ISACA CISA Glossary Exam 395 Questions with Verified Answers,100% CORRECT

Pages: 66
Uploaded on: 14-03-2024
Written in: 2023/2024

Acceptable use policy - CORRECT ANSWER A policy that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet.
Access control - CORRECT ANSWER The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises.
Access control list (ACL) - CORRECT ANSWER An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. Scope Note: Also referred to as access control tables.
Access path - CORRECT ANSWER The logical route that an end user takes to access computerized information. Scope Note: Typically includes a route through the operating system, telecommunications software, selected application software and the access control system.
Access rights - CORRECT ANSWER The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy.
Adware - CORRECT ANSWER A software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used. Scope Note: In most cases, this is done without any notification to the user or without the user's consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user's consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and it provides the user with a specific service.
Alternative routing - CORRECT ANSWER A service that allows the option of having an alternate route to complete a call when the marked destination is not available. Scope Note: In signaling, alternative routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signaling links or routes of that traffic stream.
Antivirus software - CORRECT ANSWER Application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done and to repair or quarantine files that have already been infected.
Application - CORRECT ANSWER A computer program or set of programs that performs the processing of records for a specific function. Scope Note: Contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort.
Application controls - CORRECT ANSWER The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved.
Application programming interface (API) - CORRECT ANSWER A set of routines, protocols and tools referred to as "building blocks" used in business application software development. Scope Note: A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system that applications need to specify, for example, when interfacing with the operating system (e.g., provided by Microsoft Windows, different versions of UNIX). A programmer utilizes these APIs in developing applications that can operate effectively and efficiently on the platform chosen.
Application software tracing and mapping - CORRECT ANSWER Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, control conditions and processing sequences. Scope Note: Both the command language or job control statements and programming language can be analyzed. This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons.
Asymmetric key (public key) - CORRECT ANSWER A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message. Scope Note: See Public key encryption.
Attribute sampling - CORRECT ANSWER An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size).
Audit evidence - CORRECT ANSWER The information used to support the audit opinion.
Audit objective - CORRECT ANSWER The specific goal(s) of an audit. Scope Note: These often center on substantiating the existence of internal controls to minimize business risk.
Audit plan - CORRECT ANSWER 1. A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion. Scope Note: Includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work. 2. A high-level description of the audit work to be performed in a certain period of time.
Audit program - CORRECT ANSWER A step-by-step set of audit procedures and instructions that should be performed to complete an audit.
Audit risk - CORRECT ANSWER The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred.
Audit trail - CORRECT ANSWER A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source.
Authentication - CORRECT ANSWER 1. The act of verifying identity (i.e., user, system). Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data. 2. The act of verifying the identity of a user and the user's eligibility to access computerized information. Scope Note: Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.
Backbone - CORRECT ANSWER The main communication channel of a digital network. The part of a network that handles the major traffic. Scope Note: Employs the highest-speed transmission paths in the network and may also run the longest distances. Smaller networks are attached to the backbone, and networks that connect directly to the end user or customer are called "access networks." A backbone can span a geographic area of any size from a single building to an office complex to an entire country. Or, it can be as small as a backplane in a single cabinet.
Backup - CORRECT ANSWER Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service.
Balanced scorecard (BSC) - CORRECT ANSWER Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that include traditional financial measures, but add customer, internal business process, and learning and growth perspectives.
Bandwidth - CORRECT ANSWER The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).
Batch control - CORRECT ANSWER Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage. Scope Note: There are two main forms of batch controls: sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed; and control total, which is a total of the values in selected fields within the transactions.
Batch processing - CORRECT ANSWER The processing of a group of transactions at the same time. Scope Note: Transactions are collected and processed against the master files at a specified time.
Baud rate - CORRECT ANSWER The rate of transmission for telecommunications data, expressed in bits per second (bps).
Benchmarking - CORRECT ANSWER A systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business. Scope Note: Examples include benchmarking of quality, logistic efficiency and various other metrics.
Biometrics - CORRECT ANSWER A security technique that verifies an individual's identity by analyzing a unique physical attribute, such as a handprint.
Black box testing - CORRECT ANSWER A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code internals.
Broadband - CORRECT ANSWER Multiple channels are formed by dividing the transmission medium into discrete frequency segments. Scope Note: Broadband generally requires the use of a modem.
Brouter - CORRECT ANSWER Device that performs the functions of both a bridge and a router. Scope Note: A brouter operates at both the data link and the network layers. It connects same data link type LAN segments as well as different data link ones, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a different data link type network based on the network protocol address. When connecting same data link type networks, it is as fast as a bridge and is able to connect different data link type networks.
