Term
|
Definition
A policy that establishes an agreement between users and the organization and defines, for all parties, the ranges of use that are approved before access to a network or the Internet is granted. |
|
|
Term
|
Definition
Refers to the processes, rules and deployment mechanisms which control access to information systems, resources and physical access to premises. |
|
|
Term
Access Control List (ACL) |
Definition
An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. Scope Note: Access Control Lists are also referred to as access control tables. |
|
|
Term
|
Definition
The logical route an end user takes to access computerized information. Scope Note: Typically, an access path includes a route through the operating system, telecommunications software, selected application software and the access control system. |
|
|
Term
|
Definition
Permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy. |
|
|
Term
|
Definition
A service that allows the option of having an alternate route to complete a call when the marked destination is not available. Scope Note: In signaling, alternate routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signaling links or routes of that traffic stream. |
|
|
Term
|
Definition
Application software deployed at multiple points in an IT architecture, designed to detect and potentially eliminate virus code before damage is done and to repair or quarantine files that have already been infected. |
|
|
Term
|
Definition
A computer program or set of programs that perform the processing of records for a specific function. Scope Note: An application program contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort. |
|
|
Term
|
Definition
Manual or programmed activities intended to ensure the completeness and accuracy of records and the validity of the entries made in them, whether those entries result from manual or programmed processing. |
|
|
Term
Application Programming Interface (API) |
|
Definition
A set of routines, protocols and tools referred to as "building blocks" used in business application software development. Scope Note: A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system, which applications need to specify when, for example, interfacing with an operating system (e.g., provided by MS-Windows, different versions of UNIX). A programmer would utilize these APIs in developing applications that can operate effectively and efficiently on the platform chosen. |
|
|
Term
Arithmetic-Logic Unit (ALU) |
|
Definition
The area of the central processing unit that performs mathematical and analytical operations. |
|
|
Term
Asymmetric Key (Public Key) |
|
Definition
A technology for scrambling data content using one key for encryption and another for decryption. |
|
|
Term
|
Definition
An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size). |
|
|
Term
|
Definition
Information used to support the audit opinion. |
|
|
Term
|
Definition
The specific goal(s) of an audit. Scope Note: These often center on substantiating the existence of internal controls to minimize business risk. |
|
|
Term
|
Definition
1. A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion. Scope Note: The plan includes the areas to be audited, the type of work planned, the high level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work. 2. A high level description of the audit work to be performed in a certain period of time. |
|
|
Term
|
Definition
A step-by-step set of audit procedures and instructions that should be performed to complete an audit. |
|
|
Term
|
Definition
The probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred. |
|
|
Term
|
Definition
A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source. |
|
|
Term
|
Definition
The level to which transactions can be traced and audited through a system. |
|
|
Term
|
Definition
1. The act of verifying the identity of a user. Scope Note: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data. 2. The user's eligibility to access computerized information. |
|
|
Term
|
Definition
Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service. |
|
|
Term
Balanced Scorecard |
Definition
The balanced scorecard, developed by Robert S. Kaplan and David P. Norton, is a coherent set of performance measures organized into four categories. It includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives. |
|
|
Term
|
Definition
The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bits per second or Hertz (cycles per second). |
|
|
Term
|
Definition
Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage. Scope Note: There are two main forms of batch controls: sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed, and control total, which is a total of the values in selected fields within the transactions. |
|
|
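The two forms of batch control named in the scope note, sequence control and control total, implemented as an added example that is not part of this glossary. The transaction records, the declared record count and the declared control total are constructed for the illustration; a real batch header would carry the values counted at data preparation.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    seq: int          # consecutive number assigned during data preparation
    account: str
    amount: Decimal   # the field over which the control total is taken


def sequence_control(batch):
    """Return (missing, duplicated) sequence numbers.

    Records were numbered consecutively, so every number between the lowest
    and highest seen must appear exactly once: a gap means a record was
    dropped, a repeat means one was entered twice.
    """
    seen = sorted(t.seq for t in batch)
    if not seen:
        return [], []
    expected = set(range(seen[0], seen[-1] + 1))
    missing = sorted(expected - set(seen))
    duplicates = sorted({s for s in seen if seen.count(s) > 1})
    return missing, duplicates


def control_total(batch):
    """Control total: the sum of the selected amount field across the batch."""
    return sum((t.amount for t in batch), Decimal("0"))


def check_batch(batch, declared_count, declared_total):
    """Apply both controls; an empty dict means the batch reconciles."""
    findings = {}
    missing, duplicates = sequence_control(batch)
    if missing:
        findings["missing_sequence"] = missing
    if duplicates:
        findings["duplicate_sequence"] = duplicates
    if len(batch) != declared_count:
        findings["record_count"] = (declared_count, len(batch))
    total = control_total(batch)
    if total != declared_total:
        findings["control_total"] = (declared_total, total)
    return findings


# Constructed batch: four payments as keyed, with the header values
# (record count and amount total) computed at data preparation.
DECLARED_COUNT = 4
DECLARED_TOTAL = Decimal("1250.00")
GOOD_BATCH = [
    Txn(101, "ACC-001", Decimal("500.00")),
    Txn(102, "ACC-002", Decimal("250.00")),
    Txn(103, "ACC-003", Decimal("300.00")),
    Txn(104, "ACC-004", Decimal("200.00")),
]

# The same batch after record 103 was lost in transit and the amount of
# record 102 was keyed as 205.00 instead of 250.00 (a transposition).
BAD_BATCH = [
    Txn(101, "ACC-001", Decimal("500.00")),
    Txn(102, "ACC-002", Decimal("205.00")),
    Txn(104, "ACC-004", Decimal("200.00")),
]

if __name__ == "__main__":
    print("good batch:", check_batch(GOOD_BATCH, DECLARED_COUNT, DECLARED_TOTAL))  # {}
    print("bad batch: ", check_batch(BAD_BATCH, DECLARED_COUNT, DECLARED_TOTAL))
```

The sequence control catches the dropped record on its own; the control total catches the mis-keyed amount, which no count of records would reveal. Together with the record count they give three independent reconciliations of the same batch.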
Term
|
Definition
The processing of a group of transactions at the same time. Scope Note: Transactions are collected and processed against the master files at a specified time. |
|
|
Term
|
Definition
A test that has been designed to evaluate the performance of a system. In a benchmark test, a system is subjected to a known workload and the performance of the system against this workload is measured. Scope Note: Typically, the purpose is to compare the measured performance with that of other systems that have been subject to the same benchmark test. |
|
|
Term
|
Definition
A systematic approach to comparing an organization's performance against peers and competitors in an effort to learn the best ways of conducting business. Scope Note: Examples include: benchmarking of quality, logistical efficiency and various other metrics. |
|
|
Term
|
Definition
A security technique that verifies an individual's identity by analyzing a unique physical attribute, such as a handprint. |
|
|
Term
|
Definition
A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code internals. |
|
|
Term
|
Definition
Common path or channel between hardware devices. Scope Note: A bus can be between components internal to a computer or between external computers in a communications network. |
|
|
Term
|
Definition
All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes. Scope Note: This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a connector to make a longer cable for more computers to join the network. A repeater can also be used to extend a bus configuration. |
|
|
Term
|
Definition
Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed or not with the investment and as an operational tool to support management of the investment through its full economic life cycle. |
|
|
Term
Business Continuity Plan (BCP) |
|
Definition
Plan used by an organization to respond to disruption of critical business processes. It depends on the contingency plan for restoration of critical systems. |
|
|
Term
Business Impact Analysis (BIA) |
|
Definition
A process to determine the impact of losing the support of any resource. Scope Note: The business impact analysis assessment study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision. |
|
|
Term
Business Process Reengineering (BPR) |
|
Definition
The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings. |
|
|
Term
Bypass Label Processing (BLP) |
|
Definition
A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system. |
|
|
Term
Capability Maturity Model (CMM) |
|
Definition
Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness. |
|
|
Term
Certificate Authority (CA) |
|
Definition
A trusted third party that serves authentication infrastructures or organizations and registers entities and issues them certificates. |
|
|
Term
Certificate Revocation List (CRL) |
|
Definition
An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility. Scope Note: The CRL details digital certificates that are no longer valid. The time gap between two updates is critical and is also a risk in digital certificate verification. |
|
|
Term
Change Management |
Definition
A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or "soft" elements of change. Scope Note: Change management includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resource policies and procedures, executive coaching, change leadership training, team building and communications planning and execution. |
|
|
Term
|
Definition
A numeric value, calculated mathematically from the other digits of a data item and appended to it, used to detect that the original data have been altered or that an incorrect but otherwise plausible value has been entered. Scope Note: Check digit control is effective in detecting transposition and transcription errors. |
|
|
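A weighted modulus-11 check digit (the ISBN-10 scheme), written here as an added example that is not part of this glossary. It shows why the scope note can claim detection of transposition and transcription errors: 11 is prime and the weights 2 to 10 are all non-zero modulo 11, so every single-digit change and every adjacent swap alters the weighted sum modulo 11, and the function that searches for undetected errors returns nothing for any body of up to nine digits. The sample body 030640615 is used because its published ISBN-10 check digit is 2.

```python
def mod11_check_digit(body: str) -> str:
    """Weighted modulus-11 check digit: weights 2, 3, ... applied from the right.

    The digit makes the weighted sum plus the check digit divisible by 11.
    A remainder of 10 cannot be a single digit and is written as 'X'.
    Valid only for bodies of up to 9 digits: a tenth weight would be 11,
    which is 0 modulo 11 and would leave that position unprotected.
    """
    if not body.isdigit() or not 1 <= len(body) <= 9:
        raise ValueError("body must be 1 to 9 decimal digits")
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, len(body) + 2)))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def with_check_digit(body: str) -> str:
    return body + mod11_check_digit(body)


def is_valid(code: str) -> bool:
    """True if the last character is the correct check digit for the rest."""
    body, check = code[:-1], code[-1].upper()
    try:
        return mod11_check_digit(body) == check
    except ValueError:
        return False


def undetected_single_errors(body: str):
    """Transcription (one digit changed) and adjacent-transposition errors of
    `body` that would still pass is_valid. For modulus 11 the list is empty."""
    check = mod11_check_digit(body)
    survivors = []
    for i, original in enumerate(body):
        for d in "0123456789":
            candidate = body[:i] + d + body[i + 1:] + check
            if d != original and is_valid(candidate):
                survivors.append(candidate)
    for i in range(len(body) - 1):
        if body[i] != body[i + 1]:
            swapped = body[:i] + body[i + 1] + body[i] + body[i + 2:] + check
            if is_valid(swapped):
                survivors.append(swapped)
    return survivors


if __name__ == "__main__":
    print(with_check_digit("030640615"))          # 0306406152
    print(is_valid("3006406152"))                 # False: leading 0 and 3 transposed
    print(is_valid("0306406162"))                 # False: 5 mis-keyed as 6
    print(undetected_single_errors("030640615"))  # []
```

A plain modulus-10 scheme with alternating weights (the card-number check digit) misses the 09/90 transposition, which is why modulus 11 is preferred where the identifier length allows it; the search function above is a quick way to confirm that property for any scheme you are asked to audit.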
Term
|
Definition
Information generated by an encryption algorithm to protect the plaintext and is unintelligible to the unauthorized reader. |
|
|
Term
|
Definition
A group of computers connected by a communications network, where the client is the requesting machine and the server is the supplying machine. Scope Note: Software is specialized at both ends. Processing may take place on either the client or the server but it is transparent to the user. |
|
|
Term
|
Definition
An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. Scope Note: The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility. |
|
|
Term
|
Definition
An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions. |
|
|
Term
Completely Connected (Mesh) Configuration |
|
Definition
A network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks). |
|
|
Term
|
Definition
Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period. |
|
|
Term
Computer Emergency Response Team (CERT) |
|
Definition
A group of people within the organization, with clear lines of reporting and responsibilities, who provide standby support in case of an information systems emergency. This group acts as an efficient corrective control and should also act as a single point of contact for all incidents and issues related to information systems. |
|
|
Term
Computer-Aided Software Engineering (CASE) |
|
Definition
The use of software packages that aid in the development of all phases of an information system. Scope Note: System analysis, design programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access. |
|
|
Term
Computer-Assisted Audit Technique (CAATs) |
|
Definition
Any automated audit technique, such as generalized audit software, test data generators, computerized audit programs and specialized audit utilities. |
|
|
Term
|
Definition
Refers to a class of controls used in database management systems (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serial and recoverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions. |
|
|
Term
|
Definition
The control of changes to a set of configuration items over a system life cycle. |
|
|
Term
|
Definition
Process of developing advance arrangements and procedures that enable an organization to respond to an event that could occur by chance or unforeseen circumstances. |
|
|
Term
|
Definition
The goals of continuous improvement (Kaizen) include the elimination of waste, defined as "activities that add cost but do not add value;" just-in-time delivery; production load leveling of amounts and types; standardized work; paced moving lines; right-sized equipment. Scope Note: A closer definition of the Japanese usage of Kaizen is "to take it apart and put back together in a better way." What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes. |
|
|
Term
|
Definition
A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process. |
|
|
Term
|
Definition
Key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business. |
|
|
Term
|
Definition
The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls. (See also Inherent Risk) |
|
|
Term
Cookie |
Definition
A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them. Scope Note: The first time a cookie is set, a user may be required to go through a registration process. Subsequent to this, whenever the cookie's message is sent to the server, a customized view, based on that user's preferences, can be produced. The browser's implementation of cookies has, however, brought several security concerns, allowing breaches of security and the theft of personal information (e.g., user passwords that validate the user's identity and enable restricted web services). |
|
|
Term
|
Definition
Designed to correct errors, omissions and unauthorized uses and intrusions, once they are detected. |
|
|
Term
|
Definition
Committee of Sponsoring Organizations of the Treadway Commission. Scope Note: Its 1992 report "Internal Control--Integrated Framework" is an internationally accepted standard for corporate governance. See www.coso.org. |
|
|
Term
|
Definition
Systems whose incapacity or destruction would have a debilitating effect on the economic security of an organization, community or nation. |
|
|
Term
Critical Success Factors (CSFs) |
|
Definition
The most important issues or actions for management to achieve control over and within its IT processes. |
|
|
Term
Customer Relationship Management (CRM) |
|
Definition
A way to identify, acquire and retain customers. CRM is also an industry term for software solutions that help an organization manage customer relationships in an organized manner. |
|
|
Term
|
Definition
The transfer of data between separate computer processing sites/devices using telephone lines, microwave and/or satellite links. |
|
|
Term
|
Definition
Individuals and departments responsible for the storage and safeguarding of computerized data. |
|
|
Term
|
Definition
Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes. |
|
|
Term
|
Definition
Individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting and use of computerized data. |
|
|
Term
|
Definition
The relationships among files in a database and among data items within each file. |
|
|
Term
|
Definition
A stored collection of related data needed by organizations and individuals to meet their information processing and retrieval requirements. |
|
|
Term
Database Administrator (DBA) |
|
Definition
An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database. |
|
|
Term
Database Management System (DBMS) |
|
Definition
A software system that controls the organization, storage and retrieval of data in a database. |
|
|
Term
|
Definition
A technique used to recover the original plaintext from the ciphertext such that it is intelligible to the reader. The decryption is a reverse process of the encryption. |
|
|
Term
Degauss |
Definition
The application of variable levels of alternating current for the purpose of demagnetizing magnetic recording media. Scope Note: The process involves increasing the alternating current field gradually from zero to some maximum value and back to zero, leaving a very low residue of magnetic induction on the media. Degauss loosely means to erase. |
|
|
Term
|
Definition
A piece of information, a digitized form of signature, that provides sender authenticity, message integrity and non-repudiation. A digital signature is generated by applying a one-way hash function to the message and then transforming the resulting digest with the sender's private key; the recipient verifies it with the sender's public key. |
|
|
Term
|
Definition
Activities and programs designed to return the organization to an acceptable condition. The ability to respond to an interruption in services by implementing a disaster recovery plan to restore an organization's critical business functions. |
|
|
Term
|
Definition
A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster. |
|
|
Term
|
Definition
The length of time for which the business can accept the non-availability of IT facilities. |
|
|
Term
|
Definition
A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population. |
|
|
Term
|
Definition
A workstation or PC on a network that does not have its own disk, but instead, stores files on a network file server. |
|
|
Term
Domain Name System (DNS) Poisoning |
|
Definition
Corrupts the table of an Internet server's DNS, replacing a legitimate Internet address with a rogue address. Scope Note: If a Web user looks for the page with that address, the request is redirected by the rogue entry in the table to a different address. Cache poisoning differs from another form of DNS poisoning, in which the attacker spoofs valid e-mail accounts and floods the inboxes of administrative and technical contacts. Cache poisoning is related to URL poisoning or location poisoning, where an Internet user's behavior is tracked by adding an identification number to the location line of the browser that can be recorded as the user visits successive pages on the site. Also called DNS cache poisoning or cache poisoning. |
|
|
Term
|
Definition
The method or communication mode of routing data over the communication network (also see half duplex and full duplex). |
|
|
Term
E-commerce |
Definition
The processes by which organizations conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology. Scope Note: E-commerce encompasses both business-to-business (B2B) and business-to-consumer (B2C) e-commerce models, but does not include existing non-Internet e-commerce methods based on private networks such as EDI and SWIFT. |
|
|
Term
|
Definition
Detects errors in the input portion of information that is sent to the computer for processing. The controls may be manual or automated and allow the user to edit data errors before processing. |
|
|
Term
Electronic Data Interchange (EDI) |
|
Definition
The electronic transmission of transactions (information) between two organizations. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders. |
|
|
Term
Encapsulation |
Definition
Encapsulation is the technique used by layered protocols in which a lower layer protocol accepts a message from a higher layer protocol and places it in the data portion of a frame in the lower layer. |
|
|
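Encapsulation and its reverse for two constructed layers, an added example that is not part of this glossary: an application payload is placed in the data portion of a transport-style segment, and that whole segment in the data portion of a link-style frame. The header layouts, the type value 0x0801, the addresses and the CRC-32 trailer are invented for the illustration and do not match any real protocol; the point is that each layer treats the layer above as opaque bytes, and that decapsulation re-validates lengths and the trailer before trusting what it unwraps.

```python
import struct
import zlib

# Constructed header layouts (network byte order); not a real protocol.
FRAME_HDR = struct.Struct("!6s6sH")   # destination address, source address, type
SEG_HDR = struct.Struct("!HHH")       # source port, destination port, payload length
FCS = struct.Struct("!I")             # CRC-32 trailer over header plus data portion
TYPE_SEGMENT = 0x0801                 # constructed type value: "data portion holds a segment"


def encapsulate_segment(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """The upper-layer message becomes the data portion of a segment."""
    return SEG_HDR.pack(src_port, dst_port, len(payload)) + payload


def encapsulate_frame(dst: bytes, src: bytes, segment: bytes) -> bytes:
    """The whole segment, header included, becomes the data portion of a frame."""
    body = FRAME_HDR.pack(dst, src, TYPE_SEGMENT) + segment
    return body + FCS.pack(zlib.crc32(body))


def decapsulate_frame(frame: bytes):
    """Strip the frame layer; returns (dst, src, type, data portion)."""
    if len(frame) < FRAME_HDR.size + FCS.size:
        raise ValueError("frame shorter than header plus trailer")
    body, (fcs,) = frame[:-FCS.size], FCS.unpack(frame[-FCS.size:])
    if zlib.crc32(body) != fcs:
        raise ValueError("frame check sequence mismatch")
    dst, src, ftype = FRAME_HDR.unpack_from(body)
    return dst, src, ftype, body[FRAME_HDR.size:]


def decapsulate_segment(segment: bytes):
    """Strip the segment layer; returns (src_port, dst_port, payload)."""
    if len(segment) < SEG_HDR.size:
        raise ValueError("segment shorter than its header")
    src_port, dst_port, length = SEG_HDR.unpack_from(segment)
    payload = segment[SEG_HDR.size:]
    if len(payload) != length:
        raise ValueError("length field does not match the data portion")
    return src_port, dst_port, payload


def round_trip(payload: bytes) -> bytes:
    """Encapsulate through both layers and decapsulate again (constructed addresses)."""
    frame = encapsulate_frame(b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02",
                              encapsulate_segment(40000, 443, payload))
    _, _, ftype, data = decapsulate_frame(frame)
    if ftype != TYPE_SEGMENT:
        raise ValueError("unexpected upper-layer type")
    return decapsulate_segment(data)[2]


if __name__ == "__main__":
    print(round_trip(b"GET / HTTP/1.1\r\n"))   # b'GET / HTTP/1.1\r\n'
```

The length check in decapsulate_segment is the part worth copying: a receiver that trusts the inner length field over the bytes it actually holds is the classic source of over-reads when the outer layer has been truncated or padded.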
Term
|
Definition
The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext). |
|
|
Term
Enterprise Resource Planning (ERP) |
|
Definition
An integrated system containing multiple business subsystems. Scope Note: Examples of enterprise resource planning include SAP, Oracle Financials and J.D. Edwards. |
|
|
Term
Escrow |
Definition
A legal arrangement whereby an asset (often money, but sometimes other property such as art, a deed of title, web site, software source code or a cryptographic key) is delivered to a third party (called an escrow agent) to be held in trust or otherwise pending a contingency or the fulfillment of a condition or conditions in a contract. Scope Note: Upon the occurrence of the escrow agreement, the escrow agent will deliver the asset to the proper recipient; otherwise the escrow agent is bound by his/her fiduciary duty to maintain the escrow account. Source code escrow means deposit of the source code for the software into an account held by an escrow agent. Escrow is typically requested by a party licensing software (e.g., licensee or buyer), to ensure maintenance of the software. The software source code is released by the escrow agent to the licensee if the licensor (e.g., seller or contractor) files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement. |
|
|
Term
|
Definition
The information an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support. |
|
|
Term
|
Definition
The machine language code that is generally referred to as the object or load module. |
|
|
Term
|
Definition
The potential loss to an area due to the occurrence of an adverse event. |
|
|
Term
Extensible Markup Language (XML) |
|
Definition
Promulgated through the World Wide Web Consortium, XML is a web-based application development technique that allows designers to create their own customized tags, thus, enabling the definition, transmission, validation and interpretation of data between applications and organizations. |
|
|
Term
|
Definition
A system's level of resilience: its ability to continue operating seamlessly through hardware and/or software failure. |
|
|
Term
|
Definition
A phase of an SDLC methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need. |
|
|
Term
|
Definition
A system or combination of systems that enforces a boundary between two or more networks typically forming a barrier between a secure and an open environment such as the Internet. |
|
|
Term
|
Definition
Memory chips with embedded program code that hold their content when power is turned off. |
|
|
Term
Generalized Audit Software (GAS) |
|
Definition
Multipurpose audit software that can be used for general processes such as record selection, matching, recalculation and reporting. |
|
|
Term
|
Definition
The physical components of a computer system. |
|
|
Term
|
Definition
A service offered via phone/Internet by an organization to its clients or employees, which provides information, assistance and troubleshooting advice regarding software, hardware or networks. Scope Note: A help desk is staffed by people who can either resolve the problem on their own or escalate the problem to specialized personnel. A help desk is often equipped with dedicated CRM-type software that logs the problems and tracks them until they are solved. |
|
|
Term
|
Definition
A method often employed by antispam software to filter spam using criteria established in a centralized rule database. Scope Note: Every e-mail message is given a rank, based upon its header and contents, which is then matched against preset thresholds. A message that surpasses the threshold will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient. |
|
|
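The ranking-against-a-threshold mechanism in the scope note, as an added example that is not part of this glossary. The rule database, the scores, the threshold and the three messages are all constructed (addresses use the reserved .test domain); a shipping product would carry thousands of tuned rules, but the scoring loop is the same.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    score: float      # positive raises the spam rank, negative lowers it
    field: str        # "header" or "body"
    pattern: str      # regular expression; a leading (?i) makes a rule case-insensitive


# Constructed rule database standing in for the centralized one a product ships.
RULES = [
    Rule("SUBJECT_ALL_CAPS", 1.5, "header", r"^Subject:\s*[A-Z0-9 !$]{8,}$"),
    Rule("FROM_FREEMAIL", 1.0, "header", r"^From:.*@example-freemail\.test"),
    Rule("URGENT_MONEY", 2.0, "body", r"(?i)\b(urgent|act now)\b.*\b(wire|transfer|\$\d)"),
    Rule("RAW_IP_LINK", 1.5, "body", r"https?://\d{1,3}(\.\d{1,3}){3}"),
    Rule("HAS_UNSUBSCRIBE", -0.5, "body", r"(?i)\bunsubscribe\b"),
]
THRESHOLD = 3.0   # preset threshold; a rank at or above it is flagged as spam


def score_message(raw: str, rules=RULES):
    """Rank a message: headers end at the first blank line, the rest is the body."""
    header, _, body = raw.partition("\n\n")
    rank, hits = 0.0, []
    for rule in rules:
        text = header if rule.field == "header" else body
        if re.search(rule.pattern, text, re.MULTILINE):
            rank += rule.score
            hits.append(rule.name)
    return rank, hits


def classify(raw: str, threshold: float = THRESHOLD):
    """Return ('spam' or 'ham', rank, names of the rules that fired)."""
    rank, hits = score_message(raw)
    return ("spam" if rank >= threshold else "ham"), rank, hits


# Constructed messages.
SPAM = (
    "From: promo@example-freemail.test\n"
    "Subject: URGENT ACTION REQUIRED!\n"
    "\n"
    "Act now: wire $500 to http://203.0.113.9/claim before midnight.\n"
)
HAM = (
    "From: alice@example.test\n"
    "Subject: Lunch on Thursday?\n"
    "\n"
    "Can we move lunch to 12:30? Same place as last time.\n"
)
NEWSLETTER = (
    "From: news@example-freemail.test\n"
    "Subject: Weekly digest\n"
    "\n"
    "This week's digest. To unsubscribe, reply STOP.\n"
)

if __name__ == "__main__":
    for label, msg in (("spam", SPAM), ("ham", HAM), ("newsletter", NEWSLETTER)):
        print(label, classify(msg))
```

The newsletter case is the one that shows why the approach is a rank rather than a match: one positive rule fires, but a negative rule pulls the total back under the threshold, and lowering the threshold (classify(NEWSLETTER, threshold=0.5)) flips it to spam without any rule changing.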
Term
|
Definition
A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster. |
|
|
Term
Hypertext markup language (HTML) |
|
Definition
A language designed for the creation of web pages with hypertext and other information to be displayed in a web browser; used to structure information--denoting certain text as headings, paragraphs, lists and so on--and can be used to describe, to some degree, the appearance and semantics of a document. |
|
|
Term
|
Definition
A review of the possible consequences of a risk. |
|
|
Term
|
Definition
A series of unexpected events that involves an attack or series of attacks (compromise and/or breach of security) at one or more sites. |
|
|
Term
|
Definition
The response of an organization to a disaster or other significant event that may significantly affect the organization, its people, or its ability to function productively. An incident response may include evacuation of a facility, initiating a disaster recovery plan, performing damage assessment, and any other measures necessary to bring an organization to a more stable status. |
|
|
Term
|
Definition
1. Self-governance. 2. Freedom from conflict of interest and undue influence. Scope Note: The IS auditor should be free to make his/her own decisions, not influenced by the organization being audited and its people (managers and employees). |
|
|
Term
Information Processing Facility (IPF) |
|
Definition
The computer room and support areas. |
|
|
Term
|
Definition
Ensures that only authorized users (confidentiality) have access to accurate and complete information (integrity) when required (availability). |
|
|
Term
Information Security Governance |
|
Definition
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly. |
|
|
Term
|
Definition
The risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error (Also see control risk). |
|
|
Term
|
Definition
Techniques and procedures used to verify, validate and edit data, to ensure that only correct data are entered into the computer. |
|
|
Term
Instant Messaging |
Definition
Instant messaging is an online mechanism or a form of real-time communication between two or more people based on typed text and multimedia data. Scope Note: Instant messaging text is conveyed via computers or another electronic device (e.g., cell phone or PDA) connected over a network, such as the Internet. |
|
|
Term
|
Definition
The accuracy, completeness and validity of information. |
|
|
Term
|
Definition
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. |
|
|
Term
Internet Protocol (IP) Spoofing |
|
Definition
An attack using packets with forged (spoofed) source Internet Protocol (IP) addresses. Scope Note: This technique exploits applications that use authentication based on IP addresses. It also may enable an unauthorized user to gain root access on the target system. |
|
|
Term
|
Definition
Code of practice for quality management from the International Organization for Standardization (ISO). ISO 9001:2000 specifies requirements for a quality management system for any organization that needs to demonstrate its ability to consistently provide products or services that meet particular quality targets. |
|
|
Term
|
Definition
A model that integrates a set of guidelines, policies and methods that represent the organizational approach to IT governance. Scope Note: Per COBIT 4.0, IT governance is the responsibility of the board of directors and executive management. It is an integral part of institutional governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategy and objectives. |
|
|
Term
|
Definition
Any event that is not part of the ordinary operation of a service that causes, or may cause, an interruption to, or a reduction in, the quality of that service. |
|
|
Term
|
Definition
The set of hardware, software and facilities that integrates an organization's IT assets. Scope Note: Specifically, the equipment (including servers, routers, switches and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the organization's users. |
|
|
Term
|
Definition
A long-term plan, i.e., three- to five-year horizon, in which business and IT management cooperatively describe how IT resources will contribute to the enterprise's strategic objectives (goals). |
|
|
Term
|
Definition
Committee at the level of the board of directors to ensure the board is involved in major IT matters/decisions. Scope Note: The committee is primarily accountable for managing the portfolios of IT-enabled investments, IT services and other IT resources. The committee is the owner of the portfolio. |
|
|
Term
|
Definition
The UK Office of Government Commerce (OGC) IT Infrastructure Library. A set of guides on the management and provision of operational IT services. |
|
|
Term
|
Definition
Any sample that is selected subjectively or in such a manner that the sample selection process is not random or the sampling results are not evaluated mathematically. |
|
|
Term
Key Goal Indicators (KGIs) |
|
Definition
Key goal indicator; measures that tell management, after the fact, whether an IT process has achieved its business requirements, usually expressed in terms of information criteria. |
|
|
Term
|
Definition
Those management practices required to successfully execute business processes. |
|
|
Term
Key Performance Indicators (KPIs) |
|
Definition
Measures that determine how well the process is performing in enabling the goal to be reached. Scope Note: KPIs are lead indicators of whether a goal will likely be reached, and are good indicators of capabilities, practices and skills. They measure the activity goals, which are the actions the process owner must take to achieve effective process performance. |
|
|
Term
|
Definition
The individual responsible for the safeguard and maintenance of all program and data files. |
|
|
Term
|
Definition
A contract that establishes the terms and conditions under which a piece of software is being licensed (i.e., made legally available for use) from the software developer (owner) to the user. |
|
|
Term
|
Definition
A series of stages that characterize the course of existence of an organizational investment (e.g., product, project, program). |
|
|
Term
|
Definition
Tests of specified amount fields against stipulated high or low limits of acceptability. Scope Note: When both high and low values are used, the test may be called a range check. |
|
|
Term
|
Definition
Communications networks that serve several users within a specified geographical area. Scope Note: Personal computer LANs function as distributed processing systems in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network. |
|
|
Term
|
Definition
To record details of information or events in an organized record-keeping system, usually sequenced in the order they occurred. |
|
|
Term
|
Definition
Short for malicious software, malware is software designed to infiltrate, damage or obtain information from a computer system without the owner's consent. Scope Note: Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. Spyware is generally used for marketing purposes and, as such, is not really malicious, although it is generally unwanted. However, spyware can also be used to gather information for identity theft or other clearly illicit purposes. |
|
|
Term
|
Definition
Diagramming data that are to be exchanged electronically, including how they are to be used and what business management systems need them. Also see application tracing and mapping. Scope Note: Mapping is a preliminary step for developing an application's link. |
|
|
Term
|
Definition
An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. An expression of the relative significance or importance of a particular matter in the context of the organization as a whole. |
|
|
Term
|
Definition
In business, indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives. |
|
|
Term
|
Definition
The Capability Maturity Model for Software (CMM), from the Software Engineering Institute (SEI), is a model used by many organizations to identify best practices useful in helping them assess and increase the maturity of their software development processes. Scope Note: The CMM ranks software development organizations according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes and the standards for level five describe the most mature or quality processes. (1) A model that indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives. (2) A collection of instructions an organization can follow to gain better control over its software development process. |
|
|
Term
|
Definition
The deterioration of the media upon which data is digitally stored due to exposure to oxygen and moisture. Scope Note: Tapes deteriorating in a warm, humid environment are an example of media oxidation. Proper environmental controls should prevent, or significantly slow, this process. |
|
|
Term
|
Definition
Another term for an application programming interface (API). It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services. |
|
|
Term
Mission-Critical Application |
|
Definition
An application that is vital to the operation of the organization. The term is very popular for describing the applications required to run the day-to-day business. |
|
|
Term
|
Definition
A sampling technique that estimates the amount of overstatement in an account balance. |
|
|
Term
|
Definition
Responsible for planning, implementing and maintaining the telecommunications infrastructure, and also may be responsible for voice networks. Scope Note: For smaller organizations, the network administrator may also maintain a LAN and assist end users. |
|
|
Term
Nondisclosure Agreement (NDA) |
|
Definition
A legal contract between at least two parties that outlines confidential materials the parties wish to share with one another for certain purposes, but wish to restrict from generalized use; a contract through which the parties agree not to disclose information covered by the agreement. Scope Note: Also called a confidential disclosure agreement (CDA), confidentiality agreement or secrecy agreement. An NDA creates a confidential relationship between parties to protect any type of trade secret. An NDA can protect non-public business information. In the case of certain governmental entities, confidentiality of information other than trade secrets may be subject to statutory requirements, and in some cases may be required to be revealed to an outside party requesting the information. NDAs can be "mutual", meaning both parties are restricted in their use of the materials provided, or they can only restrict a single party. |
|
|
Term
|
Definition
The elimination of redundant data. |
|
|
Term
|
Definition
Machine-readable instructions produced from a compiler or assembler program that has accepted and translated the source code. |
|
|
Term
|
Definition
A facility located away from the building housing the primary information processing facility (IPF), used for storage of computer media such as offline backup data and storage files. |
|
|
Term
|
Definition
A master control program that runs the computer and acts as a scheduler and traffic controller. Scope Note: The operating system is the first program copied into the computer's memory after the computer is turned on and must reside in memory at all times. It is the software that interfaces between the computer hardware (disk, keyboard, mouse, network, modem, printer) and the application software (word processor, spreadsheet, e-mail); it also controls access to the devices, is partially responsible for security components and sets the standards for the application programs that run in it. |
|
|
Term
|
Definition
These controls deal with the everyday operation of a company or organization to ensure all objectives are achieved. |
|
|
Term
|
Definition
A formal agreement with a third party to perform IS or other business functions for an organization. |
|
|
Term
|
Definition
Data unit that is routed from source to destination in a packet-switched network. Scope Note: A packet contains both routing information and data. Transmission Control Protocol/Internet Protocol (TCP/IP) is such a packet-switched network. |
|
|
Term
|
Definition
The process of transmitting messages in convenient pieces that can be reassembled at the destination. |
|
|
Term
|
Definition
A general hardware control that helps to detect data errors when data are read from memory or communicated from one computer to another. Scope Note: A 1-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item's bits is odd or even. When the parity bit disagrees with the sum of the other bits, the computer reports an error. The probability of a parity check detecting an error is 50 percent. |
|
|
Term
|
Definition
A protected, generally computer-encrypted string of characters that authenticates a computer user to the computer system. |
|
|
Term
|
Definition
A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers. |
|
|
Term
|
Definition
Measures that are considered the drivers of lag indicators. They can be measured before the outcome is clear and, therefore, are called lead indicators. Scope Note: There is an assumed relationship between the two that suggests that improved performance in a leading indicator will drive better performance in the lagging indicator. They are also referred to as key performance indicators (KPIs) and are used to indicate whether goals are likely to be met. |
|
|
Term
|
Definition
Comparing the system's performance to other equivalent systems using well-defined benchmarks. |
|
|
Term
Personal Digital Assistant (PDA) |
|
Definition
Also called palmtop and pocket computer, these are handheld devices that provide computing, Internet, networking and telephone characteristics. |
|
|
Term
Personal Identification Number (PIN) |
|
Definition
A type of password (i.e., a secret number assigned to an individual) that, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual. Scope Note: PINs have been adopted by financial institutions as the primary means of verifying customers in an electronic funds transfer system (EFTS). |
|
|
Term
|
Definition
This is a type of e-mail attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering. Scope Note: Phishing attacks may take the form of masquerading as a lottery organization advising the recipient of a large win or the user's bank; in either case, the intent is to obtain account and PIN details. Alternative attacks may seek to obtain apparently innocuous business information, which may be used in another form of active attack. |
|
|
Term
Point-of-Sale (POS) Systems |
|
Definition
Enable the capture of data at the time and place of transaction. Scope Note: POS terminals may include use of optical scanners for use with bar codes or magnetic card readers for use with credit cards. POS systems may be online to a central computer or may use stand-alone terminals or microcomputers that hold the transactions until the end of a specified period when they are sent to the main computer for batch processing. |
|
|
Term
|
Definition
Generally, a document that records a high-level principle or course of action which has been decided upon. A policy's intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise's management teams. Scope Note: In addition to policy content, policies need to describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured. |
|
|
Term
|
Definition
A grouping of "objects of interest" (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. (The investment portfolio is of primary interest to Val IT. IT service, project, asset and other resource portfolios are of primary interest to COBIT.) |
|
|
Term
|
Definition
An internal control that is used to prevent undesirable events, errors and other occurrences that an organization has determined could have a negative material effect on a process or end product. |
|
|
Term
|
Definition
Freedom from unauthorized intrusion or disclosure of information about individuals. |
|
|
Term
Problem Escalation Procedure |
|
Definition
The process of escalating a problem up from junior to senior support staff, and ultimately to higher levels of management. Scope Note: Problem escalation procedure is often used in help desk management, where an unresolved problem is escalated up the chain of command, until it is solved. |
|
|
Term
|
Definition
A document containing steps that specify how to achieve an activity. Procedures are defined as part of processes. |
|
|
Term
|
Definition
A detailed description of the steps necessary to perform specific operations in conformance with applicable standards. |
|
|
Term
|
Definition
Generally, a collection of procedures influenced by the organization's policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs. Scope Note: Processes have clear business reasons for existing, accountable owners, clear roles and responsibilities around the execution of the process, and the means to measure performance. |
|
|
Term
Program Evaluation and Review Technique (PERT) |
|
Definition
A project management technique used in the planning and control of system projects. |
|
|
Term
|
Definition
A structured set of activities concerned with delivering a defined capability (that is necessary but not sufficient to achieve a required business outcome) to the enterprise based on an agreed-upon schedule and budget. |
|
|
Term
|
Definition
The set of projects owned by a company. Scope Note: A project portfolio usually includes the main guidelines relative to each project including objectives, costs, timelines and other information specific to the project. |
|
|
Term
|
Definition
The process of quickly putting together a working model (a prototype) in order to test various aspects of a design, illustrate ideas or features and gather early user feedback. Scope Note: Prototyping uses programmed simulation techniques to represent a model of the final system to the user for advisement and critique. The emphasis is on end-user screens and reports. Internal controls are not a priority item since this is only a model. |
|
|
Term
|
Definition
A cryptographic system that uses two keys. One is a public key, which is known to everyone, and the second is a private or secret key, which is known only to the recipient of the message. |
|
|
Term
|
Definition
A series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued. |
|
|
Term
|
Definition
A planned and systematic pattern of all actions necessary to provide adequate confidence that an item or product conforms to established technical requirements. (ISO/IEC 24765) |
|
|
Term
Rapid Application Development |
|
Definition
A methodology that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality by using a series of proven application development techniques, within a well-defined methodology. |
|
|
Term
|
Definition
Emergency processing agreements between two or more organizations with similar equipment or applications. Scope Note: Typically, participants of a reciprocal agreement promise to provide processing time to each other when an emergency arises. |
|
|
Term
Recovery Point Objective (RPO) |
|
Definition
The recovery point objective is determined based on the acceptable data loss in case of disruption of operations. It indicates the earliest point in time to which it is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. |
|
|
Term
|
Definition
An approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major outage. Scope Note: Plans and methodologies are determined by the organization's strategy. There may be more than one methodology or solution for an organization's strategy. Examples of methodologies and solutions include: contracting for hot site or cold site, building an internal hot site or cold site, identifying an alternate work area, a consortium or reciprocal agreement, contracting for mobile recovery or crate and ship, and many others. |
|
|
Term
Redundant Array of Inexpensive Disks (RAID) |
|
Definition
Provides performance improvements and fault-tolerant capabilities via hardware or software solutions, by writing to a series of multiple disks to improve performance and/or save large files simultaneously. |
|
|
Term
|
Definition
A process involving the extraction of components from existing systems and restructuring these components to develop new systems or to enhance the efficiency of existing systems. Scope Note: Existing software systems can be modernized to prolong their functionality. An example of this is a software code translator that can take an existing hierarchical database system and transpose it to a relational database system. CASE includes a source code reengineering feature. |
|
|
Term
Registration Authority (RA) |
|
Definition
The individual or institution that validates an entity's proof of identity and ownership of a key pair. |
|
|
Term
|
Definition
A testing technique used to retest earlier program abends or logical errors that occurred during the initial testing phase. |
|
|
Term
Request for Proposal (RFP) |
|
Definition
A document distributed to software vendors requesting them to submit a proposal to develop or provide a software product. |
|
|
Term
|
Definition
A technique used where the affected user groups define the requirements of the system for meeting the defined needs. Scope Note: Some of these requirements are business, regulatory, security as well as development related. |
|
|
Term
Return on Investment (ROI) |
|
Definition
A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered. |
|
|
Term
|
Definition
A software engineering technique whereby an existing application system code can be redesigned and coded using computer-aided software engineering (CASE) technology. |
|
|
Term
|
Definition
Used in either token ring or FDDI networks, all stations (nodes) are connected to a multi-station access unit (MSAU), which physically resembles a star-type topology. Scope Note: A ring configuration is created when these MSAUs are linked together to form a network. Messages in this network are sent in a deterministic fashion from sender to receiver via a small frame, referred to as a token. To send a message, a sender obtains the token with the right priority as the token travels around the ring, with receiving nodes reading those messages addressed to them. |
|
|
Term
|
Definition
The combination of the probability of an event and its consequence. (ISO/IEC 73) |
|
|
Term
|
Definition
The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats. Scope Note: Risk analysis often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of such event. |
|
|
Term
|
Definition
A process used to identify and evaluate risks and their potential effects. Scope Note: Risk assessment includes assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event. |
|
|
Term
|
Definition
The management of risk through the use of countermeasures and controls. |
|
|
Term
|
Definition
The process of assigning risk to another organization, usually through the purchase of an insurance policy or outsourcing the service. |
|
|
Term
|
Definition
A method of computer fraud involving computer code that instructs the computer to remove small amounts of money from an authorized computer transaction by rounding down to the nearest whole value denomination and rerouting the rounded-off amount to the perpetrator's account. |
|
|
Term
|
Definition
A networking device that can send (route) data packets from one local area network (LAN) or wide area network (WAN) to another, based on addressing at the network layer (Layer 3) in the OSI model. Scope Note: Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source addresses, destination addresses, protocol and network applications (ports). |
|
|
Term
|
Definition
Provide evidence that a program processes all input data and that it processed the data correctly. |
|
|
Term
|
Definition
A method used in the information processing facility (IPF) to determine and establish the sequence of computer job processing. |
|
|
Term
|
Definition
Also called requirement creep, this refers to uncontrolled changes in a project's scope. Scope Note: Scope creep can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose. Because of one's tendency to focus on only one dimension of a project, scope creep can also result in a project team overrunning its original budget and schedule. For example, scope creep can be a result of poor change control, lack of proper identification of what products and features are required to bring about the achievement of project objectives in the first place, or a weak project manager or executive sponsor. |
|
|
Term
Secure Sockets Layer (SSL) |
|
Definition
A protocol that is used to transmit private documents through the Internet. Scope Note: The SSL protocol uses a private key to encrypt the data that is to be transferred through the SSL connection. |
|
|
Term
|
Definition
The person responsible for implementing, monitoring and enforcing security rules established and authorized by management. |
|
|
Term
|
Definition
The extent to which every member of an organization and every other individual who potentially has access to the organization's information understand: security and the levels of security appropriate to the organization; the importance of security and the consequences of a lack of security; and their individual responsibilities regarding security (and act accordingly). (This definition is based on the definition for IT security awareness as defined in Implementation Guide: How to Make Your Organization Aware of IT Security, European Security Forum (ESF), London, UK, 1993.) |
|
|
Term
|
Definition
A high-level document representing an organization's information security philosophy and commitment. |
|
|
Term
|
Definition
The formal documentation of specific operational steps and processes that specify how security goals and objectives set forward in the security policy and standards are to be achieved. |
|
|
Term
|
Definition
Ensuring that the modified or new system includes appropriate controls and does not introduce any security holes that might compromise other systems or allow misuse of the system or its information. |
|
|
Term
Segregation/Separation of Duties |
|
Definition
A basic internal control that prevents or detects errors and irregularities by assigning responsibility for initiating and recording transactions and for custody of assets to separate individuals. Scope Note: Segregation and separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection. |
|
|
Term
Service Level Agreement (SLA) |
|
Definition
An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured. |
|
|
Term
Session Border Controller (SBC) |
|
Definition
Provides security features for VoIP traffic similar to those provided by firewalls. Scope Note: SBCs can be configured to filter specific VoIP protocols, monitor for denial-of-service (DoS) attacks, and provide network address and protocol translation features. |
|
|
Term
|
Definition
The procedure performed by a user to gain access to an application or operating system. Scope Note: If the user is properly identified and authenticated by the system's security, they will be able to access the software. |
|
|
Term
|
Definition
The language in which a program is written. Scope Note: Source code is translated into object code by assemblers and compilers. In some cases, source code may be converted automatically into another language by a conversion program. Source code is not executable by the computer directly. It must first be converted into a machine language. |
|
|
Term
|
Definition
Software whose purpose is to monitor a computer user's actions (e.g., web sites they visit) and report these actions to a third party, without the informed consent of that machine's owner or legitimate user. Scope Note: A particularly malicious form of spyware is software that monitors keystrokes (e.g., to obtain passwords) or otherwise gathers sensitive information such as credit card numbers, which it then transmits to a malicious third party. The term has also come to refer more broadly to software that subverts the computer's operation for the benefit of a third party. |
|
|
Term
|
Definition
A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as ISO. |
|
|
Term
|
Definition
A method of selecting a portion of a population, by means of mathematical calculations and probabilities, for the purpose of making scientifically and mathematically sound inferences regarding the characteristics of the entire population. |
|
|
Term
|
Definition
Obtaining audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. |
|
|
Term
Supply Chain Management (SCM) |
|
Definition
A concept that allows an organization to more effectively and efficiently manage the activities of design, manufacturing, distribution, service and recycling of the products and services it provides to its customers. |
|
|
Term
|
Definition
Typically classified as a data link layer device, switches enable LAN network segments to be created and interconnected, which also has the added benefit of reducing collision domains in Ethernet-based networks. |
|
|
Term
System development life cycle (SDLC) |
|
Definition
The phases deployed in the development or acquisition of a software system. Scope Note: Typical phases of SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post-implementation review, but not the service delivery or benefits realization activities. |
|
|
Term
|
Definition
A collection of computer programs used in the design, processing and control of all applications. Scope Note: The programs and processing routines that control the computer hardware, including the operating system and utility programs. |
|
|
Term
|
Definition
Testing conducted on a complete, integrated system to evaluate the system's compliance with its specified requirements. Scope Note: System test procedures typically are performed by the system maintenance staff in their development library. |
|
|
Term
Tape Management System (TMS) |
|
Definition
A system software tool that logs, monitors and directs computer tape usage. |
|
|
Term
|
Definition
A potential cause of an unwanted incident. (ISO/IEC 13335) |
|
|
Term
|
Definition
The quantity of useful work done by the system per unit of time. Throughput can be measured in instructions per second or some other unit of performance. When referring to a data transfer operation, throughput measures the useful data transfer rate and is expressed in kbps, Mbps and Gbps. |
|
|
Term
|
Definition
A device that is used to authenticate a user, typically in addition to a username and password. Scope Note: A token is usually a credit card-sized device that displays a pseudo random number that changes every few minutes. |
|
|
Term
|
Definition
The physical layout of how computers are linked together. Scope Note: Examples of topology include ring, star and bus. |
|
|
Term
|
Definition
Business events or information grouped together because they have a single or similar purpose. Scope Note: Typically, a transaction is applied to a calculation or event that then results in the updating of a holding or master file. |
|
|
Term
Transmission Control Protocol/Internet Protocol (TCP/IP) |
|
Definition
Provides the basis for the Internet; a set of communications protocols that encompasses media access, packet transport, session communications, file transfer, electronic mail, terminal emulation, remote file access and network management. |
|
|
Term
|
Definition
Purposefully hidden malicious or damaging code within an authorized computer program. Scope Note: Unlike viruses, they do not replicate themselves, but they can be just as destructive to a single computer. |
|
|
Term
|
Definition
Commonly used to bridge between incompatible hosts/routers or to provide encryption, a method by which one network protocol encapsulates another protocol within itself. Scope Note: When protocol A encapsulates protocol B, a protocol A header and optional tunneling headers are prepended to the original protocol B packet. Protocol A then becomes the data link layer of protocol B. Examples of tunneling protocols include IPsec, Point-to-Point Protocol over Ethernet (PPPoE), and Layer 2 Tunneling Protocol (L2TP). |
|
|
Term
Uninterruptible Power Supply (UPS) |
|
Definition
Provides short-term backup power from batteries for a computer system when the electrical power fails or drops to an unacceptable voltage level. |
|
|
Term
|
Definition
A testing technique that is used to test program logic within a particular program or module. Scope Note: The purpose of the test is to ensure that the internal operation of the program performs according to specification. It uses a set of test cases that focus on the control structure of the procedural design. |
|
|
Term
Universal Serial Bus (USB) |
|
Definition
An external bus standard that provides capabilities to transfer data at a rate of 12 Mbps. Scope Note: A USB port can connect up to 127 peripheral devices. |
|
|
Term
|
Definition
Specialized system software used to perform particular computerized functions and routines that are frequently required during normal processing. Scope Note: Examples of utility programs include sorting, backing up and erasing data. |
|
|
Term
|
Definition
A program with the ability to reproduce by modifying other programs to include a copy of itself. Scope Note: A virus may contain destructive code that can move into multiple programs, data files or devices on a system and spread through multiple systems in a network. |
|
|
Term
Voice-over Internet Protocol (VoIP) |
|
Definition
Also called IP Telephony, Internet telephony and Broadband Phone, this is a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of dedicated voice transmission lines. |
|
|
Term
|
Definition
Process of identifying and classifying vulnerabilities. |
|
|
Term
|
Definition
Similar to a hot site; however, it is not fully equipped with all necessary hardware needed for recovery. |
|
|
Term
|
Definition
Also known as traditional development, it is a procedure-focused development cycle with formal sign-off at the completion of each level. |
|
|
Term
Wi-Fi Protected Access (WPA) |
|
Definition
A class of systems used to secure wireless (Wi-Fi) computer networks. Scope Note: WPA was created in response to several serious weaknesses researchers found in the previous system, Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first-generation wireless access points. WPA2 implements the full standard, but will not work with some older network cards. Both provide good security, with two significant issues. First, either WPA or WPA2 must be enabled and chosen in preference to WEP; WEP is usually presented as the first security choice in most installation instructions. Second, in the personal mode, the most likely choice for homes and small offices, a passphrase is required that, for full security, must be longer than the typical 6 to 8 character passwords users are taught to employ. |
|
|
Term
Wired Equivalent Privacy (WEP) |
|
Definition
A scheme that is part of the IEEE 802.11 wireless networking standard to secure IEEE 802.11 wireless networks (also known as Wi-Fi networks). Scope Note: Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping. WEP was intended to provide comparable confidentiality to a traditional wired network (in particular it does not protect users of the network from each other), hence the name. Several serious weaknesses were identified by cryptanalysts, and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite the weaknesses, WEP provides a level of security that can deter casual snooping. |
|
|
Term
|
Definition
The practice of eavesdropping on information being transmitted over telecommunications links. |
|
|