another to determine the most efficient path through a large network.

Intermediate System to Intermediate System (IS-IS)

A TCP/IP routing protocol used to transmit network routing information from one network router to another to determine the most efficient path through a large network.

Open Shortest Path First (OSPF)

A TCP/IP routing protocol used to transmit network routing information from one network router to another to determine the most efficient path through a large network.

Layer 2 Tunneling Protocol (L2TP)

A TCP/IP tunneling protocol.

Multistation Access Unit (MAU)

A Token Ring network device used to connect stations to the network.

Health Insurance Portability and Accountability Act (HIPAA)

A U.S. regulation requiring healthcare delivery organizations, health insurance companies, and other healthcare industry organizations to secure and maintain privacy for electronic protected health information (ePHI).

message switched

A WAN communications technology in which each message is switched to its destination when a communications path is available.

packet switched

A WAN technology in which communications between endpoints take place over a stream of packets that are routed through switches until they reach their destination.

circuit switched

A WAN technology where a dedicated, end-to-end communications channel is established that lasts for the duration of the connection.

first in, first out (FIFO)

A backup media rotation scheme in which the oldest backup volumes are used next.

last in, first out (LIFO)

A backup media rotation scheme whereby the newest backup volumes are used next.

IT Balanced Scorecard (IT-BSC)

A balanced scorecard used to measure IT organization performance and results.

bollard

A barrier that prevents the entry of vehicles into protected areas.

process isolation

A basic feature of an operating system that prevents one process from accessing the resources used by another process.

contract

A binding legal agreement between two parties that may be enforceable in a court of law.

encryption key/ key

A block of characters used in combination with an encryption algorithm to encrypt or decrypt a stream or block of data.

IT steering committee

A body of senior managers or executives that discusses high-level and long-term issues in the organization.

computer-aided software engineering (CASE)

A broad variety of tools that are used to automate various aspects of application software development.

user

A business or customer who uses an information system.

fiber optics

A cabling standard that uses optical fiber instead of metal conductors.

CISC (complex instruction set computer)

A central processing unit design that uses a comprehensive instruction set.

RISC (Reduced Instruction Set Computer)

A central processing unit design that uses a smaller instruction set, which leads to simpler microprocessor design.

spam filter

A central program or device that examines incoming e-mail and removes all messages identified as spam.

web content filter

A central program or device that monitors and, optionally, filters web communications. A web content filter is often used to control the sites (or categories of sites) that users are permitted to access from the workplace. Some web content filters can also protect and organization from malware.

server

A centralized computer used to perform a specific task.

Public Key Infrastructure (PKI)

A centralized function that is used to store and publish public keys and other information.

disk array

A chassis in which several hard disks can be installed and connected to a server. The individual disk drives can be "hot swapped" in the chassis while the array is still operating.

intellectual property

A class of assets owned by an organization, including the organization's designs, architectures, software source code, processes, and procedures.

Software-Defined Networking (SDN)

A class of capabilities in which network infrastructure devices such as routers, switches, and firewalls are created, configured, and managed as virtual devices in virtualization environments.

Synchronous Optical Networking (SONET)

A class of common carrier telecommunications network technologies used to transport voice and data over fiber optic networks at very high speeds.

Mobile Device Management (MDM)

A class of enterprise tools used to manage mobile devices such as smartphones and tablet computers.

T-Carrier

A class of multiplexed carrier network technologies developed to transport voice and data communications over long distances using copper cabling.

control

A policy, process, or procedure that is created to achieve a desired event or to avoid an unwanted event.

network management

A class of software program that is used to monitor and manage devices connected to a network. Also refers to the business processes used for the same purpose.

right to audit

A clause in a contract that grants one party the right to conduct an audit of the other party's operations.

Platform-as-a-Service (PaaS)

A cloud computing delivery model whereby the service provider supplies the platform on which an organization can build and run software.

Infrastructure-as-a-Service (IaaS)

A cloud computing model in which a service provider makes computers and other infrastructure components available to subscribers.

Disaster Recovery-as-a-Service (DRaaS)

A cloud-based set of tools and services that streamline planning and execution of data backup and data replication for disaster recovery purposes.

botnet

A collection of bots that are under the control of an individual.

database

A collection of structured or unstructured information.

Digital Subscriber Line (DSL)

A common carrier standard for transporting data from the Internet to homes and businesses.