Buffer - CORRECT ANSWER Memory reserved to temporarily hold data to offset differences between the operating speeds of different devices, such as a printer and a computer. Scope Note: In a program, buffers are reserved areas of random access memory (RAM) that hold data while they are being processed.
Bus configuration - CORRECT ANSWER All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes. Scope Note: This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a connector to make a longer cable for more computers to join the network. A repeater can also be used to extend a bus configuration.
Business case - CORRECT ANSWER Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle.
Business continuity plan (BCP) - CORRECT ANSWER A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems.
Business impact analysis (BIA) - CORRECT ANSWER A process to determine the impact of losing the support of any resource. Scope Note: The BIA assessment study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision.
Business process reengineering (BPR) - CORRECT ANSWER The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings.
Capability Maturity Model (CMM) - CORRECT ANSWER 1. Contains the essential elements of effective processes for one or more disciplines. Scope Note: It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness. 2. CMM for software, from the Software Engineering Institute (SEI), is a model used by many enterprises to identify best practices useful in helping them assess and increase the maturity of their software development processes. Scope Note: CMM ranks software development enterprises according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes and the standards for level five describe the most mature or quality processes. A maturity model that indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives. A collection of instructions that an enterprise can follow to gain better control over its software development process.
Capacity stress testing - CORRECT ANSWER Testing an application with large quantities of data to evaluate its performance during peak periods. Also called volume testing.
Card swipe - CORRECT ANSWER A physical control technique that uses a secured card or ID to gain access to a highly sensitive location. Scope Note: If built correctly, card swipes act as a preventive control over physical access to those sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs all card users who try to access the secured location. The card swipe device prevents unauthorized access and logs all attempts to enter the secured location.
Certificate (Certification) authority (CA) - CORRECT ANSWER A trusted third party that serves authentication infrastructures or enterprises and registers entities and issues them certificates.
Certificate revocation list (CRL) - CORRECT ANSWER An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility. Scope Note: The CRL details digital certificates that are no longer valid. The time gap between two updates is very critical and is also a risk in digital certificate verification.
Certification practice statement (CPS) - CORRECT ANSWER A detailed set of rules governing the certificate authority's operations. It provides an understanding of the value and trustworthiness of certificates issued by a given certificate authority (CA). Scope Note: In terms of the controls that an enterprise observes, the method it uses to validate the authenticity of certificate applicants and the CA's expectations of how its certificates may be used.
Chain of custody - CORRECT ANSWER A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law. Scope Note: Includes documentation as to who had access to the evidence and when, as well as the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence, so it cannot be changed, and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering.
Challenge/response token - CORRECT ANSWER A method of user authentication that is carried out through use of the Challenge Handshake Authentication Protocol (CHAP). Scope Note: When a user tries to log into the server using CHAP, the server sends the user a "challenge," which is a random value. The user enters a password, which is used as an encryption key to encrypt the "challenge" and return it to the server. The server is aware of the password. It, therefore, encrypts the "challenge" value and compares it with the value received from the user. If the values match, the user is authenticated. The challenge/response activity continues throughout the session and this protects the session from password sniffing attacks. In addition, CHAP is not vulnerable to "man-in-the-middle" attacks because the challenge value is a random value that changes on each access attempt.
Change management - CORRECT ANSWER A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or "soft" elements of change. Scope Note: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources (HR) policies and procedures, executive coaching, change leadership training, team building and communication planning and execution.
Check digit - CORRECT ANSWER A numeric value, which has been calculated mathematically, is added to data to ensure that original data have not been altered or that an incorrect, but valid, match has occurred. Scope Note: Check digit control is effective in detecting transposition and transcription errors.
Checkpoint restart procedures - CORRECT ANSWER A point in a routine at which sufficient information can be stored to permit restarting the computation from that point.
Checksum - CORRECT ANSWER A mathematical value that is assigned to a file and used to "test" the file at a later date to verify that the data contained in the file has not been maliciously changed. Scope Note: A cryptographic checksum is created by performing a complicated series of mathematical operations (known as a cryptographic algorithm) that translates the data in the file into a fixed string of digits called a hash value, which is then used as the checksum. Without knowing which cryptographic algorithm was used to create the hash value, it is highly unlikely that an unauthorized person would be able to change data without inadvertently changing the corresponding checksum. Cryptographic checksums are used in data transmission and data storage. Cryptographic checksums are also known as message authentication codes, integrity check-values, modification detection codes or message integrity codes.
Circuit-switched network - CORRECT ANSWER A data transmission service requiring the establishment of a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE. Scope Note: A circuit-switched data transmission service uses a connection network.
Circular routing - CORRECT ANSWER In open systems architecture, circular routing is the logical path of a message in a communication network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model.
