A method for assigning classification or risk levels to work centers and processing centers, based on their operational criticality or other risk factors.
An activity that seeks to determine the expected benefits of a program or project.
A person who has a legal trust relationship with another party.
The highest standard of care that a fiduciary renders to a beneficiary.
A sequence of zero or more characters that is stored as a whole in a file system. A file may be a document, spreadsheet, image, sound file, computer program, or data that is used by a program.
file activity monitoring (FAM)
A program that monitors the use of files on a server or endpoint as a means for detecting indicators of compromise.
file integrity monitoring (FIM)
A program that periodically scans file systems on servers and workstations, comparing file hashes, permissions, and other metadata against a trusted baseline, as a means of detecting changes to file contents or permissions that may be indicators of compromise.
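As an added illustration (not code from the original glossary or from any FIM product), the following Go program shows the core of file integrity monitoring: it records a SHA-256 digest and permission bits for every regular file under a directory, then compares a fresh scan against that baseline and reports added, removed, modified and re-permissioned files. The directory layout, file names and contents in main are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Entry is what the baseline stores per regular file: a SHA-256 digest of the
// contents and the permission bits. Real FIM tools also record owner, size and
// mtime; these two fields are enough to show the technique.
type Entry struct {
	SHA256 string
	Mode   fs.FileMode
}

// Baseline walks root and records an Entry for every regular file, keyed by
// slash-separated path relative to root.
func Baseline(root string) (map[string]Entry, error) {
	out := map[string]Entry{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		out[filepath.ToSlash(rel)] = Entry{SHA256: hex.EncodeToString(sum[:]), Mode: info.Mode().Perm()}
		return nil
	})
	return out, err
}

// Finding is one deviation from the baseline. Kind is one of
// "added", "removed", "content" (digest changed) or "mode" (permissions changed).
type Finding struct {
	Path string
	Kind string
}

// Compare diffs a stored baseline against a fresh scan and returns every
// deviation sorted by path and kind, so the output is stable for alerting.
func Compare(baseline, current map[string]Entry) []Finding {
	var findings []Finding
	for p, old := range baseline {
		cur, ok := current[p]
		if !ok {
			findings = append(findings, Finding{p, "removed"})
			continue
		}
		if cur.SHA256 != old.SHA256 {
			findings = append(findings, Finding{p, "content"})
		}
		if cur.Mode != old.Mode {
			findings = append(findings, Finding{p, "mode"})
		}
	}
	for p := range current {
		if _, ok := baseline[p]; !ok {
			findings = append(findings, Finding{p, "added"})
		}
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Path != findings[j].Path {
			return findings[i].Path < findings[j].Path
		}
		return findings[i].Kind < findings[j].Kind
	})
	return findings
}

func main() {
	// Constructed scenario: baseline a small tree, make the kinds of change an
	// intruder might make, rescan, and print the findings.
	root, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	must(os.WriteFile(filepath.Join(root, "passwd"), []byte("root:x:0:0:root:/root:/bin/sh\n"), 0o644))
	must(os.WriteFile(filepath.Join(root, "sshd_config"), []byte("PermitRootLogin no\n"), 0o600))
	before, err := Baseline(root)
	must(err)

	must(os.WriteFile(filepath.Join(root, "sshd_config"), []byte("PermitRootLogin yes\n"), 0o600)) // content tampered
	must(os.Chmod(filepath.Join(root, "passwd"), 0o666))                                            // made world-writable
	must(os.WriteFile(filepath.Join(root, "libevil.so"), []byte("\x7fELF..."), 0o755))             // dropped binary
	after, err := Baseline(root)
	must(err)

	for _, f := range Compare(before, after) {
		fmt.Printf("%-8s %s\n", f.Kind, f.Path)
	}
}
```

Two things a real deployment adds on top of this: the baseline must be stored where an attacker who already controls the host cannot rewrite it (off-host, or signed), and the monitored set must be scoped so that routine package updates do not bury the findings that matter.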
A server that is used to store files in a central location, usually to make them available to many users.
Malware that resides in a computer's memory instead of the file system. Because nothing is written to disk, file-based antivirus scanning and file integrity monitoring do not see it; detection depends on memory and behavior analysis, such as watching for script hosts or system utilities spawned with unusual arguments.
An audit of an accounting system, accounting department processes, and procedures to determine whether business controls are sufficient to ensure the integrity of financial statements. See also audit.
Management for IT services that consists of several activities, including budgeting, capital investment, expense management, project accounting, and project ROI. See also IT service management (ITSM), return on investment (ROI).
A device that controls the flow of network messages between networks. Placed at the boundary between the Internet and an organization's internal network, firewalls enforce security policy by prohibiting all inbound traffic except for the specific few types of traffic that are permitted to a select few systems.
first in, first out (FIFO)
A backup media rotation scheme where the oldest backup volumes are used next. See also backup media rotation.
An audit that is performed in support of an anticipated or active legal proceeding. See also audit.
The application of procedures and tools during an investigation of a computer or network-related event.
The intentional deception made for personal gain or for damage to another party.
An examination of a process or system to determine differences between its existing state and a desired future state.
general computing controls (GCCs)
Controls that are general in nature and implemented across most or all information systems and applications.
general data protection regulation (GDPR)
The European Union regulation, which took effect in May 2018, that governs the processing of personal data and protects the privacy of individuals in the EU.
Management's control over policy and processes.
governance, risk, and compliance (GRC) tool
A software program used to track key aspects of an organization's information risk program.
A hierarchical backup media rotation scheme that provides for longer retention of some backups.
Someone who interferes with or accesses another's computer without authorization.
hard disk drive (HDD)
A storage device using magnetic storage on rapidly rotating disks.
The technique of configuring a system so that only its essential services and features are active and all others are deactivated. This helps to reduce the attack surface of a system to only its essential components.
A document that describes the security configuration details of a system, or class of systems. See also configuration standard, hardening.
Tools and processes used to continuously observe the health, performance, and capacity of one or more computers.
A one-way cryptographic function that takes a block of data of any length and returns a fixed-length value (the digest). Any change to the input produces a different digest, so hashes are used to verify the integrity of a message or file; a cryptographic hash must also make it infeasible to find two inputs with the same digest.
Health Insurance Portability and Accountability Act (HIPAA)
A U.S. law requiring the enactment of controls to protect electronic protected health information (EPHI).
A healthcare control framework and certification that serves as an external attestation of an organization's IT controls.
host-based intrusion detection system (HIDS)
An intrusion detection system (IDS) that is installed on a system and watches for anomalies that could be signs of intrusion. See also intrusion detection system (IDS).
An alternate processing center where backup systems are already running and in some state of near-readiness to assume production workload. The systems at a hot site most likely have application software and database management software already loaded and running, perhaps even at the same patch levels as the systems in the primary processing center.
human resources (HR)
The department in most organizations that is responsible for employee onboarding, offboarding, internal transfers, training, and signing important documents such as security policy.
human resource information system (HRIS)
An information system used to manage information about an organization's workforce.
human resource management (HRM or HR)
Activities regarding the acquisition, onboarding, support, and termination of workers in an organization.
A cryptosystem that combines two or more types of cryptography, most commonly public key cryptography to establish or transport a symmetric key and a symmetric algorithm to encrypt the bulk data, as TLS does.
Hypertext Transfer Protocol (HTTP)
An application layer protocol in the TCP/IP suite used to transmit web page contents from web servers to users' web browsers.
Hypertext Transfer Protocol Secure (HTTPS)
An application layer protocol in the TCP/IP suite that, like HTTP, transports data between web servers and browsers. HTTPS is not a separate protocol but HTTP carried inside an encrypted SSL or TLS session. All versions of SSL, and TLS 1.0 and 1.1, are deprecated; current HTTPS should use TLS 1.2 or 1.3. See also Hypertext Transfer Protocol (HTTP), Secure Sockets Layer (SSL), Transport Layer Security (TLS).
Virtualization software that facilitates the operation of one or more virtual machines.
identity and access management (IAM)
The activities and supporting systems that are used to manage workers' identities and their access to information systems and data.
The activity of managing the identity of each employee, contractor, temporary worker, and, optionally, customer, for use in a single environment or multiple environments.
A binary representation of a fully installed and configured operating system and applications for a server or an end user's computer.
The actual or expected result from some action such as a threat or disaster.
The analysis of a threat and the impact it would have if it were realized.
Any event that is not part of the standard operation of a service and that causes, or may cause, interruption to or a reduction in the quality of that service.
The process of determining that a security incident is taking place so that incident responders can begin the task of managing it.
incident management (ITSM)
The IT function that analyzes service outages, service slowdowns, security incidents, and software bugs, and seeks to resolve them to restore normal service. See also IT service management (ITSM), security incident management.
Proactive steps taken to reduce the probability or impact of security incidents.
A worker in an organization who has responsibility for responding to a security incident.
incident response retainer
A legal agreement between an organization and a security professional services firm that arranges for the security firm to render assistance to the organization in the event of a security incident.
incident response team (IRT)
Personnel who are trained in incident response techniques.
indicator of compromise (IoC)
An observation on a network or in an operating system that indicates evidence of a network or computer intrusion.
industrial control system (ICS)
A control system used to monitor and manage physical machinery in an industrial environment. See also supervisory control and data acquisition (SCADA).
The process of assigning a sensitivity classification to an information asset.
Paraphrased from the ISACA Risk IT Framework: the business risk associated with the use, ownership, operation, involvement, influence, and adoption of information within an enterprise.
information security management
The aggregation of policies, processes, procedures, and activities to ensure that an organization's security policy is effective.
Information Security Management System (ISMS)
The collection of activities for managing information security in an organization, as defined by ISO/IEC 27001.
information security policy
A statement that defines how an organization will classify and protect its important assets.
The collection of networks, network services, devices, facilities, and system software that facilitates access to, communications with, and protection of business applications.
A cloud computing model where a service provider makes computers and other infrastructure components available to subscribers. See also cloud computing.
The risk that there are material weaknesses in existing business processes and no compensating controls to detect or prevent them.
initialization vector (IV)
A value, supplied alongside the key, that some encryption modes need to begin encrypting. It does not have to be secret, but it must never be reused with the same key: CBC needs an unpredictable (random) IV, and counter-based modes such as CTR and GCM need a nonce that is unique per message, otherwise the same keystream is reused and the plaintexts leak.
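Added example, not part of the original glossary: Go code (standard library only) showing what goes wrong when the IV is fixed in CBC mode and when the nonce is reused in CTR mode. The key, the plaintexts and the all-zero IV are constructed for the demonstration; RandomIV shows the correct way to obtain one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pkcs7 pads to a whole number of AES blocks, as CBC requires.
func pkcs7(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBC encrypts with AES-CBC under the IV the caller supplies; the IV is
// deliberately a parameter so that a fixed and a random IV can be compared.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptCTR encrypts with AES-CTR; here the IV is a nonce, and reusing it
// means the same keystream is XORed into two different messages.
func EncryptCTR(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(out, plaintext)
	return out, nil
}

// RandomIV returns a fresh IV/nonce from the OS CSPRNG, which is the correct source.
func RandomIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// XOR of two equal-length byte strings, used to show keystream reuse.
func XOR(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit key for the demo only
	fixedIV := make([]byte, aes.BlockSize)             // all zeros: the "fixed IV" mistake

	// 1. CBC with a fixed IV is deterministic: equal plaintexts give equal
	//    ciphertexts, and a shared 16-byte prefix gives a shared first block.
	p1 := []byte("ACCOUNT=1234 AMOUNT=100.00 TO=alice")
	p2 := []byte("ACCOUNT=1234 AMOUNT=999.99 TO=mallory")
	c1, _ := EncryptCBC(key, fixedIV, p1)
	c2, _ := EncryptCBC(key, fixedIV, p2)
	fmt.Println("fixed IV, first ciphertext blocks equal:", bytes.Equal(c1[:16], c2[:16]))
	r1, _ := EncryptCBC(key, RandomIV(), p1)
	r2, _ := EncryptCBC(key, RandomIV(), p1)
	fmt.Println("random IV, same plaintext, ciphertexts equal:", bytes.Equal(r1, r2))

	// 2. CTR with a reused nonce: c1 XOR c2 == p1 XOR p2, so knowing one
	//    plaintext reveals the other without the key.
	nonce := RandomIV()
	k1, _ := EncryptCTR(key, nonce, p1)
	k2, _ := EncryptCTR(key, nonce, p2[:len(p1)])
	recovered := XOR(XOR(k1, k2), p1) // the attacker knows p1
	fmt.Printf("recovered from nonce reuse: %q\n", recovered)
}
```

The CBC leak is a loss of semantic security (an observer learns which records share a prefix, and which are identical); the CTR leak is outright plaintext recovery. Authenticated modes such as GCM have the same nonce-reuse failure plus forgery of the authentication tag, which is why TLS 1.3 and similar protocols derive nonces from a counter that can never repeat under one key.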
Any scenario where an employee or contractor knowingly, or unknowingly, commits acts that result in security incidents or breaches.
An audit that combines an operational audit and a financial audit. See also operational audit, financial audit.
integrated development environment (IDE)
A software application that facilitates the writing, updating, testing, and debugging of application source code.
A class of assets owned by an organization that includes its designs, architectures, software source code, processes, and procedures.
A formal audit of an organizations controls, processes, or systems, which is carried out by personnel who are part of the organization. See also audit.
internal audit (IA)
The name of an organization's internal department that performs audits.
The interconnection of the world's TCP/IP networks.
The practice of security awareness while accessing the Internet with a computer or mobile device to reduce the possibility of attack.
intrusion detection system (IDS)
A hardware or software system that detects anomalies that may be signs of an intrusion.
intrusion kill chain
The computer intrusion model developed by Lockheed Martin that depicts the phases of a typical targeted intrusion: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Defenders use it to map detections and controls to each phase, since disrupting any one link breaks the attack.
intrusion prevention system (IPS)
A hardware or software system that detects and blocks network traffic that may be a sign of an intrusion. Because an IPS sits inline, a false positive blocks legitimate traffic, so its rules need closer tuning than those of an IDS.
Any technique used by an organization to actively monitor activities within a third party's IT environment.
An audit of an IS departments operations and systems. See also audit.
Formerly the Information Systems Audit and Control Association, now known simply as ISACA. A global organization that develops and administers numerous certifications, including Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and Certified in the Governance of Enterprise IT (CGEIT).
ISACA audit standards
The minimum standards of performance related to security, audits, and the actions that result from audits. The standards are published by ISACA and updated periodically. ISACA audit standards are mandatory for ISACA members and holders of ISACA certifications.
ISAE 3402 (International Standard on Assurance Engagements 3402)
An external audit of a service provider. An ISAE 3402 audit is performed according to rules established by the International Auditing and Assurance Standards Board (IAASB).
An ISO/IEC standard for IT service management (ITSM).
An ISO/IEC standard for IT security management.
An ISO/IEC standard for IT security controls.
IT Infrastructure Library (ITIL)
See IT service management (ITSM).
IT service management (ITSM)
The set of activities that ensures the delivery of IT services is efficient and effective, through active management and the continuous improvement of processes.
A written description of a job in an organization. A job description usually contains a job title, work experience requirements, knowledge requirements, and responsibilities.
A sampling technique where items are chosen based upon the auditors judgment, usually based on risk or materiality. See also sampling.
Any unauthorized disclosure or damage to an encryption key. See also key management.
The policies, processes, and procedures regarding the management of keys. See also key management.
The process of decommissioning encryption keys. See also key management.
key encrypting key
An encryption key that is used to encrypt another encryption key.
A technique that is used by two parties to establish a symmetric encryption key when no secure channel is available.
A short sequence of characters that is used to authenticate a public key.
The initial generation of an encryption key. See also key management.
key goal indicator (KGI)
Measure of progress in the attainment of strategic goals in the organization.
The size (measured in bits) of an encryption key. Each additional bit doubles the work of a brute-force search, so longer keys mean greater effort to successfully attack a cryptosystem. Key sizes are only comparable within one algorithm family: a 2048-bit RSA key offers roughly the strength of a 112-bit symmetric key, not of a 2048-bit one.
A hardware device or a type of malware that records a user's keystrokes and, optionally, mouse movements and clicks, and sends this data to the key logger's owner.
The various processes and procedures used by an organization to generate, protect, use, and dispose of encryption keys over their lifetime.
key performance indicator (KPI)
Measure of business process performance and quality, used to reveal trends related to efficiency and effectiveness of key processes in the organization.
All means used to protect encryption keys from unauthorized disclosure and harm. See also key management.
key risk indicator (KRI)
Measure of information risk, used to reveal trends related to levels of risk of security incidents in the organization.
The process of issuing a new encryption key and re-encrypting, under the new key, the data that was protected with the old one. See also key management.
A portable computer used by an individual user.
last in, first out (LIFO)
A backup media rotation scheme where the newest backup volumes are used next. See also backup media rotation.
learning management system (LMS)
An on-premises or cloud-based system that makes online training and testing facilities available to an organization's personnel. Some LMSs automatically maintain records of training enrollment, test scores, and training completion.
The concept where an individual user should have the lowest privilege possible that will still enable them to perform their tasks.
Lightweight Directory Access Protocol (LDAP)
An application layer protocol in the TCP/IP suite used to query and update a directory service of people and computing resources.
The process of combining log data from many devices in order to discern patterns that may be indicators of operational problems or compromise.
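Added example, not from the original page: a Go program that normalises two constructed log formats (Linux sshd, and a hypothetical VPN gateway whose format is invented here) into one event type and correlates by source address across hosts. The sample lines, host names, users and addresses, and the rule of three failures in five minutes followed by a success are assumptions chosen to show the point: no single host sees enough failures to alert on its own, but the combined stream does.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Event is the normalised record every log source is mapped into before
// correlation; the rules work on these fields, never on raw text.
type Event struct {
	Time    time.Time
	Host    string
	SrcIP   string
	User    string
	Success bool
}

// Two constructed line formats: Linux sshd and a hypothetical VPN gateway.
var (
	sshdRe = regexp.MustCompile(`^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+`)
	vpnRe  = regexp.MustCompile(`^(\S+) (\S+) vpn: auth (ok|fail) user=(\S+) src=(\S+)`)
)

// ParseLine normalises one line from either source; unknown lines are skipped.
func ParseLine(line string) (Event, bool) {
	var m []string
	var success bool
	if m = sshdRe.FindStringSubmatch(line); m != nil {
		success = m[3] == "Accepted"
	} else if m = vpnRe.FindStringSubmatch(line); m != nil {
		success = m[3] == "ok"
	} else {
		return Event{}, false
	}
	t, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{Time: t, Host: m[2], User: m[4], SrcIP: m[5], Success: success}, true
}

// Alert: one source IP failed at least threshold times (on any host, in any
// source) within window and then authenticated successfully.
type Alert struct {
	SrcIP    string
	User     string
	Host     string
	Failures int
}

// Correlate orders events by time and tracks failures per source IP across all
// hosts, which is the view no single host's log can provide.
func Correlate(events []Event, threshold int, window time.Duration) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	recent := map[string][]time.Time{}
	var alerts []Alert
	for _, e := range events {
		fails := recent[e.SrcIP]
		for len(fails) > 0 && e.Time.Sub(fails[0]) > window { // expire failures outside the window
			fails = fails[1:]
		}
		if !e.Success {
			recent[e.SrcIP] = append(fails, e.Time)
			continue
		}
		if len(fails) >= threshold {
			alerts = append(alerts, Alert{e.SrcIP, e.User, e.Host, len(fails)})
		}
		delete(recent, e.SrcIP) // a success ends the sequence
	}
	return alerts
}

// Constructed sample: four failures from 203.0.113.5 spread over two SSH hosts
// and the VPN, then a success; and one harmless typo from 198.51.100.7.
const sampleLog = `
2024-03-01T10:00:01Z web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
2024-03-01T10:00:04Z db1 sshd[2210]: Failed password for root from 203.0.113.5 port 41030 ssh2
2024-03-01T10:00:07Z gw0 vpn: auth fail user=bob src=203.0.113.5
2024-03-01T10:00:12Z web1 sshd[1207]: Failed password for bob from 203.0.113.5 port 41044 ssh2
2024-03-01T10:00:20Z web1 sshd[1209]: Accepted password for bob from 203.0.113.5 port 41050 ssh2
2024-03-01T10:05:00Z web1 sshd[1300]: Failed password for alice from 198.51.100.7 port 50010 ssh2
2024-03-01T10:05:03Z web1 sshd[1301]: Accepted password for alice from 198.51.100.7 port 50011 ssh2
`

// Run parses the sample and correlates with a 3-failure threshold in a 5-minute window.
func Run() []Alert {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(sampleLog), "\n") {
		if e, ok := ParseLine(line); ok {
			events = append(events, e)
		}
	}
	return Correlate(events, 3, 5*time.Minute)
}

func main() {
	for _, a := range Run() {
		fmt.Printf("ALERT %s: %d failed logins then success as %s on %s\n", a.SrcIP, a.Failures, a.User, a.Host)
	}
}
```

The prerequisite that makes this work is the same one a SIEM depends on: every source must carry a synchronised timestamp and a consistently formatted source address, or the sort and the per-address key silently fail.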
An examination of the event log in an information system, typically to see whether any security events or incidents have occurred. See also continuous log review.
A system or device to which event logs from other systems are sent for processing and storage. See also security information and event management (SIEM).
Malicious software that is embedded within another file such as a document or spreadsheet.
The broad class of programs that are designed to inflict harm on computers, networks, or information. Types of malware include viruses, worms, Trojan horses, spyware, and rootkits.
A disaster that is directly or indirectly caused by human activity, through action or inaction. See also disaster.
managed security service provider (MSSP)
An organization that provides security monitoring and/or management services for customers.
A control that requires a human to operate it.
maximum tolerable downtime (MTD)
A theoretical time period, measured from the onset of a disaster, after which the organization's ongoing viability would be at risk.
maximum tolerable outage (MTO)
The maximum period of time that an organization can tolerate operating in recovery (or alternate processing) mode.
The result of a cryptographic hash function.
A standard that specifies the practices used by the IT organization.
A measurement of a periodic or ongoing activity, for the purpose of understanding the activity within the context of overall business operations.
A design characteristic of a network where each network node resides on its own segment, resulting in improved network security and efficiency.
A portable computer in the form of a smartphone, tablet computer, or wearable device.
A portable recovery center that can be delivered to almost any location in the world.
The continuous or regular evaluation of a system or control to determine its operation or effectiveness.
Authentication that requires two or more independent factors: something the user knows (a password or PIN), something the user has (a token, smart card, or digital certificate), or something the user is (a biometric). A user ID and password alone is a single factor, and two knowledge factors, such as a password plus a security question, do not make authentication multifactor.
A disaster that occurs in the natural world with little or no assistance from mankind. See also disaster.
A network diagnostic tool that collects all network metadata, which can be used for network diagnostic or security purposes.
network access control (NAC)
An approach for network authentication and access control that determines whether devices will be permitted to attach to a LAN or wireless LAN.
network anomaly detection
A technique used to identify network traffic that may be a part of an intrusion or other unwanted event.
network attached storage (NAS)
A stand-alone storage system that contains one or more virtual volumes. Servers access these volumes over the network using the Network File System (NFS) or Server Message Block/Common Internet File System (SMB/CIFS) protocols, common on Unix and Windows operating systems, respectively.
The practice of dividing a network into two or more zones, with protective measures such as firewalls between the zones.
A connection on a network router or switch to which a copy of all traffic passing through the device is sent, so that a monitoring system can inspect it. Also known as a SPAN (mirror) port. Strictly speaking, a hardware tap is a passive inline device that duplicates the signal, whereas a SPAN port is a switch feature that copies frames; a SPAN port can silently drop copies under heavy load, so it is a less reliable source of evidence than a tap.
A risk management methodology and controls framework developed by the U.S. National Institute of Standards and Technology (NIST).
NIST 800 Series
A collection of documents published by the U.S. National Institute of Standards and Technology (NIST), covering computer security guidelines, recommendations, and reference materials.
The property of digital signatures that makes it difficult or impossible for a party to later deny having sent a signed message, unless they can show that they lost control of their private signing key. Encryption by itself does not provide non-repudiation, and neither does a symmetric message authentication code, because every holder of the shared key could have produced the tag.
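Added example, not from the original page: Go code (standard library only) contrasting an Ed25519 signature with an HMAC over the same message envelope. The Message type, its JSON canonical form, and the sample values are assumptions made for the demo. The point shown is that the recipient of a MAC holds everything needed to forge a tag for any message, so a MAC cannot prove to a third party who sent it, whereas a signature binds the message to the holder of the private key alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Message is the signed envelope. Every field is covered by the signature,
// so neither the sender name nor the payload can be altered afterwards.
type Message struct {
	From    string `json:"from"`
	Nonce   string `json:"nonce"`
	Payload string `json:"payload"`
}

// canonical gives a deterministic byte encoding; Go's encoding/json emits
// struct fields in declaration order, which is sufficient here.
func canonical(m Message) []byte {
	b, err := json.Marshal(m)
	if err != nil {
		panic(err)
	}
	return b
}

// NewKeyPair generates an Ed25519 key pair from the OS CSPRNG.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Digital signature: only the private key holder can produce a valid one.
func SignMessage(priv ed25519.PrivateKey, m Message) []byte {
	return ed25519.Sign(priv, canonical(m))
}

func VerifyMessage(pub ed25519.PublicKey, m Message, sig []byte) bool {
	return ed25519.Verify(pub, canonical(m), sig)
}

// MAC: integrity and authenticity between two parties, but anyone holding the
// shared key, the recipient included, can produce a valid tag.
func TagMessage(key []byte, m Message) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(canonical(m))
	return h.Sum(nil)
}

func CheckTag(key []byte, m Message, tag []byte) bool {
	return hmac.Equal(TagMessage(key, m), tag)
}

// RecipientCanForgeMAC: with the shared key, the recipient mints a tag for a
// message the sender never sent, and it checks out. No third party can tell.
func RecipientCanForgeMAC(sharedKey []byte, forged Message) bool {
	return CheckTag(sharedKey, forged, TagMessage(sharedKey, forged))
}

// RecipientCanForgeSignature: the recipient has only the sender's public key;
// the best they can do is sign with a key of their own, which does not verify.
func RecipientCanForgeSignature(senderPub ed25519.PublicKey, forged Message) bool {
	_, recipientPriv := NewKeyPair()
	return VerifyMessage(senderPub, forged, SignMessage(recipientPriv, forged))
}

func main() {
	pub, priv := NewKeyPair()
	m := Message{From: "alice", Nonce: "8f3a", Payload: "pay bob 100"}
	sig := SignMessage(priv, m)
	fmt.Println("genuine signature verifies:", VerifyMessage(pub, m, sig))
	tampered := m
	tampered.Payload = "pay mallory 100000"
	fmt.Println("tampered payload verifies:", VerifyMessage(pub, tampered, sig))

	sharedKey := []byte("constructed-shared-key-for-demo!")
	fmt.Println("recipient can forge a MAC:", RecipientCanForgeMAC(sharedKey, tampered))
	fmt.Println("recipient can forge a signature:", RecipientCanForgeSignature(pub, tampered))
}
```

In practice the signature alone is not the whole story: non-repudiation also depends on the public key being bound to the signer's identity (a certificate issued under a PKI), on the private key being held where the signer cannot plausibly claim it leaked (a smart card or HSM), and on a trusted timestamp so that a later key compromise does not cast doubt on earlier signatures.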
North American Electric Reliability Corporation (NERC)
The organization that develops and enforces reliability and security standards for the bulk electric system in North America.
North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
The standards and requirements defined by NERC for protection of the electric power generation and transmission grid.
occupant emergency plan (OEP)
Activities required to safely care for occupants in a business location during a disaster. See also response document.
off-site media storage
The practice of storing media such as backup tapes at an off-site facility located away from the primary computing facility.
The process undertaken when an organization hires a new worker or when it begins a business relationship with a third party.
An audit of IS controls, security controls, or business controls to determine control existence and effectiveness. See also audit.
The risk of loss resulting from failed controls, processes, and systems; from internal and external events; and from other occurrences that affect business operations and threaten an organization's survival.
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE)
A qualitative risk analysis methodology developed at Carnegie Mellon University.
In the context of security information and event management (SIEM), this is the scripted, automated response that is automatically or manually triggered when specific events occur. See also security information and event management (SIEM).
A diagram that depicts the manager-subordinate relationships in an organization or in part of an organization.
out of band
Communication that takes place separately from the main communications channel, for example confirming a wire transfer by phone rather than by replying to the e-mail that requested it.
A form of sourcing where an employer will use contract employees to perform a function. The contract employees may be located on-site or off-site.
A person or group responsible for the management and/or operation of an asset.
A device, or a program that can be installed on a network-attached system, to capture network traffic.
An actual test of disaster recovery (DR) or business continuity response plans. The purpose of a parallel test is to evaluate the ability of personnel to follow directives in emergency response plans, to actually set up the DR business processing or data processing capability. In a parallel test, personnel operate recovery systems in parallel with production systems and compare the results between the two to determine the actual capabilities of the recovery systems.
An identifier that is created by a system manager or a user: a secret combination of letters, numbers, and other symbols that is known only to the user who uses it.
The characteristics required of user account passwords. For example, a password may not contain dictionary words and must contain uppercase letters, lowercase letters, numbers, and symbols.
The minimum and maximum number of characters permitted for a password that is associated with a computer account.
The process of changing a user account password and unlocking the user account so that the users use of the account may resume.
The act of reusing a prior password for a user account. Some information systems can prevent the use of prior passwords in case any were compromised with or without the users knowledge.
The process of identifying, analyzing, and applying patches (including security patches) to systems.
Payment Card Industry Data Security Standard (PCI DSS)
A security standard whose objective is the protection of cardholder data (primarily the card number) in storage, during processing, and in transit. The standard is maintained by the PCI Security Standards Council, a body founded by the major card brands: Visa, MasterCard, American Express, Discover, and JCB.
personally identifiable information (PII)
Information that can be used on its own, or combined with other information, to identify a specific person.
A social engineering attack on unsuspecting individuals where e-mail messages that resemble official communications entice victims to visit imposter web sites that contain malware or request credentials to sensitive or valuable assets. See also CEO fraud, spear phishing, whaling.
Controls that employ physical means.
An original message, file, or stream of data that can be read by anyone who has access to it.
A cloud computing delivery model where the service provider supplies the platform on which an organization can build and run software.
A procedure to be performed to accomplish some purpose.
A statement that specifies what must be done (or not done) in an organization. A policy usually defines who is responsible for monitoring and enforcing the policy.
A complete set of entities, transactions, or events that are the subject of an audit.
A label that designates a persons place or role in an organization.
An examination of business processes, controls, and records in anticipation of an upcoming audit. See also audit.
A control that is used to prevent unwanted events from happening.
The protection of personal information from unauthorized disclosure, use, and distribution.
A policy statement that defines how an organization will protect, manage, and handle private information.
A cloud infrastructure that is dedicated to a single organization.
private key cryptosystem
A cryptosystem that is based on a symmetric cryptographic algorithm.
The process of purchasing hardware, software, and services; also, the name of the department that performs this activity.
The chances that an event may occur.
The analysis of a threat and the probability of its realization.
An incident, often multiple incidents, that exhibits common symptoms and whose root cause is not known.
The IT function that analyzes chronic incidents and seeks to resolve them and also enacts proactive measures in an effort to avoid problems. See also IT service management (ITSM).
A written sequence of instructions used to complete a task.
A logical container in an operating system in which a program executes.
An organization of many large, complex activities; it can be thought of as a set of projects that work to fulfill one or more key business objectives or goals.
A formal definition of the objectives of a program, its main timelines, sources of funding, the names of its principal leaders and managers, and the business executives who are sponsoring the program.
The management of a group of projects that exist to fulfill a business goal or objective.
A coordinated and managed sequence of tasks that results in the realization of an objective or goal.
The activities that are used to control, measure, and manage the activities in a project.
The chart of tasks in a project, which also includes start and completion dates, resources required, and dependencies and relationships between tasks.
The activities that are related to the development and management of a project.
A device that is connected to a network in order to view network communications at a detailed level.
A cloud infrastructure used by multiple organizations.
public key infrastructure (PKI)
The set of roles, policies, and systems (certificate authorities, registration authorities, and repositories) used to issue, store, publish, and revoke digital certificates that bind public keys to identities.