Glossary of IT Terms |
|
Term |
Definition |
|
Abend |
An abnormal end to a
computer job; termination of a task prior to its
completion because of an error condition that cannot be
resolved by recovery facilities while the task is
executing |
|
Access control |
The process that
limits and controls access to resources of a computer
system; a logical or physical control designed to
protect against unauthorized entry or use. Access
control can be defined by the system (mandatory access
control, or MAC) or defined by the user who owns the
object (discretionary access control, or DAC). |
|
Access control table |
An internal
computerized table of access rules regarding the levels
of computer access permitted to logon IDs and computer
terminals |
|
Access method |
The technique used for
selecting records in a file, one at a time, for
processing, retrieval or storage. The access method is
related to, but distinct from, the file organization
that determines how the records are stored. |
|
Access path |
The logical route an
end user takes to access computerized information.
Typically, it includes a route through the operating
system, telecommunications software, selected
application software and the access control system. |
|
Access rights |
Also called
permissions or privileges, these are the rights granted
to users by the administrator or supervisor. Access
rights determine the actions users can perform (e.g.,
read, write, execute, create and delete) on files in
shared volumes or file shares on the server. |
|
Accountability |
The ability to map a
given activity or event back to the responsible party |
|
ACK (acknowledgement) |
A flag set in a packet
to indicate to the sender that the previous packet sent
was accepted correctly by the receiver without errors,
or that the receiver is now ready to accept a
transmission |
|
Active recovery site (mirrored) |
Recovery strategy that
involves two active sites, each capable of taking over
the other’s workload in the event of a disaster. Each
site will have enough idle processing power to restore
data from the other site and to accommodate the excess
workload in the event of a disaster. |
|
Active response |
A response in which
the system (automatically or in concert with the user)
blocks or otherwise affects the progress of a detected
attack. The response takes one of three forms--amending
the environment, collecting more information or striking
back against the user. |
|
Address |
The code used to
designate the location of a specific piece of data
within computer storage |
|
Address space |
The number of distinct
locations that may be referred to with the machine
address. For most binary machines, it is equal to 2^n,
where n is the number of bits in the machine address. |
|
Addressing |
The method used to
identify the location of a participant in a network.
Ideally, addressing specifies where the participant is
located rather than who they are (name) or how to get
there (routing). |
|
Adjusting period |
The calendar can
contain “real” accounting periods and/or adjusting
accounting periods. The “real” accounting periods must
not overlap, and cannot have any gaps between “real”
accounting periods. Adjusting accounting periods can
overlap with other accounting periods. For example, a
period called DEC-93 can be defined that includes
01-DEC-1993 through 31-DEC-1993. An adjusting period
called DEC31-93 can also be defined that includes only
one day: 31-DEC-1993 through 31-DEC-1993. |
|
Administrative controls |
The actions/controls
dealing with operational effectiveness, efficiency and
adherence to regulations and management policies |
|
Allocation entry |
A recurring journal
entry used to allocate revenues or costs. For example,
an allocation entry could be defined to allocate costs
to each department based on headcount. |
|
Alpha |
The use of alphabetic
characters or an alphabetic character string |
|
Analog |
A transmission signal
that varies continuously in amplitude and time and is
generated in wave formation.