Client-server - CORRECT ANSWER A group of computers connected by a communication network, in which the client is the requesting machine and the server is the supplying machine. Scope Note: Software is specialized at both ends. Processing may take place on either the client or the server, but it is transparent to the user.
Cluster controller - CORRECT ANSWER A communication terminal control hardware unit that controls a number of computer terminals. Scope Note: All messages are buffered by the controller and then transmitted to the receiver.
Coaxial cable - CORRECT ANSWER Composed of an insulated wire that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second wire. Scope Note: Has a greater transmission capacity than standard twisted-pair cables, but has a limited range of effective distance.
Cohesion - CORRECT ANSWER The extent to which a system unit (subroutine, program, module, component, subsystem) performs a single dedicated function. Scope Note: Generally, the more cohesive the unit, the easier it is to maintain and enhance a system because it is easier to determine where and how to apply a change.
Cold site - CORRECT ANSWER An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. Scope Note: The site is ready to receive the necessary replacement computer equipment in the event that the users have to move from their main computing location to the alternative computer facility.
Compensating control - CORRECT ANSWER An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions.
Completely connected (mesh) configuration - CORRECT ANSWER A network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks).
Completeness check - CORRECT ANSWER A procedure designed to ensure that no fields are missing from a record.
Compliance testing - CORRECT ANSWER Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period.
Comprehensive audit - CORRECT ANSWER An audit designed to determine the accuracy of financial records as well as to evaluate the internal controls of a function or department.
Computer emergency response team (CERT) - CORRECT ANSWER A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.
Computer forensics - CORRECT ANSWER The application of the scientific method to digital media to establish factual information for judicial review. Scope Note: This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communication and digital storage devices) in a way that is admissible as evidence in a court of law.
Computer sequence checking - CORRECT ANSWER Verifies that the control number follows sequentially and that any control numbers out of sequence are rejected or noted on an exception report for further research.
Computer-aided software engineering (CASE) - CORRECT ANSWER The use of software packages that aid in the development of all phases of an information system. Scope Note: System analysis, design, programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.
Computer-assisted audit technique (CAAT) - CORRECT ANSWER Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities.
Concurrency control - CORRECT ANSWER Refers to a class of controls used in a database management system (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serial and recoverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions.
Configuration management - CORRECT ANSWER The control of changes to a set of configuration items over a system life cycle.
Console log - CORRECT ANSWER An automated detail report of computer system activity.
Contingency planning - CORRECT ANSWER Process of developing advance arrangements and procedures that enable an enterprise to respond to an event that could occur by chance or unforeseen circumstances.
Continuity - CORRECT ANSWER Preventing, mitigating and recovering from disruption. Scope Note: The terms "business resumption planning," "disaster recovery planning" and "contingency planning" also may be used in this context; they all concentrate on the recovery aspects of continuity.
Continuous auditing approach - CORRECT ANSWER This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.
Continuous improvement - CORRECT ANSWER The goals of continuous improvement (Kaizen) include the elimination of waste, defined as "activities that add cost, but do not add value"; just-in-time (JIT) delivery; production load leveling of amounts and types; standardized work; paced moving lines; and right-sized equipment. Scope Note: A closer definition of the Japanese usage of Kaizen is "to take it apart and put it back together in a better way." What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes.
Control objective - CORRECT ANSWER A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.
Control practice - CORRECT ANSWER Key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business.
Control risk - CORRECT ANSWER The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. See Inherent risk.
Cookie - CORRECT ANSWER A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them. Scope Note: The first time a cookie is set, a user may be required to go through a registration process. Subsequent to this, whenever the cookie's message is sent to the server, a customized view based on that user's preferences can be produced. The browser's implementation of cookies has, however, brought several security concerns, allowing breaches of security and the theft of personal information (e.g., user passwords that validate the user identity and enable restricted web services).
Corporate governance - CORRECT ANSWER The system by which enterprises are directed and controlled. The board of directors is responsible for the governance of their enterprise. It consists of the leadership and organizational structures and processes that ensure the enterprise sustains and extends strategies and objectives.
Corrective control - CORRECT ANSWER Designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected.
Coupling - CORRECT ANSWER Measure of the interconnectivity among the structures of software programs. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data pass across the interface. Scope Note: In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand and maintain and is less prone to a ripple or domino effect caused when errors occur at one location and propagate through the system.
Critical infrastructure - CORRECT ANSWER Systems whose incapacity or destruction would have a debilitating effect on the economic security of an enterprise, community or nation.
Critical success factor (CSF) - CORRECT ANSWER The most important issue or action for management to achieve control over and within its IT processes.
Customer relationship management (CRM) - CORRECT ANSWER A way to identify, acquire and retain customers. CRM is also an industry term for software solutions that help an enterprise manage customer relationships in an organized manner.
