Citations

Existing Citations

  • access control (s.v. access control): The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises. (†1756)
  • accountability (s.v. accountability): The ability to map a given activity or event back to the responsible party. (†1757)
  • anonymous (s.v. anonymity): The quality or state of not being named or identified. (†1758)
  • audit (s.v. audit): Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met. May be carried out by internal or external groups. (†1759)
  • authentication (s.v. authentication): 1. The act of verifying identity (i.e., user, system) Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data. 2. The act of verifying the identity of a user and the user’s eligibility to access computerized information. Scope Note: Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data. (†1760)
  • authenticity (s.v. authenticity): Undisputed authorship. (†1761)
  • availability (s.v. availability): Ensuring timely and reliable access to and use of information. (†1762)
  • backup (s.v. backup): Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service. (†1763)
  • business model (s.v. business model for information security ): A holistic and business‐oriented model that supports enterprise governance and management information security, and provides a common language for information security professionals and business management. (†1764)
  • business process (s.v. business process): An inter‐related set of cross‐functional activities or events that result in the delivery of a specific product or service to a customer. (†1765)
  • chain of custody (s.v. chain of custody): A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law. Includes documentation as to who had access to the evidence and when, as well as the ability to identify evidence as being the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence, so it cannot be changed, and providing a documentary record of custody to prove that the evidence was at all times under strict control and not subject to tampering. (†1766)
  • cloud computing (s.v. cloud computing): Convenient, on‐demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. (†1767)
  • competence (s.v. competence): The ability to perform a specific task, action or function successfully. (†1768)
  • compliance (s.v. compliance): Adherence to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies. (†1769)
  • confidentiality (s.v. confidentiality): Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information. (†1770)
  • context (s.v. context): The overall set of internal and external factors that might influence or determine how an enterprise, entity, process or individual acts. Context includes: technology context (technological factors that affect an enterprise's ability to extract value from data), data context (data accuracy, availability, currency and quality), skills and knowledge (general experience and analytical, technical and business skills), organizational and cultural context (political factors and whether the enterprise prefers data to intuition), strategic context (strategic objectives of the enterprise). (†1771)
  • data obfuscation (s.v. obfuscation): The deliberate act of creating source or machine code that is difficult for humans to understand. (†1789)
  • denial of service (s.v. denial of service attack): An assault on a service from a single source that floods it with so many requests that it becomes overwhelmed and is either stopped completely or operates at a significantly reduced rate. (†1773)
  • digital forensics (s.v. digital forensics): The process of identifying, preserving, analyzing and presenting digital evidence in a manner that is legally acceptable in any legal proceedings. (†1774)
  • encryption (s.v. encryption): The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext). (†1775)
  • enterprise risk management (s.v. enterprise risk management (ERM)): The discipline by which an enterprise in any industry assesses, controls, exploits, finances and monitors risk from all sources for the purpose of increasing the enterprise's short‐ and long‐term value to its stakeholders. (†1776)
  • governance (s.v. governance): Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed‐on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed‐on direction and objectives. Conditions can include the cost of capital, foreign exchange rates, etc. Options can include shifting manufacturing to other locations, sub‐contracting portions of the enterprise to third‐parties, selecting a product mix from many available choices, etc. (†1777)
  • impact (s.v. impact): Magnitude of loss resulting from a threat exploiting a vulnerability. (†1778)
  • information (s.v. information): An asset that, like other important business assets, is essential to an enterprise’s business. It can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by using electronic means, shown on films, or spoken in conversation. (COBIT 5 perspective) (†1779)
  • information security (s.v. information security): Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non‐access when required (availability). (†1780)
  • information technology governance (s.v. IT governance): The responsibility of executives and the board of directors; consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise's strategies and objectives. (†1785)