Frame Relay

A common carrier standard for transporting packets from one network to another. _________________ is being replaced by Multiprotocol Label Switching (MPLS).

T-1

A common carrier standard protocol for transporting voice and data. ___ can support up to 24 separate voice channels of 64 Kbit/sec each and is used primarily in North America.

E-3

A common carrier standard protocol for transporting voice and data. _____ can support to 512 separate voice channels of 64 Kbit/sec each and is used primarily in Europe.

E-1

A common carrier standard protocol for transporting voice and data. _____ can support up to 32 voice channels of 64 Kbit/sec each and is used primarily in Europe.

T-3

A common carrier standard protocol for transporting voice and data. _____ can support up to 672 separate voice channels of 64 Kbit/sec each and is used primarily in North America.

Integrated Services Digital Network (ISDN)

A common carrier telephone network used to carry voice and data over landlines. __________ can be thought of as a digital version of the PSTN.

Internet Control Message Protocol (ICMP)

A communications diagnostics protocol that is part of the TCP/IP suite of protocols.

blackout

A complete loss of electric power for more than a few seconds.

population

A complete set of subjects, entities, transactions, or events that are the subject of an audit.

Towers of Hanoi

A complex backup media rotation scheme that provides for more lengthy retention of some backup media. Based on the ________________________________ puzzle.

bus

A component in a computer that provides the means for the different components of the computer to communicate with one another.

middleware

A component in an application environment that is used to control or monitor transactions.

sample standard deviation

A computation of the variance of sample values from the sample mean. This is a measurement of the "spread" of values in the sample.

desktop computer

A computer used by an individual end user and located at the user's workspace.

secondary storage

A computer's long-term storage of information, usually implemented with hard disk drives or static random access memory (SRAM).

main storage

A computer's short-term storage of information, usually implemented with electronic components such as random access memory (RAM).

firmware

A computer's special-purpose storage that is usually used to store the instructions required to start the computer system. _____________ is usually implemented in ROM, PROM, EPROM, EEPROM, or flash.

configuration item

A configuration setting in an IT asset.

continuous and intermittent simulation (CIS)

A continuous auditing technique in which flagged transactions are processed in a parallel simulation and the results compared to production processing results.

embedded audit module (EAM)

A continuous auditing technique that consists of a special software module embedded within a system that is designed to detect processing anomalies.

snapshot

A continuous auditing technique that involves the use of special audit modules embedded in online applications that sample specific transactions. The module copies key database records that can be examined later on.

COBIT

A control framework for managing information systems and security. _____________ is published by ISACA.

deterrent control

A control that is designed to deter people from performing unwanted activities.

automatic control

A control that is enacted through some automatic mechanism that requires little or no human intervention.

compensating control/ mitigating control

A control that is implemented because another control cannot be implemented or is ineffective.

technical controls

A control that is implemented in IT systems and applications.

corrective control

A control that is used after an unwanted event has occurred.

recovery control

A control that is used after an unwanted event to restore a system or process to its pre-event state.

detective control

A control that is used to detect events.

Redundant Array of Independent Disks (RAID)

A family of technologies that combines multiple physical disk drive components into one or more logical units to improve the reliability, performance, or capacity of disk-based storage systems.

audit logging

A feature in an application, operating system, or database management system whereby events are recorded in a separate log.

polymorphism

A feature of a programming language that enables an object to behave in different ways, depending upon the data passed to it.

foreign key

A field in a table in a relational database management system that references a unique primary key in another table.

Unix file system (UFS)

A file system used by many Unix operating system.

File Allocation Table (FAT)

A file system used by the MS-DOS operating system as well as by early versions of the Microsoft Windows operating system.

Hierarchical File System (HFS)

A file system used on computers running the MAC OS X operating system.

wet pipe system

A fire sprinkler system in which all sprinkler pipes are filled with water. Each sprinkler head is equipped with a fuse- a heat-sensitive glass bulb- that breaks upon reaching a preset temperature. When this occurs, water is discharged from just that sprinkler head, which is presumably located near a fire.

pre-action system

A fire sprinkler system used in areas with high-value contents, such as data centers. A _______________ system is essentially a dry pip system until a "preceding" event such as a smoke detector alarm occurs; at this time, the system is filled with water and becomes a wet pipe system. Then, if the ambient temperature at any of the sprinkler heads is high enough, fuse (heat-sensitive glass bulbs) break, releasing water to extinguish the fire.

dry pipe system

A fire sprinkler system used in locales where ambient temperatures often drop below freezing. In this type of system, pipes are filled with compressed air. When sufficient heat causes one of the sprinkler head fuses (heat-sensitive glass bulbs_ to break, a control valve releases water into the piping.

fire sprinkler system

A fire suppression system that extinguishes a fire by spraying water on it.

inert gas system

A fire suppression system that floods a room with an inert gas, displacing oxygen from the room and extinguishing the fire.