Data custodian - CORRECT ANSWER The individual(s) and department(s) responsible for the storage and safeguarding of computerized data.
Data dictionary - CORRECT ANSWER A database that contains the name, type, range of values, source and authorization for access for each data element in a database. It also indicates which application programs use those data so that when a data structure is contemplated, a list of the affected programs can be generated. Scope Note: May be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database.
Data diddling - CORRECT ANSWER Changing data with malicious intent before or during input into the system.
Data Encryption Standard (DES) - CORRECT ANSWER An algorithm for encoding binary data. Scope Note: It is a secret key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES and its variants have been replaced by the Advanced Encryption Standard (AES).
Data leakage - CORRECT ANSWER Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes.
Data owner - CORRECT ANSWER The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data.
Data structure - CORRECT ANSWER The relationships among files in a database and among data items within each file.
Database - CORRECT ANSWER A stored collection of related data needed by enterprises and individuals to meet their information processing and retrieval requirements.
Database administrator (DBA) - CORRECT ANSWER An individual or department responsible for the security and information classification of the shared data stored in a database system. This responsibility includes the design, definition and maintenance of the database.
Database management system (DBMS) - CORRECT ANSWER A software system that controls the organization, storage and retrieval of data in a database.
Database replication - CORRECT ANSWER The process of creating and managing duplicate versions of a database. Scope Note: Replication not only copies a database but also synchronizes a set of replicas so that changes made to one replica are reflected in all of the others. The beauty of replication is that it enables many users to work with their own local copy of a database, but have the database updated as if they were working on a single centralized database. For database applications in which users are distributed widely geographically, replication is often the most efficient method of database access.
Data-oriented systems development - CORRECT ANSWER Focuses on providing ad hoc reporting for users by developing a suitable accessible database of information, and on providing usable data rather than a function.
Decentralization - CORRECT ANSWER The process of distributing computer processing to different locations within an enterprise.
Decision support systems (DSS) - CORRECT ANSWER An interactive system that provides the user with easy access to decision models and data, to support semistructured decision-making tasks.
Decryption - CORRECT ANSWER A technique used to recover the original plaintext from the ciphertext so that it is intelligible to the reader. Decryption is the reverse process of encryption.
Degauss - CORRECT ANSWER The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media. Scope Note: The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a very low residue of magnetic induction on the media. Degauss loosely means to erase.
Demodulation - CORRECT ANSWER The process of converting an analog telecommunications signal into a digital computer signal.
Dial-back - CORRECT ANSWER Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the caller is calling from a valid phone number or telecommunications channel. Dial-in access control - CORRECT ANSWER Prevents unauthorized access from remote users who attempt to access a secured environment. Ranges from a dial-back control to remote user authentication. Digital signature - CORRECT ANSWER A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and non-repudiation A digital signature is generated using the sender's private key or applying a one-way hash function. Disaster recovery plan (DRP) - CORRECT ANSWER A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster. Discovery sampling - CORRECT ANSWER A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population. Distributed data processing network - CORRECT ANSWER A system of computers connected together by a communication network. Scope Note: Each computer processes its data and the network supports the system as a whole. Such a network enhances communication among the linked computers and allows access to shared files. Diverse routing - CORRECT ANSWER The method of routing traffic through split cable facilities or duplicate cable facilities. Scope Note: This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. 
The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual entrance facilities. However, acquiring this type of access is time-consuming and costly. Most carriers provide facilities for alternate and diverse routing, although the majority of services are transmitted over terrestrial media. These cable facilities are usually located in the ground or basement. Ground-based facilities are at great risk due to the aging infrastructures of cities. In addition, cable-based facilities usually share room with mechanical and electrical systems that can impose great risk due to human error and disastrous events. Domain name system (DNS) poisoning - CORRECT ANSWER Corrupts the table of an Internet server's DNS, replacing an Internet address with the address of another vagrant or scoundrel address. Scope Note: If a web user looks for the page with that address, the request is redirected by the scoundrel entry in the table to a different address. Cache poisoning differs from another form of DNS poisoning in which the attacker spoofs valid e-mail accounts and floods the "in" boxes of administrative and technical contacts. Cache poisoning is related to URL poisoning or location poisoning, in which an Internet user behavior is tracked by adding an identification number to the location line of the browser that can be recorded as the user visits successive pages on the site. It is also called DNS cache poisoning or cache poisoning. Downtime report - CORRECT ANSWER A report that identifies the elapsed time when a computer is not operating correctly because of machine failure. 
