ISC CPA Exam Glossary from Becker
Abstraction
Hiding the complexity of tasks to limit user access to relevant information, enhancing security by controlling access to sensitive data
Acceptable Use Policy (AUP)
A document outlining acceptable behaviors, responsibilities, and consequences for employees and vendors using technology
Acceptance Criteria
Measurable and specific criteria established by management to objectively evaluate changes to systems or processes
Active Data Collection
The process of actively collecting new data from employees, customers, users, etc. through surveys, interviews, or forms
Adverse Opinion
An auditor’s report stating that the financial statements “do not present fairly…”
Agile Method
A flexible change management framework with cross-functional teams working on different phases or tasks simultaneously, allowing changes of direction throughout the project lifecycle.
Annualized Loss Expectancy
Single loss expectancy multiplied by the annualized rate of occurrence
Annualized Rate of Occurrence
Expected frequency of occurrences of a negative event in a year
Application Layer (Layer 7)
The top layer of the OSI model that serves as the interface between applications and the network protocol, allowing users to transmit messages
Application Logs
Logs recording application data, such as user access, executed functions, and errors
Application-Based Attacks
Target software (e.g., databases, websites) for unauthorized access or disruption
Artificial Intelligence
An umbrella term used to describe systems that are created to perform complex tasks typically requiring human intelligence and judgement
Assessment Procedures
Objectives with assessment objects and methods, such as examination, interviewing, and testing
Asymmetric Encryption
Encryption using two keys, a public key for encryption and a private key for decryption (or vice versa). It is slower due to longer keys and more complex algorithms
Attackers
Individuals or entities that negatively impact data security through theft, manipulation, or control of sensitive information.
Attest Engagements
An engagement in which a practitioner is engaged to issue or does issue an examination, a review, or an agreed-upon procedures report on subject matter, or on an assertion about the subject matter, that is the responsibility of another party
Attestation Risk
The risk that the practitioner may issue an inappropriate conclusion or report based on their findings during the attestation engagement, potentially leading to a false sense of security regarding the subject matter.
Audit Committee
A committee of the Board of Directors, generally made up of three to five members of the board who are “outside directors,” responsible for the selection and appointment of the independent external auditor, and for reviewing the nature and scope of the engagement
Audit Trail
Evidence indicative of the sequential flow of accounting operations
Availability
The ability of a business to perform its functions or meet business objectives, including system availability (accessibility of business data and normal IT system operations) and availability of human capital (personnel being ready and able to perform normal operations).
Backup
The process of creating and storing copies of data and systems to recover lost information after a failure
BIA Report
A comprehensive report that assesses risks and potential impacts of disruptions at the department, business unit, or product level to form a company-wide business impact analysis
Biometrics
Authentication using human physical characteristics or impressions, such as facial recognition, fingerprint scans, voice recognition, etc.
Blockchain
A control system originally designed to govern the creation of cryptocurrencies like Bitcoin. It ensures the immutability and security of transactions through decentralized validation
Breach Notification
A requirement added by HITECH to HIPAA, obligating covered entities to notify individuals affected by a data breach within 60 days of discovery
BYOD policies
Policies allowing employees to use personally owned devices for work, covering issues like monitoring, data ownership, liability, and restricted activities
Buffer Overflow
A type of cyberattack in which an attacker sends more data to a buffer than it can handle, causing data overflow and potentially allowing the execution of malicious code
Business Continuity Plans
Plans focused on keeping the business operational during a disaster, including contingency and mitigation procedures for all business processes, such as relocating facilities, managing human resources, and maintaining customer and supplier relationships
Business Impact Analysis
A process that evaluates the potential effects of an interruption to critical business operations due to a disaster, helping organizations prioritize recovery strategies.