Erasable Programmable Read Only Memory (EPROM)

A form of permanent memory that can be erased by shining ultraviolet (UV) light through a quartz window on the top of the chip.

flash

A form of permanent memory that can be rewritten by the computer that it is installed on. ______________ memory is used by several types of devices, including SD (Secure Digital) cards, Compact Flash, Memory Stick, and USB drives.

Electrically Erasable Programmable Read-Only Memory (EEPROM)

A form of permanent memory that can be rewritten using a special program on the computer on which it is installed.

Programmable Read-Only Memory (PROM)

A form of permanent memory that cannot be modified.

static random access memory (SRAM)

A form of semiconductor memory that does not require refreshing.

outsourcing

A form of sourcing in which an employer uses contract employees to perform a function. The contract employees may be located on-site or off-site.

off-shoring

A form of sourcing whereby an employer will source a function with employees or contractors located in another country or continent.

insourcing

A form of sourcing whereby an employer will use its own employees to perform a function.

access management

A formal business process used to control access to networks and information systems.

vulnerability management

A formal business process used to identify and mitigate vulnerabilities in an IT environment.

program charter

A formal definition of the objectives of a program, its main timelines, sources of funding, the names of its principal leaders and managers, and the business executive(s) who are sponsoring the program.

Request for Information (RFI)

A formal process whereby an organization solicits detailed product of service information from one or more vendors.

Request for Proposals (RFP)

A formal process whereby an organization solicits solution proposals from one ore more vendors. The process usually includes formal requirements and desired terms and conditions. IT is used to evaluate vendor proposals to make a selection.

security awareness

A formal program used to educate employees, users, customers, or constituents on required, acceptable, and unacceptable security-related behaviors.

change request/ Request for Change (RFC)

A formal request for a change to be made in an environment.

change review

A formal review of a requested change.

employee handbook/ employee policy manual

A formal statement of the terms of employment, facts about the organization, benefits, compensation, conduct, and policies.

control objective

A foundational statement that describes desired states or outcomes from business operations.

NIST CSF (National Institute for Standards and Technology Cybersecurity Framework)

A framework consisting of standards, guidelines, and best practices to manage cybersecurity-related risk, developed by the U.S. National Institute for Standards and Technology.

Media Access Control (MAC)

A framing protocol used by Ethernet, DSL, MPLS, and ISDN.

service set identifier (SSID)

A friendly name that identifies a particular 802.11 wireless network.

WAN switch

A general term encompassing several types of wide area network switching devices, including ATM switches, Frame Relay switches, MPLS switches, and ISDN switches.

fire extinguisher

A hand-operated fire suppression device used for fighting small fires.

key logger

A hardware device or a type of malware that records a user's keystrokes and, optionally, mouse movements and clicks and sends them to the key logger's owner.

Thunderbolt

A hardware interface standard combining PCI Express and DisplayPort (DP) technologies.

Intrusion Prevention System (IPS)

A hardware or software system that detects and block anomalies that may be signs of an intrusion.

Intrusion Detection System (IDS)

A hardware or software system that detects anomalies that may be signs of an intrusion.

Cyclic Redundancy Check (CRC)

A hash function used to create a checksum that detects errors in network transmissions. The Ethernet standard uses a CRC to detect errors.

grandfather-father-son

A hierarchical backup media rotation scheme that provides for longer retention of some backups.

recovery strategy

A high-level plan for the resumption of business operations after a disaster.

mainframe

A large central computer capable of performing complex tasks for several users simultaneously.

midrange computer

A large central computer capable of performing complex tasks for users.

grid computing

A large number of loosely coupled computers that are used to solve a common task.

operating system

A large, general-purpose program used to control computer hardware and facilitate the use of software applications.