Dry-pipe fire extinguisher system - CORRECT ANSWER Refers to a sprinkler system that does not have water in the pipes during idle usage, unlike a fully charged fire extinguisher system that has water in the pipes at all times. Scope Note: The dry-pipe system is activated at the time of the fire alarm and water is emitted to the pipes from a water reservoir for discharge to the location of the fire. Duplex routing - CORRECT ANSWER The method or communication mode of routing data over the communication network. Dynamic Host Configuration Protocol (DHCP) - CORRECT ANSWER A protocol used by networked computers (clients) to obtain IP addresses and other parameters such as the default gateway, subnet mask and IP addresses of domain name system (DNS) servers from a DHCP server. Scope Note: The DHCP server ensures that all IP addresses are unique (e.g., no IP address is assigned to a second client while the first client's assignment is valid [its lease has not expired]). Thus, IP address pool management is done by the server and not by a human network administrator. Echo checks - CORRECT ANSWER Detects line errors by retransmitting data back to the sending device for comparison with the original transmission. E-commerce - CORRECT ANSWER The processes by which enterprises conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology. Scope Note: E-commerce encompasses both business-to-business (B2B) and business-to-consumer (B2C) e-commerce models, but does not include existing non-Internet e-commerce methods based on private networks such as electronic data interchange (EDI) and Society for Worldwide Interbank Financial Telecommunication (SWIFT). Edit control - CORRECT ANSWER Detects errors in the input portion of information that is sent to the computer for processing. May be manual or automated and allow the user to edit data errors before processing. 
Editing - CORRECT ANSWER Ensures that data conform to predetermined criteria and enable early identification of potential errors. Electronic data interchange (EDI) - CORRECT ANSWER The electronic transmission of transactions (information) between two enterprises. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders. Electronic funds transfer (EFT) - CORRECT ANSWER The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another. Embedded audit module (EAM) - CORRECT ANSWER Integral part of an application system that is designed to identify and report specific transactions or other information based on pre-determined criteria. Identification of reportable items occurs as part of real-time processing. Reporting may be real-time online or may use store and forward methods. Also known as integrated test facility or continuous auditing module. Encapsulation (objects) - CORRECT ANSWER The technique used by layered protocols in which a lower-layer protocol accepts a message from a higher-layer protocol and places it in the data portion of a frame in the lower layer. Encryption - CORRECT ANSWER The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext). Encryption key - CORRECT ANSWER A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext. End-user computing - CORRECT ANSWER The ability of end users to design and implement their own information system utilizing computer software products. 
ERP (enterprise resource planning) system - CORRECT ANSWER A packaged business software system that allows an enterprise to automate and integrate the majority of its business processes, share common data and practices across the entire enterprise, and produce and access information in a real-time environment. Scope Note: Examples of ERP include SAP, Oracle Financials and J.D. Edwards. Escrow agent - CORRECT ANSWER A person, agency or enterprise that is authorized to act on behalf of another to create a legal relationship with a third party in regard to an escrow agreement; the custodian of an asset according to an escrow agreement. Scope Note: As it relates to a cryptographic key, an escrow agent is the agency or enterprise charged with the responsibility for safeguarding the key components of the unique key. Escrow agreement - CORRECT ANSWER A legal arrangement whereby an asset (often money, but sometimes other property such as art, a deed of title, web site, software source code or a cryptographic key) is delivered to a third party (called an escrow agent) to be held in trust or otherwise pending a contingency or the fulfillment of a condition or conditions in a contract. Scope Note: Upon the occurrence of the escrow agreement, the escrow agent will deliver the asset to the proper recipient; otherwise the escrow agent is bound by his/her fiduciary duty to maintain the escrow account. Source code escrow means deposit of the source code for the software into an account held by an escrow agent. Escrow is typically requested by a party licensing software (e.g., licensee or buyer), to ensure maintenance of the software. The software source code is released by the escrow agent to the licensee if the licensor (e.g., seller or contractor) files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement. 
Ethernet - CORRECT ANSWER A popular network protocol and cabling scheme that uses a bus topology and carrier sense multiple access/collision detection (CSSMMAA//CCDD)) to prevent network failures or collisions when two devices try to access the network at the same time Evidence - CORRECT ANSWER 1. Information that proves or disproves a stated issue Scope Note: 2. Information that an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support. Scope Note: Audit perspective. Exception reports - CORRECT ANSWER An exception report is generated by a program that identifies transactions or data that appear to be incorrect. Scope Note: Exception reports may be outside a predetermined range or may not conform to specified criteria. Executable code - CORRECT ANSWER The machine language code that is generally referred to as the object or load module. Expert system - CORRECT ANSWER The most prevalent type of computer system that arises from the research of artificial intelligence. Scope Note: An expert system has a built in hierarchy of rules, which are acquired from human experts in the appropriate field. Once input is provided, the system should be able to define the nature of the problem and provide recommendations to solve the problem. Exposure - CORRECT ANSWER The potential loss to an area due to the occurrence of an adverse event. eXtensible Markup Language (XML) - CORRECT ANSWER Promulgated through the World Wide Web Consortium, XML is a web-based application development technique that allows designers to create their own customized tags, thus, enabling the definition, transmission, validation and interpretation of data between applications and enterprises. 