  • Infrastructure as a Service (IaaS) (s.v. Infrastructure as a Service (IaaS)): Offers the capability to provision processing, storage, networks and other fundamental computing resources, enabling the customer to deploy and run arbitrary software, which can include operating systems (OSs) and applications. (†1781)
  • inherent risk (s.v. inherent risk): The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls). (†1782)
  • integrity (s.v. integrity): The guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. (†1783)
  • internet (s.v. internet): 1. Two or more networks connected by a router. 2. The world’s largest network using Transmission Control Protocol/Internet Protocol (TCP/IP) to link government, university and commercial institutions. (†1784)
  • leakage (s.v. data leakage): Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes. (†1772)
  • management (s.v. management): Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives. (†1786)
  • maturity model (s.v. Capability Maturity Model (CMM)): 1. Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness. 2. CMM for software, from the Software Engineering Institute (SEI), is a model used by many enterprises to identify best practices useful in helping them assess and increase the maturity of their software development processes. Scope Notes: CMM ranks software development enterprises according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes and the standards for level five describe the most mature or quality processes. A maturity model that indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives. A collection of instructions that an enterprise can follow to gain better control over its software development process. (†1787)
  • National Institute of Standards and Technology (s.v. National Institute of Standards and Tech): Develops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology. NIST is a US government entity that creates mandatory standards that are followed by federal agencies and those doing business with them. (†1788)
  • organization (s.v. organization): The manner in which an enterprise is structured; can also mean the entity. (†1790)
  • Platform as a Service (PaaS) (s.v. Platform as a Service (PaaS)): Offers the capability to deploy onto the cloud infrastructure customer‐created or ‐acquired applications that are created using programming languages and tools supported by the provider. (†1792)
  • privacy (s.v. privacy): Freedom from unauthorized intrusion or disclosure of information about an individual. (†1793)
  • procedure (s.v. procedure): A document containing a detailed description of the steps necessary to perform specific operations in conformance with applicable standards. Procedures are defined as part of processes. (†1794)
  • process (s.v. process): Generally, a collection of activities influenced by the enterprise’s policies and procedures that takes inputs from a number of sources, (including other processes), manipulates the inputs and produces outputs. Processes have clear business reasons for existing, accountable owners, clear roles and responsibilities around the execution of the process, and the means to measure performance. (†1795)
  • record (s.v. record): A collection of related information that is treated as a unit. Separate fields within the record are used for processing of the information. (†1796)
  • residual risk (s.v. residual risk): The remaining risk after management has implemented a risk response. (†1797)
  • resilience (s.v. resilience): The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect. (†1798)
  • risk (s.v. risk): The combination of the probability of an event and its consequence. (ISO/IEC 73) (†1799)
  • risk assessment (s.v. risk assessment): A process used to identify and evaluate risk and its potential effects. Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan. Risk assessments are also used to manage the project delivery and project benefit risk. (†1800)
  • risk management (s.v. risk management): 1. The coordinated activities to direct and control an enterprise with regard to risk. In the International Standard, the term "control" is used as a synonym for "measure." (ISO/IEC Guide 73:2002) 2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise’s risk appetite. (COBIT 5 perspective) (†1801)
  • risk mitigation (s.v. risk mitigation): The management of risk through the use of countermeasures and controls. (†1802)
  • risk tolerance (s.v. risk tolerance): The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives. (†1809)
  • service level agreement (s.v. service level agreement): An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured. (†1804)
  • Software as a Service (SaaS) (s.v. Software as a Service (SaaS)): Offers the capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web‐based e‐mail). (†1805)
  • threat (s.v. threat): Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm. A potential cause of an unwanted incident. (ISO/IEC 13335) (†1806)
  • transparency (s.v. transparency): Refers to an enterprise’s openness about its activities and is based on the following concepts: ‐ How the mechanism functions is clear to those who are affected by or want to challenge governance decisions. ‐ A common vocabulary has been established. ‐ Relevant information is readily available. Transparency and stakeholder trust are directly related; the more transparency in the governance process, the more confidence in the governance. (†1807)
  • vulnerability (s.v. vulnerability): A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events. (†1808)