Analog signals are used in
telecommunications. |
|
Anomaly |
Unusual or statistically rare |
|
Anomaly detection |
Detection on the basis
of whether the system activity matched that defined as
abnormal |
|
Anonymity |
The quality or state
of not being named or identified |
|
Anonymous File
Transfer Protocol (FTP) |
A method for
downloading public files using the File Transfer
Protocol (FTP). Anonymous FTP is called anonymous
because users do not need to identify themselves before
accessing files from a particular server. In general,
users enter the word anonymous when the host prompts for
a username; anything can be entered for the password,
such as the user's e-mail address or simply the word
guest. In many cases, an anonymous FTP site will not
even prompt users for a name and password. |
|
Antivirus software |
Applications that
detect, prevent and possibly remove all known viruses
from files located in a microcomputer hard drive |
|
Appearance |
The act of giving the
idea or impression of being or doing something |
|
Appearance of independence |
Behavior adequate to
meet the situations occurring during audit work
(interviews, meetings, reporting, etc.). The IS auditor
should be aware that appearance of independence depends
upon the perceptions of others and can be influenced by
improper actions or associations. |
|
Applet |
A program written in a
portable, platform-independent computer language, such
as Java. It is usually embedded in an HTML page and then
executed by a browser. Applets can only perform a
restricted set of operations, thus preventing, or at
least minimizing, the possible security compromise of
the host computers. |
|
Application |
A computer program or
set of programs that perform the processing of records
for a specific function |
|
Application acquisition review |
An evaluation of an
application system being acquired or evaluated, which
considers such matters as: appropriate controls are
designed into the system; the application will process
information in a complete, accurate and reliable manner;
the application will function as intended; the
application will function in compliance with any
applicable statutory provisions; the system is acquired
in compliance with the established system acquisition
process. |
|
Application controls |
Refer to the
transactions and data relating to each computer-based
application system and are therefore specific to each
such application. The objectives of application
controls, which may be manual, or programmed, are to
ensure the completeness and accuracy of the records and
the validity of the entries made therein resulting from
both manual and programmed processing. Examples of
application controls include data input validation,
agreement of batch totals and encryption of data
transmitted. |
|
Application development review |
An evaluation of an
application system under development which considers
matters such as: appropriate controls are designed into
the system; the application will process information in
a complete, accurate and reliable manner; the
application will function as intended; the application
will function in compliance with any applicable
statutory provisions; the system is developed in
compliance with the established systems development life
cycle process |
|
Application implementation review |
An evaluation of any
part of an implementation project (e.g., project
management, test plans, user acceptance testing
procedures) |
|
Application layer |
A layer within the
International Organization for Standardization
(ISO)/Open Systems Interconnection (OSI) model. It is
used in information transfers between users through
application programs and other devices. In this layer
various protocols are needed. Some of them are specific
to certain applications and others are more general for
network services. |
|
Application maintenance review |
An evaluation of any
part of a project to perform maintenance on an
application system (e.g., project management, test
plans, user acceptance testing procedures) |
|
Application program |
A program that
processes actions upon business data, such as data
entry, update or query. It contrasts with systems
program, such as an operating system or network control
program, and with utility programs, such as copy or
sort. |
|
Application programming |
The act or function of
developing and maintaining applications programs in
production |
|
Application programming interface (API) |
A set of routines,
protocols and tools referred to as "building blocks"
used in business application software development. A
good API makes it easier to develop a program by
providing all the building blocks related to functional
characteristics of an operating system, which
applications need to specify when, for example,
interfacing with an operating system (e.g., provided by
MS-Windows, different versions of UNIX). A programmer
would utilize these APIs in developing applications that
can operate effectively and efficiently on the platform
chosen. |
|
Application proxy |
A proxy service that
connects programs running on internal networks to
services on exterior networks by creating two
connections, one from the requesting client and another
to the destination service |
|
Application security |
Refers to the security
aspects supported by the ERP, primarily with regard to
the roles or responsibilities and audit trails within
the applications |
|
Application software
tracing and mapping |
Specialized tools that
can be used to analyze the flow of data, through the
processing logic of the application software, and
document the logic, paths, control conditions and
processing sequences. Both the command language or job
control statements and programming language can be
analyzed. This technique includes program/system:
mapping, tracing, snapshots, parallel simulations and
code comparisons. |
|
Application system |
An integrated set of
computer programs designed to serve a particular
function that has specific input, processing and output
activities (e.g., general ledger, manufacturing resource
planning, human resource management) |
|
Arithmetic-logic unit (ALU) |
The area of the
central processing unit that performs mathematical and
analytical operations |
|
Artificial intelligence |
Advanced computer
systems that can simulate human capabilities, such as
analysis, based on a predetermined set of rules |
|
ASCII |
(American Standard
Code for Information Interchange)
An eight-digit/seven-bit code representing 128
characters; used in most small computers |
|
ASP/MSP (application
or managed service provider) |
A third party that
delivers and manages applications and computer services,
including security services to multiple users via the
Internet or a private network |
|
Assembler |
A program that takes
as input a program written in assembly language and
translates it into machine code or relocatable code |
|
Assembly language |
A low-level computer
programming language which uses symbolic code and
produces machine instructions |
|
Asymmetric key (public key) |
A cipher technique
whereby different cryptographic keys are used to encrypt
and decrypt a message (see public key cryptosystems) |
|
Asynchronous Transfer Mode (ATM) |
ATM is a
high-bandwidth low-delay switching and multiplexing
technology. It is a data link layer protocol. This means
that it is a protocol-independent transport mechanism.