Extranet - CORRECT ANSWER A private network that resides on the Internet and allows a company to securely share business information with customers, suppliers or other businesses as well as to execute electronic transactions. Scope Note: Different from an Intranet in that it is located beyond the company's firewall. Therefore, an extranet relies on the use of securely issued digital certificates (or alternative methods of user authentication) and encryption of messages. A virtual private network (VPN) and tunneling are often used to implement extranets, to ensure security and privacy. Fallback procedures - CORRECT ANSWER A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended. Scope Note: May involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation.. False authorization - CORRECT ANSWER Also called false acceptance, occurs when an unauthorized person is identified as an authorized person by the biometric system. False enrollment - CORRECT ANSWER Occurs when an unauthorized person manages to enroll into the biometric system. Scope Note: Enrollment is the initial process of acquiring a biometric feature and saving it as a personal reference on a smart card, a PC or in a central database. Fault tolerance - CORRECT ANSWER A system's level of resilience to seamlessly react to hardware and/or software failure Feasibility study - CORRECT ANSWER A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need. Fiber-optic cable - CORRECT ANSWER Glass fibers that transmit binary signals over a telecommunications network. 
Scope Note: Fiber-optic systems have low transmission losses as compared to twisted-pair cables. They do not radiate energy or conduct electricity. They are free from corruption and lightning-induced interference, and they reduce the risk of wiretaps. File allocation table (FAT) - CORRECT ANSWER A table used by the operating system to keep track of where every file is located on the disk. Scope Note: Since a file is often fragmented and thus subdivided into many sectors within the disk, the information stored in the FAT is used when loading or updating the contents of the file. File layout - CORRECT ANSWER Specifies the length of the file record and the sequence and size of its fields. Scope Note: Also will specify the type of data contained within each field; for example, alphanumeric, zoned decimal, packed and binary. File server - CORRECT ANSWER A high-capacity disk storage device or a computer that stores data centrally for network users and manages access to those data. Scope Note: File servers can be dedicated so that no process other than network management can be executed while the network is available; file servers can be non-dedicated so that standard user applications can run while the network is available. Financial audit - CORRECT ANSWER An audit designed to determine the accuracy of financial records and information. Firewall - CORRECT ANSWER A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet. Firmware - CORRECT ANSWER Memory chips with embedded program code that hold their content when power is turned off. Foreign key - CORRECT ANSWER A value that represents a reference to a tuple (a row in a table) containing the matching candidate key value. Scope Note: The problem of ensuring that the database does not include any invalid foreign key values is known as the referential integrity problem. 
The constraint that values of a given foreign key must match values of the corresponding candidate key is known as a referential constraint. The relation (table) that contains the foreign key is referred to as the referencing relation and the relation that contains the corresponding candidate key as the referenced relation or target relation. (In the relational theory it would be a candidate key, but in real database management systems (DBMSs) implementations it is always the primary key.) Format checking - CORRECT ANSWER The application of an edit, using a predefined field definition to a submitted information stream; a test to ensure that data conform to a predefined format. Frame relay - CORRECT ANSWER A packet-switched wide-area-network (WAN) technology that provides faster performance than older packet-switched WAN technologies. Scope Note: Best suited for data and image transfers. Because of its variable-length packet architecture, it is not the most efficient technology for real-time voice and video. In a frame-relay network, end nodes establish a connection via a permanent virtual circuit (PVC). Function point analysis - CORRECT ANSWER A technique used to determine the size of a development task, based on the number of function points. Scope Note: Function points are factors such as inputs, outputs, inquiries and logical internal sites. General computer control - CORRECT ANSWER A Control, other than an application control, that relates to the environment within which computer-based application systems are developed, maintained and operated, and that is therefore applicable to all applications. The objectives of general controls are to ensure the proper development and implementation of applications and the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. 
Examples of general controls include the development and implementation of an IS strategy and an IS security policy, the organization of IS staff to separate conflicting duties and planning for disaster prevention and recovery. Generalized audit software (GAS) - CORRECT ANSWER Multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting. Hacker - CORRECT ANSWER An individual who attempts to gain unauthorized access to a computer system. Handprint scanner - CORRECT ANSWER A biometric device that is used to authenticate a user through palm scans. Hardware - CORRECT ANSWER The physical components of a computer system. Hash total - CORRECT ANSWER The total of any numeric data field in a document or computer file. This total is checked against a control total of the same field to facilitate accuracy of processing. Help desk - CORRECT ANSWER A service offered via telephone/Internet by an enterprise to its clients or employees that provides information, assistance and troubleshooting advice regarding software, hardware or networks. Scope Note: A help desk is staffed by people who can either resolve the problem on their own or escalate the problem to specialized personnel. A help desk is often equipped with dedicated customer relationship management (CRM) software that logs the problems and tracks them until they are solved. Heuristic filter - CORRECT ANSWER A method often employed by antispam software to filter spam using criteria established in a centralized rule database. Scope Note: Every e-mail message is given a rank, based on its header and contents, which is then matched against preset thresholds. A message that surpasses the threshold will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient. 
