Software designed to secretly access a computer system without the owner’s informed consent. The expression is a general term (short for “malicious software”) used to mean a variety of forms of hostile, intrusive, or annoying software or program code. Malware includes computer viruses, worms, Trojan horses, spyware, dishonest adware, ransomware, crimeware, most rootkits, and other malicious and unwanted software or programs.
A program for managing an organization’s assets that includes formalized governance, policies, and procedures.
Monitoring traffic and noting unusual actions or departures from normal operation.
Any incident resulting in unauthorized access to computer data, applications, networks, or devices, so that information is accessed without authorization.
A set of planning, preparatory, and related activities that are intended to ensure an organization’s critical business functions either will continue to operate despite serious incidents or disasters that might otherwise have interrupted them or will be recovered to an operational state within a reasonably short period.
Business Impact Analysis
This term is applicable across Technology Risk Management, in both information security and business continuity planning domains. An impact analysis results in the differentiation between critical and noncritical business functions. A function may be considered critical if there is an unacceptable impact to stakeholders from damage to the function. The perception of the acceptability of disruption may be modified by the cost of establishing and maintaining appropriate business or technical recovery solutions. A function may also be considered critical if dictated by law.
The science and art of estimating the space, computer hardware, software, and connection infrastructure resources that will be needed over some future period of time.
Client Intellectual Property
Property that derives from the work of the mind or intellect. Also an application, right, or registration relating to this.
Compliance is either the state of being in accordance with established guidelines or specifications or the process of becoming so.
An active employee or contractor.
Consumer Report Information
The term “consumer report” means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility.
Data at Rest
Data at rest is a term that is sometimes used to refer to all data in computer storage while excluding data that is traversing a network or temporarily residing in computer memory to be read or updated. Data at rest can be archival or reference files that are changed rarely or never; data at rest can also be data that is subject to regular but not constant change.
Data in Transit
Information that flows over the public or untrusted network, such as the Internet, and data that flows in the confines of a private network, such as a corporate or enterprise local area network (LAN).
Data classification is the process of organizing data into categories for its most effective and efficient use.
Data Loss Prevention (DLP)
Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.
Refers to the model of cloud computing used.
The process, policies, and procedures related to preparing for recovery or continuation of technology infrastructure critical to the assessment after a natural or human-induced disaster. Disaster recovery is a subset of business continuity.
Distributed Denial-of-Service (DDoS)
A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the targeted system essentially forces it to shut down, thereby denying service to legitimate users of the system.
It is the research and analysis of a company or organization done in preparation for a business transaction.
Electronic Business Information Systems
The combination of hardware and software used to manage electronic information. A system which stores information from internal and external sources to facilitate better decision making.
Encryption is the conversion of electronic data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties.
File Transfer Protocol (FTP)
File Transfer Protocol (FTP) is a standard Internet protocol for transmitting files between computers on the Internet over TCP/IP connections.
File sharing is the public or private sharing of computer data or space in a network with various levels of access privilege.
A device that converts mechanical energy to electrical energy via an engine (usually fuel-powered) that provides electrical current as input to a power source.
Events outside normal operations that disrupt normal operational processes. An incident can be a relatively minor event, such as running out of disk space on a server, or a major disruption, such as a breach of database security and the loss of private and confidential customer information.
Scoped target and/or system data utilized/owned by an organization.
Intrusion Detection System (IDS)
A security inspection system for computers and networks that allows inspection of system activity and inbound/outbound network activity. The key function of an IDS is to identify suspicious activity or patterns that may indicate a network or system attack.
A log, in a computing context, is the automatically produced and time-stamped documentation of events relevant to a particular system. Virtually all software applications and systems produce log files.
Smartphones, tablet computers, laptops—anything that is not affixed to a desk or operates wirelessly.
Multifactor authentication requires the use of solutions from two or more of the three categories of factors:
- Something the user knows (e.g., password, PIN)
- Something the user has (e.g., ATM card, smart card)
- Something the user is (e.g., biometric characteristic, such as a fingerprint)
Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multifactor authentication.
Failure or refusal to comply, as with a law, regulation, or term of a contract.
Operational Change Management
Operational change management typically refers to more common changes in certain work processes, reporting structure, or job roles.
Occurring over a wide geographic area and affecting an exceptionally high proportion of the population.
A conventional security control, widely used by software vendors, in which weaknesses identified in vulnerability testing are exploited to gain access to systems, networks, and applications, in order to identify solutions that mitigate the vulnerability.
Personally Identifiable Information (PII)
NIST Special Publication 800-122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
Phishing is a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, IM, or other communication channels.
A computer port is a connection point or interface between a computer and an external or internal device. Internal ports may connect such devices as hard drives and CD-ROM or DVD drives; external ports may connect modems, printers, mice, and other devices.
Privacy Risk Assessment
A privacy risk/impact assessment states what personally identifiable information (PII) is collected and explains how that information is maintained, how it will be protected, and how it will be shared.
A privacy risk assessment should identify:
- Whether the information being collected complies with privacy-related legal and regulatory compliance requirements
- The risks and effects of collecting, maintaining, and disseminating PII
- Protections and processes for handling information to alleviate any potential privacy risks
- Options and methods for individuals to provide consent for the collection of their PII.