ATM allows integration of real-time voice and video as
well as data. ATM allows very high speed data transfer
rates at up to 155 Mbit/s. |
|
Asynchronous transmission |
Character-at-a-time transmission |
|
Attest reporting engagement |
An engagement where an
IS auditor is engaged to examine either management’s
assertion regarding a particular subject matter or the
subject matter directly. The IS auditor’s report
consists of an opinion on one of the following:
* The subject matter. These reports relate directly to
the subject matter itself rather than an assertion. In
certain situations management will not be able to make
an assertion over the subject of the engagement. An
example of this situation is when IT services are
outsourced to a third party. Management will not
ordinarily be able to make an assertion over the
controls that the third party is responsible for. Hence,
an IS auditor would have to report directly on the
subject matter rather than an assertion.
* Management’s assertion about the effectiveness of the
control procedures
* Examination reporting engagement where the IS auditor
is engaged to issue an opinion on a particular subject
matter. These engagements can include reports on
controls implemented by management and on their
operating effectiveness |
|
Attitude |
Way of thinking,
behaving, feeling, etc. |
|
Attribute sampling |
An audit technique
used to select items from a population for audit testing
purposes based on selecting all those items that have
certain attributes or characteristics (such as all items
over a certain size) |
|
Audit |
The process of
generating, recording and reviewing a chronological
record of system events to ascertain their accuracy |
|
Audit accountability |
Performance
measurement of service delivery including cost,
timeliness and quality against agreed service levels |
|
Audit authority |
A statement of the
position within the organization, including lines of
reporting and the rights of access |
|
Audit charter |
A document which
defines the IS audit function's responsibility,
authority and accountability |
|
Audit evidence |
The information
systems auditor (IS auditor) gathers information in the
course of performing an IS audit. The information used
by the IS auditor to meet audit objectives is referred
to as audit evidence (evidence). Also used to describe
the level of risk that an auditor is prepared to accept
during an audit engagement. |
|
Audit expert systems |
Expert or decision
support systems that can be used to assist IS auditors
in the decision-making process by automating the
knowledge of experts in the field. This technique
includes automated risk analysis, systems software and
control objectives software packages. |
|
Audit objective |
The specific goal(s)
of an audit. These often center on substantiating the
existence of internal controls to minimize business
risk. |
|
Audit plan |
A high level
description of the audit work to be performed in a
certain period of time (ordinarily a year). It includes
the areas to be audited, the type of work planned, the
high level objectives and scope of the work, and topics
such as budget, resource allocation, schedule dates,
type of report and its intended audience and other
general aspects of the work. |
|
Audit program |
A series of steps to
complete an audit objective |
|
Audit responsibility |
The roles, scope and
objectives documented in the service level agreement
between management and audit |
|
Audit risk |
The risk of giving an
incorrect audit opinion |
|
Audit sampling |
The application of
audit procedures to less than 100 percent of the items
within a population to obtain audit evidence about a
particular characteristic of the population |
|
Audit trail |
A visible trail of
evidence enabling one to trace information contained in
statements or reports back to the original input source |
|
Auditability |
The level to which
transactions can be traced and audited through a system |
|
Authentication |
The act of verifying
the identity of a system entity (e.g., a user, a system,
a network node) and the entity’s eligibility to access
computerized information. Designed to protect against
fraudulent logon activity. Authentication can also refer
to the verification of the correctness of a piece of
data. |
|
Authorization |
The process of
determining what types of activities are permitted.