Business Resiliency
The integration of system availability controls, disaster recovery plans, business continuity plans, and crisis management plans into a central set of procedures to ensure a business can continue to operate or quickly return to operations without irreparable harm to people, information, or assets
Carve-Out Method
A method used to describe the services performed by a subservice organization as a distinct portion of the overall system
Center for Internet Security Benchmarks
Publicly available security standards, used by organizations as a starting point for asset reconfiguration. Adhering to these standards assists organizations in complying with any applicable laws and regulations
Center for Internet Security Controls
A set of recommended actions, processes, and best practices for organizations to strengthen their cybersecurity defenses. These controls include measures to track and manage software applications, protect data, and configure enterprise assets securely
Change Advisory Board
A formal board responsible for reviewing, approving, and planning for system changes, ensuring separate environments for testing, staging, and production
Change Management
Policies, procedures, and resources employed to govern change in an organization, impacting IT infrastructure and governance
Change Management Controls
Measures put in place to minimize risks during the change management process, including policies, standardized change requests, impact assessment, and ongoing monitoring
Change Management Process
Steps to successfully manage change, from identification and approval to implementation and monitoring
Change Request
A formal proposal for making changes to a system or process, often submitted for review and approval by a change advisory board
Changeover Methods
Different approaches for migrating from an old system to a new system, including direct changeover, parallel changeover, pilot changeover, phased changeover, and hybrid changeover
Chief Operations Officer
The executive officer responsible for the day-to-day operations of a company
CIA Triad
Confidentiality, integrity, and availability making up a common model that forms the basis for the development of security systems
Closed Loop Verification
A critical change management step that involves continuously monitoring the output from the changes, comparing the outputs with the desired outcome, and calibrating the changes to minimize discrepancies from the acceptance criteria
Cloud Computing
A computing model that uses shared resources over the internet, allowing customers to rent storage space, processing power, or proprietary software from cloud service providers (CSPs) instead of owning and managing their infrastructure
COBIT 2019
The latest version of COBIT, launched as a comprehensive global framework mapping enterprise strategy to IT objectives and governance, providing guidelines for organizations to achieve their goals and manage risks effectively.
Cold Site
A backup location that has basic infrastructure but requires additional setup to become operational after a disaster, often used for disaster recovery purposes.
Committee of Sponsoring Organizations (COSO)
An advisory group that offers guidance on internal controls, fraud deterrence, and risk management
Common Vulnerabilities List
A nomenclature and dictionary of security-related software flaws. Classification schemes are used to assess the likelihood of exploitation and the impact of vulnerabilities
Common Vulnerability Scoring System (CVSS)
A system for measuring the relative severity of software flaw vulnerabilities
Communication Plan
A plan outlining the process and stakeholders to be notified during incident response
Community Cloud
A cloud infrastructure shared by multiple organizations for a common interest, such as regulatory compliance or collaboration
Complementary Subservice Organization Controls
Controls that a subservice organization (a third party used by the service organization) must have in place for the service organization’s controls to achieve its objectives
Complementary User Entity Controls
Controls that users of a service organization’s system must have in place for the service organization’s controls to achieve their objectives
Compliance
An objective qualitative assessment determining whether an application or infrastructure component complies with a particular standard or regulation.
Compliance Objectives
Objectives related to adhering to governmental laws and regulations
Components of Internal Controls
Interrelated elements of the system of internal control used to achieve an entity’s objectives; control components consist of the CRIME framework
Composite Primary Key
Formed when more than one attribute is required to uniquely identify each record in a table
Confidentiality
Preserving authorized restrictions on access and disclosure of data, including means for protecting personal privacy and proprietary information
Control Activities
The policies and procedures that help ensure that management directives are carried out and that necessary steps are taken to address risks
Control deficiency
A weakness that exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis
Control Environment
The tone of an organization, including management attitude, participation of those charged with governance, organizational structure, and human resource policies
Control Objectives for Information and Related Technologies (COBIT)
A widely used enterprise IT governance framework developed by ISACA to provide best practices for IT governance and management
Corrective Controls
Measures implemented to rectify known vulnerabilities in response to security incidents, self-assessments, or changes in industry practices
COSO 2017 Enterprise Risk Management
A framework that helps organizations identify, assess, and manage risks to achieve their objectives effectively.
COSO Cube
A 3-D diagram illustrating how various elements of an internal control system work together within the COSO framework
COSO Internal Framework
A framework created by COSO in 1992 to help organizations establish effective Internal Control systems. It became a benchmark for internal control practices
Covert Channels
A type of cyberattack transmitting data using the methods not originally intended for data transmission by the system designers
Crisis
An unexpected and disruptive event or situation that demands urgent attention and response, often threatening the organization's operations, reputation, or stakeholders.
Crisis Management
Policies and procedures to manage crises, make important decisions quickly, protect people and organizational reputation, and restore normal operations
Cryptography
The practice and study of techniques for securing communication and information, ensuring confidentiality, integrity, and authentication.