Hexadecimal - CORRECT ANSWER A numbering system that uses a base of 16 and uses 16 digits: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E and F. Programmers use hexadecimal numbers as a convenient way of representing binary numbers. Hierarchical database - CORRECT ANSWER A database structured in a tree/root or parent/child relationship. Scope Note: Each parent can have many children, but each child may have only one parent. Hot site - CORRECT ANSWER A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster. Hypertext Markup Language (HTML) - CORRECT ANSWER A language designed for the creation of web pages with hypertext and other information to be displayed in a web browser; used to structure information-denoting certain text sure as headings, paragraphs, lists--and can be used to describe, to some degree, the appearance and semantics of a document. Image processing - CORRECT ANSWER The process of electronically inputting source documents by taking an image of the document, thereby eliminating the need for key entry. Impact assessment - CORRECT ANSWER A review of the possible consequences of a risk. Scope Note: See also Impact analysis. Impersonation - CORRECT ANSWER A security concept related to Windows NT that allows a server application to temporarily "be" the client in terms of access to secure objects. Scope Note: Impersonation has three possible levels: identification, letting the server inspect the client's identity; impersonation, letting the server act on behalf of the client; and delegation, the same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). Impersonation by imitating or copying the identification, behavior or actions of another may also be used in social engineering to obtain otherwise unauthorized physical access. 
Incident - CORRECT ANSWER Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service. Incident response - CORRECT ANSWER The response of an enterprise to a disaster or other significant event that may significantly affect the enterprise, its people, or its ability to function productively. An incident response may include evacuation of a facility, initiating a disaster recovery plan (DRP), performing damage assessment, and any other measures necessary to bring an enterprise to a more stable status. Incremental testing - CORRECT ANSWER Deliberately testing only the value-added functionality of a software component. Independence - CORRECT ANSWER 1. Self-governance. 2. Freedom from conflict of interest and undue influence. Scope Note: The IS auditor should be free to make his/her own decisions, not influenced by the enterprise being audited and its people (managers and employers). Indexed Sequential Access Method (ISAM) - CORRECT ANSWER A disk access method that stores data sequentially while also maintaining an index of key fields to all the records in the file for direct access capability. Indexed sequential file - CORRECT ANSWER A file format in which records are organized and can be accessed, according to a pre-established key that is part of the record. Information processing facility (IPF) - CORRECT ANSWER The computer room and support areas. Information security - CORRECT ANSWER Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability). 
Information security governance - CORRECT ANSWER The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly. Information systems (IS) - CORRECT ANSWER The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies. Scope Note: Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components. Inherent risk - CORRECT ANSWER 1. The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls). 2. The risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error. Scope Note: Audit perspective; also see Control risk. Inheritance (objects) - CORRECT ANSWER Database structures that have a strict hierarchy (no multiple inheritance). Inheritance can initiate other objects irrespective of the class hierarchy, thus there is no strict hierarchy of objects. Initial program load (IPL) - CORRECT ANSWER The initialization procedure that causes an operating system to be loaded into storage at the beginning of a workday or after a system malfunction. Input control - CORRECT ANSWER Techniques and procedures used to verify, validate and edit data to ensure that only correct data are entered into the computer. Instant messaging (IM) - CORRECT ANSWER An online mechanism or a form of real-time communication between two or more people based on typed text and multimedia data. 
Scope Note: Text is conveyed via computers or another electronic device (e.g., cellular phone or handheld device) connected over a network, such as the Internet. Integrated services digital network (ISDN) - CORRECT ANSWER A public end-to-end digital telecommunications network with signaling, switching and transport capabilities supporting a wide range of service accessed by standardized interfaces with integrated customer control. Scope Note: The standard allows transmission of digital voice, video and data over 64-Kpbs lines. Integrated test facilities (ITF) - CORRECT ANSWER A testing methodology in which test data are processed in production systems. Scope Note: The data usually represent a set of fictitious entities such as departments, customers or products. Output reports are verified to confirm the correctness of the processing. Integrity - CORRECT ANSWER Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. Interface testing - CORRECT ANSWER A testing technique that is used to evaluate output from one application while the information is sent as input to another application. Internal controls - CORRECT ANSWER The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. Internet Protocol (IP) packet spoofing - CORRECT ANSWER An attack using packets with the spoofed source Internet packet (IP) addresses. Scope Note: This technique exploits applications that use authentication based on IP addresses. This technique also may enable an unauthorized user to gain root access on the target system. Irregularity - CORRECT ANSWER Intentional violation of an established management policy or regulatory requirement. 