Ordinarily, authorisation is in the context of
authentication: once you have authenticated a user,
he/she may be authorised to perform different types of
access or activity |
|
Automated teller machine (ATM) |
A 24-hour, stand-alone
mini-bank, located outside branch bank offices or in
public places like shopping malls. Through ATMs, clients
can make deposits, withdrawals, account inquiries and
transfers. Typically, the ATM network is comprised of
two spheres: a proprietary sphere, in which the bank
manages the transactions of its clients, and the public
or shared domain, in which a client of one financial
institution can use another’s ATMs. |
|
Availability |
Availability relates
to information being available when required by the
business process now and in the future. It also concerns
the safeguarding of necessary resources and associated
capabilities. |
|
Backup |
Files, equipment, data
and procedures available for use in the event of a
failure or loss, if the originals are destroyed or out
of service |
|
Bandwidth |
The range between the
highest and lowest transmittable frequencies. It equates
to the transmission capacity of an electronic line and
is expressed in bytes per second or Hertz (cycles per
second). |
|
Bar code |
A printed
machine-readable code that consists of parallel bars of
varied width and spacing |
|
Base case |
A standardized body of
data created for testing purposes. Users normally
establish the data. Base cases validate production
application systems and test the ongoing accurate
operation of the system. |
|
Baseband |
A form of modulation
in which data signals are pulsed directly on the
transmission medium without frequency division and
usually utilize a transceiver. In baseband the entire
bandwidth of the transmission medium (e.g., coaxial
cable) is utilized for a single channel. |
|
Batch control |
Correctness checks
built into data processing systems and applied to
batches of input data, particularly in the data
preparation stage. There are two main forms of batch
controls: 1) sequence control, which involves numbering
the records in a batch consecutively so that the
presence of each record can be confirmed, and 2) control
total, which is a total of the values in selected fields
within the transactions. |
|
Batch processing |
The processing of a
group of transactions at the same time. Transactions are
collected and processed against the master files at a
specified time. |
|
Baud rate |
The rate of
transmission for telecommunication data. It is expressed
in bits per second (bps). |
|
Benchmark |
A test that has been
designed to evaluate the performance of a system. In a
benchmark test, a system is subjected to a known
workload and the performance of the system against this
workload is measured. Typically, the purpose is to
compare the measured performance with that of other
systems that have been subject to the same benchmark
test. |
|
Binary code |
A code whose
representation is limited to 0 and 1 |
|
Biometric locks |
Door and entry locks
that are activated by such biometric features as voice,
eye retina, fingerprint or signature |
|
Biometrics |
A security technique
that verifies an individual’s identity by analyzing a
unique physical attribute, such as a handprint |
|
Black box testing |
A testing approach
which focuses on the functionality of the application or
product and does not require knowledge of the code
intervals. |
|
Blackbox testing |
A testing approach
which focuses on the functionality of the application or
product and does not require knowledge of the code
intervals |
|
Border router |
See external router. |
|
Bridge |
A device that connects
two similar networks together |
|
Broadband |
In broadband, multiple
channels are formed by dividing the transmission medium
into discrete frequency segments.
It generally requires the use of a
modem. |
|
Brouters |
Devices that perform
the functions of both bridges and routers are called
brouters. Naturally, they operate at both the data link
and the network layers. A brouter connects same data
link type LAN segments as well as different data link
ones, which is a significant advantage. Like a bridge it
forwards packets based on the data link layer address to
a different network of the same type. Also, whenever
required, it processes and forwards messages to a
different data link type network based on the network
protocol address. When connecting same data link type
networks, they are as fast as bridges besides being able
to connect different data link type networks. |
|
Browser |
A computer program
that enables the user to retrieve information that has
been made publicly available on the Internet; also, that
permits multimedia (graphics) applications on the World
Wide Web |
|