Kanban

A lean software development methodology that uses a visual _____________ board to tack and plan the assignment and completion of tasks in a project.

employment agreement

A legal contract between an organization and an employee, which may include a description of duties, roles, and responsibilities, confidentiality requirements, compliance requirements, and termination information.

Provided by Client (PBC)

A list of evidence requested of an auditee at the onset of an audit.

contact list

A list of key personnel and various methods used to contact them.

Fiber Distributed Data Interface (FDDI)

A local area network technology that consists of a "dual ring" with redundant network cabling and counter-rotating logical tokens.

virtual circuit

A logical communications channel between two endpoints on a packet-switched network.

virtual local area network (VLAN)

A logical network that may share a physical medium with one ore more other virtual networks.

work breakdown structure (WBS)

A logical representation of the high-level and detailed tasks that must be performed to complete a project.

file system

A logical structure that facilitates the storage of data on a digital storage medium such as a hard drive, CD/ DVD-ROM, or flash memory device.

standard IT balanced scorecard

A management tool that is used to measure the performance and effectiveness of an IT organization.

balanced scorecard (BSC)

A management tool that is used to measure the performance and effectiveness of an organization.

Software Process Improvement and Capability dEtermination (SPICE)

A maturity model based on the SEI CMM maturity model. _________ has been made an international standard: ISO/IEC 15504.

Capability Maturity Model Integration (CMMI)

A maturity model that represents the aggregation of other maturity models.

web services

A means for system-to-system communications using HTTP.

precision

A measure of how closely a sample represents the entire population.

ciphertext

A message, file, or stream of data that has been transformed by an encryption algorithm and rendered unreadable.

classless internet domain routing (CIDR)

A method for creating IP subnets that is more efficient than classful networks.

proof of concept

A method for demonstrating the ability to build or implement complex systems through the use of simpler models.

symmetric encryption

A method for encryption a decryption that requires both parties to possess a common encryption key.

asymmetric encryption/ public key cryptography

A method for encryption, decryption, and digital signatures that uses pairs of encryption keys: a public key and a private key.

call tree

A method for ensuring the timely notification of key personnel when an event such as a disaster occurs.

Constructive Cost Model (COCOMO)

A method for estimating software development projects based on the number of lines of code and the complexity of the software being developed.

function point analysis (FPA)

A method for estimating software development projects based on the number of user inputs, outputs, queries, files, and external interfaces.

Network Address Translation (NAT)

A method of translating IP addresses at network boundaries, most notably to convert private internal network addresses to publicly routable network addresses.

container

A method of virtualization whereby several isolated operating zones are created in a running server operation, which isolated programs and data to their respective.

digital envelope

A method that uses two layers of encryption. A symmetric key is used to encrypt a message; then a public or private key is used to encrypt the symmetric key.

control self-assessment (CSA)

A methodology used by an organization to review key business objectives, risks, and controls. Control self-assessment is a self-regulation activity.

netbook computer

A miniature laptop computer, usually with more limited storage and peripheral connectivity than a laptop computer.

tablet

A mobile device with a touchscreen interface.

smartphone

A mobile phone equipped with an operating system and software applications.

capability maturity model

A model used to measure the relative maturity of an organization or of its processes.

dropout

A momentary loss of power that lasts from a few milliseconds to a few seconds.

Remote Authentication Dial-In User Service (RADIUS)

A network authentication protocol.

stateful inspection firewall

A network device that filters network traffic based on source and destination IP addresses and ports and keeps track of individual TCP/I{ sessions to make filtering decisions, permitting established connections.

screening router

A network device that filters network traffic based on source and destination IP addresses and ports.

netflow

A network diagnostic tool that collects all network metadata, which can be used for network diagnostic or security purposes.

honeynet

A network of computers acting as a honeypot.

Remote Procedure Call (RPC)

A network protocol that permits an application to execute a subroutine or procedure on another computer.

Network Basic Input/Output System (NetBIOS)

A network protocol that permits applications to communicate with one another using the legacy NetBIOS API.

Point-to-Point Protocol (PPP)

A network protocol used to transport TCP/IP packets over point-to-point serial connections (usually RS-232 and dial-up connections).

Serial Line Internet Protocol (SLIP)

A network protocol used to transport TCP/IP packets over point-to-point serial connections (usually RS-232).

local area network (LAN)

A network that connects computers and devices together in a small building or a residence.