CSF Core
The foundational component of the NIST CSF, consisting of six functions (Govern, Identify, Protect, Detect, Respond, and Recover) that represent different points in the cybersecurity lifecycle
CSF Organizational Profiles
The mechanisms by which NIST recommends companies measure cybersecurity risk and establish a roadmap to ensure the organization can minimize such risk
CSF Tiers
Four tiers that act as benchmarks for an organization’s information security infrastructure sophistication, indicating the degree to which cybersecurity practices are integrated throughout the organization. Tier 1 = Partial, Tier 2 = Risk Informed, Tier 3 = Repeatable, Tier 4 = Adaptive.
Cybersecurity
The practice of protecting an organization’s IT infrastructure and critical data from malicious actors using technologies, processes, and best practices to mitigate the impact of attacks
Cybersecurity Event
A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation)
Cybersecurity Incident
A cybersecurity event that has been determined to have an impact on the organization, prompting the need for response and recovery
Cybersecurity Risk Governance
A component of the CSF Tiers that refers to focusing on the policies, procedures, and structures put in place by an organization’s leadership to oversee and manage cybersecurity risks. It involves establishing accountability, defining roles and responsibilities, and ensuring that cybersecurity risk management aligns with the organization’s overall risk governance and strategic objectives.
Cybersecurity Risk Management
A component of the CSF Tiers that refers to the continuous process of identifying, assessing, and responding to cybersecurity threats and vulnerabilities to minimize their impact on organizational operations, assets, and reputation. The primary goal is to balance the needs of cybersecurity with the organization's overall business objectives.
Data Backup and Restoration
Mechanisms for data recovery, automated backups, off-site storage, and encryption to protect data and enable recovery to a trusted state
Data Breach
The unauthorized exposure of confidential information, either intentionally or unintentionally
Data Breach Notification
Obligatory communication to affected individuals and regulators about a data breach
Data Center
A facility that houses computer systems and related components, such as telecommunications and storage systems, with advanced security measures and climate control
Data Classification Scheme
Categorizing data based on sensitivity to understand implications in case of data loss or compromise
Data Flow Diagram (DFD)
A visual representation to describe the flow of data through a process
Data Lake
A repository that contains both structured and unstructured data, with data mostly being in its natural or raw format
Data Life Cycle
The sequential steps that all business data must go through from creation to disposal, including definition, capture, preparation, storage, usage, sharing, archiving, and deletion.
Data Link Layer (Layer 2)
The layer where data packets are formatted for transmission, determined by hardware and networking technology, and media access control addresses are added for source and destination reference. Protocols used in this layer include Integrated Services Digital Network (ISDN), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Address Resolution Protocol (ARP)
Data Loss Prevention (DLP) Systems
Tools that prevent sensitive data from being leaked or accessed by unauthorized users
Data Management Process
Securely managing the entire life cycle of data, from identification and classification to disposal
Data Mapping
Identifying software applications that access data based on sensitivity levels and consolidating devices and software into separate networks based on sensitivity
Data Mart
A subset of a data warehouse, focused on specific purposes such as marketing or logistics, tailored to different departments within a company
Data Minimization
A GDPR principle stating that data processing must be limited to what is necessary for the purpose
Data Model
Conceptual representations of the data structures in an information system
Data Privacy
Legal regulations designed to protect an individual’s private life and personal details from being disclosed to the public. They establish rules for data collection, storage, and sharing private information to build trust between consumers and enterprises
Data Privacy Framework
A framework published by NIST in early 2020 to protect individuals’ data used in data processing applications. It is designed to be industry-agnostic and consider cultural and individual privacy constructs
Data Privacy Laws
Legal regulations designed to protect an individual’s private life and personal details from being disclosed to the public. They establish rules for collecting, processing, maintaining, and disclosing private information to build trust between consumers and enterprises
Data Security Framework
A framework published by NIST in early 2020 to protect data against unauthorized access and breaches. It establishes guidelines to ensure the integrity, confidentiality, and availability of sensitive information
Data Storage
Technology designed for the retention and management of data, ensuring it is organized and accessible when needed.
Data Types
Designated types for attributes that specify how data is stored and analyzed, such as numerical, text, or date/time
Data Warehouse
A large, centralized data repository used for reporting and analysis, pulling from multiple sources and combining it into a single repository
Database Management System (DBMS)
Software that manages databases, enabling users to interact with the data by storing, retrieving, updating, and deleting information