It may consist of deliberate misstatements or omission of information concerning the area under audit or the enterprise as a whole; gross negligence or unintentional illegal acts. IT governance framework - CORRECT ANSWER A model that integrates a set of guidelines, policies and methods that represent the organizational approach to IT governance. Scope Note: Per COBIT, IT governance is the responsibility of the board of directors and executive management. It is an integral part of institutional governance and consists of the leadership and organizational structures and processes that ensure that the enterprise's IT sustains and extends the enterprise's strategy and objectives. IT incident - CORRECT ANSWER Any event that is not part of the ordinary operation of a service that causes, or may cause, an interruption to, or a reduction in, the quality of that service. IT infrastructure - CORRECT ANSWER The set of hardware, software and facilities that integrates an enterprise's IT assets. Scope Note: Specifically, the equipment (including servers, routers, switches and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the enterprise's users. IT steering committee - CORRECT ANSWER An executive-management-level committee that assists in the delivery of the IT strategy, oversees day-to-day management of IT service delivery and IT projects, and focuses on implementation aspects. IT strategic plan - CORRECT ANSWER A long-term plan (i.e., three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise's strategic objectives (goals). IT strategy committee - CORRECT ANSWER A committee at the level of the board of directors to ensure that the board is involved in major IT matters and decisions. 
Scope Note: The committee is primarily accountable for managing the portfolios of IT-enabled investments, IT services and other IT resources. The committee is the owner of the portfolio. Judgment sampling - CORRECT ANSWER Any sample that is selected subjectively or in such a manner that the sample selection process is not random or the sampling results are not evaluated mathematically. Key goal indicator (KGI) - CORRECT ANSWER A measure that tells management, after the fact, whether an IT process has achieved its business requirements; usually expressed in terms of information criteria. Key management practice - CORRECT ANSWER Management practices that are required to successfully execute business processes. Key performance indicator (KPI) - CORRECT ANSWER A measure that determines how well the process is performing in enabling the goal to be reached. Scope Note: A lead indicator of whether a goal will likely be reached, and a good indicator of capabilities, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance. Leased line - CORRECT ANSWER A communication line permanently assigned to connect two points, as opposed to a dial-up line that is only available and open when a connection is made by dialing the target machine or network. Also known as a dedicated line. Librarian - CORRECT ANSWER The individual responsible for the safeguard and maintenance of all program and data files. Licensing agreement - CORRECT ANSWER A contract that establishes the terms and conditions under which a piece of software is being licensed (i.e., made legally available for use) from the software developer (owner) to the user. Life cycle - CORRECT ANSWER A series of stages that characterize the course of existence of an organizational investment (e.g., product, project, program). Limit check - CORRECT ANSWER Tests specified amount fields against stipulated high or low limits of acceptability. 
Scope Note: When both high and low values are used, the test may be called a range check. Local area network (LAN) - CORRECT ANSWER Communication network that serves several users within a specified geographic area. Scope Note: A personal computer LAN functions as a distributed processing system in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network. Log - CORRECT ANSWER To record details of information or events in an organized record-keeping system, usually sequenced in the order in which they occurred. Logical access controls - CORRECT ANSWER The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files. Magnetic card reader - CORRECT ANSWER Reads cards with a magnetic surface on which data can be stored and retrieved. Malware - CORRECT ANSWER Short for malicious software. Designed to infiltrate, damage or obtain information from a computer system without the owner's consent. Scope Note: Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. Spyware is generally used for marketing purposes and, as such, is not malicious, although it is generally unwanted. Spyware can, however, be used to gather information for identity theft or other clearly illicit purposes. Management information system (MIS) - CORRECT ANSWER An organized assembly of resources and procedures required to collect, process and distribute data for use in decision making. Mapping - CORRECT ANSWER Diagramming data that are to be exchanged electronically, including how they are to be used and what business management systems need them. See also Application Tracing and Mapping. Scope Note: Mapping is a preliminary step for developing an applications link. 
Masking - CORRECT ANSWER A computerized technique of blocking out the display of sensitive information, such as passwords, on a computer terminal or report. Master file - CORRECT ANSWER A file of semi permanent information that is used frequently for processing data or for more than one purpose. Materiality - CORRECT ANSWER
Institution
ISACA CISA Glossary
Course
ISACA CISA Glossary