Personal Area Network (PAN)

A network that is generally used by a single individual and is usually limited to about 3 meters in size.

star topology

A network topology in which a separate connection is made from a central device to each station.

ring topology

A network topology in which connections are made from one station to the next, in a complete loop.

bus topology

A network topology in which each station is connected to a central cable.

network authentication

A network-based service that is used to authenticate persons to network-based resources.

time sychronization

A network-based service used to synchronize the time clocks on computers connected to a network.

e-mail

A network-based service used to transmit messages between individuals and groups.

Category 8

A new cable standard, still under development, designed for high-speed networking in data centers.

subnet mask

A numeric value that determines which portion of an IP address is used to identify the network and which protion is used to identify a station on the network.

Multiprotocol Label Switching (MPLS)

A packet-switched network technology that utilizes a variable-length packet. In an ___________ network, each packet has one or more labels affixed to it that contain information that helps _________ routers make packet-forwarding decisions without examining the contents of the packet itself (for an IP address, for instance).

Radio Resource Control (RRC)

A part of the Universal Mobile Telecommunications System (UMTS) Wideband Code Division Multiple Access (WCDMA) wireless telecommunications protocol that is used to facilitate the allocation of connections between mobile devices and base stations.

default password

A password associated with a user account or system account that retains its factory default setting.

subject

A person or a system.

custodian

A person or group delegated to operate or maintain an asset.

owner

A person or group responsible for the operation of an asset.

terrorist

A person or group who perpetrates violence for political or other reasons.

keycard system

A physical access control system by which personnel are able to enter a workspace by waving a keycard near a reader or inserting it into a reader, activating a door lock to unlock the door briefly.

conspiracy

A plan by two or more persons to commit an illegal act.

budget

A plan for allocating resources over a certain time period.

emergency communications plan

A plan that outlines the communications required during a disaster.

mandatory vacation

A policy established by some organizations that requires each employee to take a vacation every year.

A policy statement that defines how an organization will protect, manage, and handle private information.

Diffe-Hellman

A popular key exchange algorithm

lean

A project management approach that empahsizes focus on value and efficiency. ____________ is derived from lean manufacturing techniques developed at Toyota in Japan in the 1990s.

PRojects IN Controlled Environments (PRINCE2)

A project management framework.

Project Management Body of Knowledge (PMBOK)

A project management guide that defines the essentials of project management.

timebox management

A project management technique in which a large project is broken down into smaller components and time periods.

Remote Desktop Protocol (RDP)

A proprietary protocol from Microsoft that is used to establish a graphic interface connection with another computer.

JSON-RPC

A protocol used in application environments to facilitate a client request made to a server.

Secure Hypertext Transfer Protocol (S-HTTP)

A protocol used to encrypt web pages between web servers and web browsers. Often confused with Hypertext Transfer Protocol Secure (HTTPS).

Internet Key Exchange (IKE)

A protocol used to establish security associations (logical connections) between hosts using the IPsec protocol.

Simple Object Access Protocol (SOAP)

A protocol used to facilitate the exchange of structured information between systems.

Secure Electronic Transaction (SET)

A protocol used to protect credit card transactions that uses a digital envelope. _______ has been deprecated by Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

elliptic curve

A public key cryptography algorithm.

certification practice statement (CPS)

A published statement that describes the practices used by the CA to issues and manage digital certificates.

Six Sigma

A quantitative, statistical technique used to identify and remediate defects in business processes.

Initialization Vector (IV)

A random number that is needed by some encryption algorithms to begin the encryption process.

network analysis

A reconnaissance operation on an organization's netowrk.

access control log

A record of attempted accesses.

Configuration Management Database (CMDB)

A repository force every components in an environment that contains information on every configuration change made on those components.

class library

A repository where classes are stored.

object breakdown structure (OBS)

A representation of the components of a project in graphical or tabular form.

walkthrough

A review of some or all disaster recovery and business continuity plans, procedures, and other documentation. A __________________ is performed by an entire group of individuals in a live discussion.

document review

A review of some or all disaster recovery and business continuity plans, procedures, and other documentation. Individuals typically review these documents on their own and at their own pace, but within whatever time constraints or deadlines that may have been established.

access review

A review of the users, systems, or other subjects that are permitted to access protected objects. The purpose of a review is the ensure that all subjects are authorized to have access.

qualitative risk analysis

A risk analysis methodology whereby risks are estimated in the form of actual cost amounts.