Generally Accepted Privacy Principles (GAPP) is a recognized framework for assessing privacy risk. GAPP operationalizes complex privacy requirements into a single privacy objective that is supported by 10 privacy principles.
This access grants an employee access to more than the usual company data, or the ability to make changes to the company network. Companies need privileged users because they have access to source code, file systems, and other assets that allow them to upgrade the systems or make other technical changes.
Protected Health Information (PHI)
The Privacy Rule protects individually identifiable health information, called PHI, held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal. PHI includes information that relates to all of the following:
- The individual’s past, present, or future physical or mental health or condition
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual
- Many common identifiers, such as name, address, birth date, and Social Security number
Capacity planning is the science and art of estimating the space, computer hardware, software, and connection infrastructure resources that will be needed over some future period of time.
Remote access refers to the ability to access a computer, such as a home computer or an office network computer, from a remote location. This allows employees to work off-site, such as at home or in another location, while still having access to a distant computer or network, such as the office network.
Removable media is any type of storage device that can be removed from a computer while the system is running. Examples of removable media include CDs, DVDs and Blu-ray disks, as well as diskettes and USB drives. Removable media makes it easy for a user to move data from one computer to another.
Data retention, also called records retention, is the continued storage of an organization’s data for compliance or business reasons.
Risk management is the process of identifying, assessing, and controlling threats to an organization’s capital and earnings.
Sandbox Remote Sessions
Remote sessions in which drive mapping and folder redirection are disabled. Users are given only a screen scrape of the remote system.
A client’s non-public personal information (NPPI), protected health information (PHI), personal information (PI), or non-public information that is stored, transmitted, or processed by the service provider. Scoped data may also include any data selected as being in scope by the organization or client at the scoping of the engagement. Any reference to scoped data includes protected scoped data, where applicable.
Computer hardware, software, and/or non-public personal information that is stored, transmitted, or processed by the service provider in scope for the engagement.
A security incident is a warning that there may be a threat to information or computer security, or that a threat has already materialized. Threats or violations can be identified, for example, by unauthorized access to a system. A computer security incident is a violation of, or a threat to, the policies that govern computer security.
A software or operating-system patch that is intended to correct a vulnerability to hacking or viral infection.
Please see Deployment Model definition.
Single Point of Failure
A single point of failure (SPOF) is a potential risk posed by a flaw in the design, implementation, or configuration of a circuit or system in which one fault or malfunction causes an entire system to stop operating.
Single Sign-On (SSO)
Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end-user for all the applications to which the user has been given rights and eliminates further prompts when the user switches applications during the same session. On the back end, SSO is helpful for logging user activities as well as monitoring user accounts.
Vendor developed software code used for custom or commercial-off-the-shelf purposes.
Application software is a program or group of programs designed for end users. Software is divided into two classes: system software and application software. While system software consists of low-level programs that interact with computers at a basic level, application software resides above system software and includes database programs, word processors, spreadsheets, etc. Application software may be grouped along with system software or published alone. Application software may simply be referred to as an application.
Software Development Lifecycle (SDLC)
A series of processes that provide a model for the development and lifecycle management of Software Applications.
A protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.
A business or an individual that signs a contract to perform part or all of the obligations of another’s contract.
Back-up refers to the copying of physical or virtual files or databases to a secondary site for preservation in case of equipment failure or other catastrophe.
All entities or persons that work on behalf of the organization but are not its employees, including consultants, contingent workers, clients, business partners, service providers, subcontractors, vendors, suppliers, affiliates, and any other person or entity that accesses Scoped Systems and Data.
Uninterruptable Power Supply (UPS)
A power supply consisting of a bank of batteries, which is continually charged. When power fails, the UPS becomes the source of electrical current for computer equipment until the batteries are discharged. A UPS is often connected to a generator that can provide electrical power indefinitely.
A USB drive, also known as a flash drive or keychain drive, is a plug-and-play portable storage device that uses flash memory and is lightweight enough to attach to a keychain. A USB drive can be used in place of a floppy disk, zip drive disk, or CD. When the user plugs the device into the USB port, the computer’s operating system recognizes the device as a removable drive and assigns it a drive letter.
Virtual Private Network
A communication tunnel running through a shared network, such as the Internet, which uses encryption and other security mechanisms to ensure the data cannot be intercepted and that the data senders and receivers are authenticated.
A specific weakness that can be exploited.
Web services (sometimes called application services) are services (usually including some combination of programming and data, but possibly including human resources as well) that are made available from a business’s web server for web users or other web-connected programs. Providers of web services are generally known as application service providers. Web services range from such major services as storage management and customer relationship management (CRM) down to much more limited services such as the furnishing of a stock quote and the checking of bids for an auction item. The accelerating creation and availability of these services is a major web trend.
A wireless network, a.k.a. wireless local area network (LAN), uses radio waves to connect devices such as laptops to the Internet and to your business network and its applications instead of using physical cables as in a wired network. An example of a wireless network is when you connect a laptop to a Wi-Fi hotspot in a cafe, hotel, airport lounge, or other public place using that business’s wireless network.