CISA Review Manual 2007 (for June 2007)
Glossary, Acronyms, Appendices & Other Information
General Table of Contents
Glossary 481
Acronyms 506
Appendix A: The CISA Examination and COBIT 511
COBIT 3rd Edition 518
COBIT 4.0 519
Appendix B: IS Auditing Standards, Guidelines and Procedures 521
Relationship of Standards to Guidelines and Procedures 522
Appendix C: 2007 CISA Examination General Information 525
Requirements for Certification 525
Successful Completion of the CISA Examination 525
Experience in IS Auditing, Control and Security 525
Description of the Examination 525
Registration for the CISA Examination 526
CISA Program Accredited under ISO/IEC 17024:2003 526
Preparing for the CISA Examination 527
Types of Exam Questions 527
Administration of the Examination 527
Sitting for the Examination 527
Budgeting Your Time 528
Rules and Procedures 528
Grading the Examination 528
Index 530
Complete list of 2007 CISA Study Materials 544
Evaluation 545
Glossary CISA
Abend-An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing
Access control-The process that limits and controls access to resources of a computer system; a logical or physical control designed to protect against unauthorized entry or use
Access control list (ACL)-Also referred to as access control tables, this is an internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals.
Access control table-An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals
Access method-The technique used for selecting records in a file, one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization, which determines how the records are stored.
Access path-The logical route an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system.
Access rights-Also called permissions or privileges, these are the rights granted to users by the administrator or supervisor. Access rights determine the actions users can perform (e.g., read, write, execute, create and delete) on files in shared volumes or file shares on the server.
Access servers-Provides centralized access control for managing remote access dial-up services
Address-The code used to designate the location of a specific piece of data within computer storage
Addressing-The method used to identify the location of a participant in a network. Ideally, addressing specifies where the participant is located rather than who they are (name) or how to get there (routing).
Address space-The number of distinct locations that may be referred to with the machine address. For most binary machines, it is equal to 2^n, where n is the number of bits in the machine address.
Administrative controls-The actions dealing with operational effectiveness, efficiency and adherence to regulations and management policies
Adware-Any software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used. In most cases, this is done without any notification to the user or the user's consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user's consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as "adware" in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.
Alpha-The use of alphabetic characters or an alphabetic character string
Alternative routing-A service that allows the option of having an alternate route to complete a call when the marked destination is not available. In signaling, alternate routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signaling links or routes of that traffic stream.
American Standard Code for Information Interchange-See ASCII.
Analog-A transmission signal that varies continuously in amplitude and time and is generated in wave formation. Analog signals are used in telecommunications.
CISA Review Manual 2007 481
Anonymous File Transfer Protocol (FTP)-A method for downloading public files using the File Transfer Protocol. Anonymous FTP is called anonymous because users do not need to identify themselves before accessing files from a particular server. In general, users enter the word anonymous when the host prompts for a username; anything can be entered for the password, such as the user's e-mail address or simply the word guest. In many cases, an anonymous FTP site will not even prompt users for a name and password.
Antivirus software-Applications that detect, prevent and possibly remove all known viruses from files located in a microcomputer hard drive
Applet-A program written in a portable, platform-independent computer language, such as Java, JavaScript or Visual Basic. It is usually embedded in an HTML page downloaded from web servers and then executed by a browser on client machines to run any web-based application (e.g., generate web page input forms, run audio/video programs, etc.). Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers. However, applets expose the user's machine to risks, if not properly controlled by the browser, which should not allow an applet to access a machine's information without prior authorization of the user.
Application-A computer program or set of programs that perform the processing of records for a specific function
Application controls-Refer to the transactions and data relating to each computer-based application system and are, therefore, specific to each such application. The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein, resulting from both manual and programmed processing. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted.
Application layer-A layer within the International Organization for Standardization (ISO)/Open Systems Interconnection (OSI) model. It is used in information transfers between users through application programs and other devices. In this layer, various protocols are needed. Some of them are specific to certain applications, and others are more general for network services.
Application program-A program that processes business data through activities such as data entry, update or query. It contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort.
Application programming-The act or function of developing and maintaining application programs in production
Application programming interface (API)-A set of routines, protocols and tools referred to as "building blocks" used in business application software development. A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system that applications need to specify, for example, when interfacing with the operating system (e.g., provided by MS Windows, different versions of UNIX). A programmer would utilize these APIs in developing applications that can operate effectively and efficiently on the platform chosen.
Arithmetic logic unit (ALU)-The area of the central processing unit that performs mathematical and analytical operations
Artificial intelligence-Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules
ASCII (American Standard Code for Information Interchange)-Representing 128 characters, the ASCII code normally uses 7 bits. However, some variations of the ASCII code set allow 8 bits. This 8-bit ASCII code allows 256 characters to be represented.
Assembler-A program that takes as input a program written in assembly language and translates it into machine code or machine language
Asymmetric key (public key)-A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message (See public key encryption)
Asynchronous Transfer Mode (ATM)-ATM is a high-bandwidth, low-delay switching and multiplexing technology. It is a data link layer protocol. This means that it is a protocol-independent transport mechanism. ATM allows integration of
Asynchronous transmission-Character-at-a-time transmission
Attribute sampling-An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size)
Audit evidence-The information used by an IS auditor to meet audit objectives
Audit objective-The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk.
Audit program-A step-by-step set of audit procedures and instructions that should be performed to complete an audit
Audit risk-The risk that information or financial reports may contain material errors or that the IS auditor may not detect an error that has occurred; also used to describe the level of risk that an auditor is prepared to accept during an audit engagement
Audit trail-A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source
Authentication-The act of verifying the identity of a user and the user's eligibility to access computerized information. Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.
Automated teller machine (ATM)-A 24-hour, stand-alone minibank, located outside branch bank offices or in public places like shopping malls. Through ATMs, clients can make deposits, withdrawals, account inquiries and transfers. Typically, the ATM network is comprised of two spheres: a proprietary sphere, in which the bank manages the transactions of its clients, and the public or shared domain, in which a client of one financial institution can use another's ATMs.
Backbone-The main communications channel of a digital network. The part of a network that handles the major traffic. It employs the highest-speed transmission paths in the network and may also run the longest distances. Smaller networks are attached to the backbone, and networks that directly connect to the end user or customer are called "access networks." A backbone can span a geographic area of any size from a single building to an office complex to an entire country. Or, it can be as small as a backplane in a single cabinet.
Backup-Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service
Badge-A card or other device that is presented or displayed to obtain access to an otherwise restricted facility, as a symbol of authority (e.g., police), or as a simple means of identification. They are also used in advertising and publicity.
Bandwidth-The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).
Bar code-A printed machine-readable code that consists of parallel bars of varied width and spacing
Base case-A standardized body of data created for testing purposes. Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.
Baseband-A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division and usually utilize a transceiver. In baseband, the entire bandwidth of the transmission medium (e.g., coaxial cable) is utilized for a single channel.
Batch control-Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage. There are two main forms of batch controls: sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed, and control total, which is a total of the values in selected fields within the transactions.
Batch processing-The processing of a group of transactions at the same time. Transactions are collected and processed against the master files at a specified time.
Bayesian filter-A method often employed by antispam software to filter spam based on probabilities. The message header and every word or number are each considered a token and given a probability score. Then the entire message is given a spam probability score. A message with a high score will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient.
Benchmarking-A systematic approach to comparing an organization's performance against peers and competitors in an effort to learn the best ways of conducting business (e.g., benchmarking of quality, logistical efficiency and various other metrics).
Binary code-A code whose representation is limited to 0 and 1
Biometrics-A security technique that verifies an individual's identity by analyzing a unique physical attribute, such as a handprint
Black box testing-A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code internals.
Bridge-A device that connects two similar networks together
Broadband-In broadband, multiple channels are formed by dividing the transmission medium into discrete frequency segments. It generally requires the use of a modem.
Brouters-Devices that perform the functions of both bridges and routers are called brouters. Naturally, they operate at both the data link and the network layers. A brouter connects same data link type LAN segments as well as different data link ones, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a different data link type network based on the network protocol address. When connecting same data link type networks, they are as fast as bridges, besides being able to connect different data link type networks.
Buffer-Memory reserved to temporarily hold data. Buffers are used to offset differences between the operating speeds of different devices, such as a printer and a computer. In a program, buffers are reserved areas of RAM that hold data while they are being processed.
Bus-Common path or channel between hardware devices. It can be between components internal to a computer or between external computers in a communications network.
Bus configuration-All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes. This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a connector to make a longer cable for more computers to join the network. A repeater can also be used to extend a bus configuration.
Business case-A document that provides management with sufficient information, needed to enable them to decide whether to support a proposed project, before significant resources are committed to its development. A business case includes analysis of current business process performance; associated assumptions, needs or problems; proposed solutions and potential constraints, based upon a risk-adjusted, cost-benefit analysis.
Business impact analysis (BIA)-A process to determine the impact of losing the support of any resource. The business impact analysis assessment study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision.
Business process reengineering (BPR)-Modern expression for organizational development stemming from IS/IT impacts. The ultimate goal of BPR is to yield a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings. To reengineer means redesigning a structure and procedures with intelligence and skills, while being well informed about all of the attendant factors of a given situation, so as to obtain the maximum benefits from mechanization as basic rationale.
Business risk-Potential for harm or loss in achieving business objectives
Bypass label processing (BLP)-A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system.
Capability Maturity Model (CMM)-The Capability Maturity Model (CMM) for Software, from the Software Engineering Institute (SEI), is a model used by many organizations to identify best practices useful in helping them assess and increase the maturity of their software development process.
Central processing unit (CPU)-Computer hardware that houses the electronic circuits that control/direct all operations of the computer system
Certificate (certification) authority (CA)-In cryptography, a certificate authority or certification authority (CA) is an entity which issues digital certificates for use by other parties. It is an example of a trusted third party. A certificate authority attests, as the trusted provider of the public/private key pairs, to the authenticity of the owner (entity or individual) to whom a public/private key pair has been given. The process involves a CA who makes a decision to issue a certificate based on evidence or knowledge obtained in verifying the identity of the recipient. Upon verifying the identity of the recipient, the CA signs the certificate with its private key for distribution to the user, where, upon receipt, the user will decrypt the certificate with the CA's public key (e.g., commercial CAs such as Verisign provide public keys on web browsers). The ideal CA is authoritative (someone that the user trusts) for the name or key space it represents. CAs are characteristic of many public key infrastructure (PKI) schemes. There are many commercial CAs that charge for their services. Institutions and governments may have their own CAs, and there are free CAs.
Certificate revocation list (CRL)-An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility. CRL details digital certificates that are no longer valid. The time gap between two updates is very critical and is also a risk in digital certificates verification.
Certification practice statement (CPS)-A CPS is a detailed set of rules governing the certificate authority's operations. It provides an understanding of the value and trustworthiness of certificates issued by a given CA in terms of the controls that an organization observes, the method it uses to validate the authenticity of certificate applicants and the CA's expectations of how its certificates may be used.
Channel Service Unit/Digital Service Unit (CSU/DSU)-Interfaces at the physical layer of the OSI reference model, data terminal equipment (DTE) to data circuit terminating equipment (DCE), for switched carrier networks
Check digit-A numeric value, which has been calculated mathematically, is added to data to ensure that original data have not been altered or that an incorrect, but valid, match has occurred. This control is effective in detecting transposition and transcription errors.
Checklist-A list of items that is used to verify the completeness of a task or goal. A checklist is used in quality assurance (and in general, in information systems audit), to check process compliance, code standardization and error prevention, and other items for which consistency processes or standards have been defined.
Checksum-A cryptographic checksum is a mathematical value that is assigned to a file and used to "test" the file at a later date to verify that the data contained in the file has not been maliciously changed. A cryptographic checksum is created by performing a complicated series of mathematical operations (known as a cryptographic algorithm) that translates the data in the file into a fixed string of digits called a hash value, which is then used as the checksum. Without knowing which cryptographic algorithm was used to create the hash value, it is highly unlikely that an unauthorized person would be able to change data without inadvertently changing the corresponding checksum. Cryptographic checksums are used in data transmission and data storage. Cryptographic checksums are also known as message authentication codes, integrity check values, modification detection codes or message integrity codes.
Ciphertext-Information generated by an encryption algorithm to protect the cleartext. The ciphertext is unintelligible to the unauthorized reader.
Client-server-A group of computers connected by a communications network, where the client is the requesting machine and the server is the supplying machine. Software is specialized at both ends. Processing may take place on either the client or the server, but it is transparent to the user.
Coaxial cable-It is composed of an insulated wire that runs through the middle of each cable; a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second wire. Coaxial cable has a greater transmission capacity than standard twisted-pair cables but has a limited range of effective distance.
Cohesion-The extent to which a system unit (subroutine, program, module, component, subsystem) performs a single dedicated function. Generally, the more cohesive the units are, the easier it is to maintain and enhance a system, since it is easier to determine where and how to apply a change.
Cold site-An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility.
Communication processor-A computer embedded in a communications system that generally performs basic tasks of classifying network traffic and enforcing network policy functions. An example is the message data processor of a DDN switching center. More advanced communications processors may perform additional functions.
Comparison program-A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences
Compensating control-An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions
Compiler-A program that translates programming language (source code) into machine executable instructions (object code)
Completely connected (mesh) configuration-A network topology in which devices are connected with many redundant interconnections between network nodes. (Primarily used for backbone networks.)
Completeness check-A procedure designed to ensure that no fields are missing from a record
Compliance testing-Audit tests that determine if internal controls are being applied in a manner described in the documentation and in accordance with management's intents. These are tests that are used to determine whether internal controls actually exist and are working effectively.
Components (as in component-based development)-Cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as much predeveloped, pretested components as possible.
Comprehensive audit-An audit designed to determine the accuracy of financial records, as well as evaluate the internal controls of a function or department
Computer emergency response team (CERT)-A group of people integrated at the organization with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.
Computer-aided software engineering (CASE)-The use of software packages that aid in the development of all phases of an information system. System analysis, design, programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.
Computer-assisted audit technique (CAAT)-Any automated audit technique, such as generalized audit software, test data generators, computerized audit programs and specialized audit utilities
Computer forensics-The application of the scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communications and digital storage devices) in a way that is admissible as evidence in a court of law.
Concurrency control-Refers to a class of controls used in database management systems (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serial and recoverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions.
Console log-An automated detail report of computer system activity
Continuity-Preventing, mitigating and recovering from disruption. The terms business resumption planning, disaster recovery planning and contingency planning also may be used in this context; they all concentrate on the recovery aspects of continuity.
Continuous improvement-The goals of continuous improvement (Kaizen) include the elimination of waste, defined as "activities that add cost but do not add value;" just-in-time delivery; production load leveling of amounts and types; standardized work; paced moving lines; right-sized equipment, and so on. A closer definition of the Japanese usage of Kaizen is "to take it apart and put back together in a better way." What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes.
Control group-Members of the operations area that are responsible for the collection, logging and submission of input for the various user groups
Control risk-The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls
Control section-The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic-logic, internal storage and output sections of the computer
Cookie-A message kept in the web browser for the purpose of identifying users and possibly preparing customized web pages for them. For the first time, a user may be required to go through a registration process. Subsequent to this, whenever the cookie's message is sent to the server, a customized view, based on that user's preferences, can be produced. The browser's implementation of cookies has however brought several security concerns, allowing breaches of security and the theft of personal information (e.g., user passwords that validate the user's identity and enable restricted web services).
Corporate governance-The system by which organizations are directed and controlled. Boards of directors are responsible for the governance of their organizations. It consists of the leadership and organizational structures and processes that ensure the organization sustains and extends strategies and objectives.
Corrective controls-These controls are designed to correct errors, omissions and unauthorized uses and intrusions once they are detected.
Countermeasures-An action, process, device or system that can prevent or mitigate the effects of threats to a computer, server or network. In this context, a threat is a potential or actual adverse event that may be malicious or incidental, and that can compromise the assets of an enterprise or the integrity of a computer or network. Internal controls are countermeasures, as they mitigate the risks presented by the threats. Countermeasures can take the form of software, hardware and modes of behavior.
Coupling-Measure of interconnectivity among software program modules' structure. Coupling depends on the interface complexity between modules. This can be defined as the point at which entry or reference is made to a module, and what data pass across the interface. In application software design, it is preferable to strive for the lowest possible coupling between modules. Simple connectivity among modules results in software that is easier to understand, maintain and less prone to a ripple or domino effect, caused when errors occur at one location and propagate through a system.
Customer relationship management (CRM)-Customer relationship management is a way to identify, acquire and retain customers. CRM is also an industry term for software solutions that help an organization manage customer relationships in an organized manner.
Data communications-The transfer of data between separate computer processing sites/devices using telephone lines, microwave and/or satellite links
Data custodian-Individuals and departments responsible for the storage and safeguarding of computerized information. This typically is within the IS organization.
Data dictionary-A data dictionary is a database that contains the name, type, range of values, source, and authorization for access for each data element in a database. It also indicates which application programs use that data so that when a data structure is contemplated, a list of the affected programs can be generated. The data dictionary may be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database.
Data Encryption Standard (DES)-A private key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES has been used commonly for data encryption in the forms of software and hardware implementation. (also see private key cryptosystem)
Data leakage-Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes
Data O\vner-lndividuals. normally managers or directors. who have responsibility for the integrity. accurate reporting anduse of computerized data
Datn seclIrit!'-Those controls that seek to maintain confidentiality. integrity <lnd availability of information
Data structure·-The relationships among files in a dat~lbasc and among data items within each file
Database-A stored collection of related data needed by organizations and individuals to meet their information processing and retrieval requirements
Database administrator (DBA)-An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database.
Database management system (DBMS)-A complex set of software programs that control the organization, storage and retrieval of data in a database. It also controls the security and integrity of the database.
Database specifications-These are the requirements for establishing a database application. They include field definitions, field requirements, and reporting requirements for the individual information in the database.
Decentralization-The process of distributing computer processing to different locations within an organization
Decision support system (DSS)-An interactive system that provides the user with easy access to decision models and data from a wide range of sources, to support semistructured decision-making tasks, typically for business purposes
Decryption key-A piece of information, in a digitized form, used to recover the plaintext from the corresponding ciphertext by decryption
Decryption-A technique used to recover the original plaintext from the ciphertext, such that it is intelligible to the reader. The decryption is a reverse process of the encryption.
Detection risk-The risk that material errors or misstatements that have occurred will not be detected by the IS auditor
Detective control-These controls exist to detect and report when errors, omissions and unauthorized use or entry occur.
Dial-back-Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the caller is from a valid phone number or telecommunications channel.
Digital signature-A piece of information, a digitized form of a signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender's private key or applying a one-way hash function.
Disaster tolerance-Disaster tolerance is the time gap during which the business can accept the non-availability of IT facilities.
Discovery sampling-A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population
Discretionary access control (DAC)-A protection that may be activated or modified by the data owner at his/her discretion. This would be the case of data-owner-defined sharing of information resources, where the data owner may select who can access his/her resource and the security level of the access. Discretionary access controls cannot override mandatory access controls; they act as an additional filter, prohibiting still more access with the same exclusionary principle.
Diskless workstations-A workstation or PC on a network that does not have its own disk. Instead, it stores files on a network file server
Distributed data processing network-A system of computers connected together by a communications network. Each computer processes its data, and the network supports the system as a whole. Such a network enhances communication among the linked computers and allows access to shared files.
DNS poisoning-Domain name system poisoning, also called DNS cache poisoning or cache poisoning, corrupts the table of an Internet server's DNS, replacing an Internet address with the address of another vagrant or scoundrel address. If a web user looks for the page with that address, the request is redirected by the scoundrel entry in the table to a different address. Cache poisoning differs from another form of DNS poisoning, in which the attacker spoofs valid e-mail accounts and floods the inboxes of administrative and technical contacts. Cache poisoning is related to URL poisoning or location poisoning, where an Internet user's behavior is tracked by adding an identification number to the location line of the browser that can be recorded as the user visits successive pages on the site.
Downloading-The act of transferring computerized information from one computer to another computer
Downtime report-A report that identifies the elapsed time when a computer is not operating correctly because of machine failure
Dumb terminal-A display terminal without processing capability. Dumb terminals are dependent upon the main computer for processing. All entered data are accepted without further editing or validation.
EBCDIC (Extended Binary-coded Decimal Interchange Code)-An 8-bit code representing 256 characters; used in most large computer systems.
Edit controls-Detect errors in the input portion of information that is sent to the computer for processing. The controls may be manual or automated and allow the user to edit data errors before processing.
Editing-Editing ensures that data conform to predetermined criteria and enables early identification of potential errors.
Electronic data interchange (EDI)-The electronic transmission of transactions (information) between two organizations. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders.
Electronic funds transfer (EFT)-The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another.
E-mail/interpersonal messaging-An individual using a terminal, PC or an application can access a network to send an unstructured message to another individual or group of people.
Embedded audit module-A screening process that is incorporated into the regular production programs. The module selects items during the regular production runs that fulfill certain criteria established by the IS auditor and usually outputs or copies these items to a file or report.
Encapsulation (objects)-Encapsulation is the technique used by layered protocols in which a lower-layer protocol accepts a message from a higher-layer protocol and places it in the data portion of a frame in the lower layer.
Encryption-A technique used to protect the plaintext, by coding the data so it is unintelligible to the reader
Encryption key-A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext
End-user computing-The ability of end users to design and implement their own information system, utilizing computer software products
Enterprise resource planning (ERP)-An enterprise resource planning system is an integrated system containing multiple business subsystems. Examples include SAP, Oracle Financials and J.D. Edwards.
Escrow agent-A person, agency or organization that is authorized to act on behalf of another to create a legal relationship with a third party in regards to an escrow agreement. In other words, an escrow agent is the custodian of an asset according to an escrow agreement. As it relates to a cryptographic key, it is the agency or organization charged with the responsibility for safeguarding the key components of the unique key.
Escrow agreement-A legal arrangement whereby an asset (often money, but sometimes other property such as art, a deed of title, web site, software source code or a cryptographic key) is delivered to a third party (called an escrow agent) to be held in trust or otherwise pending a contingency or the fulfillment of a condition or conditions in a contract. Upon that event occurring, the escrow agent will deliver the asset to the proper recipient; otherwise the escrow agent is bound by his/her fiduciary duty to maintain the escrow account. Source code escrow means deposit of the source code for the software into an account held by an escrow agent. Escrow is typically requested by a party licensing software (e.g., licensee or buyer), to ensure maintenance of the software. The software source code is released by the escrow agent to the licensee if the licensor (e.g., seller or contractor) files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.
Ethernet-A popular network protocol and cabling scheme that uses a bus topology and CSMA/CD (carrier sense multiple access/collision detection) to prevent network failures or collisions when two devices try to access the network at the same time
Evidence-The information an auditor gathers in the course of performing an IS audit. Evidence is relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support.
Exception reports-An exception report is generated by a program that identifies transactions or data that appear to be incorrect. These items may be outside a predetermined range or may not conform to specified criteria.
Exclusive-OR (XOR)-The XOR operation is a Boolean operation that produces a 0 if its two Boolean inputs are the same (0 and 0, or 1 and 1) and produces a 1 if its two inputs are different (1 and 0). In other words, the exclusive-OR operator returns a value of TRUE only if just one of its operands is TRUE. In contrast, an inclusive-OR operator returns a value of TRUE if either or both of its operands are TRUE.
Executable code-The machine language code that is generally referred to as the object or load module
Expert systems-Expert systems are the most prevalent type of computer systems that arise from the research of artificial intelligence. An expert system has a built-in hierarchy of rules which are acquired from human experts in the appropriate field. Once input is provided, the system should be able to define the nature of the problem and provide recommendations to solve the problem.
Exposure-A potentially adverse result or consequence to be considered in the evaluation of internal controls. Strengthening internal controls can reduce exposure but seldom eliminates it.
Extended Binary-coded Decimal Interchange Code-See EBCDIC. An 8-bit code representing 256 characters; used in most large computer systems
Extensible Markup Language (XML)-Promulgated through the World Wide Web Consortium, XML is a web-based application development technique that allows designers to create their own customized tags, thus enabling the definition, transmission, validation and interpretation of data between applications and organizations
Extranet-A private network that resides on the Internet and allows a company to securely share business information with customers, suppliers, or other businesses, as well as to execute electronic transactions. It is different from an Intranet in that it is located beyond the company's firewall. Therefore, an Extranet relies on the use of securely issued digital certificates (or alternative methods of user authentication) and encryption of messages. A virtual private network (VPN) and tunneling are often used to implement Extranets, to ensure security and privacy.
Fallback procedures-A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended. These may involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation.
False authorization-Also called false acceptance, it occurs when an unauthorized person is identified as an authorized person by the biometric system.
False enrollment-Occurs when an unauthorized person manages to enroll into the biometric system (enrollment is the initial process of acquiring a biometric feature and saving it as a personal reference on a smart card, a PC or in a central database).
Feasibility study-A phase of an SDLC methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need
Fiber-optic cable-Glass fibers that transmit binary signals over a telecommunications network. Fiber-optic systems have low transmission losses as compared to twisted-pair cables. They do not radiate energy or conduct electricity. They are free from corruption and lightning-induced interference, and reduce the risk of wiretaps.
Field-An individual data element in a computer record. Examples include employee name, customer address, account number, product unit price and product quantity in stock.
File-A named collection of related records
File allocation table (FAT)-A table used by the operating system to keep track of where every file is located on the disk. Since a file is often fragmented and thus subdivided into many sectors within the disk, the information stored in the FAT is used when loading or updating the contents of the file.
File layout-Specifies the length of the file's record and the sequence and size of its fields. A file layout also will specify the type of data contained within each field. For example, alphanumeric, zoned decimal, packed and binary are types of data.
File server-A high-capacity disk storage device or a computer that stores data centrally for network users and manages access to that data. File servers can be dedicated so that no process other than network management can be executed while the network is available; file servers can be nondedicated so that standard user applications can run while the network is available.
Financial audit-An audit designed to determine the accuracy of financial records and information
Firewall-A device that enforces security policies for traffic traversing to and from different network segments. A firewall no longer only protects a company from the Internet, but also protects sensitive segments within organizations.
Firmware-Memory chips with embedded program code that hold their content when power is turned off
Foreign key-A foreign key is a value that represents a reference to a tuple (a row in a table) containing the matching candidate key value (in the relational theory it would be a candidate key, but in real DBMS implementations it is always the primary key). The problem of ensuring that the database does not include any invalid foreign key values is therefore known as the referential integrity problem. The constraint that values of a given foreign key must match values of the corresponding candidate key is known as a referential constraint. The relation (table) that contains the foreign key is referred to as the referencing relation, and the relations that contain the corresponding candidate key as the referenced relation or target relation.
Fourth-generation language (4GL)-English-like, user-friendly, nonprocedural computer languages used to program and/or read and process computer files
Frame relay-A packet-switched wide area network technology that provides faster performance than older packet-switched WAN technologies, such as X.25 networks, because it was designed for today's reliable circuits and performs less rigorous error detection. Frame relay is best suited for data and image transfers. Because of its variable-length packet architecture, it is not the most efficient technology for real-time voice and video. In a frame-relay network, end nodes establish a connection via a permanent virtual circuit (PVC).
Gateway-A hardware/software package that is used to connect networks with different protocols. The gateway has its own processor and memory and can perform protocol and bandwidth conversions.
Generalized audit software (GAS)-Multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting
Geographical information system (GIS)-A tool used to integrate, convert, handle, analyze and produce information regarding the surface of the earth. These data exist as maps, tridimensional virtual models, lists and tables.
Governance-Corporate Governance should suffice.
Hardware-Relates to the technical and physical features of the computer
Help desk-A service offered via phone/Internet by an organization to its clients or employees, which provides information, assistance, and troubleshooting advice regarding software, hardware, or networks. A help desk is staffed by people that can either resolve the problem on their own or escalate the problem to specialized personnel. A help desk is often equipped with dedicated CRM-type software that logs the problems and tracks them until they are solved.
Heuristic filter-A method often employed by antispam software to filter spam using criteria established in a centralized rule database. Every e-mail message is given a rank, based upon its header and contents, which is then matched against preset thresholds. A message that surpasses the threshold will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient.
Hierarchical database-A database structured in a tree/root or parent/child relationship. Each parent can have many children, but each child may have only one parent.
Honeypot-A trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems. Generally, it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information or a resource that would be of value to attackers. Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker can use them to actually break into a system. A honeypot that masquerades as an open proxy is known as a sugarcane. A honeypot is valuable as a surveillance and early-warning tool. While often a computer, a honeypot can take on other forms, such as files or data records, or even unused IP address space. Honeypots should have no production value and, hence, should not see any legitimate traffic or activity. Whatever they capture can then be surmised as malicious or unauthorized. One very practical implication of this is that honeypots designed to thwart spam by masquerading as systems of the types abused by spammers to send spam can categorize the material they trap 100 percent accurately: it is all illicit. A honeypot needs no spam-recognition capability, no filter to separate ordinary e-mail from spam. Ordinary e-mail never comes to a honeypot.
Hot site-A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster
Hypertext markup language (HTML)-A language designed for the creation of web pages with hypertext and other information to be displayed in a web browser. HTML is used to structure information, denoting certain text as headings, paragraphs, lists and so on, and can be used to describe, to some degree, the appearance and semantics of a document.
Image processing-The process of electronically inputting source documents by taking an image of the document, thereby eliminating the need for key entry
Impact assessment-A study of the potential future effects of a development project on current projects and resources. The resulting document should list the pros and cons of pursuing a specific course of action.
Impersonation-Impersonation, as a security concept related to Windows NT, allows a server application to temporarily "be" the client in terms of access to secure objects. Impersonation has three possible levels: identification, letting the server inspect the client's identity; impersonation, letting the server act on behalf of the client; and delegation, the same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). Impersonation by imitating or copying the identification, behavior or actions of another may also be used in social engineering to obtain otherwise unauthorized physical access.
Independence-An IS auditor's self-governance and freedom from conflict of interest and undue influence. The IS auditor should be free to make his/her own decisions, not influenced by the organization being audited and its people (managers and employees).
Indexed sequential access method (ISAM)-A disk access method that stores data sequentially, while also maintaining an index of key fields to all the records in the file for direct access capability.
Information processing facility (IPF)-The computer room and support areas
Information security governance-The leadership, organizational structures and processes that safeguard information
Inherent risk-The risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error (Also see control risk)
Input controls-Techniques and procedures used to verify, validate and edit data, to ensure that only correct data are entered into the computer
Instant messaging-An online mechanism or a form of real-time communication between two or more people based on typed text and multimedia data. The text is conveyed via computers or another electronic device (e.g., cell phone or PDA) connected over a network, such as the Internet.
Integrated services digital network (ISDN)-A public end-to-end digital telecommunications network with signaling, switching, and transport capabilities supporting a wide range of services accessed by standardized interfaces with integrated customer control. The standard allows transmission of digital voice, video and data over 64 Kbps lines.
Integrated test facilities (ITF)-A testing methodology where test data are processed in production systems. The data usually represent a set of fictitious entities such as departments, customers and products. Output reports are verified to confirm the correctness of the processing.
Internet-1) Two or more networks connected by a router; 2) the world's largest network using TCP/IP protocols to link government, university and commercial institutions.
Internet Engineering Task Force (IETF)-The Internet standards-setting organization with affiliates internationally from network industry representatives. This includes all network industry developers and researchers concerned with evolution and planned growth of the Internet.
Internet packet (IP) spoofing-An attack using packets with spoofed source Internet packet (IP) addresses. This technique exploits applications that use authentication based on IP addresses. This technique also may enable an unauthorized user to gain root access on the target system.
Irregularities-Intentional violations of established policy or willful misstatements or omissions of information
IT governance framework-A model that integrates a set of guidelines, policies and methods that represent the organizational approach to IT governance. Per COBIT 4.0, IT governance is the responsibility of the board of directors and executive management. It is an integral part of institutional governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategy and objectives.
IT infrastructure-The set of hardware, software and facilities that integrates an organization's IT assets. Specifically, the equipment (including servers, routers, switches, and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the organization's users.
Kaizen-See continuous improvement.
Key performance indicator (KPI)-Defined measures that determine how well the process is performing in enabling the goal to be reached. They are lead indicators of whether a goal will likely be reached or not, and are good indicators of capabilities, practices and skills. They measure the activity goals, which are the actions the process owner must take to achieve effective process performance.
Librarian-The individual responsible for the safeguarding and maintenance of all program and data files
Licensing agreement-A contract that establishes the terms and conditions under which a piece of software is being licensed (i.e., made legally available for use) from the software developer (owner) to the user
Limit check-Tests of specified amount fields against stipulated high or low limits of acceptability. When both high and low values are used, the test may be called a range check.
Literals-Any notation for representing a value within programming language source code, e.g., a string literal; a chunk of input data that is represented "as is" in compressed data
Local area network (LAN)-Communications networks that serve several users within a specified geographical area. Personal computer LANs function as distributed processing systems in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network.
Log-Records details of the information or events in an organized record-keeping system, usually sequenced in the order they occurred
Logon-The process of connecting to the computer. It typically requires entry of a user ID and password into a computer terminal.
Malware-Short for "malicious software," malware is software designed to infiltrate, damage or obtain information from a computer system without the owner's consent. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. Spyware is generally used for marketing purposes and as such is not really malicious, although it is generally unwanted. However, spyware can also be used to gather information for identity theft or other clearly illicit purposes.
Management information system (MIS)-An organized assembly of resources and procedures required to collect, process and distribute data for use in decision making.
Mandatory access controls (MAC)-Logical access control filters, used to validate access credentials, that cannot be controlled or modified by normal users or data owners; they act by default. Conversely, those controls that may be configured or modified by the users or data owners are called discretionary access controls.
Mapping-Diagramming data that is to be exchanged electronically, including how it is to be used and what business management systems need it. It is a preliminary step for developing an applications link. (Also see application tracing and mapping.)
Materiality-An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. An expression of the relative significance or importance of a particular matter in the context of the organization as a whole.
Maturity model-A collection of instructions an organization can follow to gain better control over its software development process. The Capability Maturity Model (CMM) for Software, from the Software Engineering Institute (SEI), is a model used by many organizations to identify best practices useful in helping them assess and increase the maturity of their software development processes. The CMM ranks software development organizations according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature, or chaotic, processes and the standards for level five describe the most mature, or quality, processes.
Media Access Control (MAC)-A unique, 48-bit, hard-coded address of a physical layer device, such as an Ethernet LAN or a wireless network card. The MAC is applied to the hardware at the factory and cannot be modified.
Media oxidation-The deterioration of the media (e.g., tapes) upon which data is digitally stored due to exposure to oxygen and moisture, for example, tapes deteriorating in a warm, humid environment. Proper environmental controls should prevent, or significantly slow, this process.
Message switching-A telecommunications traffic controlling methodology in which a complete message is sent to a concentration point and stored until the communications path is established.
Middleware-Another term for an application programmer interface (API). It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.
Milestone-A terminal element that marks the completion of a work package or phase, typically marked by a high-level event such as project completion; receipt, endorsement or signing of a previously-defined deliverable; or a high-level review meeting at which the appropriate level of project completion is determined and agreed to. Typically, a milestone is associated with some sort of decision that outlines the future of a project and, for outsourced projects, may have a payment to the contractor associated with it.
Mission-critical application-An application that is vital to the operation of the organization. The term is very popular for describing the applications required to run the day-to-day business.
Mobile site-This is a specially designed trailer that can be quickly transported to a business location or to an alternate site to provide a ready-conditioned information processing facility. These mobile sites can be connected to form larger work areas and can be preconfigured with servers, desktop computers, communications equipment, and even microwave and satellite data links.
Modulation-The process of converting a digital computer signal into an analog telecommunications signal
Monetary unit sampling-A sampling technique that estimates the amount of overstatement in an account balance
Network-A system of interconnected computers and the communications equipment used to connect them
Network administrator-Responsible for planning, implementing and maintaining the telecommunications infrastructure, and also may be responsible for voice networks. For smaller organizations, this may entail maintaining a LAN and assisting end users.
Network attached storage (NAS)-This utilizes dedicated storage devices that centralize storage of data. Such devices generally do not provide traditional file/print or application services.
Network interface card (NIC)-A communications card that, when inserted into a computer, allows it to communicate with other computers on a network. Most network interface cards are designed for a particular type of network or protocol.
Noise-Disturbances, such as static, in data transmissions that cause messages to be misinterpreted by the receiver
Nondisclosure agreement (NDA)-Also called a confidential disclosure agreement (CDA), confidentiality agreement or secrecy agreement, it is a legal contract between at least two parties that outlines confidential materials the parties wish to share with one another for certain purposes, but wish to restrict from generalized use. In other words, it is a contract through which the parties agree not to disclose information covered by the agreement. An NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect non-public business information. (Note: In the case of certain governmental entities, the confidentiality of information other than trade secrets may be subject to applicable statutory requirements, and in some cases may be required to be revealed to an outside party requesting the information. Generally, the governmental entity will include a provision in the contract to allow the seller to review a request for information the seller identifies as confidential, and the seller may appeal such a decision requiring disclosure.) NDAs are commonly signed when two companies or individuals are considering doing business together and need to understand the processes used in one another's businesses solely for the purpose of evaluating the potential business relationship. NDAs can be "mutual," meaning both parties are restricted in their use of the materials provided, or they can only restrict a single party. It is also possible for an employee to sign an NDA or NDA-like agreement with a company at the time of hiring; in fact, some employment agreements will include a clause restricting "confidential information" in general.
Normalization-The elimination of redundant data
Objectivity-The ability of the IS auditor to exercise judgment, express opinions and present recommendations with impartiality
Offsite storage-A storage facility located away from the building housing the primary information processing facility (IPF), used for storage of computer media such as offline backup data and storage files
Open Shortest Path First (OSPF)-A routing protocol, developed for IP networks, that is based on the shortest-path-first or link-state algorithm.
Operating system-A master control program that runs the computer and acts as a scheduler and traffic controller. It is the first program copied into the computer's memory after the computer is turned on and must reside in memory at all times. It sets the standards for the application programs that run in it.
Operational control-These controls deal with the everyday operation of a company or organization to ensure that all objectives are achieved.
Operator console-A special terminal used by computer operations personnel to control computer and systems operations functions. These terminals typically provide a high level of computer access and should be properly secured.
Packet-A block of data for data transmission. A packet contains both routing information and data.
Packet switching-The process of transmitting messages in convenient pieces that can be reassembled at the destination
Paper test-A walk-through of the steps of a regular test, but without actually performing the steps. It is usually used in disaster recovery and contingency testing, where team members review and become familiar with the plans, their specific roles and responsibilities.
CISA Review Manual 2007 497
CISA Glossary
Parallel testing-The process of feeding test data into two systems, the modified system and an alternative system (possibly the original system), and comparing results
Parity check-A general hardware control, which helps to detect data errors when data are read from memory or communicated from one computer to another. A one-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item's bits is odd or even. When the parity bit disagrees with the sum of the other bits, the computer reports an error. The probability of a parity check detecting an error is 50 percent.
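As an added example (not from the manual), the following Python code implements the even-parity scheme described above and enumerates every possible error pattern on an 8-bit codeword (7 data bits plus the parity bit, using ASCII 'A' as constructed input). It shows that a single flipped bit is always caught while any even number of flipped bits passes unnoticed, which is where the 50 percent figure comes from.

```python
# Added example (not from the CISA Review Manual): an even-parity check as
# described in the glossary entry, plus a count that shows why one parity
# bit catches exactly half of all possible error patterns.
from itertools import product


def byte_to_bits(value, width=7):
    """Constructed helper: split an integer into `width` bits, MSB first."""
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def parity_bit(data_bits):
    """Even parity: the bit that makes the total number of 1s even."""
    return sum(data_bits) % 2


def encode(data_bits):
    """Sender side: codeword = data bits followed by the parity bit."""
    return list(data_bits) + [parity_bit(data_bits)]


def check(codeword):
    """Receiver side: True when parity is consistent (no error reported)."""
    return sum(codeword) % 2 == 0


def apply_error(codeword, error_pattern):
    """Simulate transmission errors: a 1 in error_pattern flips that bit."""
    return [bit ^ flip for bit, flip in zip(codeword, error_pattern)]


def detection_stats(codeword_len):
    """Count the error patterns the parity check catches.

    Over all 2**n patterns (the all-zero pattern meaning "no error"),
    exactly those with an odd number of flipped bits change the parity
    and are detected: 2**(n-1) patterns, i.e. 50 percent.  Every
    even-weight pattern (two flipped bits, four, ...) is silently missed.
    Returns (detected, total, list_of_missed_nonzero_patterns).
    """
    base = encode([0] * (codeword_len - 1))  # data content does not matter
    detected = 0
    missed = []
    for pattern in product((0, 1), repeat=codeword_len):
        if not check(apply_error(base, pattern)):
            detected += 1
        elif any(pattern):
            missed.append(pattern)
    return detected, 2 ** codeword_len, missed


if __name__ == "__main__":
    data = byte_to_bits(0x41)  # ASCII 'A' = 1000001 (constructed input)
    word = encode(data)
    print("codeword:", word, "parity ok:", check(word))
    one_flip = apply_error(word, [0, 0, 0, 1, 0, 0, 0, 0])
    two_flips = apply_error(word, [1, 0, 0, 1, 0, 0, 0, 0])
    print("single-bit error detected:", not check(one_flip))
    print("double-bit error detected:", not check(two_flips))
    detected, total, _ = detection_stats(len(word))
    print(f"{detected} of {total} error patterns detected ({detected / total:.0%})")
```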
Password-A protected, generally computer-encrypted string of characters that authenticates a computer user to the computer system
Patch management-An area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system, to maintain up-to-date software and often to address security risks. Patch management tasks include the following: maintaining current knowledge of available patches; deciding what patches are appropriate for particular systems; ensuring that patches are installed properly; testing systems after installation; and documenting all associated procedures, such as specific configurations required. A number of products are available to automate patch management tasks. Patches are sometimes ineffective and can sometimes cause more problems than they fix. Patch management experts suggest that system administrators take simple steps to avoid problems, such as performing backups and testing patches on non-critical systems prior to installations. Patch management can be viewed as part of change management. For further detail refer to: http://searchwindowssecurity.techtarget.com/sDefinition/0,,sid45_gci901422,00.html
Payroll system-An electronic system for processing payroll information and the related electronic (e.g., electronic timekeeping and/or human resources system), human (e.g., payroll clerk), and external party (e.g., bank) interfaces. In a more limited sense, it is the electronic system that performs the processing for generating payroll checks and/or bank direct deposits to employees.
Private branch exchange (PBX)-A telephone exchange that is owned by a private business, as opposed to one owned by a common carrier or by a telephone company.
Performance testing-Comparing the system's performance to other equivalent systems using well-defined benchmarks
Personal digital assistant (PDA)-Also called palmtop and pocket computer, these are handheld devices that provide computing, Internet, networking and telephone characteristics.
Personal identification number (PIN)-A type of password (i.e., a secret number assigned to an individual) that, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual. PINs have been adopted by financial institutions as the primary means of verifying customers in an electronic funds transfer system (EFTS).
Phishing-This is a type of e-mail attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering. These attacks may take the form of masquerading as a lottery organization advising the recipient of a large win, or as the user's bank; in either case, the intent is to obtain account and PIN details. Alternative attacks may seek to obtain apparently innocuous business information, which may be used in another form of active attack.
Phreakers-Those who crack security, most frequently phone and other communication networks
Point-of-sale (POS) systems-Enable the capture of data at the time and place of transaction. POS terminals may include use of optical scanners for use with bar codes or magnetic card readers for use with credit cards. POS systems may be online to a central computer or may use stand-alone terminals or microcomputers that hold the transactions until the end of a specified period when they are sent to the main computer for batch processing.
Port-An interface point between the CPU and a peripheral device
Point-to-point protocol (PPP)-Commonly used to establish a direct connection between two nodes, it can connect computers using serial cable, phone line, trunk line, cellular telephone, specialized radio links or fiber optic links. Its main features include enhanced error detection, automatic self-configuration and looped link detection. Most Internet service providers use PPP for customers' dial-up access to the Internet. PPP is commonly used to act as a "layer 2" (the data link layer of the OSI model) protocol for connection over synchronous and asynchronous circuits, where it has largely superseded an older nonstandard protocol (known as SLIP) and telephone company mandated standards (such as X.25). PPP was designed to work with numerous "layer 3" network layer protocols, including IP, Novell's IPX, and AppleTalk.
Privacy-Privacy involves providing proper protection for personally identifiable information relating to an identified or identifiable individual (data subject). Management should ensure that proper controls are in place and functioning to be in compliance with its privacy policy or applicable privacy laws and regulations.
Problem escalation procedure-The process of escalating a problem up from junior to senior support staff, and ultimately to higher levels of management. It is often used in help desk management, where an unresolved problem is escalated up the chain of command, until it is solved.
Program Evaluation and Review Technique (PERT)-A project management technique used in the planning and control of system projects
Project portfolio-The set of projects owned by a company; it usually includes the main guidelines relative to each project, including objectives, costs, timelines and other information specific to the project.
Protocol-The rules by which a network operates and controls the flow and priority of transmissions
Prototyping-A system development technique that enables users and developers to reach agreement on system requirements. Prototyping uses programmed simulation techniques to represent a model of the final system to the user for advisement and critique. The emphasis is on end-user screens and reports. Internal controls are not a priority item since this is only a model.
Public key encryption-A cryptographic system that uses two keys. One is a public key, which is known to everyone, and the second is a private or secret key, which is only known to the recipient of the message.
Public key infrastructure (PKI)-A system that authentically distributes users' public keys using certificates. It verifies and authenticates the validity of each party involved in an Internet transaction through digital certificates, certificate authorities and other registration authorities.
Quality assurance-A technique used to design, develop and implement a product or service, reducing costs and preserving the quality.
Queue-A group of items that are waiting to be serviced or processed
Radio wave interference-The superposition of two or more radio waves resulting in a different radio wave pattern that is more difficult to intercept and decode properly
Random access memory (RAM)-The computer's primary working memory. Each byte of memory can be accessed randomly regardless of adjacent bytes.
Record-A collection of related information treated as a unit. Separate fields within the record are used for processing the information.
Recovery point objective (RPO)-The recovery point objective is determined based on the acceptable data loss in case of disruption of operations. It indicates the earliest point in time to which it is acceptable to recover the data. RPO effectively quantifies the permissible amount of data loss in case of interruption.
Recovery testing-A test to check the system's ability to recover after a software or hardware failure
Recovery time objective (RTO)-The recovery time objective is determined based on the acceptable down time in case of disruption of operations. It indicates the earliest point in time at which the business operations must resume after disaster.
Redundant Array of Inexpensive Disks (RAID)-Provides performance improvements and fault-tolerant capabilities via hardware or software solutions, by writing to a series of multiple disks to improve performance and/or save large files simultaneously
Reengineering-A process involving the extraction of components from existing systems and restructuring these components to develop new systems or to enhance the efficiency of existing systems. Existing software systems thus can be modernized to prolong their functionality. An example of this is a software code translator that can take an existing hierarchical database system and transpose it to a relational database system. CASE includes a source code reengineering feature.
Registration authority (RA)-An optional entity separate from a CA that would be used by a CA with a very large customer base. CAs use RAs to delegate some of the administrative functions associated with recording or verifying some or all of the information needed by a CA to issue certificates or CRLs and to perform other certificate management functions. However, with this arrangement, the CA still retains sole responsibility for signing either digital certificates or CRLs. If an RA is not present in the established PKI structure, the CA is assumed to have the same set of capabilities as those defined for an RA.
Regression testing-A testing technique used to retest earlier program abends or logical errors that occurred during the initial testing phase
Remote access service (RAS)-Refers to any combination of hardware and software to enable the remote access to tools or information that typically reside on a network of IT devices. Originally coined by Microsoft when referring to their built-in NT remote access tools. RAS was a service provided by Windows NT which allows most of the services that would be available on a network to be accessed over a modem link. Over the years, many vendors have provided both hardware and software solutions to gain remote access to various types of networked information. In fact, most modern routers include a basic RAS capability that can be enabled for any dial-up interface.
Remote Procedure Call (RPC)-The traditional Internet service protocol widely used for many years on UNIX-based operating systems and supported by the Internet Engineering Task Force (IETF), that allows a program on one computer to execute a program on another (e.g., server). The primary benefit derived from its use is that a system developer need not develop specific procedures for the targeted computer system. For example, in a client-server arrangement, the client program sends a message to the server with appropriate arguments, and the server returns a message containing the results of the program executed. Common Object Request Broker Architecture (CORBA) and Distributed Component Object Model (DCOM) are two newer object-oriented methods for related RPC functionality.
Repeaters-A physical layer device that regenerates and propagates electrical signals between two network segments. Repeaters receive signals from one network segment and amplify (regenerate) the signal to compensate for signals (analog or digital) distorted by transmission loss due to reduction of signal strength during transmission (i.e., attenuation).
Replication-In its broad computing sense, involves the use of redundant software or hardware elements to provide availability and fault-tolerant capabilities. In a database context, replication involves the sharing of data between databases to reduce workload among database servers, thereby improving client performance, while maintaining consistency among all systems.
Repository-The central database that stores and organizes data
Request for proposal (RFP)-A document distributed to software vendors requesting their submission of a proposal to develop or provide a software product
Requirements definition-A phase of a SDLC methodology where the affected user groups define the requirements of the system for meeting the defined needs
Resilience-The ability of a system or network to recover automatically from any disruption, usually with minimal recognizable effect
Return on investment (ROI)-A measure of operating performance and efficiency, computed in its simplest form by dividing net income by average total assets.
Reverse engineering-A software engineering technique whereby existing application system code can be redesigned and coded using computer-aided software engineering (CASE) technology
Ring configuration-Used in either token ring or FDDI networks, all stations (nodes) are connected to a multistation access unit (MSAU), which physically resembles a star-type topology. A ring configuration is created when these MSAUs are linked together in forming a network. Messages in this network are sent in a deterministic fashion from sender to receiver via a small frame, referred to as a token. To send a message, a sender obtains the token with the right priority as the token travels around the ring, with receiving nodes reading those messages addressed to them.
Risk-The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss of, or damage to, the assets. It usually is measured by a combination of impact and probability of occurrence.
Rounding down-A method of computer fraud involving a computer code that instructs the computer to remove small amounts of money from an authorized computer transaction by rounding down to the nearest whole value denomination and rerouting the rounded off amount to the perpetrator's account
Router-A networking device that can send (route) packets to the connected LAN segment, based on addressing at the network layer (Layer 3) in the OSI model. Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source address, destination address, protocol and network application (ports).
RSA-A public key cryptosystem developed by R. Rivest, A. Shamir and L. Adleman. RSA has two different keys: the public encryption key and the secret decryption key. The strength of RSA depends on the difficulty of prime number factorization. For applications with high-level security, the number of decryption key bits should be greater than 512 bits. RSA is used for both encryption and digital signatures.
Run-to-run totals-Provide verification that all transmitted data are read and processed
Scheduling-A method used in the information processing facility (IPF) to determine and establish the sequence of computer job processing
Scope creep-Also called requirement creep, this refers to uncontrolled changes in a project's scope. This phenomenon can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose. Because of one's tendency to focus on only one dimension of a project, scope creep can also result in a project team overrunning its original budget and schedule. For example, scope creep can be a result of poor change control, lack of proper identification of what products and features are required to bring about the achievement of project objectives in the first place, or a weak project manager or executive sponsor.
Secure Sockets Layer (SSL)-A protocol that is used to transmit private documents through the Internet. This protocol uses a private key to encrypt the data that is to be transferred through the SSL connection.
Security testing-Making sure the modified/new system includes appropriate access controls and does not introduce any security holes that might compromise other systems
Service set identifier (SSID)-In Wi-Fi wireless LAN computer networking, this is a code attached to all packets on a wireless network to identify each packet as part of that network. The code consists of a maximum of 32 alphanumeric characters. All wireless devices attempting to communicate with each other must share the same SSID. Apart from identifying each packet, the SSID also serves to uniquely identify a group of wireless network devices used in a given service set. There are two major variants of the SSID. Ad hoc wireless networks that consist of client machines without an access point use the IBSSID (independent basic service set identifier), whereas on an infrastructure network which includes an access point, the basic service set identifier (BSSID) or extended service set identifier (ESSID) is used instead.
Servlet-Typically indicates a Java applet or a small program that runs within a web server environment. A Java servlet is similar to a CGI program, but unlike a CGI program, once started, it stays in memory and can fulfill multiple requests, thereby saving server execution time and speeding up the services.
Session border controller (SBC)-Provides security features for VoIP traffic similar to those provided by firewalls. SBCs can be configured to filter specific VoIP protocols, monitor for denial-of-service (DoS) attacks, and provide network address and protocol translation features.
Sign-on procedure-The procedure performed by a user to gain access to an application or operating system. If the user is properly identified and authenticated by the system's security, they will be able to access the software.
Simple Object Access Protocol (SOAP)-A platform-independent, XML-based formatted protocol enabling applications to communicate with each other over the Internet. Use of this protocol may provide a significant security risk to web application operations, since use of SOAP piggybacks onto a web-based document object model and is transmitted via HTTP (port 80) to penetrate server firewalls, which are usually configured to accept port 80 and port 21 (FTP) requests. Web-based document models define how objects on a web page are associated with each other and how they can be manipulated while being sent from a server to a client browser. SOAP typically relies on XML for presentation formatting and also adds appropriate HTTP-based headers to send it. SOAP forms the foundation layer of the web services stack, providing a basic messaging framework on which more abstract layers can build. There are several different types of messaging patterns in SOAP, but by far the most common is the Remote Procedure Call (RPC) pattern, in which one network node (the client) sends a request message to another node (the server), and the server immediately sends a response message to the client.
Slack time (float)-Time in the project schedule, the use of which does not affect the project's critical path (the minimum time to complete the project based upon the estimated time for each project segment and their relationships). Slack time is commonly referred to as "float" and generally is not "owned" by either party to the transaction.
SMART (specific, measurable, achievable, relevant, time-bound)-A development methodology for value management
Software-Programs and supporting documentation that enable and facilitate use of the computer. Software controls the operation of the hardware.
Source code-Source code is the language in which a program is written. Source code is translated into object code by assemblers and compilers. In some cases, source code may be converted automatically into another language by a conversion program. Source code is not executable by the computer directly. It must first be converted into machine language.
Source documents-The forms used to record data that have been captured. A source document may be a piece of paper, a turnaround document or an image displayed for online data input.
Source lines of code (SLOC)-Source lines of code are often used in deriving single-point software size estimations.
Spool (simultaneous peripheral operations online)-An automated function that can be operating system or application based, in which electronic data being transmitted between storage areas are spooled or stored until the receiving device or storage area is prepared and able to receive the information. This operation allows more efficient electronic data transfers from one device to another by permitting higher speed sending functions, such as internal memory, to continue on with other operations instead of waiting on the slower speed receiving device, such as a printer.
Standing data-Permanent reference data used in transaction processing. These data are changed infrequently, such as a product price file or a name and address file.
Spyware-Software whose purpose is to monitor a computer user's actions (e.g., web sites they visit) and report these actions to a third party, without the informed consent of that machine's owner or legitimate user. A particularly malicious form of spyware is software that monitors keystrokes (e.g., to obtain passwords) or otherwise gathers sensitive information such as credit card numbers, which it then transmits to a malicious third party. The term has also come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.
Statistical sampling-A method of selecting a portion of a population, by means of mathematical calculations and probabilities, for the purpose of making scientifically and mathematically sound inferences regarding the characteristics of the entire population
Storage area networks (SANs)-A variation of a LAN that is dedicated for the express purpose of connecting storage devices to servers and other computing devices. SANs centralize the process for the storage and administration of data.
Structured Query Language (SQL)-The primary language used by both application programmers and end users in accessing relational databases
Substantive testing-Determines the integrity of actual processing, which provides evidence of the validity of the final outcome. This is done outside of a review of processes and related internal controls. For example, testing balances in the financial statement and the transactions that support those balances is a substantive test. General types of testing involve recalculation, confirmations, verification of outcomes from other information sources and observations. Substantive testing will be limited when there is a low risk of control failure. Conversely, if the testing of controls reveals weaknesses in control, the level of substantive testing would be increased.
Supply chain management (SCM)-A concept that allows an organization to more effectively and efficiently manage the activities of design, manufacturing, distribution, service and recycling of products and services to its customers
Suspense file-A computer file used to maintain information (i.e., on transactions, payments, or other events) until the proper disposition of that information can be determined. Once the proper disposition of the item is determined, it should be removed from the suspense file and processed in accordance with the proper procedures for that particular transaction. Two examples of items that may be included in a suspense file are receipt of a payment from a source that is not readily identified, or data that do not yet have an identified match during migration to a new application.
Switches-Typically associated as a data link layer device, switches enable LAN network segments to be created and interconnected, which also has the added benefit of reducing collision domains in Ethernet-based networks.
Synchronous transmission-Block-at-a-time data transmission
System software-A collection of computer programs used in the design, processing and control of all applications. The programs and processing routines that control the computer hardware, including the operating system and utility programs.
System testing-A series of tests designed to ensure that the modified program interacts correctly with other system components. These test procedures typically are performed by the system maintenance staff in their development library.
Systems development life cycle (SDLC)-The phases deployed in the development or acquisition of a software system. Typical phases include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and postimplementation review.
Tape management system (TMS)-A system software tool that logs, monitors and directs computer tape usage.
Telecommunications-Electronic communications by special devices over distances or around devices that preclude direct interpersonal exchange
Terminal-A device for sending and receiving computerized data over transmission lines
Test data-Data that are used to test a computer program. Depending on the purpose of the test, the data may be production data (files) or data created by either information systems (IS) or the customer (user).
Throughput-The quantity of useful work made by the system per unit of time. Throughput can be measured in instructions per second or some other unit of performance. When referring to a data transfer operation, throughput measures the useful data transfer rate and is expressed in kbps, Mbps and Gbps.
Transaction log-A manual or automated log of all updates to data files and databases
Transaction-Business events or information grouped together because they have a single or similar purpose. Typically, a transaction is applied to a calculation or event that then results in the updating of a holding or master file.
Transmission Control Protocol/Internet Protocol (TCP/IP)-A set of communications protocols that encompasses media access, packet transport, session communications, file transfer, electronic mail, terminal emulation, remote file access and network management. TCP/IP provides the basis for the Internet.
Trojan horse-Purposefully hidden malicious or damaging code within an authorized computer program
Tunneling-A method by which one network protocol encapsulates another protocol within itself. It is commonly used to bridge between incompatible hosts/routers or to provide encryption. When protocol A encapsulates protocol B, then a protocol A header and optional tunneling headers are appended to the original protocol B packet. Protocol A then becomes the data link layer of protocol B. Examples of tunneling protocols include IPSec, Point-to-point Protocol over Ethernet (PPPoE), and Layer 2 Tunneling Protocol (L2TP).
Tuple-A tuple is a row in a database table.
Twisted pairs-A pair of small, insulated wires that are twisted around each other to minimize interference from other wires in the cable. This is a low-capacity transmission medium.
Unicode-A standard for representing characters as integers. It uses 16 bits, which means that it can represent more than 65,000 unique characters, as is necessary for languages such as Chinese and Japanese.
Uninterruptible power supply (UPS)-Provides short-term backup power from batteries for a computer system when the electrical power fails or drops to an unacceptable voltage level
Unit testing-A testing technique that is used to test program logic within a particular program or module. The purpose of the test
Universal Serial Bus (USB)-An external bus standard that provides capabilities to transfer data at a rate of 12 Mbps. A USB port can connect up to 127 peripheral devices.
User awareness-The training process in security-specific issues to reduce security problems, since users are often the weakest link in the security chain
Utility programs-Specialized system software used to perform particular computerized functions and routines that are frequently required during normal processing. Examples include sorting, backing up and erasing data.
Utility script-A sequence of commands input into a single file to automate a repetitive and specific task. The utility script is then executed, either automatically or manually, to perform the task. In UNIX, these are known as shell scripts.
Variable sampling-A sampling technique used to estimate the average or total value of a population based on a sample; a statistical model used to project a quantitative characteristic, such as a monetary amount
Verification-Checks that data are entered correctly
Virus-Malicious programs designed to spread and replicate from computer to computer through telecommunications links or through sharing of computer diskettes and files
Voice mail-A system of storing messages in a private recording medium where the called party can later retrieve the messages
Voice-over Internet protocol (VoIP)-Also called IP telephony, Internet telephony and broadband phone, this is a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of dedicated voice transmission lines.
WAN switch-A data link layer device used for implementing various WAN technologies such as asynchronous transfer mode, point-to-point frame relay solutions, and ISDN. These devices are typically associated with carrier networks providing dedicated WAN switching and router services to organizations via T-1 or T-3 connections.
Wide area network (WAN)-A computer network connecting different remote locations that may range from short distances, such as a floor or building, to extremely long transmissions that encompass a large region or several countries
Wi-Fi Protected Access (WPA)-A class of systems used to secure wireless (Wi-Fi) computer networks. It was created in response to several serious weaknesses researchers found in the previous system, Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard, and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first generation wireless access points. WPA2 implements the full standard, but will not work with some older network cards. Both provide good security with two significant issues. First, either WPA or WPA2 must be enabled and chosen in preference to WEP; WEP is usually presented as the first security choice in most installation instructions. Second, in the "personal" mode, the most likely choice for homes and small offices, a pass phrase is required that, for full security, must be longer than the typical 6 to 8 character passwords users are taught to employ.
Wired Equivalent Privacy (WEP)-A scheme that is part of the IEEE 802.11 wireless networking standard to secure IEEE 802.11 wireless networks (also known as Wi-Fi networks). Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping. WEP was intended to provide comparable confidentiality to a traditional wired network (in particular it does not protect users of the network from each other), hence the name. Several serious weaknesses were identified by cryptanalysts, and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite the weaknesses, WEP provides a level of security that can deter casual snooping.
Wiretapping-The practice of eavesdropping on information being transmitted over telecommunications links
Note: The CISA candidate may want to be familiar with ISACA's Glossary, which can be viewed at www.isaca.org/glossary. Also available is a list of CISA exam terminology in different languages that can be viewed at www.isaca.org/examterm.
CISA Review Manual 2007 505

Acronyms

The CISA candidate should be familiar with the following list of acronyms published in the Candidate's Guide to the CISA Examination. These acronyms are the only stand-alone abbreviations used in examination questions.
ASCII - American Standard Code for Information Interchange
Bit - Binary digit
CASE - Computer-aided system engineering
CCTV - Closed-circuit television
CPU - Central processing unit
DBA - Database administrator
DBMS - Database management system
EDI - Electronic data interchange
FTP - File Transfer Protocol
HTTP - Hypertext Transmission Protocol
HTTPS - Secured Hypertext Transmission Protocol
ID - Identification
IDS - Intrusion detection system
IP - Internet protocol
IS - Information systems
ISO - International Organization for Standardization
IT - Information technology
LAN - Local area network
PBX - Private branch (business) exchange
PC - Personal computer/microcomputer
PCR - Program change request
PDA - Personal digital assistant
PERT - Program Evaluation Review Technique
PIN - Personal identification number
PKI - Public key infrastructure
RAID - Redundant Array of Inexpensive Disks
RFID - Radio frequency identification
SDLC - System development life cycle
SSL - Secure Sockets Layer
TCP - Transmission Control Protocol
UPS - Uninterruptible power supply
VoIP - Voice-over Internet Protocol
WAN - Wide area network
In addition to the aforementioned acronyms, candidates may also wish to become familiar with the following additional acronyms. Should any of these abbreviations be used in examination questions, their meanings would be included when the acronym appears.
4GL - Fourth-generation language
ACID - Atomicity, consistency, isolation and durability
ACL - Access control list
AH - Authentication header
AI - Artificial intelligence
AICPA - American Institute of Certified Public Accountants
ALE - Annual loss expectancy
ALU - Arithmetic-logic unit
ANSI - American National Standards Institute
API - Application programming interface
ARP - Address Resolution Protocol
ASIC - Application-specific integrated circuit
ATDM - Asynchronous time division multiplexing
ATM - Asynchronous Transfer Mode or automated teller machine
BCI - Business Continuity Institute
BCM - Business continuity management
BCP - Business continuity planning
BI - Business intelligence
BIA - Business impact analysis
BIMS - Biometric Information Management and Security
BIOS - Basic Input/Output System
BIS - Bank for International Settlements
BLP - Bypass label process
BNS - Backbone network services
BOM - Bill of materials
BOMP - Bill of materials processor
BPR - Business process reengineering
BRP - Business recovery (or resumption) plan
BSC - Balanced scorecard
B-to-B - Business-to-business
B-to-C - Business-to-consumer
B-to-E - Business-to-employee
B-to-G - Business-to-government
CA - Certificate authority
CAAT - Computer-assisted audit technique
CAD - Computer-assisted design
CAE - Computer-assisted engineering
CAM - Computer-aided manufacturing
CASE - Computer-aided software engineering
CCK - Complementary Code Keying
CCM - Constructive Cost Model
CD - Compact disk
CDDF - Call Data Distribution Function
CDPD - Cellular Digital Packet Data
CD-R - Compact disk-recordable
CD-RW - Compact disk-rewritable
CEO - Chief executive officer
CERT - Computer emergency response team
CGI - Common gateway interface
CIAC - Computer Incident Advisory Capability
CICA - Canadian Institute of Chartered Accountants
CIM - Computer-integrated manufacturing
CIO - Chief information officer
CIS - Continuous and intermittent simulation
CISO - Chief information security officer
CMDB - Configuration management database
CMM - Capability Maturity Model
CMMI - Capability Maturity Model Integration
CNC - Computerized Numeric Control
COBIT - Control Objectives for Information and related Technology
COCOMO2 - Constructive Cost Model
CODASYL - Conference on Data Systems Language
COM - Component Object Model
COM/DCOM - Component Object Model/Distributed Component Object Model
COOP - Continuity of operations plan
CORBA - Common Object Request Broker Architecture
CoS - Class-of-service
COSO - Committee of Sponsoring Organizations of the Treadway Commission
CPM - Critical Path Methodology
CPO - Chief privacy officer
CPS - Certification practice statement
CRL - Certificate revocation list
CRM - Customer relationship management
CSA - Control self-assessment
CSF - Critical success factor
CSIRT - Computer security incident response team
CSMA/CD - Carrier-sense Multiple Access/Collision Detection
CSO - Chief security officer
CSU-DSU - Channel service unit/digital service unit
C-to-G - Consumer-to-government
DAC - Discretionary access controls
DASD - Direct access storage device
DAT - Digital audio tape
DCE - Data communications equipment
DCE - Distributed computing environment
DCOM - Distributed Component Object Model (Microsoft)
DCT - Discrete Cosine Transform
DD/DS - Data dictionary/directory system
DDL - Data Definition Language
DDoS - Distributed denial of service
DES - Data Encryption Standard
DFD - Data flow diagram
DHCP - Dynamic Host Configuration Protocol
DID - Direct inward dial
DIP - Document image processing
DLL - Dynamic link library
DNS - Domain name server
DoS - Denial of service
DOSD - Data-oriented system development
DRII - Disaster Recovery Institute International
DRP - Disaster recovery planning
DSL - Digital subscriber lines
DSS - Decision support systems
DSSS - Direct-sequence spread spectrum
DTE - Data terminal equipment
DTR - Data terminal ready
DVD - Digital video disc
DVD-HD - Digital video disc-high definition/high density
DW - Data warehouse
EA - Enterprise architecture
EAC - Estimates at completion
EAM - Embedded audit modules
EBCDIC - Extended Binary-coded for Decimal Interchange Code
EC - Electronic commerce
ECC - Elliptical curve cryptography
EDFA - Enterprise data flow architecture
EER - Equal-error rate
EFT - Electronic funds transfer
EIGRP - Enhanced Interior Gateway Routing Protocol
EJB - Enterprise java beans
EMI - Electromagnetic interference
EMRT - Emergency response time
MTTR - Mean time to repair
NAS - Network access server or Network attached storage
NAT - Network address translation
NCP - Network Control Protocol
NDA - Nondisclosure agreement
NFPA - National Fire Protection Agency (USA)
NFS - Network files system
NIC - Network interface card
NIST - National Institute of Standards and Technology (USA)
NNTP - Network News Transfer Protocol
NSP - Name Server Protocol or Network service provider
NT - New technology
NTFS - NT file system
NTP - Network Time Protocol
OBS - Object Breakdown Structure
OCSP - Online Certificate Status Protocol
OECD - Organization for Economic Cooperation and Development
OEP - Occupant emergency plan
OFDM - Orthogonal frequency division multiplexing
OLAP - Online analytical processing
OO - Object-oriented
OOSD - Object-oriented system development
ORB - Object request broker
OS - Operating system
OSI - Open Systems Interconnection
OSPF - Open Shortest Path First
PAD - Packet assembler/disassembler
PAN - Personal area network
PDCA - Plan-Do-Check-Act
PDN - Public data network
PER - Package-enabled reengineering
PHY - Physical layer
PICS - Platform for Internet content selection
PID - Process ID
PID - Project Initiation Document
PMBOK - Project Management Body of Knowledge
PMI - Project Management Institute
POC - Proof of concept
POP - Proof of possession
POS - Point of sale or Point-of-sale systems
POTS - Plain old telephone service
PPP - Point-to-point Protocol
PPPoE - Point-to-point Protocol Over Ethernet
PPTP - Point-to-Point Tunneling Protocol
PR - Public relations
PRD - Project request document
PRINCE2 - Projects in Controlled Environments
PROM - Programmable Read-Only Memory
PSTN - Public switched telephone network
PVC - Permanent virtual circuit
QA - Quality assurance
QAT - Quality assurance testing
RA - Registration authority
RAD - Rapid application development
RADIUS - Remote Access Dial-in User Service
RAID - Redundant Array of Inexpensive Disks
RAM - Random access memory
RAS - Remote access service
RBAC - Role-based access control
RDBMS - Relational database management system
RFI - Request for information
RFP - Request for proposal
RIP - Routing Information Protocol
RMI - Remote method invocation
ROI - Return on investment
ROM - Read-only memory
RPC - Remote procedure call
RPO - Recovery point objective
RST - Reset
RTO - Recovery time objective
RW - Re-writable
S/HTTP - Secure Hypertext Transfer Protocol
S/MIME - Secure Multipurpose Internet Mail Extensions
SA - Security Association
SAN - Storage area network
SANS - SysAdmin, Audit, Network, Security
SAS - Statement on Auditing Standards
SBC - Session border controller
SCARF - Systems Control Audit Review File
SCARF/EAM - Systems Control Audit Review File and Embedded Audit Modules
SCM - Supply Chain Management
SCOR - Supply Chain Operations Reference
SD/MMC - Secure digital multimedia card
SDLC - System development life cycle
SDO - Service delivery objective
SEC - Securities and Exchange Commission (USA)
SET - Secure electronic transactions
SLA - Service level agreement
SLM - Service level management
SLIP - Serial Line Internet Protocol
SMART - Specific, measurable, achievable, relevant, time-bound
SMF - System management facility
SMTP - Simple Mail Transport Protocol
SNA - Systems network architecture
SNMP - Simple Network Management Protocol
SO - Security officer
SOAP - Simple Object Access Protocol
SOHO - Small office-home office
SPI - Security parameter index
SPICE - Software Process Improvement and Capability Determination
SPOC - Single point of contact
SPOOL - Simultaneous peripheral operations online
SQL - Structured Query Language
SSH - Secure Shell
SSID - Set services identifiers
SSO - Single sign-on
SVC - Switched virtual circuits
SYSGEN - System generation
TACACS - Terminal Access Control Access Control System
TCO - Total cost of ownership
TCP/IP - Transmission Control Protocol/Internet Protocol
TCP/UDP - Transmission Control Protocol/User Datagram Protocol
TDM - Time-division multiplexing
TES - Terminal emulation software
TFTP - Trivial File Transport Protocol
TKIP - Temporal Key Integrity Protocol
TLS - Transport layer security
TMS - Tape management system
TP monitors - Transaction processing (TP) monitors
TQM - Total quality management
TR - Technical report
UAT - User acceptance testing
UBE - Unsolicited bulk e-mail
UDDI - Description, discovery and integration
UDP - User Datagram Protocol
UID - User ID
UML - Unified Modeling Language
URL - Universal resource locator
USB - Universal Serial Bus
VAN - Value-added network
VLAN - Virtual local area network
VoIP - Voice-Over IP
VPN - Virtual private network
WAP - Wireless Application Protocol
WEP - Wired Equivalent Privacy
WML - Wireless Markup Language
WORM - Write-once and read many
WP - Work packages
WPA - Wi-Fi Protected Access
WPAN - Wireless personal area network
WSDL - Web Services Description Language
WWAN - Wireless wide area network
WWW - World Wide Web
XBRL - Extensible Business Reporting Language
XML - Extensible Markup Language
XQuery - XML query
XSL - Extensible Stylesheet Language
X-to-X - Exchange-to-Exchange
Appendix A: The CISA Examination and COBIT

COBIT, now in transition between the 3rd Edition and COBIT 4.0, is an initiative conducted by the IT Governance Institute (ITGI). COBIT has been developed as a generally applicable and accepted framework for good IT security and control practices that provides a reference for management, users, and IS audit, control and security practitioners. COBIT is based on ITGI's control objectives, enhanced with existing and emerging international technical, professional, regulatory and industry-specific standards. The resulting control objectives have been developed for application to organizationwide information systems.

COBIT also supports a generic IT assurance/audit process, which could be summarized as:
• Obtaining an understanding of business requirements, related risks and relevant control measures
• Evaluating the appropriateness of stated controls
• Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
• Substantiating the risk of control objectives not being met by using analytical techniques and/or consulting alternative sources

Although knowledge of COBIT is not specifically tested on the CISA examination, the COBIT control objectives or processes reflect the tasks identified in the CISA job practice. As such, a thorough review of COBIT is recommended for candidate preparation for the CISA examination. To focus a candidate's attention on the specific COBIT processes that relate to CISA practice analysis tasks, the following tables have been provided to aid in a candidate's exam preparation.

Note: The COBIT framework is freely available from ISACA/ITGI and can be downloaded at www.isaca.org/cobit.
Chapter 1: The IS Audit Process
(CISA Review Manual task, followed by the related COBIT 3rd Edition processes and COBIT 4.0 processes)

1.1 Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
    COBIT 3rd Edition: PO9 Assess risk; M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: PO9 Assess and manage IT risks; ME2 Monitor and evaluate internal control

1.2 Plan specific audits to ensure that IT and business systems are protected and controlled.
    COBIT 3rd Edition: M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: ME2 Monitor and evaluate internal control

1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
    COBIT 3rd Edition: M4 Provide for independent audit

1.4 Communicate emerging issues, potential risks and audit results to key stakeholders.
    COBIT 3rd Edition: M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: PO9 Assess and manage IT risks; ME2 Monitor and evaluate internal control

1.5 Advise on the implementation of risk management and control practices within the organization while maintaining independence.
    COBIT 3rd Edition: PO9 Assess risk; PO11 Manage quality; M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: PO8 Manage quality; PO9 Assess and manage IT risks
Chapter 2: IT Governance
(CISA Review Manual task, followed by the related COBIT 3rd Edition processes and COBIT 4.0 processes)

2.1 Evaluate the effectiveness of the IT governance structure to ensure adequate board control over the decisions, directions and performance of IT so that it supports the organization's strategies and objectives.
    COBIT 3rd Edition: PO1 Define a strategic IT plan; PO4 Define the IT organization and relationships; PO5 Manage the IT investment; PO6 Communicate management aims and directions; M2 Assess internal control adequacy; M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: PO1 Define a strategic IT plan; PO4 Define the IT processes, organization and relationships; PO5 Manage the IT investment; PO6 Communicate management aims and directions; ME4 Provide IT governance

2.2 Evaluate IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives.
    COBIT 3rd Edition: PO4 Define the IT organization and relationships; PO7 Manage human resources; DS1 Define and manage service levels
    COBIT 4.0: PO4 Define the IT processes, organization and relationships; PO7 Manage IT human resources; DS1 Define and manage service levels

2.3 Evaluate the IT strategy and the process for its development, approval, implementation and maintenance to ensure that it supports the organization's strategies and objectives.
    COBIT 3rd Edition: PO1 Define a strategic IT plan; PO5 Manage the IT investment
    COBIT 4.0: PO1 Define a strategic IT plan; PO5 Manage the IT investment

2.4 Evaluate the organization's IT policies, standards, procedures and processes for their development, approval, implementation, and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements.
    COBIT 3rd Edition: PO8 Ensure compliance with external requirements; AI6 Manage changes; M1 Monitor the processes
    COBIT 4.0: ME3 Ensure regulatory compliance; AI6 Manage changes; ME1 Monitor and evaluate IT performance

2.5 Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures.
    COBIT 3rd Edition: PO6 Communicate management aims and direction; PO7 Manage human resources; PO10 Manage projects; PO11 Manage quality; DS6 Identify and allocate costs
    COBIT 4.0: PO6 Communicate management aims and direction; PO7 Manage IT human resources; PO10 Manage projects; PO8 Manage quality; DS6 Identify and allocate costs

2.6 Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives.
    COBIT 3rd Edition: PO5 Manage the IT investment; PO10 Manage projects
    COBIT 4.0: PO5 Manage the IT investment; PO10 Manage projects

2.7 Evaluate IT contracting strategies and policies and contract management practices to ensure that they support the organization's strategies and objectives.
    COBIT 3rd Edition: PO7 Manage human resources; PO8 Ensure compliance with external requirements; AI1 Identify automated solutions; DS2 Manage third-party services; DS9 Manage the configuration
    COBIT 4.0: PO7 Manage IT human resources; ME3 Ensure regulatory compliance; AI1 Identify automated solutions; DS2 Manage third-party services; DS9 Manage the configuration

2.8 Evaluate risk management practices to ensure that the organization's IT related risks are properly managed.
    COBIT 3rd Edition: PO1 Define a strategic IT plan; PO6 Communicate management aims and directions; PO9 Assess risk; PO10 Manage projects; M1 Monitor the process; M4 Provide for independent audit
    COBIT 4.0: PO1 Define a strategic IT plan; PO6 Communicate management aims and directions; PO9 Assess and manage IT risks; PO10 Manage projects; ME4 Provide IT governance

2.9 Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance.
    COBIT 3rd Edition: PO8 Ensure compliance with external requirements; PO10 Manage projects; PO11 Manage quality; M2 Assess internal control adequacy; M3 Obtain independent assurance
    COBIT 4.0: PO8 Manage quality; PO10 Manage projects; ME2 Monitor and evaluate internal control; ME3 Ensure regulatory compliance
Chapter 3: Systems and Infrastructure Life Cycle Management
(CISA Review Manual task, followed by the related COBIT 3rd Edition processes and COBIT 4.0 processes)

3.1 Evaluate the business case for the proposed system development/acquisition to ensure that it meets the organization's business goals.
    COBIT 3rd Edition: PO3 Determine technological direction; PO11 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; DS9 Manage the configuration
    COBIT 4.0: PO3 Determine technological direction; PO8 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; DS9 Manage the configuration

3.2 Evaluate the project management framework and project governance practices to ensure that business objectives are achieved in a cost-effective manner while managing risks to the organization.
    COBIT 3rd Edition: PO9 Assess risks; PO10 Manage projects; PO11 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software
    COBIT 4.0: PO9 Assess and manage IT risk; PO10 Manage projects; PO8 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software

3.3 Perform reviews to ensure that a project is progressing in accordance with project plans, it is adequately supported by documentation and the status reporting is accurate.
    COBIT 3rd Edition: PO10 Manage projects; AI1 Identify automated solutions; AI2 Acquire and maintain application software; M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: PO10 Manage projects; AI1 Identify automated solutions; AI2 Acquire and maintain application software; ME2 Monitor and evaluate internal control

3.4 Evaluate proposed control mechanisms for systems and/or infrastructure during specification, development/acquisition, and testing to ensure that they will provide safeguards and comply with the organization's policies and other requirements.
    COBIT 3rd Edition: PO10 Manage projects; PO11 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI5 Install and accredit systems
    COBIT 4.0: PO10 Manage projects; PO8 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI7 Install and accredit solutions and changes

3.5 Evaluate the processes by which systems and/or infrastructure are developed/acquired and tested to ensure that the deliverables meet the organization's objectives.
    COBIT 3rd Edition: PO10 Manage projects; PO11 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI5 Install and accredit systems
    COBIT 4.0: PO10 Manage projects; PO8 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI7 Install and accredit solutions and changes

3.6 Evaluate the readiness of the system and/or infrastructure for implementation and migration into production.
    COBIT 3rd Edition: PO3 Determine technological direction; AI3 Acquire and maintain technology infrastructure; AI5 Install and accredit systems
    COBIT 4.0: PO3 Determine technological direction; AI3 Acquire and maintain technology infrastructure; AI7 Install and accredit solutions and changes

3.7 Perform postimplementation review of systems and/or infrastructure to ensure that they meet the organization's objectives and are subject to effective internal control.
    COBIT 3rd Edition: PO10 Manage projects; PO11 Manage quality; AI5 Install and accredit systems
    COBIT 4.0: PO10 Manage projects; PO8 Manage quality; AI7 Install and accredit solutions and changes

3.8 Perform periodic reviews of systems and/or infrastructure to ensure that they continue to meet the organization's objectives and are subject to effective internal control.
    COBIT 3rd Edition: PO6 Communicate management aims and direction; PO10 Manage projects; PO11 Manage quality; AI5 Install and accredit systems; DS1 Define and manage service levels; DS3 Manage performance and capacity; M2 Assess internal control adequacy; M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: PO6 Communicate management aims and direction; PO10 Manage projects; PO8 Manage quality; AI7 Install and accredit solutions and changes; DS1 Define and manage service levels; DS3 Manage performance and capacity; ME2 Monitor and evaluate internal control

3.9 Evaluate the process by which systems and/or infrastructure are maintained to ensure the continued support of the organization's objectives and are subject to effective internal control.
    COBIT 3rd Edition: PO3 Determine technological direction; PO11 Manage quality; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes
    COBIT 4.0: PO3 Determine technological direction; PO8 Manage quality; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes

3.10 Evaluate the process by which systems and/or infrastructure are disposed of to ensure that they comply with the organization's policies and procedures.
    COBIT 3rd Edition: PO6 Communicate management aims and direction; AI1 Identify automated solutions
    COBIT 4.0: PO6 Communicate management aims and direction; AI1 Identify automated solutions
Chapter 4: IT Service Delivery and Support
(CISA Review Manual task, followed by the related COBIT 3rd Edition processes and COBIT 4.0 processes)

4.1 Evaluate service level management practices to ensure that the level of service from internal and external service providers is defined and managed.
    COBIT 3rd Edition: AI4 Develop and maintain procedures; DS1 Define and manage service levels; DS2 Manage third-party services; DS6 Identify and allocate costs; DS8 Assist and advise customers; M1 Monitor the process
    COBIT 4.0: AI4 Enable operation and use; DS1 Define and manage service levels; DS2 Manage third-party services; DS6 Identify and allocate costs; DS8 Manage service desk and incidents; DS10 Manage problems; ME1 Monitor and evaluate IT performance

4.2 Evaluate operations management to ensure that IT support functions effectively meet business needs.
    COBIT 3rd Edition: PO9 Assess risks; AI4 Develop and maintain procedures; AI5 Install and accredit systems; DS13 Manage operations; M2 Assess internal control adequacy
    COBIT 4.0: PO9 Assess and manage IT risks; AI4 Enable operation and use; AI7 Install and accredit solutions and changes; DS13 Manage operations; ME1 Monitor and evaluate IT performance

4.3 Evaluate data administration practices to ensure the integrity and optimization of databases.
    COBIT 3rd Edition: PO2 Define the information architecture; PO4 Define the IT organization and relationships; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI5 Install and accredit systems; DS5 Ensure systems security; M1 Monitor the process
    COBIT 4.0: PO2 Define the information architecture; PO4 Define the IT processes, organization and relationships; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI7 Install and accredit solutions and changes; DS5 Ensure systems security; ME1 Monitor and evaluate IT performance

4.4 Evaluate the use of capacity and performance monitoring tools and techniques to ensure that IT services meet the organization's objectives.
    COBIT 3rd Edition: AI1 Identify automated solutions; AI5 Install and accredit systems; DS1 Define and manage service levels; DS3 Manage performance and capacity; M1 Monitor the process; PO11 Manage quality
    COBIT 4.0: AI1 Identify automated solutions; AI7 Install and accredit solutions and changes; DS1 Define and manage service levels; DS3 Manage performance and capacity; ME1 Monitor and evaluate IT performance

4.5 Evaluate change, configuration and release management practices to ensure that changes made to the organization's production environment are adequately controlled and documented.
    COBIT 3rd Edition: AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI5 Install and accredit systems; AI6 Manage changes; DS9 Manage the configuration
    COBIT 4.0: PO8 Manage quality; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI7 Install and accredit solutions and changes; AI6 Manage changes; DS9 Manage the configuration

4.6 Evaluate problem and incident management practices to ensure that incidents, problems or errors are recorded, analyzed and resolved in a timely manner.
    COBIT 3rd Edition: DS8 Assist and advise customers; DS10 Manage problems and incidents; DS11 Manage data; M2 Assess internal control adequacy
    COBIT 4.0: DS8 Manage service desk and incidents; DS10 Manage problems; DS11 Manage data; ME1 Monitor and evaluate IT performance

4.7 Evaluate the functionality of the IT infrastructure (e.g., network components, hardware, system software) to ensure that it supports the organization's objectives.
    COBIT 3rd Edition: PO3 Determine technological direction; PO11 Manage quality; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes
    COBIT 4.0: PO3 Determine technological direction; PO8 Manage quality; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes
Chapter 5: Protection of Information Assets
(CISA Review Manual task, followed by the related COBIT 3rd Edition processes and COBIT 4.0 processes)

5.1 Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.
    COBIT 3rd Edition: AI6 Manage changes; DS4 Ensure continuous service; DS5 Ensure systems security; DS10 Manage problems and incidents; M1 Monitor the process
    COBIT 4.0: AI6 Manage changes; DS4 Ensure continuous service; DS5 Ensure systems security; DS10 Manage problems; ME1 Monitor and evaluate IT performance

5.2 Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted.
    COBIT 3rd Edition: DS4 Ensure continuous service; DS5 Ensure systems security; DS11 Manage data; DS13 Manage operations; M1 Monitor the process
    COBIT 4.0: DS4 Ensure continuous service; DS5 Ensure systems security; DS11 Manage data; DS13 Manage operations; ME1 Monitor and evaluate IT performance

5.3 Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss.
    COBIT 3rd Edition: PO9 Assess risks; DS4 Ensure continuous service; DS12 Manage facilities; M1 Monitor the process
    COBIT 4.0: PO9 Assess and manage IT risk; DS4 Ensure continuous service; DS12 Manage the physical environment; ME1 Monitor and evaluate IT performance; ME3 Ensure regulatory compliance

5.4 Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded.
    COBIT 3rd Edition: PO4 Define the IT organization and relationships; PO8 Ensure compliance with external requirements; DS5 Ensure systems security; DS12 Manage facilities; M1 Monitor the process
    COBIT 4.0: PO4 Define the IT processes, organization and relationships; DS5 Ensure systems security; DS12 Manage the physical environment; ME1 Monitor and evaluate IT performance; ME3 Ensure regulatory compliance

5.5 Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets.
    COBIT 3rd Edition: AI3 Acquire and maintain technology infrastructure; DS4 Ensure continuous service; DS5 Ensure systems security; DS11 Manage data; M1 Monitor the process
    COBIT 4.0: ME3 Ensure regulatory compliance; AI3 Acquire and maintain technology infrastructure; DS4 Ensure continuous service; DS5 Ensure systems security; DS11 Manage data; ME1 Monitor and evaluate IT performance
Chapter 6: Business Continuity and Disaster Recovery
(CISA Review Manual task, followed by the related COBIT 3rd Edition processes and COBIT 4.0 processes)

6.1 Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing.
    COBIT 3rd Edition: PO2 Define the information architecture; DS4 Ensure continuous service; DS11 Manage data
    COBIT 4.0: PO2 Define the information architecture; DS4 Ensure continuous service; DS11 Manage data

6.2 Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster.
    COBIT 3rd Edition: DS4 Ensure continuous service; DS11 Manage data; DS12 Manage facilities; DS13 Manage operations
    COBIT 4.0: DS4 Ensure continuous service; DS11 Manage data; DS12 Manage the physical environment; ME3 Ensure regulatory compliance

6.3 Evaluate the organization's business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption.
    COBIT 3rd Edition: DS4 Ensure continuous service
    COBIT 4.0: DS13 Manage operations; DS4 Ensure continuous service
COBIT 3 RD EDITION
The following information provides the set of COBIT domains and the 34 IT processes. which can be identified for eachCISA job practice task listed in the previous tables.
Domain / Process

Plan and Organize
  PO1 Define a strategic IT plan
  PO2 Define the information architecture
  PO3 Determine technological direction
  PO4 Define the IT organization and relationships
  PO5 Manage the IT investment
  PO6 Communicate management aims and direction
  PO7 Manage human resources
  PO8 Ensure compliance with external requirements
  PO9 Assess risks
  PO10 Manage projects
  PO11 Manage quality

Acquire and Implement
  AI1 Identify automated solutions
  AI2 Acquire and maintain application software
  AI3 Acquire and maintain technology infrastructure
  AI4 Develop and maintain procedures
  AI5 Install and accredit systems
  AI6 Manage changes

Deliver and Support
  DS1 Define and manage service levels
  DS2 Manage third-party services
  DS3 Manage performance and capacity
  DS4 Ensure continuous service
  DS5 Ensure systems security
  DS6 Identify and allocate costs
  DS7 Educate and train users
  DS8 Assist and advise customers
  DS9 Manage the configuration
  DS10 Manage problems and incidents
  DS11 Manage data
  DS12 Manage facilities
  DS13 Manage operations

Monitor
  M1 Monitor the process
  M2 Assess internal control adequacy
  M3 Obtain independent assurance
  M4 Provide for independent audit
COBIT 4.0
The following information provides the set of COBIT domains and the 34 IT processes, which can be identified for each CISA job practice task listed in the previous tables.
Domain / Process

Plan and Organize
  PO1 Define a strategic IT plan.
  PO2 Define the information architecture.
  PO3 Determine technological direction.
  PO4 Define the IT processes, organization and relationships.
  PO5 Manage the IT investment.
  PO6 Communicate management aims and direction.
  PO7 Manage IT human resources.
  PO8 Manage quality.
  PO9 Assess and manage IT risks.
  PO10 Manage projects.

Acquire and Implement
  AI1 Identify automated solutions.
  AI2 Acquire and maintain application software.
  AI3 Acquire and maintain technology infrastructure.
  AI4 Ensure operation and use.
  AI5 Procure IT resources.
  AI6 Manage changes.
  AI7 Install and accredit solutions and changes.

Deliver and Support
  DS1 Define and manage service levels.
  DS2 Manage third-party services.
  DS3 Manage performance and capacity.
  DS4 Ensure continuous service.
  DS5 Ensure systems security.
  DS6 Identify and allocate costs.
  DS7 Educate and train users.
  DS8 Manage service desk and incidents.
  DS9 Manage the configuration.
  DS10 Manage problems.
  DS11 Manage data.
  DS12 Manage the physical environment.
  DS13 Manage operations.

Monitor and Evaluate
  ME1 Monitor and evaluate IT performance.
  ME2 Monitor and evaluate internal control.
  ME3 Ensure regulatory compliance.
  ME4 Provide IT governance.
APPENDIX B: IS AUDITING STANDARDS, GUIDELINES AND PROCEDURES
The specialized nature of IS auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of ISACA is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance.
Standards define mandatory requirements for IS auditing and reporting. They inform:
• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors.
• Management and other interested parties of the profession's expectations concerning the work of practitioners
• Holders of the CISA designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.
Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.
COBIT resources should be used as a source of best practice guidance. The COBIT framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management must establish an adequate system of internal control." COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria.
As defined in the COBIT framework, each of the following is organized by IT management process. COBIT is intended for use by business and IT management, as well as IS auditors; therefore, its usage enables the understanding of business objectives, communication of best practices and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:
• Control objectives-High-level and detailed generic statements of minimum good control
• Control practices-Practical rationales and "how to implement" guidance for the control objectives
• Audit guidelines-Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met
• Management guidelines-Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors. They provide a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
  - Performance measurement-How well is the IT function supporting business requirements? Management guidelines can be used to support self-assessment workshops and the implementation by management of continuous monitoring and improvement procedures, as part of an IT governance scheme.
  - IT control profiling-What IT processes are important? What are the critical success factors for control?
  - Awareness-What are the risks of not achieving the objectives?
  - Benchmarking-What do others do? How can results be measured and compared? Management guidelines provide example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and identify control gaps and strategies for improvement.
RELATIONSHIP OF STANDARDS TO GUIDELINES AND PROCEDURES

There are 11 overall IS Auditing Standards. IS Auditing Standards are brief mandatory reports on requirements regarding the audit and its findings for certification holders. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those standards. The procedure examples show the steps performed by an IS auditor and are more informative than IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed.
Codification:
• Standards are numbered consecutively as they are issued, beginning with S1.
• Guidelines are numbered consecutively as they are issued, beginning with G1.
• Procedures are numbered consecutively as they are issued, beginning with P1.
Please refer to the index of IS Auditing Standards, Guidelines and Procedures for a complete listing of those documents.
USE
It is suggested that during the annual audit program, as well as individual reviews throughout the year, the IS auditor should review the standards to ensure compliance with them. The IS auditor is encouraged to refer to the ISACA standards in the report, stating that the review was conducted in compliance with the laws of the country, applicable audit regulations and ISACA standards.
INDEX OF IS AUDITING STANDARDS, GUIDELINES AND PROCEDURES

Note: These documents are available for download on the ISACA web site, www.isaca.org/standards
Index of IS Auditing Standards

Standard                                                        Effective Date
S1  Audit Charter                                               1 January 2005
S2  Independence                                                1 January 2005
S3  Professional Ethics and Standards                           1 January 2005
S4  Competence                                                  1 January 2005
S5  Planning                                                    1 January 2005
S6  Performance of Audit Work                                   1 January 2005
S7  Reporting                                                   1 January 2005
S8  Follow-up Activities                                        1 January 2005
S9  Irregularities and Illegal Acts                             1 September 2005
S10 IT Governance                                               1 September 2005
S11 Use of Risk Assessment in Audit Planning                    1 November 2005
S12 Audit Materiality                                           1 July 2006
S13 Using the Work of Other Experts                             1 July 2006
S14 Audit Evidence                                              1 July 2006

Index of IS Auditing Guidelines

Guideline                                                       Effective Date
G1  Using the Work of Other Auditors                            1 June 1998
G2  Audit Evidence Requirement                                  1 December 1998
G3  Use of Computer Assisted Audit Techniques (CAATs)           1 December 1998
G4  Outsourcing of IS Activities to Other Organizations         1 September 1999
G5  Audit Charter                                               1 September 1999
G6  Materiality Concepts for Auditing Information Systems       1 September 1999
G7  Due Professional Care                                       1 September 1999
G8  Audit Documentation                                         1 September 1999
G9  Audit Considerations for Irregularities                     1 March 2000
G10 Audit Sampling                                              1 March 2000
G11 Effect of Pervasive IS Controls                             1 March 2000
G12 Organizational Relationship and Independence                1 September 2000
G13 Use of Risk Assessment in Audit Planning                    1 September 2000
G14 Application Systems Review                                  1 November 2001
G15 Planning Revised                                            1 March 2002
G16 Effect of Third Parties on an Organization's IT Controls    1 March 2002
G17 Effect of Nonaudit Role on the IS Auditor's Independence    1 July 2002
G18 IT Governance                                               1 July 2002
G19 Irregularities and Illegal Acts                             1 July 2002
G20 Reporting                                                   1 January 2003
G21 Enterprise Resource Planning (ERP) Systems Review           1 August 2003
G22 Business-to-consumer (B2C) E-commerce Review                1 August 2003
G23 System Development Life Cycle (SDLC) Reviews                1 August 2003
G24 Internet Banking                                            1 August 2003
G25 Review of Virtual Private Networks                          1 July 2004
G26 Business Process Reengineering (BPR) Project Reviews        1 July 2004
G27 Mobile Computing                                            1 September 2004
G28 Computer Forensics                                          1 September 2004
G29 Postimplementation Review                                   1 January 2005
G30 Competence                                                  1 June 2005
G31 Privacy                                                     1 June 2005
G32 Business Continuity Plan (BCP) Review From IT Perspective   1 September 2005
G33 General Considerations on the Use of the Internet           1 March 2006
G34 Responsibility, Authority and Accountability                1 March 2006
G35 Follow-up Activities                                        1 March 2006

Index of IS Auditing Procedures

Procedure                                                                   Effective Date
P1  IS Risk Assessment                                                      1 July 2002
P2  Digital Signatures                                                      1 July 2002
P3  Intrusion Detection                                                     1 August 2003
P4  Viruses and other Malicious Code                                        1 August 2003
P5  Control Risk Self-assessment                                            1 August 2003
P6  Firewalls                                                               1 August 2003
P7  Irregularities and Illegal Acts                                         1 November 2003
P8  Security Assessment-Penetration Testing and Vulnerability Analysis      1 September 2004
P9  Evaluation of Management Controls Over Encryption Methodologies         1 January 2005
P10 Business Application Change Control                                     1 October 2006
APPENDIX C: 2007 CISA EXAMINATION GENERAL INFORMATION
ISACA is a professional membership association composed of individuals interested in IS audit, assurance, control, security and governance. The CISA Certification Board is chartered by ISACA and is responsible for establishing policies for the CISA certification program and developing the examination.
REQUIREMENTS FOR CERTIFICATION
The CISA designation is awarded to those individuals who have met and continue to meet requirements regarding (1) the CISA examination, (2) IS auditing, control or security experience, (3) the Code of Professional Ethics, and (4) the continuing education program.
SUCCESSFUL COMPLETION OF THE CISA EXAMINATION
The examination is open to all individuals who wish to take it. Successful examination candidates are not certified until they apply for certification and demonstrate they have acquired requisite experience.
EXPERIENCE IN IS AUDITING, CONTROL AND SECURITY
A minimum of five (5) years professional IS auditing, control and security work experience is required for certification. Substitutions and waivers of such experience may be obtained as follows:
• A maximum of one (1) year of IS audit, control or security experience may be substituted for:
  - One full year of non-IS audit experience, or
  - One full year of information systems experience, or
  - An Associate's degree (60 semester college credits or its equivalent).
• Two years IS audit, control or security experience may be substituted for a Bachelor's degree (120 semester college credits or its equivalent) or master's degree from a university that enforces the ISACA-sponsored model curricula.
• Two years as a full-time university instructor in a related field (e.g., computer science, accounting or information systems auditing) can be substituted for one year of IS audit, control, assurance or security experience.
Experience must have been gained within the 10-year period preceding the application for certification or within five (5) years from the date of initially passing the examination. Application for certification must be submitted within five (5) years from the passing date of the CISA exam. All experience will be independently verified with employers.
DESCRIPTION OF THE EXAMINATION
The CISA Certification Board oversees the development of the examination and ensures the currency of its content. Questions for the CISA examination are developed through a multitiered process designed to enhance the ultimate quality of the examination. Once the CISA Certification Board approves the questions, they go into the item pool from which all CISA examination questions are selected.
The purpose of the examination is to evaluate a candidate's knowledge and experience in conducting IS audits and reviews. The examination consists of 200 multiple-choice questions, administered during a four-hour session. Candidates may take the exam in Dutch, English, French, German, Hebrew, Italian, Japanese, Korean, Simplified Mandarin Chinese, Spanish or Traditional Mandarin Chinese. A proctor speaking the primary language used at each test site is available. If a candidate desires to take the examination in a language other than the primary language of the test site, the proctor may not be conversant in the language chosen. However, written instructions will be available in the language of the examination.
REGISTRATION FOR THE CISA EXAMINATION
The CISA examination will be administered twice in 2007. The first 2007 CISA examination will be administered on Saturday, 9 June 2007 and the second 2007 CISA examination will be administered on Saturday, 8 December 2007. Please refer to the CISA 2007 Bulletin of Information for specific registration deadlines at: www.isaca.org/cisaboi. The registration form can be obtained online at www.isaca.org/cisaexam or from ISACA at the following address:

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, Illinois 60008, USA
Attn.: CISA Examination Registrar
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]
Additionally, save US $50 by registering online at www.isaca.org/examreg.
The 2007 CISA examination fee must accompany the registration form. The Candidate's Guide to the CISA Exam will be sent upon receipt and recording of your registration and payment.
CISA PROGRAM ACCREDITED UNDER ISO/IEC 17024:2003
The American National Standards Institute (ANSI) has accredited the CISA and CISM certifications under ISO/IEC 17024:2003, General Requirements for Bodies Operating Certification Systems of Persons. ANSI, a private, nonprofit organization, accredits other organizations to serve as third-party product, system and personnel certifiers.
ISO/IEC 17024 specifies the requirements to be followed by organizations certifying individuals against specific requirements. ANSI describes ISO/IEC 17024 as "expected to play a prominent role in facilitating global standardization of the certification community, increasing mobility among countries, enhancing public safety, and protecting consumers."
ANSI's accreditation:
• Promotes the unique qualifications and expertise ISACA's certifications provide
• Protects the integrity of the certifications and provides legal defensibility
• Enhances consumer and public confidence in the certifications and the people who hold them
• Facilitates mobility across borders or industries
Accreditation by ANSI signifies that ISACA's procedures meet ANSI's essential requirements for openness, balance, consensus and due process. With this accreditation, ISACA anticipates that significant opportunities for CISAs and CISMs will continue to open in the US and around the world.
PREPARING FOR THE CISA EXAMINATION
The CISA examination evaluates a candidate's practical knowledge of the content areas listed in this manual and in the Candidate's Guide to the CISA Exam. That is, the examination is designed to test a candidate's knowledge, experience and judgment of the proper or preferred application of IS audit, security and control principles, methods and practices. Since the examination covers a broad spectrum of information systems audit, control and security issues, candidates are cautioned not to assume that reading CISA study guides and reference publications will fully prepare them for the examination. CISA candidates are encouraged to refer to their own experiences when studying for the exam and refer to CISA study guides and reference publications for further explanation of concepts or practices with which the candidate is not familiar.
No representations or warranties are made by ISACA in regard to CISA exam study guides, other ISACA publications, references or courses assuring candidates' passage of the examination.
TYPES OF EXAM QUESTIONS
CISA exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. All questions are multiple choice and are designed for one best answer.
Every CISA question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options. The stem may be in the form of a question or incomplete statement. In some instances, a scenario or description problem may also be included. These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided. Many times a CISA examination question will require the candidate to choose the most likely or best answer. In every case the candidate is required to read the question carefully, eliminate known incorrect answers and then make the best choice possible. Knowing the format in which questions are asked and how to study to gain knowledge of what will be tested will go a long way toward answering them correctly.
ADMINISTRATION OF THE EXAMINATION
ISACA has contracted with an internationally recognized testing agency. This not-for-profit corporation engages in the development and administration of credentialing examinations for certification and licensing purposes. It assists ISACA in the construction, administration and scoring of the CISA examination.
SITTING FOR THE EXAMINATION
Be prompt. Registration will begin at each center at the time indicated on your admission ticket. All candidates must be registered and in the test center when the chief examiner begins reading the oral instructions. NO CANDIDATE WILL BE ADMITTED TO THE TEST CENTER ONCE THE CHIEF EXAMINER BEGINS READING THE ORAL INSTRUCTIONS, APPROXIMATELY 30 MINUTES BEFORE THE EXAMINATION BEGINS. Any candidate who arrives after the oral instructions have begun will not be allowed to sit for the exam and will forfeit the registration fee. Candidates can use their admission tickets only at the designated test center on the admission ticket.
Candidates will be admitted to the test center only if they have a valid admission ticket and an acceptable form of identification. Examples of acceptable identification include those with a photograph (such as a passport or photo driver's license). Any candidate who does not provide an original form of identification will not be allowed to sit for the exam and will forfeit their registration fee.
Observe the following conventions when completing the examination:
• Candidates are not allowed to bring study materials into the examination site.
• Bring several No. 2 lead pencils. Do not assume someone will provide pencils for answering the examination.
• The chief examiner or designate at each test center will read aloud the instructions for entering information on the answer sheet. It is imperative that candidates include their examination identification number as it appears on their admission ticket and any other requested information. Failure to do so may result in a delay or errors.
• Identify key words or phrases in the question (MOST, BEST, FIRST) before selecting and recording answers.
• Read the provided instructions carefully before attempting to answer questions. Skipping over these directions or reading them too quickly could result in missing important information and possibly losing credit points.
• It is imperative that candidates mark the appropriate area when indicating their response on the answer sheet. When correcting a previously answered question, fully erase a wrong answer before writing in the new one.
• Remember to answer all questions since there is no penalty for wrong answers. Grading is based solely on the number of questions answered correctly.
BUDGETING YOUR TIME
• Try to arrive at the examination testing site at least 30 minutes before the examination instructions are read. This will give candidates time to locate a seat and get acclimated.
• The examination is administered over a four-hour period. This allows for a little over one minute per question. Therefore, it is advisable that candidates pace themselves to complete the entire exam. Candidates must complete an average of 50 questions per hour.
• Candidates are urged to record their answers on their answer sheet. No additional time will be allowed after the examination time has elapsed to transfer or record answers should candidates mark their answers in the question booklet.
RULES AND PROCEDURES
• Candidates will be asked to sign the answer sheet to protect the security of the examination and maintain the validity of the scores.
• Upon the discretion of the CISA Certification Board, any candidate can be disqualified who is discovered engaging in any kind of misconduct, such as giving or receiving help; using notes, papers, or other aids; attempting to take the examination for someone else; or removing test materials or notes from the testing room. The testing agency will provide the board with records regarding such irregularities. The board will review reported incidents, and all board decisions are final.
• Candidates may not take the exam question booklet after completion of the exam.
GRADING THE EXAMINATION
The CISA exam consists of 200 items. Candidate scores are reported as a scaled score. A scaled score is a conversion of a candidate's raw score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard of knowledge as established by ISACA's CISA Certification Board. A candidate receiving a passing score may then apply for certification if all other requirements are met.
Passing the exam does not grant the CISA designation. To become a CISA, each candidate must complete all requirements, including submitting an application for certification.
A candidate receiving a score less than 450 is not successful and can retake the exam during any future exam administration. To assist with future study, the result letter each candidate receives will include a score analysis by content area. There are no limits to the number of times a candidate can take the exam.
Approximately eight weeks after the test date, the official exam results will be mailed to candidates. Additionally, with the candidate's consent on the registration form, an e-mail containing the candidate's pass/fail status and score will be sent to paid candidates. This e-mail notification will only be sent to the address listed in the candidate's profile at the time of the initial release of the results. To ensure the confidentiality of scores, exam results will not be reported by telephone or fax. To prevent the e-mail notification from being sent to the candidate's spam folder, the candidate should add [email protected] to his/her address book, whitelist or safe senders list.
Successful candidates will receive an application for certification. For those candidates not passing the examination, the score report will contain a subscore for each job domain. The subscores can be useful in identifying those areas in which the candidate may need further study before retaking the examination. Unsuccessful candidates should note that taking either a simple or weighted average of the subscores does not derive the total scaled score.
Candidates receiving a failing score on the examination may request a rescoring of their answer sheet. This procedure ensures that no stray marks, multiple responses or other conditions interfered with computer scoring. Requests for hand scoring must be made in writing to the certification department within 12 months after the examination was administered. All requests must include a candidate's name, examination identification number and mailing address. A fee of US $50 must accompany this request.
INDEX

A

Abend, 481
Acceptance testing, 128, 137-138, 140, 146, 148, 152-155, 211, 245-246, 263, 5C
Access control, 20, 86, 97, 100, 150, 180, 205, 233, 252, 264, 273, 276, 281, 286, 295, 332, 334, 341-342, 345-346, 352, 354-356, 358-360, 362-364, 366, 368, 373, 385, 407-410, 416-417, 429, 481, 485, 490, 496, 508, 510-512
Access control lists (ACLs), 363
Access control table, 481
Access method, 277-278, 292, 299, 364, 481, 494, 508
Access rights, 29, 45, 100, 107, 175, 313, 325, 332, 340-342, 345-346, 349, 353, 358, 363, 366, 404, 429, 431, 481
Access/Collision Detection (CSMA/CD), 291
Accountability, 11, 13, 15, 17, 44, 62-63, 68, 70, 92-93, 129, 140, 153-154, 197, 209, 211, 225, 243, 343, 355-356, 367-368, 374, 403, 510, 525
Accreditation, 117, 122, 129, 140, 153-154, 163, 182, 528
Accuracy, 11, 30, 81, 96, 121, 151, 154, 164, 196-198, 200, 205, 210-211, 224, 245, 258, 281, 308, 317, 323, 325, 338, 358, 428, 465, 471, 482, 487, 492
ACID, See Atomicity, Consistency, Isolation and Durability
Acknowledgment, 220, 228
ACLs, See Access control lists
Active attack, 377, 499
ActiveX, 171, 395
Address space, 275, 377, 481, 494
Addressing, 22, 46, 66, 68, 74, 93, 140, 142, 147-148, 173, 218, 233, 238, 261, 293, 332, 339, 345-346, 369, 376, 405-406, 412, 481, 502
Administrative controls, 21-22, 481
ADTmag, 247
Advanced encryption standard (AES), 299-300, 337, 386, 388, 391
AES, See Advanced encryption standard
Aftermath, 411
AICPA, See American Institute of Certified Public Accountants
ALE, See Annual loss expectancy
Alpha, 153, 358, 409, 481
Alpha testing, 153
Alternative processing, 442, 471
Alternative routing, 453, 456, 461, 481
ALU, See Arithmetic-logic unit
American Institute of Certified Public Accountants (AICPA), 24, 47, 88, 508
American Institution of Electrical and Electronic Engineers (IEEE), 125, 191, 298-302, 328, 506-507
American National Standards Institute (ANSI), 218, 508, 528
American Standard Code for Information Interchange (ASCII), 36, 160, 170, 223, 277, 286, 481-482, 508
Analog, 283, 289, 292, 294, 397, 399-400, 481, 497, 501
Analytical review, 36
Annual loss expectancy (ALE), 81, 508
Anonymous File Transfer Protocol or File Transfer Protocol (FTP), 170, 260, 295, 304, 306, 354, 381-382, 392, 395, 415, 482, 503, 508
ANSI, See American National Standards Institute
Antispam, 484, 493
Antivirus software, 333, 393-395, 405-406, 431, 482
Apache, 414
API, See Application programming interface
Applet, 306, 482, 503
Application controls, 1, 23, 30, 36, 118-119, 189, 196, 203-204, 206, 220, 341, 417, 482
Application development, 1, 73, 109, 116-117, 121, 137-139, 165, 169, 172-173, 189-190, 216, 247, 265, 309, 491, 511
Application layer, 286, 293, 383, 390, 392, 482
Application program, 53, 199, 201, 203, 206, 318, 323, 325, 353, 467, 482
Application programmer, 105, 265, 497
Application programming, 97, 172, 277-278, 482, 508
Application programming interface (API), 172-173, 482, 497, 508
Application system, 21, 25, 36, 96, 131, 139, 149, 153, 163, 169, 171, 182, 187, 196, 203, 207-209, 213, 218-219, 354, 416, 446, 482, 502
Application-specific integrated circuits (ASICs), 292
Arithmetic-logic unit (ALU), 267, 482, 508
Arrays, 269, 359, 463
Artificial intelligence, 47, 114, 120, 171, 232, 237, 482, 491, 508
ASCII, See American Standard Code for Information Interchange
ASICs, See Application-specific integrated circuits
ASP, 114, 479-480
Assembler, 151, 482, 510-511
Assembly language, 482
Asset value, 79
Asymmetric, 224, 373, 385-387, 389, 392, 430, 483
Asymmetric key, 389, 483
Asynchronous attacks, 353
Asynchronous time division (ATDM), 295, 508
Asynchronous Transfer Mode (ATM), 296
Asynchronous transmission, 294, 483
ATDM, See Asynchronous time division
ATM, See Automated teller machine or Asynchronous Transfer Mode
Atomicity, Consistency, Isolation and Durability (ACID), 58, 114, 205, 250, 330, 370, 440, 480, 487, 508
Attribute sampling, 34-35, 483, 490
Audit approach, 8, 12, 15, 25, 27-28, 37, 45, 53, 208, 243, 319, 328
Audit charter, 11, 15, 17, 35, 525
Audit documentation, 8, 17, 41, 189, 515
Audit evidence, 15-17, 31-33, 37, 41, 196, 208-209, 407, 483, 525
Audit hooks, 51, 208-209
Audit methodology, 8, 25
Audit objective, 25, 29, 36, 483
Audit planning, 8, 10-13, 17-19, 24, 38, 233, 417, 525
Audit program, 15, 23, 25-26, 37, 41, 45, 51, 483, 514
Audit report, 8, 15, 23, 25-26, 28, 38-40, 88, 164
Audit risk, 8, 16, 27-29, 35, 37, 51, 413, 483
Audit strategy, 10, 12, 24, 57, 513
Audit trail, 21, 155, 183, 201, 219, 225, 230, 243, 264-265, 282, 319, 323, 332, 366-367, 370, 483
Authentication, 215
Authorization forms, 61, 100, 317
Automated teller machine, 35, 120, 229, 483, 508
Automated teller machine or Asynchronous Transfer Mode (ATM), 35, 120, 187, 229-230, 294, 296, 302, 450, 483, 508

B

Backbone, 219, 303, 396, 483, 487, 509
Backbone network services (BNS), 303, 509
Backlog, 101
Badge, 38, 483
Balanced scorecard, 60, 64, 66-67, 114, 495
Balancing, 38, 64, 95, 100, 118, 198, 203-204, 220, 229, 237, 255, 259, 293, 307, 309-310, 382
Bandwidth, 272-273, 288-290, 292-299, 302, 308-309, 387, 396, 456, 483-484, 493
Bank for Internal Settlements (BIS), 112, 508
Bar code, 271, 425, 483
Base case, 484
Baseband, 283, 288, 484
Basic control, 22
Bastion, 381-383
Batch, 95, 118, 180, 197-199, 218, 220, 222, 224, 260-261, 265, 267, 317, 373, 482, 484, 499
Batch control, 198, 222, 484
Batch integrity, 118, 199
Batch processing, 224, 484, 499
Batch registers, 198
Bayesian, 484
BCI, See Business Continuity Institute
BCM, See Business continuity management
BCP, See Business continuity planning
Benchmark, 76, 93, 285, 484
Benchmarking, 61, 86, 90, 93, 118, 193, 195, 203, 244, 246, 323, 325, 524
Beta testing, 153
BIA, See Business impact analysis
Bill of materials (BOM), 227, 509
BIMS, See Biometric information management and security
Binary code, 484
Bioidentification, 433
Biometric door locks, 426
Biometric information management and security (BIMS), 360, 508
Biometric security, 426
Biometrics, 332, 337, 341, 358-360, 415, 428, 433-434, 484
BIS, See Bank for International Settlements
Black box testing, 154, 484
BLP, See Bypass label processing
Bluesniff, 376
Bluetooth, 284, 297, 300-301, 320, 337, 376
BNS, See Backbone network services
BOM, See Bill of materials
Bootstrap, 195
Bottlenecks, 293, 308
BPR, See Business process reengineering
Bridge, 26, 393, 400, 484, 505
Broadband, 283, 296, 484, 506
Bromba, 433
Brouter, 484
Browser, 166, 171, 214-215, 236, 270, 304, 306, 309, 391, 482, 488, 490, 494, 503, 546
BRP, See Business recovery plan
Brute-force attack, 377, 385-386
Budget, 66, 90, 93, 101, 108, 123, 129-131, 135, 156-157, 272, 293, 502
Buffer, 172, 202, 281, 307, 383, 484
Buffer-overflow, 383
Bug, 305, 401
Bus, 180, 252, 270, 290-291, 463, 484-485, 491, 506, 508, 512
Bus topology, 491
Business Continuity Institute (BCI), 469, 479, 508
Business continuity management (BCM), 469, 508
Business continuity plan, 17, 335, 423, 429, 444, 450, 453, 457, 459, 461, 464-466, 469-471, 475-478, 519, 525
Business continuity planning (BCP), 17, 442, 445-448, 459, 465, 470, 476-479, 508, 525
Business continuity planning (BCP), 445, 477
Business impact analysis (BIA), 444
Business impact analysis (BIA), 71, 444, 449-450, 452-453, 457, 485, 508
Business process reengineering (BPR), 17, 118, 123, 169, 191-193, 245, 249, 485, 509, 525
Business process reengineering (BPR), 17, 525
Business recovery plan (BRP), 459, 509
Business risk, 18, 29, 46, 57, 164, 445, 483, 485
Bypass label processing (BLP), 368, 485, 509
CA, See Certification authority
CAAT, See Computer-assisted audit technique
Call-tracking, 398, 400
CAM, See Computer-aided manufacturing
Capability maturity model (CMM), 62, 86-87, 194-195, 485, 496, 509
Capability maturity model integration (CMMI), 194-195, 509
Capacity and growth planning, 61, 88, 323, 325
Capacity management, 86, 252, 257-258, 267, 272-273, 310, 325
Capacity planning, 255, 272, 323, 325
Capillary, 359
Carbon, 421
Carbon dioxide (CO2), 421
Carrier-sense Multiple, 291, 509
Carrier-sense Multiple Access/Collision Avoidance (CSMA/CA), 299, 302
Carrier-sense Multiple Access/Collision Detection (CSMA/CD), 291, 491, 509
Cartridges, 271, 463, 466
CASE, See Computer-aided software engineering
Cassettes, 466
Catalog, 214-215, 264
CCITT, See International Telegraph and Telephone Consultative Committee
CCK, See Complementary Code Keying
CDPD, See Cellular Digital Packet Data
Cellular, 298, 302, 398, 400, 461, 500, 509
Cellular Digital Packet Data (CDPD), 298, 509
Central processing unit (CPU), 180, 260, 267-269, 272, 274-275, 281-282, 302, 308, 353, 382, 454, 485, 488, 499, 508
Central processing unit (CPU), 488
Certco, 390
Certification authority (CA), 216-217, 299, 302, 390-391, 485, 501, 509
Certification authority (CA), 485
Certification practice statement (CPS), 217, 390, 485, 509
Certification revocation list (CRL), 217, 390, 485, 509
Certification revocation list, 217
CGI, See Common gateway interface
Chain of custody, 10, 334, 411, 417
Challenge/response, 337, 357
Change control, 23, 107, 118, 140, 149, 168, 172, 182-183, 187-188, 210, 212, 233, 256, 263-265, 311, 373, 416, 502
Change management, 21, 49, 61, 82, 89-90, 105, 107, 118, 149, 155, 157, 163, 183, 186-188, 192-194, 209, 213, 230, 252, 257, 263-264, 311, 323, 325, 343, 346, 373, 499
Channel service unit/digital service unit (CSU/DSU), 295, 486
Charting, 25
Check digit, 200, 486
Checkpoint, 176, 353
Checkpoint/restart, 353
Checksum, 223, 486
Chief privacy officer (CPO), 112, 340, 509
Chief security officer (CSO), 340, 509
CIAC, See Computer Incident Advisory Capability
CIM, See Computer-integrated manufacturing
Cipher, 337, 386, 388, 391, 425, 483
Ciphertext, 385, 486, 489, 491
Circuit-switched network, 294
CIS, See Continuous and intermittent simulation
Cleartext, 320, 389, 486
Client-server, 168, 180, 253, 264, 269, 276, 282, 284, 304, 309-310, 323-326, 333, 354-355, 359, 361, 363, 371, 373, 391-393, 429, 431, 486, 501
Client-server architecture, 309
CMDB, See Configuration management database
CMM, See Capability maturity model
CMMI, See Capability maturity model integration
CMMI/SEI, 247, 249, 327
CNC, See Computerized numeric control
CO2, See Carbon dioxide
Coaxial cable, 291, 461, 484, 486
COBIT, See Control Objectives for Information and related Technology
COCOMO, See Constructive cost model
CODASYL, See Conference on Data Systems Languages
Code generators, 118, 188, 282
Code of Professional Ethics, 8, 10, 14-15, 523, 527
Coding standards, 150, 245, 265
Cohesion, 150, 486
Cold site, 454, 456, 458, 486
COM/DCOM, See Component Object Model/Distributed Component Object Model
Command-line, 392
Common gateway interface (CGI), 151, 305-306, 378, 503, 509
Common Object Request Broker Architecture (CORBA), 171-172, 310, 501, 509
Communicating audit results, 8, 39
Comparison program, 265, 486
Compensating control, 38, 100, 107, 486
Competence, 11, 14-15, 17, 35, 525
Compiler, 150, 486
Complementary Code Keying (CCK), 300, 509
Completeness check, 487
Compliance testing, 24, 27, 31, 34, 206, 487
Component Object Model/Distributed Component Object Model (COM/DCOM), 171, 310, 509
Comprehensive audit, 487
Computer crime, 332, 334, 349-350, 352, 411
Computer Incident Advisory Capability (CIAC), 416, 509
Computer operations, 95, 187
Computer operator, 105, 282
Computer security incident response team (CSIRT), 351, 509
Computer shutdown, 353, 421
Computer-aided manufacturing (CAM), 171, 227, 509
Computer-aided software engineering (CASE), 1-2, 5, 9, 27, 32-33, 42, 44, 49, 61, 66, 72, 82, 85, 88-89, 96, 103, 111-112, 116, 120-121, 123-126, 128, 130, 136, 140, 142-143, 146, 152, 154, 158-160, 164, 171, 183, 188-190, 206, 214, 216, 229, 242-245, 248, 254, 271, 279, 304, 309, 312, 314, 319-320, 336, 342, 345, 347-348, 354, 357-360, 370-371, 377, 385, 396, 404-405, 412, 422, 426, 428-429, 431, 433-434, 443, 445-447, 449, 452-455, 457, 459, 461, 463-464, 470-471, 473, 476, 478, 481, 484-485, 487, 490, 498-502, 503-509, 515, 529
Computer-aided software engineering (CASE), 32, 502
Computer-assisted audit technique (CAAT), 37, 48, 487, 509
Computer-integrated manufacturing (CIM), 227-228, 509
Computerized numeric control (CNC), 227, 509
Concurrency, 96, 244, 487
Conference on Data Systems Languages (CODASYL), 509
Confidentiality, 215
Configuration, 48, 95, 97, 118, 121, 140-141, 149, 154, 163, 168, 182-183, 187-188, 215, 218, 223, 244, 245, 255-258, 262-263, 266, 269, 276, 281, 288, 291, 302, 308, 311, 315, 337, 364-365, 379, 382, 397, 401, 409, 415-416, 455, 459, 461, 485, 487, 500, 502, 509, 514-515, 518, 520-521
Configuration management database (CMDB), 257, 509
Connectionless, 382
Console log, 256, 258, 319, 487
Constructive cost model (COCOMO), 134
Contingency planning, 20, 225, 347, 479-480, 487
Continuous and intermittent simulation (CIS), 51, 53, 208-209, 509
Continuous online auditing, 37, 119, 149, 208
Control account, 198
Control classifications, 20
Control group, 95-96, 100, 183, 187, 199, 265, 488
Control matrix, 38, 98-99, 269
Control Objectives for Information and related Technology (COBIT), 3, 8, 10, 21-22, 40, 43, 56-58, 62, 93, 110-113, 142-143, 248, 327, 338, 435-436, 469, 479, 495, 509, 513-521, 523
Control overhead, 78
Control procedures, 8, 22-23, 28-30, 38, 84, 87, 118, 182, 197, 199, 201, 212, 220-221, 229, 233, 243, 263, 294, 310, 416
Control risk, 18, 27-28, 51, 53, 488, 494, 526
Control self-assessment (CSA), 10, 52
Control self-assessment (CSA), 9-10, 42-44, 52, 509
Controlling input/output, 156
Conversion, 85, 95, 117, 122, 149, 155, 159-161, 163, 169-170, 180, 187, 198, 212, 264, 286, 315, 418, 503
Cookie, 306, 414, 488
Cookie/session, 414
Cooperative processing systems, 120, 230
CORBA, See Common Object Request Broker Architecture
Corporate governance, 1, 13, 26, 60, 62-64, 70, 111-113, 249, 488, 493
Corrective controls, 448, 488
Coupling, 150, 215, 488
CPM, See Critical path methodology
CPO, See Chief privacy officer
CPS, See Certification practice statement
CPU, See Central processing unit
Crackers, 248, 350, 374, 398, 403, 437
Critical path methodology (CPM), 135, 137, 508-509
CRL, See Certification revocation list
CRM, See Customer relationship management
Cryptographic algorithm, 294, 388, 486
CSA, See Control self-assessment
CSIRT, See Computer security incident response team
CSMA/CA, See Carrier-sense Multiple Access/Collision Avoidance
CSMA/CD, See Carrier-sense Multiple Access/Collision Detection
CSO, See Chief security officer
CSU/DSU, See Channel service unit/digital service unit
Cube, 236
Customer relationship management (CRM), 139, 166, 227, 240, 488, 493, 509, 546
Customer relationship management, 111, 120, 139, 217, 240, 488, 509
Cyberattacks, 440
Cybercommerce, 112
Cybercrime, 24, 434, 440, 479
Cybersecurity, 249, 327, 433, 479
Cyberthreats, 436
Cybertrust, 390
Decision support systems (DSS) Trends, 120, 240
Decision trees, 233
Decompiler, 173
Decryption, 385-386, 388, 489, 502
Decryption key, 385, 489, 502
DECT, See Digital Enhanced Cordless Telecommunications
Delineation, 86
Delta, 257
Demilitarized zone (DMZ), 383
Denial of service, 79, 337, 339, 365, 374, 377-378, 393, 397, 413, 509
Deployment, 68, 77, 85, 122, 138, 148-149, 153, 160, 169, 177, 223, 391, 459
DES, See Data Encryption Standard
Design and development, 85, 117, 119-120, 137, 141, 165, 211, 238, 244-245, 284, 287, 411
Detailed design, 119, 136, 138, 148-149, 166, 189, 211, 505
Deterministic, 502
DFD, See Data flow diagram
Dial-back, 372-373, 400-401, 489
Dial-in penetration attacks, 378
Dial-up access controls, 333, 372, 412
Dictionaries, 165, 186, 278, 467
DID, See Direct inward dial
Diffie-Hellman, 391
Digital Enhanced Cordless Telecommunications (DECT), 301
Digital signature, 216, 223, 337, 388-389, 391-392, 430, 432, 489
Digital subscriber lines (DSL), 296-297, 364, 509
Digital video disc (DVD), 270-271, 274, 509-510
Direct inward dial (DID), 103, 187, 199, 201, 299, 355, 387-388, 398, 400, 509
Direct inward dial (DID), 398
Direct-sequence spread spectrum (DSSS), 509
Disaster recovery, 445
Disaster Recovery Institute International (DRII), 469, 479, 509
Disaster recovery planning, 2, 23, 442, 445-446, 480, 487, 509
Disaster recovery procedures (DRP), 313, 445, 447, 459
Disasters and other disruptive events, 442, 446
Discovery sampling, 34, 490
Discrete cosine transform (DCT), 231, 509
Discretionary Access Controls (DACs), 342
Disk management, 253, 273, 282
Disk management system (DMS), 282
Disk striping, 462
Diskless workstations, 373, 394, 490
Distributed data processing network, 315, 490
Diverse routing, 456, 461
DLLs, See Dynamic link libraries
DMS, See Disk management system
DMZ, See Demilitarized zone
DNS, See Domain name service
DNS, network, 416
Domain name service (DNS), 269, 306, 378, 413-414, 416, 490, 509
Downloading, 306, 393, 482, 490
Downtime report, 490
DRII, See Disaster Recovery Institute International
DRP, See Disaster recovery procedures or Disaster recovery planning
Dry-pipe sprinkling systems, 421
DS, 278-279, 509
DSL, See Digital subscriber lines
DSS, 120, 137, 139, 237-240, 489, 509
DSS Frameworks, 110, 238
DSS, See Decision support systems
DACs, See Discretionary Access Controls
Daemen, 388
Damage assessment team, 457
Damage/flooding, 419
Data analysis, 48, 237, 369, 418
Datacenter, 38, 159, 264, 276, 282, 341, 428, 473-474
Data classification, 129, 337, 340-341
Data communication, 236, 277
Data communications equipment (DCE), 294
Data communications equipment or Distributed computing environment (DCE), 294-295, 361, 486, 509
Data communications software, 252, 273, 277
Data control group, 100
Data conversion, 117, 122, 149, 155, 159-161, 169, 198, 212
Data custodian, 488
Data dictionary (DD), 278-279, 509
Data Dictionary/Directory System (DD/DS), 278-279, 509
Data editing, 199, 240
Data encryption, 100, 223, 228-229, 371, 373, 386, 430, 489, 508-509
Data Encryption Standard (DES), 224, 386, 388, 391, 430, 489, 508-509
Data Encryption Standard (DES), 430
Data entry, 61, 85, 95, 198-199, 254, 317, 411, 460, 464-465, 482
Data file control procedures, 118, 201
Data flow diagram (DFD), 509
Data input, 21, 197, 200, 482, 504
Data integrity, 106-107, 119, 148, 161, 163, 196, 205, 219, 225, 276, 278, 282, 316, 325, 360, 388-389
Data leakage, 352, 489
Data management, 13, 94, 214, 238, 252, 275, 277
Data mining, 48, 226, 236
Data owner, 99, 342, 403, 410, 431, 489-490
Data redundancy, 278, 313, 462
Data security, 95, 105, 107, 259, 278, 307, 311, 313, 315, 372, 489
Data structure, 36, 161, 236, 281, 489
Data terminal equipment (DTE), 295, 486, 509
Data transmission, 307-308, 486, 498, 504
Data validation, 27, 118, 199-200, 204-205
Data warehouse, 235-237, 343, 510
Database administration, 23, 61, 96-97, 105, 107, 255
Database administrator (DBA), 96-97, 105, 107, 276, 279, 408, 489, 508
Database controls, 253, 281
Database management system (DBMS), 48, 151, 166, 190, 205, 227, 252, 275, 277-279, 281, 313, 408, 467, 487, 489, 493, 508
Database specifications, 33, 140, 149, 165, 170,489
Datagram, 285, 295, 304, 381, 512
Data-oriented system development, 117, 169-170, 509
DBA, See Database administrator
DBMS, See Database management system
DCE, See Data communications equipment or Distributed computing environment
DCT, See Discrete cosine transform
DD, See Data dictionary
DD/DS, See Data Dictionary/Directory System
Deadlock, 281
Debugging, 36, 116, 149-151, 154, 282, 353
Decentralization, 75, 489
Decision focus, 120, 238
Decision support systems (DSS), 137
DSSS, See Direct-sequence spread spectrum, 509
DTE, See Data terminal equipment
Dumb terminal, 402, 490
Duplexing, 452
Duplicate check, 200
Duplicate information processing facilities, 453
DVD, See Digital video disc
Dynamic link libraries (DLLs), 154
EAP, See Extensible Authentication Protocol
Eavesdropping, 352, 374, 377, 391, 397-399, 507
EBCDIC, See Extended Binary-coded Decimal Interchange Code
ECC, See Elliptical curve cryptography
E-commerce, 13, 17, 55, 58, 112, 114, 119, 128, 141, 149, 213-217, 219, 248-250, 386, 391, 430, 436, 479, 525
E-commerce architectures, 119, 214
E-commerce audit and control issues, 119, 216
E-commerce models, 119, 213
E-commerce requirements, 119, 216
E-commerce risks, 119, 215
E-commerce, See Electronic Commerce
EDFA, See Enterprise data flow architecture
EDI, 31, 95, 119, 213, 215, 217-222, 241, 243, 260, 277, 412, 460-461, 490, 508, 536, 545
EDI risks and controls, 119, 219
EDI, See Electronic data interchange
Edit controls, 199, 490
Editing, 30, 118, 150, 189-190, 199-200, 204, 240, 264, 353, 490
EER, See Equal-error rate
EFTS, See Electronic funds transfer systems
EIGRP, See Enhanced Interior Gateway Routing Protocol
EJB, See Enterprise Java Beans
Electromagnetic interference (EMI), 288-289, 419, 510
Electronic Commerce (E-commerce), i, 13, 17, 55, 58, 112, 114, 119, 128, 141, 149, 213, 214, 215, 216, 217, 219, 248, 249, 250, 386, 391, 430, 436, 479, 515, 536
Electronic Commerce, 13, 58, 119, 213, 391, 412, 510
Electronic data interchange (EDI), i, 31, 95, 119, 213, 215, 217, 218, 219, 220, 221, 222, 241, 243
Electronic funds transfer systems (EFTS), 229
Electronic mail (E-mail), 6, 14, 103, 109, 114, 119, 171, 183, 219, 222-223, 247, 268, 277, 284-286, 307, 354, 362, 377-378, 381, 391-394, 406, 412, 415, 429, 431, 433, 482, 490, 493-494, 499, 512, 528, 531
Electronic mail, 119, 137, 222, 229, 306, 505
Electronic signature, 439
Elliptical curve cryptography (ECC), 387, 462, 510
E-mail, See Electronic mail
Embedded audit modules, 47-48, 51, 510, 512
Emergency action team, 457
Emergency management team, 457-458, 470
EMI, See Electromagnetic interference
Employee handbook, 60, 82
Employee performance evaluations, 60, 83
Emulation, 284-285, 306, 355, 362, 508, 512
Encapsulation, 296-297, 326, 380, 392, 491
Encapsulation security payload (ESP), 392, 430, 432, 510
Encryption, 303, 385, 388, 392, 491
Enhanced Interior Gateway Routing Protocol (EIGRP), 461, 508
Enhanced Telecom Operations Map (eTOM), 73
Enterprise data flow architecture (EDFA), 234, 510
Enterprise Java Beans (EJB), 171, 510
Entity relationship diagrams (ERD), 143-144, 510
Equal-error rate (EER), 358, 510
ERD, See Entity relationship diagrams
Error reporting, 118, 198, 201
Escalation, 255, 259, 262-263, 318, 337, 347, 414-415, 485, 500
Escrow, 87, 102-103, 121, 140, 146, 148, 472, 491
ESP, See Encapsulation security payload
Ethernet, 180, 270, 288, 291-292, 295, 298, 304, 491, 496, 504-505, 511
E-token, 369
eTOM, See Enhanced Telecom Operations Map
Evidence, 15, 31
Exception report, 200-201, 491
Executable code, 153, 173, 182, 265, 352, 491
Existence check, 200
Expert systems, 26, 36, 120, 151, 222, 232-233, 240, 491
Exponentiation, 386
Exposure, 66, 68-69, 78, 83, 103, 153, 223-224, 349, 353, 356, 370-371, 385, 403, 415, 424, 426, 491, 496
Extended Binary-coded Decimal Interchange Code (EBCDIC), 160, 277, 286, 490, 492, 510
Extensible Authentication Protocol (EAP), 299
Extensible Markup Language (XML), 172-173, 214-215, 284, 302, 492, 503, 512
External labeling, 201
External schema, 278
Extranet, 297, 326, 492
Extrapolation, 418
Facial-metric, 359
Facilitator, 162
Factorization, 386, 502
Failure-to-enroll rate (FER), 358, 510
False-positive, 394
False-rejection, 358, 510
Fast Fourier transform (FFT), 231, 510
FAT, See File allocation table
FDDI, See Fiber-Distributed Data Interface
FDM, See Frequency division multiplexing
FEA, See Federal Enterprise Architecture
Feasibility study, 32, 116, 119, 128, 136, 139, 142-143, 145, 210-212, 245, 311, 492, 505
Federal Emergency Management Association (FEMA), 469, 479, 510
Federal Energy Regulation Commission (FERC), 469, 510
Federal Enterprise Architecture (FEA), 73-74, 510
Federal Financial Institutions Examination Council (FFIEC), 469, 510
Federal Information Processing Standards (FIPS), 388, 510
FEMA, See Federal Emergency Management Association
FER, See Failure-to-enroll rate
FERC, See Federal Energy Regulation Commission
FFIEC, See Federal Financial Institutions Examination Council
FFT, See Fast Fourier transform
FHSS, See Frequency-hopping spread spectrum
Fiber-Distributed Data Interface (FDDI), 502, 510
Fiber-optic, 288-289, 303, 461, 492
File allocation table (FAT), 182, 492, 510
File controls, 201-202
File layout, 492
File server, 286, 313-314, 427, 490, 492, 496
Financial audit, 23, 492
Financial management practices, 61, 90
Fingerprint, 223, 358-359, 426, 436, 440
FIPS, See Federal Information Processing Standards
Firefox, 304
Firewalking, 414
Firewall, 166, 216-217, 222, 270, 320, 324, 333, 337, 364, 371, 375, 377, 379-383, 385, 394-395, 402, 407, 415, 418, 473, 492
Firewire, 284, 302
Firmware, 273-274, 394, 493
Floppy, 270-271, 282, 369-370, 373, 418, 427, 429, 431
Flowchart, 204
Flowcharts, 37, 41, 72, 137, 148, 165, 186, 192, 211
Follow-up, 15, 17, 23-25, 39-41, 86, 144, 186, 198, 200, 205, 272, 312, 315, 334, 367, 410, 466, 525, 547
Forensics, 17, 35, 55, 57, 335, 417-418, 433, 435-438, 479, 487, 525
Fortezza, 391
Fourth-generation language, 493, 508
FPA, See Function point analysis
FPs, See Function points
Frame relay, 242, 253, 294, 296, 320, 364, 473, 493, 506, 510
Fraud, 8, 24, 26-27, 34, 47, 51, 57, 79, 113, 141, 187, 225, 347, 374, 397, 399, 407, 434-435, 502
Fraud risk, 51
Frequency division multiplexing (FDM), 295, 510
Frequency of rotation, 442, 467
Frequency-hopping spread spectrum (FHSS), 300, 302, 510
FTP, See Anonymous File Transfer Protocol or File Transfer Protocol
FUD, 439
Full duplex, 293
Function point analysis (FPA), 116, 132-134, 510
Function point analysis, 116, 132, 510
Function points (FPs), 132
Functional design specifications, 203
Gantt chart, 177
Gateway, 125, 151, 219, 222, 293, 305, 313, 381, 393, 458, 461, 493, 508-509
GDP, See Gross domestic product
General audit procedures, 24
General control procedure, 22
Generalized audit software, 25, 36, 52, 54, 207, 487, 493, 510
Generally accepted standards, 100
Geographical Information System (GIS), 139, 493, 510
GHz, See Gigahertz
Gigabit, 291-292
Gigabyte, 268, 510
Gigahertz (GHz), 299, 302
GIS, See Geographical Information System
Global position system (GPS), 375, 510
Global System for Mobile Communications (GSM), 298, 510
GPS, See Global position system
Graphical user interface (GUI), 132, 166, 309-310, 510
Gross domestic product (GDP), 81
GSM, See Global System for Mobile Communications
GUI, See Graphical user interface
Guidelines, 14, 17, 523
Hacker, 246, 302, 366, 372, 375, 394, 412, 414, 447
Half duplex, 293
Halon, 421
Handheld, 268, 301-302, 306, 335, 373, 375, 420, 422, 425, 499
Handwriting, 268
Hardened, 166, 381, 383, 427
Hardware acquisition, 91, 118, 179, 310
Hash, 20, 198, 223, 243, 245, 385, 388-389, 391, 432, 462, 486, 489
HDLC, See High-level data link control
Health Insurance Portability and Accountability Act (HIPAA), 13, 469, 510
Help desk, 74, 85, 89, 94, 99, 156, 218, 232, 252, 255-256, 263, 309, 318, 362, 493, 500
Heuristic, 130, 135, 168, 195, 394, 493
Hexadecimal, 320, 418
Hierarchical database, 279, 493, 501
High-level data link control (HDLC), 296, 510
HIPAA, See Health Insurance Portability and Accountability Act
Hiperlan, 298, 302
Hiring, 60, 65, 82, 135, 182, 498
Holistic project view, 127
Honeynet, 384-385
Honeypot, 384-385, 494
HTML, See Hypertext markup language
Html, 113, 151, 171, 247, 249, 302, 304, 328-329, 433, 435-436, 439, 479-482, 486, 488, 494, 499, 504, 510
HTTP, See Hypertext Transfer Protocol
HTTPS, See Secure Hypertext Transfer Protocol
Hub, 291, 298
Hypertext markup language (Html), 109-110, 249, 327, 433, 435, 440, 479
Hypertext Transfer Protocol (Http), 109-110, 112, 114, 269, 304, 306, 327, 381-382, 391-392, 395, 414-415, 433, 437, 481, 483, 485-488, 491, 494-504, 506-507, 510-511
I&A, See Identification and authentication
ICMP, See Internet control message protocol
IDE, See Integrated development environment
Identification and authentication (I&A), 356, 510
Identifier, 144, 197, 266, 392, 503
IEEE, See American Institution of Electrical and Electronic Engineers
IETF, See Internet Engineering Task Force
Image processing, 31, 120, 231, 494, 509
Impersonation, 362, 377, 494
Implementation phase, 119, 152, 154, 212
Implementation strategies, 120, 239, 333, 395
IMS, See Integrated manufacturing systems
Inbound, 119, 219, 221-222, 243, 382, 395
Incident handling and response, 332, 339, 351, 379, 415
Incident response, 21, 68, 225, 337, 351, 411, 418, 436, 448, 457, 459, 479, 509-510
Independence, 10, 15, 17, 31, 35, 37, 39-40, 78, 150, 190, 207, 278, 494, 513, 525
Indexed sequential access method (ISAM), 494, 508
Industrial espionage, 349, 374
Information processing facility (IPF), 94, 502
Information processing facility (IPF), 94-97, 335, 421-423, 426-427, 454-455, 461, 463-464, 466, 475, 494, 498, 502, 510
Information systems control objectives. 30
Information systems operations, 256, 266, 310, 316, 318
Information Technology Infrastructure Library (ITIL), 110, 112, 257, 328-329, 371, 510
Infrared (IR), 297, 299, 301, 510
Infrared, 285, 297, 299, 301, 366, 510
Infrared Data Association (IrDA), 284, 299, 301, 510
Inherent risk, 27-28, 51, 53, 204, 494
Initial program load, 276, 508
Input authorization, 118, 197, 204
Input controls, 202, 494
Input/origination controls, 118, 197
Insulation, 314, 486
Insurance coverage, 78
Insurance, iv, 13, 19, 35, 78, 226, 231, 420, 423, 442, 444, 450, 453, 454, 455, 456, 458, 460, 463, 464, 465, 468, 471, 472, 476, 478, 510
Integrated customer file, 120, 229
Integrated development environment (IDE), 150
Integrated manufacturing systems (IMS), 227
Integrated manufacturing systems, 119, 217
Integrated Services Digital Network (ISDN), 180, 294, 296, 303, 364, 495, 506, 508
Integrated test facilities (ITF), 51
Integrated test facilities (ITF), 51, 53, 208-209, 495, 508
Integration, 35, 68, 70-72, 78, 113, 118, 144, 147, 149, 152, 154, 166, 172-173, 178, 194, 216, 217-231, 234, 240, 248-249, 359, 483, 509-510, 512
Integrity, 215, 264
Interception, 242, 302, 385
Interconnectivity, 488
Internal control, 8, 12-13, 16, 20-21, 23, 26, 28-30, 37, 42-44, 48, 53, 58, 63, 110, 121, 140, 154, 222, 229, 233, 433, 435, 486, 513-518, 520-521, 523
Internal control objectives, 8, 21, 26
Internal controls, 1, 8, 16, 19-20, 23-24, 26-30, 33-34, 36, 42, 44-45, 53, 55, 57, 63, 98, 112, 204, 211, 345, 483, 487-488, 491, 494, 500, 504
Internal labels, 201
Internal schema, 278
Internal storage, 274, 488
International Organization for Standardization/Open Systems Interconnection (ISO/OSI), 285-286, 303
International Telecommunications Union (ITU), 296, 396, 510
International Telegraph and Telephone Consultative Committee (CCITT), 296
Internet, 225, 303, 306
Internet control message protocol (ICMP), 414, 510
Internet Engineering Task Force (IETF), 297, 364, 392, 435, 479-480, 495, 501, 510
Internet Protocol (IP), 222, 236, 253, 286-287, 292-297, 300-304, 306-308, 320, 326, 328-329, 333, 337, 362, 364, 375-378, 380-382, 391-392, 395-396, 406, 411, 413, 418, 432, 437, 494-495, 498, 500, 505-506, 508, 512
Internet Protocol (IP), 222, 295, 304, 326, 506
Internet Protocol security (IPSec), 297, 327, 364, 380, 392, 505, 510
Internet service provider (ISP), 119, 303, 306, 396, 508
Inter-network Packet Exchange (IPX), 293, 295, 326, 500, 510
InterNIC, 413
Interoperability, 225, 285, 303, 310, 391
Interview, 10, 15, 32, 39, 84, 211, 311, 315, 403, 409, 449, 470-471
Intranet, 173, 236, 296-297, 320, 324, 326, 355, 363, 492
Intruder, 353, 357, 365, 376-379, 382-385, 397-402
Intrusion detection, 18, 47, 103, 117, 224, 247, 270, 320, 333, 337, 351-352, 367, 379, 383-384, 415, 430, 510, 526
Invitation to tender (ITT), 146, 179-180, 510
IP, See Internet Protocol
IPF, See Information processing facility
IPSec, See Internet Protocol security
IPv4, 391
IPv6, 392
IPX, See Inter-network Packet Exchange
IR, See Infrared
IrDA, See Infrared Data Association
Iris, 356, 358-359
Irregularities, 16-18, 28, 34, 57, 84, 98, 101, 152, 208, 353, 358, 366, 495, 525-526, 530
IS audit function, 8, 11, 15, 103
IS budgets, 61, 90, 142
ISACA Code of Professional Ethics, 8, 14-15, 513
ISACA IS Auditing Guidelines, 8, 17
ISACA IS Auditing Standards, 1, 8, 10-12, 14, 17
ISACA IS Auditing Standards and Guidelines, 1, 8, 14
ISAM, See Indexed sequential access method
ISDN, See Integrated Services Digital Network
ISM, 299
ISO 9001, 91-92, 111, 191, 248
ISO/OSI, See International Organization for Standardization/Open Systems Interconnection
Isochronous, 302
ISP, See Internet service provider
Issuer, 226-227
IT governance, ii, 1, 5, 16, 17, 21, 22, 45, 49, 55, 57, 58, 60, 61, 62, 63, 64, 65, 66, 67, 72, 74, 83, 101, 105, 106, 107, 109, 110, 111, 112, 113, 114, 248, 249, 327, 338, 371, 436, 479, 495, 510, 513, 514, 515, 521, 523, 525, 546
IT performance, 62, 92, 514-515, 517-519, 521, 524
ITF, See Integrated test facilities
ITIL, See Information Technology Infrastructure Library
ITT, See Invitation to tender
ITU, See International Telecommunications Union
J2EE, 73
Java, 151, 170-171, 214, 306, 378, 395, 481, 503, 510
JavaScript, 151, 301, 306, 482, 546
JBuilder, 151
JIT, See Just-in-time
Job description, 94, 407-408, 425
Job rotation, 84
Joins, 112, 236
Journal, 55-58, 101, 109-114, 247-250, 327-330, 433-440, 479-480, 546
Judging the materiality of findings, 8, 38
Just-in-time (JIT), 113, 227, 241
KDSI, See Thousand delivered source instructions
Kerberos, 361
Kernel, 276
Key decision-making personnel, 442, 460
Key goal indicators (KGI), 83, 508
Key performance indicators (KPI), 83, 495, 508
Key personnel, 101, 209, 442, 471
Key verification, 200
Keyboard, 267-268, 302, 426
Keypad, 230
KGI, See Key goal indicators
Kick-off meeting, 127
Kilo lines of code (KLOC), 132, 510
KLOC, See Kilo lines of code
KPI, See Key performance indicators
L2TP, See Layer 2 Tunneling Protocol
Laptop, 163, 268, 298, 320, 353, 365, 376, 425, 427
Laserdisc, 271
Last-mile circuit protection, 461
Latency, 292, 307
Layer 2 Tunneling Protocol (L2TP), 505, 510
LCP, See Link Control Protocol
Leased lines, 297, 299, 303
Legacy systems, 166, 214, 216, 320
Librarian, 256, 266, 317,466,495
Library control software, 252, 264-265
Licensed software, 283
Lights-out operations, 252, 254, 259-260, 318
Limit check, 200, 496
Link Control Protocol (LCP), 295, 510
Linux, 214, 276, 327, 414
LISP, 151, 232
Load balancing, 255, 293, 307, 309-310, 382
Local area network, 242, 253, 288, 473, 496, 508, 512
Lock, 400, 404, 406, 425-426, 431
Log, 101, 199, 202
Logging, 48, 105, 107, 181, 199, 202, 204, 221, 252, 275-276, 307, 318, 327, 332, 334, 349, 355, 363, 366-367, 371, 410, 416-417, 426-427, 429, 467, 488
Logic bomb, 352
Logical access controls, 49, 105, 107, 332, 337, 350, 352-354, 362, 368, 407, 410-411, 415, 518
Logical security, 22-23, 29, 49, 91, 312, 314-315, 341, 403-404, 408
Logoff, 258, 315, 409
Logon, 356, 409
Logon ID, 353-354, 356-357, 366, 407-408, 410
Long-haul network diversity, 456, 461
Loopholes, 411
Lophtcrack, 379
MAC, See Mandatory access controls
Machine language, 150,482,491, 503
Macro, 410
Magnetic card readers, 224, 499
Mainframe, 267
Malware, 352, 496
Management information system (MIS), iv, 139, 496, 511
Management principles, 55, 92, 109, 111, 194
Mandatory access controls (MAC), 242, 248, 286, 291-293, 342, 496, 510
Manual controls, 191, 203
Manufacturing resources planning (MRP), 113, 227, 511
MAPICS, 227
Mapping, 24, 36, 113, 206, 218, 249, 274, 320, 329, 359, 382, 413-414, 418, 438, 496
Masking, 410
Masquerading, 371, 377, 494, 499
Master file, 51, 198, 206-207, 218, 221, 243, 245, 467, 470, 505
Materiality, 8, 17, 27-29, 38, 40, 47, 81, 496, 525
MD2, 388
MD4, 388
MD5, 388, 391
Mdac, 414
Mean time between failures (MTBF), 157
Mean time between failures (MTBF), 157, 511
Mean time to repair (MTTR), 157
Mean time to repair (MTTR), 157, 511
Media and documentation backup, 442, 467
Megapixel, 366
Memory dump, 417
Mesh, 46, 487
Message modification, 377
Message switching, 218, 294, 497
Metadata, 215, 236, 252, 278-279
Microbrowsers, 302
Microchip, 271
Microcomputer, 189, 208, 219, 233, 269, 274-275, 284, 411, 482, 487, 508
Microfiche, 231, 370, 468
Microfilm, 231, 468
Microsoft's Transaction Server (MTS), 171, 511
Middleware, 166, 171, 214-216, 253, 275, 309-310, 497
Mirror, 462-463
Mirroring, 452, 461-462, 475, 477
MIS. See Management information system
Mobile, 2, 17, 97, 214, 268, 270, 294, 297-298, 301, 327-328, 332, 336, 366, 387, 396, 427, 453, 455, 497, 510, 525
Modem, See Modulator/demodulator
Modulation, 300, 302, 484, 497
Modulator/demodulator (Modem), 219, 283, 294, 296-297, 306, 315, 364, 372, 383, 400, 484, 501, 508
Modulator/demodulator, 294, 508
Module, 52-53, 149, 152, 160, 163, 172-173, 188, 212, 227, 233, 257, 265, 325, 402, 486, 488, 490-491, 506
Monetary unit, 497
Mozilla Firefox, 304
MPLS, See Multiprotocol label switching
MQSeries,214
MRP, See Manufacturing resources planning
MSAU, 502
MSAUs. See Multistation access units
MTBF. See Mean time between failures
MTS. See Microsoft's Transaction Server
MTTR, See Mean time to repair
Multiplexing, 295-296, 300, 483, 508, 510-512
Multiplexor, 295
Multiprotocol, 253, 296, 511
Multiprotocol label switching (MPLS), 296, 511
Multistation access units (MSAUs), 502, 511
Multitiered, 214, 527
Multiuser, 95, 143, 205, 269, 272, 309, 462
Naming conventions, 96, 313, 315, 332, 368-369, 372
NAS, See Network access server
NAT, See Network address translation
National Bureau of Standards (NBS), 386, 489
National Fire Protection Agency (NFPA), 469, 511
National Institute of Standards and Technology (NIST), 144, 248, 388, 489, 511
NBS, See National Bureau of Standards
NCP, See Network Control Protocol
NDA, See Non-disclosure agreement
NETBEUI, 326
NetBIOS, 293
Nerem, 379
Network access server (NAS), 282, 364, 497, 511
Network address translation (NAT), 337, 382, 511
Network address translation (NAT), 382
Network administrator, 306-307, 313-314, 316, 320, 373, 381, 393, 412, 429, 497
Network architecture, 284-285, 293, 308-309, 313, 314, 326, 512
Network connectivity, 168, 284, 297, 345, 354, 454
Network control, 177, 195, 316, 341, 370, 408, 458, 482, 511
Network Control Protocol (NCP), 195, 511
Network interface card (NIC), 291-292, 311, 497, 511
Network management, 11, 49, 61, 97, 103, 136, 181, 217, 253, 273, 285, 293, 295, 304, 308, 354, 365, 375, 411, 416, 418, 492, 505, 512
Network management software, 273, 416
Network manager, 409-410
Network security, 48, 315, 320, 327-329, 333, 361, 371, 376-377, 379, 385, 433, 436, 438
Network service provider (NSP), 295-296, 304, 511
Network standards and protocols, 253, 277, 285, 364
Neural networks, 232, 384
NFPA, See National Fire Protection Agency
NIC, See Network interface card
NIST, See National Institute of Standards and Technology
nmap, 379
Node, 296, 355, 503
Noise, 289-290, 308, 497
Non-disclosure agreement (NDA), 413, 498, 511
Nonrepudiation, 202, 215, 219, 222, 225, 360, 374, 385, 387-389, 391-392, 489
Normalization, 281, 323, 325, 335, 418, 498
Notebook, 268, 301, 375
NSP, See Network service provider
N-tier, 121
Object code, 107, 150, 187, 486, 503
Objectivity, 14, 31, 35, 147, 498
Object-oriented (OO), 144
Object-oriented (OO), 144, 511
Object-oriented system development (OOSD), 169-170, 511
Object-oriented system development, 117, 170, 511
Occupant emergency plan (OEP), 459, 511
OECD, See Organization for Economic Cooperation and Development
OEP, See Occupant emergency plan
OFDM, 300, 302, 511
Office automation, 45, 116, 120, 137, 171, 229, 268
Offline file, 317
Offshore, 84-85, 87, 109, 247
Offsite facility, 442, 460, 466-467, 471
Offsite libraries, 466
Offsite library controls, 442, 466
Offsite storage, 38, 422, 426, 442, 458, 467-469, 471, 498
Offsite storage team, 458
OLAP. See Online analytical processing
Online analytical processing (OLAP), 236, 511
Online auditing techniques, 37, 119, 208
Online programming facilities, 116, 148, 150
OO. See Object-oriented
OOSD. See Object-oriented system development
Open Shortest Path First (OSPF), 461, 498, 508
Open systems, 181, 277, 285, 482, 508
Open Systems Interconnection (OSI), 253, 285-287, 292-296, 303, 333, 381, 390, 482, 486, 500, 502, 508
Operating system, 173, 274, 311
Operational control, 126, 238, 498
Operations manager, 95, 156, 410
Operator console, 354, 397, 498
Optical scanners, 224, 499
Optimizing, 55, 57, 194, 260, 288
Organization for Economic Cooperation and Development (OECD), 12, 63, 343, 511
Organizational relationship, 17, 525
Origination controls, 118, 197
OSI. See Open Systems Interconnection
OSPF. See Open Shortest Path First
Outbound transactions, 119, 218-219, 221
Output analyzer, 282
Output control, 95, 212, 252, 260, 425
Outsourcing, 17, 35, 85, 87, 88
Oxley, 13, 42, 57, 109-110, 112-113, 234

Packet, 286, 291-298, 307, 324, 326, 333, 372, 376-377, 380-383, 392, 396, 414, 493, 495, 498, 503, 505, 509-511
Packet switching, 294, 296, 324, 396, 498
Paperless, 37, 118, 149, 208, 221, 260, 354, 490
Parallel simulation, 52-53, 207
Parallel testing, 154, 211, 498
Parity check, 102, 498
Pascal, 170
Passive attack, 397
Password, 197, 356, 357, 358, 392, 410
Paths of logical access, 331, 354
PBX. See Private branch exchange
PDA. See Personal digital assistant
PDNs. See Public data networks
Penetration testing, 11, 18, 246, 337, 410, 412-416, 526
Performance indicators, 62, 92, 234, 319, 495, 508, 524
Performance of audit work, 15, 26, 56, 525
Performance optimization, 61, 92, 139
Performance testing, 152, 246, 499
Periodic backup procedures, 442, 467
Peripherals, 95, 180, 255, 268, 272, 282, 356
Perl, 151, 305
Permanent virtual circuit (PVC), 493, 511
Personal data, 12-13, 338, 343, 369, 439
CISA Review Manual 2007
Personal digital assistant (PDA), 268, 301, 306, 365-366, 375, 495, 499, 508
Personal identification number (PIN), 214, 228-229, 302, 356, 372, 377, 499, 511
PERT. See Program Evaluation Review Technique
Phreakers, 350, 398, 460, 499
PHY. See Physical layer
Physical access controls, 23, 38, 335, 337, 339, 341, 425, 427, 466, 519
Physical layer (PHY), 299, 511
Physical security, 49, 95, 176, 228-229, 313-314, 337, 352, 365, 400, 404, 426, 428
Piggybacking, 353, 426, 428
PIN. See Personal identification number
Ping, 307
PingSweep, 414
PKI. See Public key infrastructure
Plaintext, 372, 385-386, 388-389, 489, 491
Plan maintenance, 442, 465-466, 477
Plan testing, 442, 464-465
Point-of-sale Systems (POS), 224, 229, 242, 499, 511
Point-to-point Protocol (PPP), 295, 304, 500, 511
Point-to-point Protocol over Ethernet (PPPoE), 505, 511
Policies, 20, 22, 32, 39, 75
Polymorphism, 170
Port, 293, 298, 366, 381, 392-393, 400, 414, 437, 499, 503, 506
Portfolio management, 62, 123-124, 126, 247-248
POS. See Point-of-sale Systems
Postimplementation, 117, 119, 121-122, 125, 138-140, 163-164, 209, 212, 245, 505, 516, 525
Posting, 30, 320
PPP. See Point-to-point Protocol
PPPoE. See Point-to-point Protocol over Ethernet
PPTP, 300, 511
Preventive control, 107, 192, 199, 243, 245, 351, 394, 403, 431
Prime, 95, 107, 374, 386-387, 428, 502
Prior test results, 442, 471
Privacy issues, 11, 298, 343
Private branch exchange (PBX), 333-334, 396-403, 499, 508
Private key, 216, 333, 385-391, 485, 489, 503
Private key cryptosystem, 489
Problem escalation, 263, 500
Problem management, 157, 187, 252, 254-257, 261-263, 310, 318
Procedures, 20, 22, 32, 39, 77
Processing control procedures, 221
Processing controls, 95, 107, 118, 200, 204-205, 209
Procuring alternative hardware, 442, 456
Production software, 130, 408
Professional competence, 14-15, 35
Professional ethics and standards, 18, 525
Professional, iv, 8, 10, 11, 12, 14, 15, 16, 17, 18, 24, 26, 28, 35, 37, 40, 41, 56, 81, 90, 109, 123, 129, 265, 344, 463, 469, 479, 513, 523, 525, 527, 546, 547
Program change control, 263-264
Program changes, 25, 105, 118, 183, 186, 202-203, 212, 264-265, 455
Program errors, 262
Program Evaluation Review Technique (PERT), 135
Program Evaluation Review Technique (PERT), 135-137, 500, 508
Program library management, 252, 264, 273
Program logic, 53, 154, 189, 206-207, 309, 408, 468, 506
Program migration, 119, 212, 265
Program narratives, 137, 186
Programmed controls, 201
Programming, 132, 150
Programming languages, 132, 150
Project management, 125, 130
Project management structure, 1, 116, 125
Project management techniques, 8, 41-42, 127, 130, 135, 164
Project manager, 126-131, 137, 151, 164, 167, 502
Project team, 126-130, 137, 146-147, 153, 160-161, 164, 189, 192, 209-210, 502
PROLOG, 151, 231
Promotion policies, 60, 83
Protocol, 284, 287, 295, 301
Protocol converters, 293
Prototyping, 32-33, 117, 121, 137, 148-149, 166, 168-170, 238, 500
Proxy server, 269, 354, 382, 473
PSTN. See Public-switched telephone network
Public data networks (PDNs), 296
Public key, 223, 386
Public key cryptosystem, 223, 386
Public key encryption, 388-389, 430, 432, 483, 500
Public key infrastructure (PKI), 216-217, 249, 337, 385, 389-392, 437, 439, 485, 500-501, 508
Public-switched telephone network (PSTN), 294, 396, 511
Purchase accounting system, 120, 230
PVC. See Permanent virtual circuit

QA. See Quality assurance
QAT. See Quality assurance testing
Quality assurance
Quality assurance (QA), 96, 129, 263, 266, 508
Quality assurance manager, 94
Quality assurance testing (QAT), 152, 511
Quality management, 61-62, 91-92, 111, 191, 195, 248, 328, 508
Quality management system, 91-92, 191, 195
Quantum cryptography, 333, 387
Questionnaire, iii, 42, 43, 44, 449, 547
Queue, 309-310, 500

RA. See Registration authority
RAD. See Rapid application development
Radio frequency identification (RFID), 271, 508
RAID level descriptions, 442, 462
RAID. See Redundant Array of Inexpensive Disks
Range check, 200, 496
Rapid application development (RAD), 121, 142, 169, 245, 511
RC2, 391
RC4, 391
Reactivation, 410
Read only memory (ROM), 267, 508
Reasonable assurance, 15, 20, 22, 24, 30, 312, 417
Reciprocal agreement, 454-455
Reconciliation, 100, 198-199, 201, 203, 229-230, 237, 317
Recovery alternatives, 442, 454
Recovery point objective (RPO), 452-453, 475-478, 500, 511
Recovery time objective (RTO), 452-453, 473, 475, 477-478, 501, 511
Recurring, 26, 2n, 318
Redundancy, 202, 278, 286, 313, 323, 394, 453-454, 461-462, 468
Redundancy check, 286, 394
Redundant Array of Inexpensive Disks (RAID), 442, 461-463, 501, 508, 511
Reengineering, 17, 117-118, 159, 173, 190-193, 213, 215, 243-244, 248, 343, 485, 501, 509, 511, 525
Registration authority (RA), 217, 390, 501, 511
Regression testing, 154, 501
Regulations, 8, 12-13, 21-22, 26-27, 34-35, 41, 55, 63, 68, 76, 80, 102, 203, 315, 338-340, 343, 348, 385, 396, 404, 410, 412, 414, 420, 457, 469, 481, 500, 524
Relational, 64, 144, 190, 205, 235-236, 279-281, 325, 493, 501, 504, 511
Relational online analytical processing (ROLAP), 236
Reliability, 147, 193
Reliance, 31, 69, 101, 167, l6t
Remote access, 285, 297, 364, 365, 399, 412
Remote Method Invocation (RMI), 171, 511
Remote procedure calls (RPC), 172-173, 310, 501, 503, 511
Replay protection, 389
Replicate, 352, 506
Replication, 237, 501
Repository, 159-160, 169, 189, 236, 269, 278, 377, 501
Request for information (RFI), 147, 511
Request for proposal (RFP), 146
Request for proposal (RFP), 146-147, 179, 211, 502, 511
Required vacations, 60, 84
Requirements definition, 116, 119, 128, 139, 143, 145, 148, 210, 219, 245, 502, 505
Rerun, 20, 258-259, 317, 319
Resequencing, 264
Residual risk, 19, 69, 80, 453
Resilience, 453, 502
Resource allocation, 256
Restoration, 312, 442, 444-447, 453, 466-467, 477
Restructuring, 85, 281, 501
Results analysis, 442, 465
Retention, 41, 46, 82, 201, 203, 230-231, 282, 366, 369, 444, 467
Retina, 358-359, 426, 428
Return on investment (ROI), 62, 140, 142, 163, 175, 502, 511
Reusability, 133, 169
Reverse engineering, 117, 173, 502
RFC, 328, 436
RFI. See Request for information
RFID. See Radio frequency identification
RFP. See Request for proposal
Risk analysis, 18, 80
Risk assessment, 17, 18, 19, 29
Risk assessment model, 119, 204
Risk assessment techniques, 8, 29
Risk factors, 349
Risk management (RM), 69, 78, 80, 81
Risk management process, 19, 60, 78, 80, 224
Risk management program, 60, 78
Risk-based audit approach, 15, 27-28, 53
Risk-based IS audit strategy, 10, 513
RJ, 298
RM. See Risk management
RMI. See Remote Method Invocation
Robust Secure Network (RSN), 299
ROI. See Return on investment
ROLAP. See Relational online analytical processing
ROM. See Read only memory
Rotation, 84, 282, 442, 467-468
Rounding down, 353, 502
Router, 292
RPC. See Remote procedure calls
RPO. See Recovery point objective
RSA, 224, 337, 387, 391, 430, 437, 502, 511
RSN. See Robust Secure Network
RTO. See Recovery time objective
Run-to-run totals, 200, 502

S/HTTP. See Secure Hypertext Transfer Protocol
S/MIME. See Secure Multipurpose Internet Mail Extensions
Sabotage, 350, 374, 466
Salami technique, 353
Sample audit review file (SARF), 207
Sampling, 8, 17, 26, 28, 33-37, 51, 53, 204, 207, 416, 483, 490, 497, 504, 506, 525
Sarbanes, 13, 41, 57, 109-110, 112-113, 234
SARF. See Sample audit review file
Satellite, 289-290, 298, 455, 458, 497
Scalability, 225, 285, 307, 309, 382, 463
Scanning, 36, 231, 283, 320, 337, 359, 375, 393-395, 406, 414, 416, 428-429, 431, 437, 440
SCARF. See Systems Control Audit Review File
Scheduling and Time Reporting, 60, 83
Schemas, 278-279
SCM. See Supply chain management
SCOR. See Supply Chain Operations Reference
Scrambling, 386
Screen, 143, 148, 151, 168, 189-190, 207, 211, 267-268, 304, 314, 357
Screening routers, 415
Script, 151, 350, 366, 394, 506
SD/MMC. See Secure digital multimedia card
Secure digital multimedia card (SD/MMC), 180, 512
Secure electronic transactions (SET), 12, 14, 18, 22-23, 25-26, 28, 34, 36, 38, 43, 48-49, 53, 63-64, 67, 69-70, 73, 75-76, 78, 81, 83, 89-92, 97, 111, 123, 129-130, 134-135, 141-143, 146-147, 151-153, 155, 159-160, 163-164, 170, 174, 177, 191, 193-194, 205, 208, 213, 216-217, 219, 222, 226, 228, 243, 245, 260-261, 276-277, 279-282, 284-285, 287-288, 293, 301-303, 305, 308, 337-338, 340-341, 354, 356, 358-359, 361-362, 364-365, 368-369, 373, 376, 378-379, 381-384, 390, 392, 394-395, 399, 403, 405, 418, 420-421, 462, 464, 466, 468, 482-483, 485, 489, 492, 494-496, 500-501, 503, 505, 512, 520-521, 523, 530
Secure Hypertext Transfer Protocol (HTTPS), 391-392
Secure Hypertext Transfer Protocol (S/HTTP), 392, 511
Secure Multipurpose Internet Mail Extensions (S/MIME), 392, 511
Secure shell (SSH), 392, 512
Secure Sockets Layer (SSL), 217, 270, 300, 337, 391-392, 503, 508
Security administration, 61, 74, 86, 96-97, 105, 107, 332, 339, 341, 363, 368-369, 415, 431
Security administrator, 96, 106-107, 334, 341, 357, 363, 366-368, 403-404, 408-410, 412, 429
Security awareness, 33, 96, 105, 107, 334, 339, 344, 351, 362, 365, 379, 403, 440
Security parameter indexing (SPI), 392, 512
Security policy, 60, 76-77, 96, 101, 106-107, 123, 292, 339-340, 344, 346, 348, 366, 380, 382, 384, 404, 409, 415, 427, 440
Security software, 408, 458
Security testing, 152, 337, 503
Segmentation, 48, 97, 411
Segregation of duties, 32-33, 48, 61, 96-102, 105, 107, 183, 201, 203, 225, 230, 262, 265, 317, 341-342, 350, 363, 368, 416
Sentinel, 384
Separation of duties, 100, 204, 415
Sequence checking, 36
Server, 171, 214, 268, 269, 309
Service bureau, 458
Service level agreements (SLA), 87, 103, 156-157, 257, 326, 512
Service level agreements, 371
Servlet, 306, 503
SET. See Secure electronic transactions
SH, 151, 512
SHA, 388, 391
Shareware, 378, 393, 481
Simple Mail Transport Protocol (SMTP), 295, 304, 306, 391, 395, 512
Simple Network Management Protocol (SNMP), 295, 304, 308, 512
Simple Object Access Protocol (SOAP), 173, 284, 503, 512
Simulator, 53, 208, 282
Simultaneous peripheral operations, 504, 512
Single sign-on (SSO), 361, 512
Single sign-on, 332, 337, 361, 429, 431, 512
Skeletonization, 231
SLA. See Service level agreements
SLOC. See Source lines of code
Smalltalk, 170
Smart card, 358, 373, 439, 492
SMART. See Specific, measurable, achievable, relevant, time-bound
SMF. See System management facility
SMTP. See Simple Mail Transport Protocol
SNA. See Systems network architecture
Snapshot, 123, 206
Sniffing, 371, 414
SNMP. See Simple Network Management Protocol
SOAP. See Simple Object Access Protocol
Social engineering, 332, 362, 377-378, 394, 406, 413, 494, 499
Sockets, 217, 503, 508
Software acquisition, 91, 116, 118-119, 141, 145, 148, 181, 211, 244
Software control, 252, 275
Software licensing, 253, 255, 282
Source code, 25, 29, 103, 107, 116, 132, 134, 146-148, 150, 173, 187-189, 203, 206, 213, 252, 265-266, 316, 388, 468, 472, 486, 491, 496, 501, 503
Source code comparison software, 265
Source documents, 37, 197, 199, 467-468, 494, 504
Source lines of code (SLOC), 132-133, 504
Source program, 264-265
Spamming, 337, 378
Specific, measurable, achievable, relevant, time-bound (SMART), 127, 138, 224, 302, 306, 358, 373, 387, 390, 415, 439, 492, 503, 508
SPI. See Security parameter indexing
Spoofing, 337, 371, 377-378, 381, 495
Spool, 202
Spreadsheets, 31, 45, 229, 268, 406
Sprinkler, 420-421
Spyware, 352, 481, 496, 504
SQL. See Structured Query Language
SSH. See Secure shell
SSL. See Secure Sockets Layer
SSO. See Single sign-on
Staffing, 12, 83, 137, 180, 258
Staggered, 299
Standards, 14, 18, 523
Standing data, 202, 504
Star-topology, 292
Statd, 414
Statistical sampling, 28, 33-34, 504
Stealth, 414
Steering committee, 60, 66, 71, 74-75, 85, 102, 121, 124, 126, 129-130, 237, 339
Strategic planning, 60, 74, 106, 238
Streamline, 191, 321
Stress/volume, 152
Structured analysis, 117, 165
Structured programming, 132, 150
Structured Query Language (SQL), 190, 236, 313, 320, 383, 413-414, 504, 512
Structured Query Language (SQL), 313
Stubs, 151
Stylesheet, 214, 512
Suboceanic, 307
Substantive testing, 8, 23-24, 27, 30-31, 34, 326, 504
Supercomputers, 267, 269
Supervision, 13, 15, 36, 55, 109, 186, 228, 316, 350
Supply chain management (SCM), 139, 147, 227, 240-241, 504, 512
Supply chain management, 120, 139, 240, 297, 504, 512
Supply Chain Operations Reference (SCOR), 73, 512
Surge protectors, 314, 335, 419, 421, 423
SVCs. See Switched virtual circuits
Swipe card, 425
Switched network, 218, 294, 454
Switched virtual circuits (SVCs), 294
SYN, 378, 414
SYN floods
Synchronous transmission, 294, 504
SYSGEN. See System generation
System access, 84, 100, 201, 332, 338, 341-342, 350, 354-356, 366-367, 398-400, 416, 429, 431
System control parameters, 140, 202
System development process, 151, 164, 210
System development tools, 1, 118, 188
System exits, 363, 368, 410
System generation (SYSGEN), 276, 512
System management facility (SMF), 258, 512
System software, 180, 181
System testing, 138, 140, 151-152, 154, 312, 505
Systems administration, 61, 93, 95
Systems administrator, 95, 353
Systems Control Audit Review File (SCARF), 51, 53, 207-209, 512
Systems development manager, 94
Systems network architecture (SNA), 293, 308, 326, 364, 512
Systems programming, 23, 97
SysTrust, 56, 435

Table look-ups, 200
Tagging, 206
Tape management, 38, 282, 317, 467-468, 470, 505, 512
Tape management system (TMS), 282
Tape management system (TMS), 282, 505, 512
TCL, 151
TCP/IP. See Transmission Control Protocol/Internet Protocol
TDM. See Time-division multiplexing
Technical reference documentation, 203
Technical report (TR), 57, 195, 247-248, 512
Technical support, 23, 93, 129, 146-147, 218, 256, 263, 311, 455
Teething, 125
Telecommunication networks disaster recovery, 442, 460
Telecommuting, 297
Telnet, 295, 304, 306, 378, 382, 392, 415, 435, 479
Temporal Key Integrity Protocol (TKIP), 299-300, 512
Terminal emulation software (TES), 285, 512
Terminals, 180, 197
Termination, 60, 82, 84, 258-259, 332, 347, 349-350, 360, 368, 373, 384, 390, 404-405, 424, 481
Termination policies, 60, 84
Terrestrial, 461
TES. See Terminal emulation software
Test data, 36, 51-53, 153-154, 173, 206-207, 245, 282, 341, 487, 495, 498, 505
Test data generators, 154, 487
Test execution, 442, 464
Test programs, 154, 265
Testing phase, 151-152, 155, 212, 501
TFTP. See Trivial File Transport Protocol
Thinning, 231
Thousand delivered source instructions (KDSI), 132, 510
Threats, 19, 68, 71, 77-80, 96, 224, 238, 313, 315, 333, 344, 348-349, 351, 374-377, 397-398, 415, 419, 446, 488
Timebox, 116, 137
Time-division multiplexing (TDM), 295, 512
Timesharing, 169
Timestamp, 265, 389
TKIP. See Temporal Key Integrity Protocol
TLS. See Transport Layer Security
TMS. See Tape management system
TMS DMS, 182
Toigo, 480
Token ring, 292, 295, 304, 502
Topology, 290
Topy, 226
Total risk, 18
TP. See Transaction processing
TR. See Technical report
Tracing, 36, 89, 197, 206, 265, 496
Traffic analysis, 377, 397
Transaction authorization, 61, 99, 219
Transaction flowchart, 204
Transaction log, 101, 199, 505
Transaction processing (TP), 310, 512
Transborder, 12, 253, 307, 343
Transcription, 161, 170, 200
Transmission Control Protocol/Internet Protocol (TCP/IP), 222, 505
Transport Layer Security (TLS), 327, 391, 435, 480, 512
Triggering, 402, 448
Trivial File Transport Protocol (TFTP), 461, 512
Trojan horse, 152, 352, 393, 401, 505
Tunnel, 270, 297, 392, 430, 432
Tuple, 280-281, 493, 505
Twisted pairs, 289, 505
Two-tiered, 214
UAT. See User acceptance testing
UDDI. See Universal Description, Discovery and Integration
UDP. See User Datagram Protocol
UML. See Unified Modeling Language
Unanimous, 235
Unicast, 296
Unicode, 277, 414, 505
Unified Modeling Language (UML), 170, 512
Uniform resource locator (URL), 304, 392, 490, 512
Uninterruptible power supply (UPS), 200, 314, 335, 419, 421, 423, 427, 448, 456, 466, 505, 508
Uninterruptible power supply (UPS), 314
Unit testing, 152, 161, 506
Universal Description, Discovery and Integration (UDDI), 173, 512
Universal serial bus (USB), 180, 270, 283-284, 337, 352, 358, 366, 393, 431, 506, 508, 512
UNIX, 103, 258, 268-269, 275-276, 304, 327, 381, 407, 409, 414, 482, 501, 506
UPS. See Uninterruptible power supply
Uptime, 87, 396
URL. See Uniform resource locator
USB. See Universal serial bus
User acceptance testing (UAT), 152-153, 155, 210, 246, 512
User authorization tables, 61, 100
User Datagram Protocol (UDP), 285, 293, 295, 304, 381, 414, 512
User ID, 201, 371, 496, 512
User manuals, 32, 203, 468
User satisfaction, 61, 89, 213, 323, 325
Utility programs, 153, 273, 282, 482, 505-506

Vacation, 82, 84, 378
Validity check, 200
Value-added network (VAN), 56, 58, 109-110, 114, 218-219, 222, 249, 436, 512
VAN. See Value-added network
Variable sampling, 34-35, 506
VB. See Visual Basic
Video camera, 359, 426
Virtual private network (VPN), 242, 270, 297, 300, 326, 328, 337, 354, 364-365, 380, 392, 430, 492, 512
Virtual private network (VPN), 242, 430, 492
Virus, 333, 337, 339, 351-352, 366, 371, 376, 383, 393-396, 406, 416, 427, 429, 431, 457, 506
Visual Basic (VB), 151
Voice mail, 399, 402, 506
Voice recovery, 456, 461
Voice response ordering systems, 120, 230
Voice-over IP (VoIP), 333, 395-396, 461, 503, 506, 508, 512
VoIP. See Voice-over IP
VPN. See Virtual private network
Vulnerability, 18, 36, 55, 69, 79, 267, 320, 337, 352, 398, 400-402, 406, 414, 434, 438, 526
WAP. See Wireless Application Protocol
War chalking, 333, 375-376
Warm sites, 444, 453-454
Web servers, 214, 269, 306, 391, 482
Web Services Description Language (WSDL), 173, 512
Web site, 73, 109, 213-214, 219, 304, 306, 354, 413-414, 430, 460, 479-480, 524, 546
Web-based EDI, 119, 219
WebCams, 270, 274
WEP. See Wired Equivalent Privacy
White box testing, 154
WHOIS, 413-414
Wi-Fi Protected Access (WPA), 300-301, 506-507, 512
Wired Equivalent Privacy (WEP), 242, 299, 301, 303, 506-507, 512
Wireless, 297
Wireless Application Protocol (WAP), 253, 301-303, 512, 515
Wireless local area networks (WLAN), 247, 298-300, 302-303, 327, 433-434
Wireless Markup Language (WML), 302, 512
Wireless personal area networks (WPAN), 301, 376, 512
WLAN. See Wireless local area networks
WML. See Wireless Markup Language
Workpapers, 25-26, 45, 164
Workstation, 150, 197, 268-269, 309, 314, 355, 357, 361, 366, 373, 393, 395, 402, 405, 407, 426, 490
Worms, 352, 374, 393-394, 496
WPA. See Wi-Fi Protected Access
WPAN. See Wireless personal area networks
WSDL. See Web Services Description Language
WWAN, 298, 512
WWAN. See Wireless wide area network

X.25, 253, 296, 493, 500
XML. See Extensible Markup Language
Prepare for the 9 June 2007 CISA Exam

ORDER NOW: 2007 CISA Review Materials for Exam Preparation and Professional Development

Passing the CISA exam can be achieved through an organized plan of study. To assist individuals with the development of a successful study plan, ISACA offers several study aids and review courses to exam candidates (see www.isaca.org/cisaexam for more details).

CISA Review Manual 2007 (ISACA)

CISA Review Manual 2007 has been updated and is organized according to the CISA job practice. It has been enhanced with new content to reflect changing industry principles and practices. The manual features detailed descriptions of the current tasks performed by IS auditors and the knowledge required to plan, manage and perform IS audits. This new edition features case studies to assist candidates' understanding of current practices. The manual also provides definitions of terms most commonly found on the exam, practice questions similar in content to what has previously appeared on the exam and references where additional guidance can be found on specific topics. This manual can be used as a stand-alone document for individual study or as a guide or reference for study groups and chapters conducting local review courses.

This manual has been developed and organized to assist in the study of the following areas:
• IT governance
• Systems and infrastructure life cycle management
• IT delivery and support
• Protection of information assets
• Business continuity and disaster recovery

CRM-7 English Edition
CRM-7I Italian Edition
CRM-7J Japanese Edition
CRM-7S Spanish Edition

CISA Review Questions, Answers & Explanations Manual 2006 (ISACA)

CISA Review Questions, Answers & Explanations Manual 2006 consists of 625 multiple-choice study questions. These items appeared in the 2005 edition of the CISA Review Questions, Answers & Explanations Manual and in the 2005 Supplement, but many have been enhanced or rewritten to recognize a change in practice, be more representative of the current exam question format, and/or provide further clarity or explanation of the suggested correct answer. These questions are not actual exam items, but are intended to provide the CISA candidate with an understanding of the type and structure of questions and content that have previously appeared on the exam. Questions are sorted by CISA job practice areas and a sample 200 question exam is provided.

Questions are provided in two formats:
• Questions sorted by content area: Questions, answers and explanations are provided (sorted) by the new CISA job analysis 2006 content areas. This allows the CISA candidate to study material by content area and refer to specific questions, as well as evaluate their comprehension of the topics covered within each content area.
• Sample test: Two hundred questions are selected from the 625 questions to represent a CISA-length examination arranged in the same proportion as the new CISA job analysis. Candidates are urged to use this sample test and the answer sheet provided to simulate an examination. Many candidates use this exam as a pretest to determine their own specific strengths or weaknesses and/or as a final exam. Sample exam answer sheets have been provided for both uses. In addition, a sample exam answer reference key is included. All sample test questions have been cross-referenced to the questions sorted by content area, making it convenient to refer back to the explanations of the correct answers.

2006 Editions
QAE-6ES English Edition
QAE-6IS Italian Edition
QAE-6JS Japanese Edition
QAE-6SS Spanish Edition

CISA Review Questions, Answers & Explanations Manual 2006 and 2007 Supplements (ISACA)

A CISA Review Questions, Answers and Explanations Manual Supplement is developed each year by ISACA. The 2006 and the 2007 editions consist of 100 new sample questions, answers and explanations for candidates to use in preparation for the CISA exam. The 2006 and the 2007 Supplements were created based on the CISA job practice, using a similar process for item development as that used to develop actual exam items.

QAE-7 English Edition
QAE-7I Italian Edition
QAE-7J Japanese Edition
QAE-7S Spanish Edition

2007 Editions
QAE-7ES English Edition
QAE-7FS French Edition
QAE-7IS Italian Edition
QAE-7JS Japanese Edition
QAE-7SS Spanish Edition

CISA Practice Question Database v7

A new, powerful software engine combined with 825 review questions is being developed to enhance the CISA candidate's exam preparation. This new product combines the items included in the CISA Review Questions, Answers & Explanations Manual 2006, CISA Review Questions, Answers & Explanations Manual 2006 Supplement and 2007 Supplement.

Please see www.isaca.org/cisabooks in November for details, availability and pricing concerning this new product.

To order the CISA review materials, please visit the ISACA web site at www.isaca.org/cisabooks.
CISA EVALUATION

ISACA continuously monitors the swift and profound professional, technological and environmental advances affecting the IS audit, assurance, control and security professions. Recognizing these rapid advances, the CISA Review Manual is updated annually.

To assist ISACA with keeping abreast of these advances, the ISACA Board of Directors would appreciate you taking a moment to comment on the CISA Review Manual 2007. Such feedback is invaluable to our efforts to fully serve the profession and future CISA examination candidates.

Please complete the questionnaire below and return to:

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
USA
Attention: Manager-Certification Study Program and Educational Development

1. The CISA Review Manual 2007 was (check one):
_ very helpful in preparing me for the exam.
_ helpful in preparing me for the exam.
_ not very helpful in preparing me for the exam.

2. The format of the CISA Review Manual 2007 made it (check one):
_ very easy to read.
_ readable.
_ hard to read.

3. The content of the manual was (check one):
_ too detailed in preparing me for the exam.
_ detailed enough in preparing me for the exam.
_ not detailed enough in preparing me for the exam.
If not detailed, or not detailed enough, please indicate where additional detail should be provided.

4. The case studies at the end of each chapter were (check one):
_ very helpful in preparing me for the exam.
_ helpful in preparing me for the exam.
_ not very helpful in preparing me for the exam.
If not helpful, please indicate where additional detail should be provided.

5. The practice questions at the end of each chapter were (check one):
_ very helpful in preparing me for the exam.
_ helpful in preparing me for the exam.
_ not very helpful in preparing me for the exam.

6. What other improvements would you recommend be made to the CISA Review Manual to make it more useful (be as specific as possible):

If you would like to complete this evaluation online, please go to www.isaca.org/studyaidsevaluation.

Please also note on the back of this page (or a separate page) any specific comments and/or suggestions you may have concerning errors and omissions, enhancements, references and format. If you wish, please include your name, address and phone number so we may follow up with you. Thank you for your support and assistance.
CISA

COMMENTS/SUGGESTIONS