Risk IT Framework

A risk management model that approaches risk from the enterprise perspective.

judgmental sampling

A sampling of technique in which items are chosen based upon the auditor's judgement, usually based on risk or materiality.

discovery sampling

A sampling technique by which at least one exception is sought in a population.

statistical sampling

A sampling technique in which items are chosen at random; each item has a statistically equal probability of being chosen.

stop-or-go sampling

A sampling technique used to permit sampling to stop at the earliest possible time. This technique is used when the auditor believes that there is low risk or a low rate of exceptions in the population.

variable sampling

A sampling technique used to study the characteristics of a population to determine the numeric total of a specific attribute from the entire population.

attribute sampling

A sampling technique used to study the characteristics of population to determine how many samples possess a specific characteristic.

stratified sampling

A sampling technique whereby a population is divided into classes or strata, based upon the value of one of the attributes. Samples are then selected from each class.

back door

A section of code that permits someone to bypass access controls and access data or functions. ____________________ are commonly placed in placed in programs during development but are removed before programming is complete.

Center for Internet Security Controls

A security controls framework developed by the Center for Internet Security (CIS).

acceptable use

A security policy that defines the types of activities that are acceptable and those that are not acceptable to the organization.

Payment Card Industry Data Security Standard (PCI-DSS)

A security standard intended to protect credit card numbers in storage, while being processed, and while being transmitted. The standard was developed by the PCI Standards Council, which is a consortium of credit card companies, including Visa, MasterCard, American Express, Discover, and JCB.

microsegmentation

A segmentation technique in which individual hosts are isolated with network access controls, typically with network or host firewalls.

file

A sequence of zero or more characters that is stored as a whole in a file system. A _______ may be a document, spreadsheet, image, sound file, computer program, or data that is used by a program.

database server

A server that contains and facilitates access to one or more databases.

file server

A server that is used to store files in a central location, usually to make them available to many users.

application server

A server that runs application software.

web server

A server that runs specialized software that makes static and dynamic HTML pages available to users.

print server

A server used to coordinate printing to shared printers.

remote access

A service that permits a user to establish a network connection from a remote location so that the user can access network resources remotely.

cryptosystem

A set of algorithms used to generate an encryption key, to perform encryption, and to perform decryption.

audit methodology

A set of audit procedures that is used to accomplish a set of audit objectives.

Data Dictionary (DD)

A set of data in a database management system that describes the structure of databases stored there.

logic bomb/ time bomb

A set of instructions designed to perform some damaging action when a specific event occurs; a popular example is a time bomb that alters or destroys data on a specified date in the future.

role

A set of privileges in an application. Also a formally defined set of work tasks assigned to an individual.

media control

A set of processes for controlling the security of storage media.

spike/ surge

A sharp increase in voltage that lasts for only a fraction of a second.

key fingerprint

A short sequence of characters used to authenticate a public key.

Bluetooth

A short-range airlink standard for data communications between peripherals and low-poer consumption devices.

Wireless USB (WUSB)

A short-range, high-bandwidth standard wireless communications protocol used to connect computer peripherals.

visual notice

A sign or symbol used to inform personnel of security controls and/ or to warn unauthorized persons

accumulation of privileges/ privilege creep

A situation in which an employee accumulates system access privileges over a long period of time and after internal transfers or other privilege changes, but old access privileges have not been removed.

source lines of code (SLOC)

A sizing technique for software development projects that represents the size of the planned program, expressed as lines of code.

token

A small electronic device used in two-factor authentication. A _________ may display a number that the user types in to a login field, or it may be plugged into a workstation to complete authentication.

smart card

A small, credit card-sized device that contains electronic memory and is accessed with a smart card reader and used in two-factor authentication.

phishing

A social engineering attack on unsuspecting individuals in which e-mail messages that resemble official communications entice victims to visit imposter web sites that contain malware or request credentials to sensitive or valuable assets.

Software-as-a-Service (SaaS)

A software delivery model whereby an organization obtains a software application for use by its employees and the software application is hosted by the software provider, as opposed to the customer organization.

web-based application development

A software development effort in which the application' user interface is based on the HTTP (Hypertext Transport Protocol) and HTML (Hypertext Markup Language) standards.

Rapid Application Development (RAD)

A software development life cycle process characterized by small development teams, prototypes, design sessions with end users, and development tools that integrate data design, data flow, user interface, and prototyping.

spiral model

A software development life cycle process in which the activities of requirements definitions and software design go through several cycles until the project is complete.

data-oriented system development (DOSD)

A software development life cycle process that starts with a design of data and interfaces to databases and then moves on to program design.

denial of service (DOSD)

A software development life cycle process that starts with a design of data and interfaces to databases and then moves on to program design.

waterfall model

A software development life cycle process whereby activities are sequential and are executed one time in a software project.

iterative development process

A software development process that consists of one or more repeating loops of planning, requirements, design, coding, and testing until development and implementation are considered complete.

virtual machine

A software implementation of a computer, usually an operating system or other program running within a hypervisor.

Database Management System (DBMS)

A software program that facilitates the storage and retrieval of potentially large amounts of structured or unstructured information.

terminal emulation

A software program that runs on a workstation that emulates an older style computer terminal.

storage area network (SAN)

A stand-alone storage system that can be configured to contain several virtual volumes and is connected to many servers through fiber optic cables.

Network Attached Storage (NAS)

A stand-alone storage system that contains one or more virtual volumes. Servers access these volumes over the network using the Network File System (NFS) or Server Message Block/Common Internet File System (SMB/CIFS) protocols, common on Unix and Windows operating systems, respectively.

near-field communications (NFC)

A standard for extremely short-distance radiofrequency data communications.

802.1X

A standard for network authentication and access control that can mutually authenticate both people and devices connecting to a LAN or a wireless LAN.

Address Resolution Protocol (ARP)

A standard network protocol used to obtain the address for another station on a local area network (LAN).

Token Ring

A standard protocol for assembling a stream of data into frames for transport over a physical medium from one station to another on a local area network. On a ____________________ network, a three-byte token is passed from station to station over the network. A station may not transmit a packet to another station until it has first received the token.

Ethernet

A standard protocol for assembling a stream of data into frames for transport over a physical medium from one station to another on a local area network. On an ______________________ network, any station is free to transmit a packet at any time, provided that another station is not already doing so.

Fibre Channel

A standard protocol for assembling a stream of data into frames for transport over a physical medium from one station to another on a local area network. ____________________ is most often found in storage area networks.

RS-232

A standard protocol for sending serial data between computers.

V.35

A standard protocol for sending serial data between computers.

RS-449

A standard protocol for sending serial data between network devices.

architecture standard

A standard that defines technology architecture at the database, system, or network level.

configuration standard

A standard that defines the detailed configurations that are used in servers, workstations, operating systems, database management systems, applications, network devices, and other systems.

methodology standard

A standard that specifies the practices used by the IT organization.

protocol standard

A standard that specifies the protocols used by the IT organization.

technology standard

A standard that specifies the software and hardware technologies used by the IT organization.

vendor standard

A standard that specifies which suppliers and vendors are used for various types of products and services.

responsibility

A stated expectation of activities and performance.

code of ethics

A statement that defines acceptable and unacceptable professional conduct.

information security policy/ security policy

A statement that defines how an organization will classify and protect its important assets.

access control policy

A statement that defines the policy for the granting, review, and revocation of access to systems and work areas.

standard

A statement that defines the technologies, protocols, suppliers, and methods used by an IT organization.

policy

A statement that specifies a course, principle. or method of action that has been adopted or prosed in an organization. A ________ usually defines who is responsible for monitoring and enforcing the policy.

default gateway

A station on a network (usually a router) that is used to forward messages to stations on distant networks.

implementation

A step in the software development life cycle where new or updated software is placed into the production environment and started.

rollback

A step in the system development life cycle in which system changes need to be reversed, returning the system to its previous state.

CISA

Related study sets

BIOS100 Chapter 5

Ch 7 SmarkBook

political science test 2 edited

Chapter 11 Questions

Quizizz Answers

Chapter 13: Education (Questions)

Property - Real and Personal

Chapter 1: Retail Structure Exam 1

Chronic II Midterm

Hydraulics Final Exam

PHYS 2425 Final

Search Engines

Post-test: Fundamentals of Robotics for SCORBOT-ER4u

Nos vemos (Vistas 11.3)

215 Assessment 4

A&P Practical 2

Computer Network Test 1 (ch 1 & 2)

Lex

Psych Class 8 Addiction

Frandsen Ch. 24- Drug Therapy for Heart Failure