CRM 2007 Glossary & Appendices

CISA REVIEW MANUAL 2007 (for June 2007)

Glossary, Acronyms, Appendices & Other Information

General Table of Contents

Glossary 481
Acronyms 506
Appendix A: The CISA Examination and COBIT 511
COBIT 3rd Edition 518
COBIT 4.0 519
Appendix B: IS Auditing Standards, Guidelines and Procedures 521
Relationship of Standards to Guidelines and Procedures 522
Appendix C: 2007 CISA Examination General Information 525
Requirements for Certification 525
Successful Completion of the CISA Examination 525
Experience in IS Auditing, Control and Security 525
Description of the Examination 525
Registration for the CISA Examination 526
CISA Program Accredited under ISO/IEC 17024:2003 526
Preparing for the CISA Examination 527
Types of Exam Questions 527
Administration of the Examination 527
Sitting for the Examination 527
Budgeting Your Time 528
Rules and Procedures 528
Grading the Examination 528
Index 530
Complete list of 2007 CISA Study Materials 544
Evaluation 545


CISA Glossary

Abend-An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing

Access control-The process that limits and controls access to resources of a computer system; a logical or physical control designed to protect against unauthorized entry or use

Access control list (ACL)-Also referred to as access control tables, this is an internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals.

Access control table-An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals

Access method-The technique used for selecting records in a file, one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization, which determines how the records are stored.

Access path-The logical route an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system.

Access rights-Also called permissions or privileges, these are the rights granted to users by the administrator or supervisor. Access rights determine the actions users can perform (e.g., read, write, execute, create and delete) on files in shared volumes or file shares on the server.

Access servers-Provide centralized access control for managing remote access dial-up services

Address-The code used to designate the location of a specific piece of data within computer storage

Addressing-The method used to identify the location of a participant in a network. Ideally, addressing specifies where the participant is located rather than who they are (name) or how to get there (routing).

Address space-The number of distinct locations that may be referred to with the machine address. For most binary machines, it is equal to 2^n, where n is the number of bits in the machine address.

Administrative controls-The actions dealing with operational effectiveness, efficiency and adherence to regulations and management policies

Adware-Any software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used. In most cases, this is done without any notification to the user or the user's consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user's consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as "adware" in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.

Alpha-The use of alphabetic characters or an alphabetic character string

Alternative routing-A service that allows the option of having an alternate route to complete a call when the marked destination is not available. In signaling, alternate routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signaling links or routes of that traffic stream.

American Standard Code for Information Interchange-See ASCII.

Analog-A transmission signal that varies continuously in amplitude and time and is generated in wave formation. Analog signals are used in telecommunications.

CISA Review Manual 2007 481


Anonymous File Transfer Protocol (FTP)-A method for downloading public files using the File Transfer Protocol. Anonymous FTP is called anonymous because users do not need to identify themselves before accessing files from a particular server. In general, users enter the word anonymous when the host prompts for a username; anything can be entered for the password, such as the user's e-mail address or simply the word guest. In many cases, an anonymous FTP site will not even prompt users for a name and password.

Antivirus software-Applications that detect, prevent and possibly remove all known viruses from files located in a microcomputer hard drive

Applet-A program written in a portable, platform-independent computer language, such as Java, JavaScript or Visual Basic. It is usually embedded in an HTML page downloaded from web servers and then executed by a browser on client machines to run any web-based application (e.g., generate web page input forms, run audio/video programs, etc.). Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers. However, applets expose the user's machine to risks, if not properly controlled by the browser, which should not allow an applet to access a machine's information without prior authorization of the user.

Application-A computer program or set of programs that perform the processing of records for a specific function

Application controls-Refer to the transactions and data relating to each computer-based application system and are, therefore, specific to each such application. The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein, resulting from both manual and programmed processing. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted.

Application layer-A layer within the International Organization for Standardization (ISO)/Open Systems Interconnection (OSI) model. It is used in information transfers between users through application programs and other devices. In this layer, various protocols are needed. Some of them are specific to certain applications, and others are more general for network services.

Application program-A program that processes business data through activities such as data entry, update or query. It contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort.

Application programming-The act or function of developing and maintaining applications programs in production

Application programming interface (API)-A set of routines, protocols and tools referred to as "building blocks" used in business application software development. A good API makes it easier to develop a program by providing all the building blocks related to functional characteristics of an operating system that applications need to specify, for example, when interfacing with the operating system (e.g., provided by MS Windows, different versions of UNIX). A programmer would utilize these APIs in developing applications that can operate effectively and efficiently on the platform chosen.

Arithmetic logic unit (ALU)-The area of the central processing unit that performs mathematical and analytical operations

Artificial intelligence-Advanced computer systems that can simulate human capabilities, such as analysis, based on a predetermined set of rules

ASCII (American Standard Code for Information Interchange)-Representing 128 characters, the ASCII code normally uses 7 bits. However, some variations of the ASCII code set allow 8 bits. This 8-bit ASCII code allows 256 characters to be represented.

Assembler-A program that takes as input a program written in assembly language and translates it into machine code or machine language


Asymmetric key (public key)-A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message (See public key encryption)

Asynchronous Transfer Mode (ATM)-ATM is a high-bandwidth, low-delay switching and multiplexing technology. It is a data link layer protocol. This means that it is a protocol-independent transport mechanism. ATM allows integration of

Asynchronous transmission-Character-at-a-time transmission

Attribute sampling-An audit technique used to select items from a population for audit testing purposes based on selecting all those items that have certain attributes or characteristics (such as all items over a certain size)

Audit evidence-The information used by an IS auditor to meet audit objectives

Audit objective-The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk.

Audit program-A step-by-step set of audit procedures and instructions that should be performed to complete an audit

Audit risk-The risk that information or financial reports may contain material errors or that the IS auditor may not detect an error that has occurred; also used to describe the level of risk that an auditor is prepared to accept during an audit engagement

Audit trail-A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source

Authentication-The act of verifying the identity of a user and the user's eligibility to access computerized information. Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.

Automated teller machine (ATM)-A 24-hour, stand-alone minibank, located outside branch bank offices or in public places like shopping malls. Through ATMs, clients can make deposits, withdrawals, account inquiries and transfers. Typically, the ATM network is comprised of two spheres: a proprietary sphere, in which the bank manages the transactions of its clients, and the public or shared domain, in which a client of one financial institution can use another's ATMs.

Backbone-The main communications channel of a digital network. The part of a network that handles the major traffic. It employs the highest-speed transmission paths in the network and may also run the longest distances. Smaller networks are attached to the backbone, and networks that directly connect to the end user or customer are called "access networks." A backbone can span a geographic area of any size from a single building to an office complex to an entire country. Or, it can be as small as a backplane in a single cabinet.

Backup-Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service

Badge-A card or other device that is presented or displayed to obtain access to an otherwise restricted facility, as a symbol of authority (e.g., police), or as a simple means of identification. They are also used in advertising and publicity.

Bandwidth-The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).

Bar code-A printed machine-readable code that consists of parallel bars of varied width and spacing

Base case-A standardized body of data created for testing purposes. Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.


Baseband-A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division and usually utilize a transceiver. In baseband, the entire bandwidth of the transmission medium (e.g., coaxial cable) is utilized for a single channel.

Batch control-Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage. There are two main forms of batch controls: sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed, and control total, which is a total of the values in selected fields within the transactions.

Batch processing-The processing of a group of transactions at the same time. Transactions are collected and processed against the master files at a specified time.

Bayesian filter-A method often employed by antispam software to filter spam based on probabilities. The message header and every word or number are each considered a token and given a probability score. Then the entire message is given a spam probability score. A message with a high score will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient.
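As an added illustration of the token scoring this entry describes (example code, not from the manual), the following Python builds per-token spam probabilities from a few constructed training messages and combines them into a message score; the 0.9 flagging threshold is an assumption for the demonstration.

```python
"""Token-probability spam scoring in the style the "Bayesian filter" entry
describes. Added example, not code from the CISA Review Manual.

Each token seen in training gets a spam probability from how often it occurs
in spam versus legitimate ("ham") mail; a message's score combines the
probabilities of its tokens. Training and test messages are constructed.
"""
import math
import re
from collections import Counter

# Constructed training corpora (not real mail).
SPAM_TRAINING = [
    "WIN a FREE prize now!!! click here",
    "free money claim your prize today",
    "cheap pills buy now free shipping",
]
HAM_TRAINING = [
    "meeting moved to 3pm please bring the audit report",
    "can you review the audit findings before the meeting",
    "lunch today? the report is attached",
]

SPAM_THRESHOLD = 0.9  # assumed cut-off above which a message is flagged


def tokenize(message: str) -> set:
    """Split a message into lowercase word/number tokens, each counted once."""
    return set(re.findall(r"[a-z0-9]+", message.lower()))


class BayesianFilter:
    def __init__(self, spam_messages, ham_messages):
        self.spam_docs = len(spam_messages)
        self.ham_docs = len(ham_messages)
        self.spam_counts = Counter()  # token -> number of spam messages containing it
        self.ham_counts = Counter()   # token -> number of ham messages containing it
        for message in spam_messages:
            self.spam_counts.update(tokenize(message))
        for message in ham_messages:
            self.ham_counts.update(tokenize(message))

    def token_probability(self, token: str) -> float:
        """Per-token spam probability: the token's document frequency in spam
        relative to its frequency in ham. Unseen tokens score 0.5 (no evidence);
        seen tokens are clamped to [0.01, 0.99] so one token never decides."""
        spam_rate = self.spam_counts[token] / self.spam_docs
        ham_rate = self.ham_counts[token] / self.ham_docs
        if spam_rate + ham_rate == 0:
            return 0.5
        return min(0.99, max(0.01, spam_rate / (spam_rate + ham_rate)))

    def spam_probability(self, message: str) -> float:
        """Whole-message score P = prod(p) / (prod(p) + prod(1 - p)) over the
        message's tokens, computed in log space so long messages do not
        underflow."""
        log_spam = 0.0
        log_ham = 0.0
        for token in tokenize(message):
            p = self.token_probability(token)
            log_spam += math.log(p)
            log_ham += math.log(1.0 - p)
        diff = log_ham - log_spam
        if diff > 700:          # exp() would overflow; the message is plainly ham
            return 0.0
        return 1.0 / (1.0 + math.exp(diff))

    def classify(self, message: str) -> str:
        """Return 'spam' when the message score reaches the threshold."""
        return "spam" if self.spam_probability(message) >= SPAM_THRESHOLD else "ham"


if __name__ == "__main__":
    spam_filter = BayesianFilter(SPAM_TRAINING, HAM_TRAINING)
    for text in ("claim your free prize now",
                 "please review the audit report before the meeting"):
        score = spam_filter.spam_probability(text)
        print(f"{score:.3f} {spam_filter.classify(text)}: {text}")
```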

Benchmarking-A systematic approach to comparing an organization's performance against peers and competitors in an effort to learn the best ways of conducting business (e.g., benchmarking of quality, logistical efficiency and various other metrics).

Binary code-A code whose representation is limited to 0 and 1

Biometrics-A security technique that verifies an individual's identity by analyzing a unique physical attribute, such as a handprint

Black box testing-A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code internals.

Bridge-A device that connects two similar networks together

Broadband-In broadband, multiple channels are formed by dividing the transmission medium into discrete frequency segments. It generally requires the use of a modem.

Brouters-Devices that perform the functions of both bridges and routers are called brouters. Naturally, they operate at both the data link and the network layers. A brouter connects same data link type LAN segments as well as different data link ones, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a different data link type network based on the network protocol address. When connecting same data link type networks, they are as fast as bridges, besides being able to connect different data link type networks.

Buffer-Memory reserved to temporarily hold data. Buffers are used to offset differences between the operating speeds of different devices, such as a printer and a computer. In a program, buffers are reserved areas of RAM that hold data while they are being processed.

Bus-Common path or channel between hardware devices. It can be between components internal to a computer or between external computers in a communications network.

Bus configuration-All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes. This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a connector to make a longer cable for more computers to join the network. A repeater can also be used to extend a bus configuration.


Business case-A document that provides management with sufficient information, needed to enable them to decide whether to support a proposed project, before significant resources are committed to its development. A business case includes analysis of current business process performance; associated assumptions, needs or problems; proposed solutions and potential constraints, based upon a risk-adjusted, cost-benefit analysis.

Business impact analysis (BIA)-A process to determine the impact of losing the support of any resource. The business impact analysis assessment study will establish the escalation of that loss over time. It is predicated on the fact that senior management, when provided reliable data to document the potential impact of a lost resource, can make the appropriate decision.

Business process reengineering (BPR)-Modern expression for organizational development stemming from IS/IT impacts. The ultimate goal of BPR is to yield a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings. To reengineer means redesigning a structure and procedures with intelligence and skills, while being well informed about all of the attendant factors of a given situation, so as to obtain the maximum benefits from mechanization as basic rationale.

Business risk-Potential for harm or loss in achieving business objectives

Bypass label processing (BLP)-A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system.

Capability Maturity Model (CMM)-The Capability Maturity Model (CMM) for Software, from the Software Engineering Institute (SEI), is a model used by many organizations to identify best practices useful in helping them assess and increase the maturity of their software development process.

Central processing unit (CPU)-Computer hardware that houses the electronic circuits that control/direct all operations of the computer system

Certificate (certification) authority (CA)-In cryptography, a certificate authority or certification authority (CA) is an entity which issues digital certificates for use by other parties. It is an example of a trusted third party. A certificate authority attests, as the trusted provider of the public/private key pairs, to the authenticity of the owner (entity or individual) to whom a public/private key pair has been given. The process involves a CA who makes a decision to issue a certificate based on evidence or knowledge obtained in verifying the identity of the recipient. Upon verifying the identity of the recipient, the CA signs the certificate with its private key for distribution to the user, where, upon receipt, the user will decrypt the certificate with the CA's public key (e.g., commercial CAs such as Verisign provide public keys on web browsers). The ideal CA is authoritative (someone that the user trusts) for the name or key space it represents. CAs are characteristic of many public key infrastructure (PKI) schemes. There are many commercial CAs that charge for their services. Institutions and governments may have their own CAs, and there are free CAs.

Certificate revocation list (CRL)-An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility. CRL details digital certificates that are no longer valid. The time gap between two updates is very critical and is also a risk in digital certificates verification.

Certification practice statement (CPS)-A CPS is a detailed set of rules governing the certificate authority's operations. It provides an understanding of the value and trustworthiness of certificates issued by a given CA in terms of the controls that an organization observes, the method it uses to validate the authenticity of certificate applicants and the CA's expectations of how its certificates may be used.

Channel Service Unit/Digital Service Unit (CSU/DSU)-Interfaces at the physical layer of the OSI reference model, data terminal equipment (DTE) to data circuit terminating equipment (DCE), for switched carrier networks

Check digit-A numeric value, which has been calculated mathematically, is added to data to ensure that original data have not been altered or that an incorrect, but valid match has occurred. This control is effective in detecting transposition and transcription errors.
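An added worked example (not from the manual) of the mechanism this entry describes: a weighted modulus-11 check digit, the scheme ISBN-10 uses, together with a demonstration that each of the two error types named above changes the check character. The account-style values are constructed samples.

```python
"""Weighted modulus-11 check digit with error-detection demonstration.
Added example for the glossary's "Check digit" entry; not code from the
CISA Review Manual. Sample values are constructed.

Each data digit is weighted by its position from the right (2, 3, ..., 10,
then cycling), the weighted sum is reduced modulo 11, and the check character
is chosen so the total becomes divisible by 11. Because every weight and every
difference of adjacent weights is non-zero modulo 11, a single wrong digit
(transcription error) or a swap of two adjacent digits (transposition error)
always changes the result and is detected.
"""


def compute_check_digit(data: str) -> str:
    """Return the mod-11 check character ('0'-'9' or 'X') for a decimal string."""
    if not data or not data.isdigit():
        raise ValueError("check digit input must be a non-empty decimal string")
    total = 0
    for position, char in enumerate(reversed(data)):
        weight = 2 + position % 9        # weights 2..10, then 2 again
        total += int(char) * weight
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def append_check_digit(data: str) -> str:
    """Attach the check character to the data, as a system would on creation."""
    return data + compute_check_digit(data)


def verify(value: str) -> bool:
    """Recompute the check character of value[:-1] and compare with value[-1]."""
    if len(value) < 2:
        return False
    data, check = value[:-1], value[-1].upper()
    try:
        return compute_check_digit(data) == check
    except ValueError:
        return False


def error_detection_demo(value: str) -> dict:
    """Apply the two error types the glossary names to a valid value and
    report whether verify() rejects each mutated copy.

    Mutations are constructed here: the transcription error alters the first
    data digit by one; the transposition error swaps the first adjacent pair
    of differing digits.
    """
    if not verify(value):
        raise ValueError("demo requires a value that already verifies")
    digits = list(value[:-1])
    check = value[-1]

    transcribed = digits.copy()
    transcribed[0] = str((int(transcribed[0]) + 1) % 10)

    transposed = digits.copy()
    for i in range(len(transposed) - 1):
        if transposed[i] != transposed[i + 1]:
            transposed[i], transposed[i + 1] = transposed[i + 1], transposed[i]
            break

    return {
        "transcription_detected": not verify("".join(transcribed) + check),
        "transposition_detected": not verify("".join(transposed) + check),
    }


if __name__ == "__main__":
    account = append_check_digit("030640615")   # constructed sample data
    print(account, verify(account), error_detection_demo(account))
```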


Checklist-A list of items that is used to verify the completeness of a task or goal. A checklist is used in quality assurance (and in general, in information systems audit) to check process compliance, code standardization and error prevention, and other items for which consistency processes or standards have been defined.

Checksum-A cryptographic checksum is a mathematical value that is assigned to a file and used to "test" the file at a later date to verify that the data contained in the file has not been maliciously changed. A cryptographic checksum is created by performing a complicated series of mathematical operations (known as a cryptographic algorithm) that translates the data in the file into a fixed string of digits called a hash value, which is then used as the checksum. Without knowing which cryptographic algorithm was used to create the hash value, it is highly unlikely that an unauthorized person would be able to change data without inadvertently changing the corresponding checksum. Cryptographic checksums are used in data transmission and data storage. Cryptographic checksums are also known as message authentication codes, integrity check-values, modification detection codes or message integrity codes.

Ciphertext-Information generated by an encryption algorithm to protect the cleartext. The ciphertext is unintelligible to the unauthorized reader.

Client-server-A group of computers connected by a communications network, where the client is the requesting machine and the server is the supplying machine. Software is specialized at both ends. Processing may take place on either the client or the server, but it is transparent to the user.

Coaxial cable-It is composed of an insulated wire that runs through the middle of each cable; a second wire that surrounds the insulation of the inner wire like a sheath; and the outer insulation, which wraps the second wire. Coaxial cable has a greater transmission capacity than standard twisted-pair cables but has a limited range of effective distance.

Cohesion-The extent to which a system unit (subroutine, program, module, component, subsystem) performs a single dedicated function. Generally, the more cohesive the units are, the easier it is to maintain and enhance a system, since it is easier to determine where and how to apply a change.

Cold site-An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place. The site is ready to receive the necessary replacement computer equipment in the event the users have to move from their main computing location to the alternative computer facility.

Communication processor-A computer embedded in a communications system that generally performs basic tasks of classifying network traffic and enforcing network policy functions. An example is the message data processor of a DDN switching center. More advanced communications processors may perform additional functions.

Comparison program-A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences

Compensating control-An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions

Compiler-A program that translates programming language (source code) into machine executable instructions (object code)

Completely connected (mesh) configuration-A network topology in which devices are connected with many redundant interconnections between network nodes. (Primarily used for backbone networks.)

Completeness check-A procedure designed to ensure that no fields are missing from a record

Compliance testing-Audit tests that determine if internal controls are being applied in a manner described in the documentation and in accordance with management's intents. These are tests that are used to determine whether internal controls actually exist and are working effectively.


Components (as in component-based development)-Cooperating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as many predeveloped, pretested components as possible.

Comprehensive audit-An audit designed to determine the accuracy of financial records, as well as evaluate the internal controls of a function or department

Computer emergency response team (CERT)-A group of people integrated at the organization with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.

Computer-aided software engineering (CASE)-The use of software packages that aid in the development of all phases of an information system. System analysis, design, programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.

Computer-assisted audit technique (CAAT)-Any automated audit technique, such as generalized audit software, test data generators, computerized audit programs and specialized audit utilities

Computer forensics-The application of the scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communications and digital storage devices) in a way that is admissible as evidence in a court of law.

Concurrency control-Refers to a class of controls used in database management systems (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serial and recoverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions.

Console log-An automated detail report of computer system activity

Continuity-Preventing, mitigating and recovering from disruption. The terms business resumption planning, disaster recovery planning and contingency planning also may be used in this context; they all concentrate on the recovery aspects of continuity.

Continuous improvement-The goals of continuous improvement (Kaizen) include the elimination of waste, defined as "activities that add cost but do not add value;" just-in-time delivery; production load leveling of amounts and types; standardized work; paced moving lines; right-sized equipment, and so on. A closer definition of the Japanese usage of Kaizen is "to take it apart and put back together in a better way." What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes.

Control group-Members of the operations area that are responsible for the collection, logging and submission of input for the various user groups

Control risk-The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls

Control section-The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic-logic, internal storage and output sections of the computer


Cookie-A message kept in the web brmvser for the purpose of identifying: users and possibly preparing customized webpages for them. For the first time, a user may be required to go through a registration process. Subsequent to this, wheneverthe cookie's message is sent to the server. a customized view, based on that user's preferences, can be produced. Thebrowser's implementation of cookies has however brought several security concerns, allowing breaches of security and thetheft of personal information (e.g., user pass\vords that validate the user's identity ,md enable restricted web services).

Corporate governaIlcc-The system by which organizations are Jiteered and controlled. Boards of directors areresponsible for the governance of their organizations. It consists of the lead~rship and organizational structures andprocesses that ensure the organization sustains and extends strategies and objectives.

Corrective controls-These controls are designed to correct errors, omissions and unnuthorized uses and intrusions oncethey are detected.

Countermeasures-An action, process, device or system thnt can prevent or mitigate the effects of threats to a computer,server or network. In this context, a threat is a potential or actual adverse event that may be malicious or incidental, and thatcan compromise the assets of an enterprise or the integrity of a computer or network. Internal controls are countermeasures,as they mitigate the risks presented by the threats. Countermeasures can tak~ the form of software, hardware and modesof behavior.

Coupling-Measure of interconnectivity. among software program modules' structure. Coupling depends on the interfacecomplexity between modules. This can be defined as the point at which entry or reference is made to a module, and whatdata pass across the interface. In application software design, it is preferable to strive for the lowest possible couplingbetween modules. Simple connectivity among modules results in software that is easier to understand, maintain and lessprone to a ripple or domino effect, caused when errors occur at one location and propagate through a system.

Customer relationship management (CRM)-Customer relationship management is a way to identify, acquire and retain customers. CRM is also an industry term for software solutions that help an organization manage customer relationships in an organized manner.

Data communications-The transfer of data between separate computer processing sites/devices using telephone lines, microwave and/or satellite links

Data custodian-Individuals and departments responsible for the storage and safeguarding of computerized information. This typically is within the IS organization.

Data dictionary-A data dictionary is a database that contains the name, type, range of values, source, and authorization for access for each data element in a database. It also indicates which application programs use that data so that when a data structure is contemplated, a list of the affected programs can be generated. The data dictionary may be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database.

Data Encryption Standard (DES)-A private key cryptosystem published by the National Bureau of Standards (NBS), the predecessor of the US National Institute of Standards and Technology (NIST). DES has been used commonly for data encryption in the forms of software and hardware implementation. (Also see private key cryptosystem.)

Data leakage-Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes

Data owner-Individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting and use of computerized data

Data security-Those controls that seek to maintain confidentiality, integrity and availability of information

Data structure-The relationships among files in a database and among data items within each file

Database-A stored collection of related data needed by organizations and individuals to meet their information processing and retrieval requirements

Database administrator (DBA)-An individual or department responsible for the security and information classification of the shared data stored on a database system. This responsibility includes the design, definition and maintenance of the database.

Database management system (DBMS)-A complex set of software programs that control the organization, storage and retrieval of data in a database. It also controls the security and integrity of the database.

Database specifications-These are the requirements for establishing a database application. They include field definitions, field requirements, and reporting requirements for the individual information in the database.

Decentralization-The process of distributing computer processing to different locations within an organization

Decision support system (DSS)-An interactive system that provides the user with easy access to decision models and data from a wide range of sources, to support semistructured decision-making tasks, typically for business purposes

Decryption key-A piece of information, in a digitized form, used to recover the plaintext from the corresponding ciphertext by decryption

Decryption-A technique used to recover the original plaintext from the ciphertext, such that it is intelligible to the reader. The decryption is a reverse process of the encryption.

Detection risk-The risk that material errors or misstatements that have occurred will not be detected by the IS auditor

Detective control-These controls exist to detect and report when errors, omissions and unauthorized use or entry occur.

Dial-back-Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the caller is from a valid phone number or telecommunications channel.

Digital signature-A piece of information, a digitized form of a signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender's private key or applying a one-way hash function.

Disaster tolerance-Disaster tolerance is the time gap during which the business can accept the non-availability of IT facilities.

Discovery sampling-A form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population

Discretionary access control (DAC)-A protection that may be activated or modified by the data owner at his/her discretion. This would be the case of data-owner-defined sharing of information resources, where the data owner may select who can access his/her resource and the security level of the access. Discretionary access controls cannot override mandatory access controls; they act as an additional filter, prohibiting still more access with the same exclusionary principle.

Diskless workstations-A workstation or PC on a network that does not have its own disk. Instead, it stores files on a network file server

Distributed data processing network-A system of computers connected together by a communications network. Each computer processes its data, and the network supports the system as a whole. Such a network enhances communication among the linked computers and allows access to shared files.


DNS poisoning-Domain name system poisoning, also called DNS cache poisoning or cache poisoning, corrupts the table of an Internet server's DNS, replacing an Internet address with the address of another vagrant or scoundrel address. If a web user looks for the page with that address, the request is redirected by the scoundrel entry in the table to a different address. Cache poisoning differs from another form of DNS poisoning, in which the attacker spoofs valid e-mail accounts and floods the inboxes of administrative and technical contacts. Cache poisoning is related to URL poisoning or location poisoning, where an Internet user's behavior is tracked by adding an identification number to the location line of the browser that can be recorded as the user visits successive pages on the site.

Downloading-The act of transferring computerized information from one computer to another computer

Downtime report-A report that identifies the elapsed time when a computer is not operating correctly because of machine failure

Dumb terminal-A display terminal without processing capability. Dumb terminals are dependent upon the main computer for processing. All entered data are accepted without further editing or validation.

EBCDIC (Extended Binary-coded Decimal Interchange Code)-An 8-bit code representing 256 characters; used in most large computer systems.

Edit controls-Detect errors in the input portion of information that is sent to the computer for processing. The controls may be manual or automated and allow the user to edit data errors before processing.

Editing-Editing ensures that data conform to predetermined criteria and enable early identification of potential errors.

Electronic data interchange (EDI)-The electronic transmission of transactions (information) between two organizations. EDI promotes a more efficient paperless environment. EDI transmissions can replace the use of standard documents, including invoices or purchase orders.

Electronic funds transfer (EFT)-The exchange of money via telecommunications. EFT refers to any financial transaction that originates at a terminal and transfers a sum of money from one account to another.

E-mail/interpersonal messaging-An individual using a terminal, PC or an application can access a network to send an unstructured message to another individual or group of people.

Embedded audit module-A screening process that is incorporated into the regular production programs. The module selects items during the regular production runs that fulfill certain criteria established by the IS auditor and usually outputs or copies these items to a file or report.

Encapsulation (objects)-Encapsulation is the technique used by layered protocols in which a lower-layer protocol accepts a message from a higher-layer protocol and places it in the data portion of a frame in the lower layer.

Encryption-A technique used to protect the plaintext, by coding the data so it is unintelligible to the reader

Encryption key-A piece of information, in a digitized form, used by an encryption algorithm to convert the plaintext to the ciphertext

End-user computing-The ability of end users to design and implement their own information system, utilizing computer software products

Enterprise resource planning (ERP)-An enterprise resource planning system is an integrated system containing multiple business subsystems. Examples include SAP, Oracle Financials and J.D. Edwards.


Escrow agent-A person, agency or organization that is authorized to act on behalf of another to create a legal relationship with a third party in regards to an escrow agreement. In other words, an escrow agent is the custodian of an asset according to an escrow agreement. As it relates to a cryptographic key, it is the agency or organization charged with the responsibility for safeguarding the key components of the unique key.

Escrow agreement-A legal arrangement whereby an asset (often money, but sometimes other property such as art, a deed of title, web site, software source code or a cryptographic key) is delivered to a third party (called an escrow agent) to be held in trust or otherwise pending a contingency or the fulfillment of a condition or conditions in a contract. Upon that event occurring, the escrow agent will deliver the asset to the proper recipient; otherwise the escrow agent is bound by his/her fiduciary duty to maintain the escrow account. Source code escrow means deposit of the source code for the software into an account held by an escrow agent. Escrow is typically requested by a party licensing software (e.g., licensee or buyer), to ensure maintenance of the software. The software source code is released by the escrow agent to the licensee if the licensor (e.g., seller or contractor) files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement.

Ethernet-A popular network protocol and cabling scheme that uses a bus topology and CSMA/CD (carrier sense multiple access/collision detection) to prevent network failures or collisions when two devices try to access the network at the same time

Evidence-The information an auditor gathers in the course of performing an IS audit. Evidence is relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support.

Exception reports-An exception report is generated by a program that identifies transactions or data that appear to be incorrect. These items may be outside a predetermined range or may not conform to specified criteria.

Exclusive-OR (XOR)-The XOR operation is a Boolean operation that produces a 0 if its two Boolean inputs are the same (0 and 0 or 1 and 1) and it produces a 1 if its two inputs are different (1 and 0). In other words, the exclusive-OR operator returns a value of TRUE only if just one of its operands is TRUE. In contrast, an inclusive-OR operator returns a value of TRUE if either or both of its operands are TRUE.

Executable code-The machine language code that is generally referred to as the object or load module

Expert systems-Expert systems are the most prevalent type of computer systems that arise from the research of artificial intelligence. An expert system has a built-in hierarchy of rules which are acquired from human experts in the appropriate field. Once input is provided, the system should be able to define the nature of the problem and provide recommendations to solve the problem.

Exposure-A potentially adverse result or consequence to be considered in the evaluation of internal controls. Strengthening internal controls can reduce exposure but seldom eliminates it.

Extended Binary-coded Decimal Interchange Code-See EBCDIC. An 8-bit code representing 256 characters; used in most large computer systems

Extensible Markup Language (XML)-Promulgated through the World Wide Web Consortium, XML is a web-based application development technique that allows designers to create their own customized tags, thus enabling the definition, transmission, validation and interpretation of data between applications and organizations

Extranet-A private network that resides on the Internet and allows a company to securely share business information with customers, suppliers or other businesses, as well as to execute electronic transactions. It is different from an Intranet in that it is located beyond the company's firewall. Therefore, an Extranet relies on the use of securely issued digital certificates (or alternative methods of user authentication) and encryption of messages. A virtual private network (VPN) and tunneling are often used to implement Extranets, to ensure security and privacy.


Fallback procedures-A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended. These may involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation.

False authorization-Also called false acceptance, it occurs when an unauthorized person is identified as an authorized person by the biometric system.

False enrollment-Occurs when an unauthorized person manages to enroll into the biometric system (enrollment is the initial process of acquiring a biometric feature and saving it as a personal reference on a smart card, a PC or in a central database).

Feasibility study-A phase of an SDLC methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need

Fiber-optic cable-Glass fibers that transmit binary signals over a telecommunications network. Fiber-optic systems have low transmission losses as compared to twisted-pair cables. They do not radiate energy or conduct electricity. They are free from corruption and lightning-induced interference, and reduce the risk of wiretaps.

Field-An individual data element in a computer record. Examples include employee name, customer address, account number, product unit price and product quantity in stock.

File-A named collection of related records

File allocation table (FAT)-A table used by the operating system to keep track of where every file is located on the disk. Since a file is often fragmented and thus subdivided into many sectors within the disk, the information stored in the FAT is used when loading or updating the contents of the file.

File layout-Specifies the length of the file's record and the sequence and size of its fields. A file layout also will specify the type of data contained within each field. For example, alphanumeric, zoned decimal, packed and binary are types of data.

File server-A high-capacity disk storage device or a computer that stores data centrally for network users and manages access to that data. File servers can be dedicated so that no process other than network management can be executed while the network is available; file servers can be nondedicated so that standard user applications can run while the network is available.

Financial audit-An audit designed to determine the accuracy of financial records and information

Firewall-A device that enforces security policies for traffic traversing to and from different network segments. A firewall no longer only protects a company from the Internet, but also protects sensitive segments within organizations.

Firmware-Memory chips with embedded program code that hold their content when power is turned off

Foreign key-A foreign key is a value that represents a reference to a tuple (a row in a table) containing the matching candidate key value (in the relational theory it would be a candidate key, but in real DBMS implementations it is always the primary key). The problem of ensuring that the database does not include any invalid foreign key values is therefore known as the referential integrity problem. The constraint that values of a given foreign key must match values of the corresponding candidate key is known as a referential constraint. The relation (table) that contains the foreign key is referred to as the referencing relation and the relations that contain the corresponding candidate key as the referenced relation or target relation.
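The referential constraint and the referential integrity problem described in this entry, as an added example that is not from the manual. It uses Python's sqlite3 module with two constructed tables, department (the referenced relation, whose primary key is dept_id) and employee (the referencing relation, whose dept_id is the foreign key). SQLite enforces FOREIGN KEY clauses only when its foreign_keys pragma is on, so the same code shows an orphan row being accepted when the constraint is not enforced and rejected when it is, together with the audit query an IS auditor could run to find dangling foreign key values.

```python
import sqlite3

# Constructed schema (not from the manual): department is the referenced (target)
# relation; employee is the referencing relation carrying the foreign key.
SCHEMA = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,   -- candidate (primary) key of the referenced relation
    name    TEXT NOT NULL
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER NOT NULL,
    -- referential constraint: every employee.dept_id must match a department.dept_id
    FOREIGN KEY (dept_id) REFERENCES department (dept_id)
);
"""

# Constructed sample rows: only departments 10 and 20 exist, so dept_id 99 is invalid.
DEPARTMENTS = [(10, "Internal Audit"), (20, "IT Operations")]


def build_db(enforce_referential_constraint: bool) -> sqlite3.Connection:
    """Create an in-memory database, optionally enforcing FOREIGN KEY clauses.
    The pragma must be set before any transaction is open, hence first."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_referential_constraint else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO department VALUES (?, ?)", DEPARTMENTS)
    conn.commit()
    return conn


def try_insert_employee(conn: sqlite3.Connection, emp_id: int, name: str, dept_id: int) -> bool:
    """Attempt to insert a referencing row; return True if the DBMS accepted it."""
    try:
        conn.execute("INSERT INTO employee VALUES (?, ?, ?)", (emp_id, name, dept_id))
        conn.commit()
        return True
    except sqlite3.IntegrityError:  # raised when the referential constraint is violated
        conn.rollback()
        return False


def dangling_foreign_keys(conn: sqlite3.Connection) -> list:
    """Audit query: employees whose dept_id matches no department row.
    With the referential constraint enforced this list is always empty."""
    return conn.execute(
        "SELECT e.emp_id, e.dept_id FROM employee e "
        "LEFT JOIN department d ON d.dept_id = e.dept_id "
        "WHERE d.dept_id IS NULL"
    ).fetchall()


def demo() -> dict:
    """Run the same two inserts with and without enforcement.
    Returns {enforced: (valid_row_accepted, invalid_row_accepted, dangling_rows)}."""
    results = {}
    for enforced in (False, True):
        conn = build_db(enforced)
        ok_valid = try_insert_employee(conn, 1, "Alice", 10)    # department 10 exists
        ok_invalid = try_insert_employee(conn, 2, "Bob", 99)    # department 99 does not
        results[enforced] = (ok_valid, ok_invalid, dangling_foreign_keys(conn))
        conn.close()
    return results


if __name__ == "__main__":
    for enforced, (ok_valid, ok_invalid, dangling) in demo().items():
        print("constraint enforced:", enforced,
              "| valid insert accepted:", ok_valid,
              "| invalid insert accepted:", ok_invalid,
              "| dangling foreign keys:", dangling)
```

With enforcement off, the invalid row is stored and the LEFT JOIN query surfaces it as a referential integrity finding; with enforcement on, the DBMS rejects it and the query returns nothing. The pragma is SQLite-specific; most server DBMSs enforce declared foreign keys unconditionally.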

Fourth-generation language (4GL)-English-like, user-friendly, nonprocedural computer languages used to program and/or read and process computer files


Frame relay-A packet-switched wide area network technology that provides faster performance than older packet-switched WAN technologies, such as X.25 networks, because it was designed for today's reliable circuits and performs less rigorous error detection. Frame relay is best suited for data and image transfers. Because of its variable-length packet architecture, it is not the most efficient technology for real-time voice and video. In a frame-relay network, end nodes establish a connection via a permanent virtual circuit (PVC).

Gateway-A hardware/software package that is used to connect networks with different protocols. The gateway has its own processor and memory and can perform protocol and bandwidth conversions.

Generalized audit software (GAS)-Multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting

Geographical information system (GIS)-A tool used to integrate, convert, handle, analyze and produce information regarding the surface of the earth. These data exist as maps, tridimensional virtual models, lists and tables.

Governance-See corporate governance.

Hardware-Relates to the technical and physical features of the computer

Help desk-A service offered via phone/Internet by an organization to its clients or employees, which provides information, assistance and troubleshooting advice regarding software, hardware or networks. A help desk is staffed by people that can either resolve the problem on their own or escalate the problem to specialized personnel. A help desk is often equipped with dedicated CRM-type software that logs the problems and tracks them until they are solved.

Heuristic filter-A method often employed by antispam software to filter spam using criteria established in a centralized rule database. Every e-mail message is given a rank, based upon its header and contents, which is then matched against preset thresholds. A message that surpasses the threshold will be flagged as spam and discarded, returned to its sender or put in a spam directory for further review by the intended recipient.
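The ranking-against-thresholds mechanism this entry describes, as an added example that is not from the manual or any antispam product. The rule database, point values, the two thresholds (one that routes a message to a spam directory for the recipient's review, a higher one that discards it) and the three sample messages are all constructed for the illustration; a real filter would carry hundreds of rules and tune its thresholds per site.

```python
import re
from email import message_from_string
from email.message import Message

# Thresholds are assumptions for this example; real products tune them per site.
SPAM_THRESHOLD = 3.0     # at or above: hold in a spam directory for the recipient to review
DISCARD_THRESHOLD = 6.0  # at or above: treat as certain spam and discard


def body_of(msg: Message) -> str:
    """Return the decoded text body of a (non-multipart) message."""
    payload = msg.get_payload(decode=True)
    if isinstance(payload, bytes):
        return payload.decode("utf-8", errors="replace")
    return payload or ""


# Constructed rule database (not from the manual): (description, predicate, points).
# A predicate returns True when its heuristic fires on the parsed message; rules
# look at both header fields and body contents, as the entry describes.
RULES = [
    ("subject entirely in capitals",
     lambda m: (m["Subject"] or "").isupper(), 2.0),
    ("missing Message-ID header",
     lambda m: m["Message-ID"] is None, 1.5),
    ("Reply-To differs from From",
     lambda m: m["Reply-To"] is not None and m["Reply-To"] != m["From"], 1.0),
    ("money or prize keywords in body",
     lambda m: re.search(r"\b(free|winner|prize|wire transfer)\b", body_of(m), re.I) is not None, 2.5),
    ("three or more exclamation marks in body",
     lambda m: body_of(m).count("!") >= 3, 1.0),
]


def score_message(msg: Message):
    """Rank the message: the sum of the points of every rule that fires."""
    hits = [(desc, pts) for desc, test, pts in RULES if test(msg)]
    return sum(pts for _, pts in hits), hits


def classify(raw_message: str):
    """Parse a raw RFC 822 message, rank it and map the rank to a disposition.
    Returns (disposition, score, list of (rule description, points) that fired)."""
    msg = message_from_string(raw_message)
    score, hits = score_message(msg)
    if score >= DISCARD_THRESHOLD:
        disposition = "discard"
    elif score >= SPAM_THRESHOLD:
        disposition = "spam-directory"   # held for review by the intended recipient
    else:
        disposition = "deliver"
    return disposition, score, hits


# Constructed sample messages (not real mail).
LEGIT_RAW = """From: auditor@example.com
To: sysadmin@example.com
Subject: Audit evidence request
Message-ID: <20070601.1@example.com>

Please send the access logs for Q2 to the audit team.
"""

BORDERLINE_RAW = """From: vendor@example.com
Reply-To: sales@example.org
To: sysadmin@example.com
Subject: Evaluation offer

Sign up for a free evaluation of our log analysis tool.
"""

SPAM_RAW = """From: promo@example.com
Reply-To: claims@example.net
To: sysadmin@example.com
Subject: YOU ARE A WINNER

Claim your free prize now!!! Wire transfer required.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_RAW), ("borderline", BORDERLINE_RAW), ("spam", SPAM_RAW)):
        disposition, score, hits = classify(raw)
        print("%-10s score=%4.1f -> %-14s %s" % (name, score, disposition, [d for d, _ in hits]))
```

Keeping the per-rule hits alongside the score is what lets the recipient (or an auditor) see why a message landed in the spam directory, and it is also how a site tunes individual rule weights when legitimate mail is being held.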

Hierarchical database-A database structured in a tree/root or parent/child relationship. Each parent can have many children, but each child may have only one parent.

Honeypot-A trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems. Generally, it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information or a resource that would be of value to attackers. Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker can use them to actually break into a system. A honeypot that masquerades as an open proxy is known as a sugarcane. A honeypot is valuable as a surveillance and early-warning tool. While often a computer, a honeypot can take on other forms, such as files or data records, or even unused IP address space. Honeypots should have no production value and, hence, should not see any legitimate traffic or activity. Whatever they capture can then be surmised as malicious or unauthorized. One very practical implication of this is that honeypots designed to thwart spam by masquerading as systems of the types abused by spammers to send spam can categorize the material they trap 100 percent accurately: it is all illicit. A honeypot needs no spam-recognition capability, no filter to separate ordinary e-mail from spam. Ordinary e-mail never comes to a honeypot.

Hot site-A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster

Hypertext markup language (HTML)-A language designed for the creation of web pages with hypertext and other information to be displayed in a web browser. HTML is used to structure information-denoting certain text as headings, paragraphs, lists and so on-and can be used to describe, to some degree, the appearance and semantics of a document.

Image processing-The process of electronically inputting source documents by taking an image of the document, thereby eliminating the need for key entry


Impact assessment-A study of the potential future effects of a development project on current projects and resources. The resulting document should list the pros and cons of pursuing a specific course of action.

Impersonation-Impersonation, as a security concept related to Windows NT, allows a server application to temporarily "be" the client in terms of access to secure objects. Impersonation has three possible levels: identification, letting the server inspect the client's identity; impersonation, letting the server act on behalf of the client; and delegation, the same as impersonation but extended to remote systems to which the server connects (through the preservation of credentials). Impersonation by imitating or copying the identification, behavior or actions of another may also be used in social engineering to obtain otherwise unauthorized physical access.

Independence-An IS auditor's self-governance and freedom from conflict of interest and undue influence. The IS auditor should be free to make his/her own decisions, not influenced by the organization being audited and its people (managers and employees).

Indexed sequential access method (ISAM)-A disk access method that stores data sequentially, while also maintaining an index of key fields to all the records in the file for direct access capability.

Information processing facility (IPF)-The computer room and support areas

Information security governance-The leadership, organizational structures and processes that safeguard information

Inherent risk-The risk that a material error could occur, assuming that there are no related internal controls to prevent or detect the error (Also see control risk)

Input controls-Techniques and procedures used to verify, validate and edit data, to ensure that only correct data are entered into the computer

Instant messaging-An online mechanism or a form of real-time communication between two or more people based on typed text and multimedia data. The text is conveyed via computers or another electronic device (e.g., cell phone or PDA) connected over a network, such as the Internet.

Integrated services digital network (ISDN)-A public end-to-end digital telecommunications network with signaling, switching and transport capabilities supporting a wide range of services accessed by standardized interfaces with integrated customer control. The standard allows transmission of digital voice, video and data over 64 Kbps lines.

Integrated test facilities (ITF)-A testing methodology where test data are processed in production systems. The data usually represent a set of fictitious entities such as departments, customers and products. Output reports are verified to confirm the correctness of the processing.

Internet-1) Two or more networks connected by a router; 2) the world's largest network using TCP/IP protocols to link government, university and commercial institutions.

Internet Engineering Task Force (IETF)-The Internet standards-setting organization with affiliates internationally from network industry representatives. This includes all network industry developers and researchers concerned with evolution and planned growth of the Internet.

Internet packet (IP) spoofing-An attack using packets with spoofed source Internet packet (IP) addresses. This technique exploits applications that use authentication based on IP addresses. This technique also may enable an unauthorized user to gain root access on the target system.

Irregularities-Intentional violations of established policy or willful misstatements or omissions of information


IT governance framework-A model that integrates a set of guidelines, policies and methods that represent the organizational approach to IT governance. Per COBIT 4.0, IT governance is the responsibility of the board of directors and executive management. It is an integral part of institutional governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategy and objectives.

IT infrastructure-The set of hardware, software and facilities that integrates an organization's IT assets. Specifically, the equipment (including servers, routers, switches and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the organization's users.

Kaizen-See continuous improvement.

Key performance indicator (KPI)-Defined measures that determine how well the process is performing in enabling thegoal to be reached. They are lead indicators of whether a goal will likely be reached or not, and are good indicators ofcapabilities, practices and skills. They measure the activity goals, which are the actions the process owner must take toachieve effective process performance.

Librarian-The individual responsible for the safeguard and maintenance of all program and data files

Licensing agreement-A contract that establishes the terms and conditions under which a piece of software is being licensed (i.e., made legally available for use) from the software developer (owner) to the user

Limit check-Tests of specified amount fields against stipulated high or low limits of acceptability. When both high and low values are used, the test may be called a range check.

Literals-Any notation for representing a value within programming language source code, e.g., a string literal; a chunk of input data that is represented "as is" in compressed data

Local area network (LAN)-Communications networks that serve several users within a specified geographical area.Personal computer LANs function as distributed processing systems in which each computer in the network does its ownprocessing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all usersin the network.

Log-Records details of the information or events in an organized record-keeping system, usually sequenced in the orderthey occurred

Logon-The process of connecting to the computer. It typically requires entry of a user ID and password into a computerterminal.

Malware-Short for "malicious software," malware is software designed to infiltrate, damage or obtain information from a computer system without the owner's consent. Malware is commonly taken to include computer viruses, worms, Trojan horses, spyware and adware. Spyware is generally used for marketing purposes and, as such, is not really malicious, although it is generally unwanted. However, spyware can also be used to gather information for identity theft or other clearly illicit purposes.

Management information system (MIS)-An organized assembly of resources and procedures required to collect, process and distribute data for use in decision making.

Mandatory access controls (MAC)-Logical access control filters, used to validate access credentials, that cannot be controlled or modified by normal users or data owners; they act by default. Conversely, those controls that may be configured or modified by the users or data owners are called discretionary access controls.


Mapping-Diagramming data that is to be exchanged electronically, including how it is to be used and what business management systems need it. It is a preliminary step for developing an applications link. (Also see application tracing and mapping.)

Materiality-An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. An expression of the relative significance or importance of a particular matter in the context of the organization as a whole.

Maturity model-A collection of instructions an organization can follow to gain better control over its software development process. The Capability Maturity Model (CMM) for Software, from the Software Engineering Institute (SEI), is a model used by many organizations to identify best practices useful in helping them assess and increase the maturity of their software development processes. The CMM ranks software development organizations according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature, or chaotic, processes and the standards for level five describe the most mature, or quality, processes.

Media Access Control (MAC)-A unique, 48-bit, hard-coded address of a physical layer device, such as an Ethernet LAN or a wireless network card. The MAC is applied to the hardware at the factory and cannot be modified.

Media oxidation-The deterioration of the media (e.g., tapes) upon which data is digitally stored due to exposure to oxygen and moisture, for example, tapes deteriorating in a warm, humid environment. Proper environmental controls should prevent, or significantly slow, this process.

Message switching-A telecommunications traffic controlling methodology in which a complete message is sent to a concentration point and stored until the communications path is established.

Middleware-Another term for an application programmer interface (API). It refers to the interfaces that allow programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.

Milestone-A terminal element that marks the completion of a work package or phase, typically marked by a high-level event such as project completion; receipt, endorsement or signing of a previously defined deliverable; or a high-level review meeting at which the appropriate level of project completion is determined and agreed to. Typically, a milestone is associated with some sort of decision that outlines the future of a project and, for an outsourced project, may have a payment to the contractor associated with it.

Mission-critical application-An application that is vital to the operation of the organization. The term is very popular for describing the applications required to run the day-to-day business.

Mobile site-This is a specially designed trailer that can be quickly transported to a business location or to an alternate site to provide a ready-conditioned information processing facility. These mobile sites can be connected to form larger work areas and can be preconfigured with servers, desktop computers, communications equipment, and even microwave and satellite data links.

Modulation-The process of converting a digital computer signal into an analog telecommunications signal

Monetary unit sampling-A sampling technique that estimates the amount of overstatement in an account balance

Network-A system of interconnected computers and the communications equipment used to connect them

Network administrator-Responsible for planning, implementing and maintaining the telecommunications infrastructure, and also may be responsible for voice networks. For smaller organizations, this may entail maintaining a LAN and assisting end users.

496 CISA Review Manual 2007

Page 18: CRM 2007 Glossary & Appendices

CISA Glossary

Network attached storage (NAS)-Uses dedicated storage devices that centralize the storage of data. Such devices generally do not provide traditional file/print or application services.

Network interface card (NIC)-A communications card that, when inserted into a computer, allows it to communicate with other computers on a network. Most network interface cards are designed for a particular type of network or protocol.

Noise-Disturbances, such as static, in data transmissions that cause messages to be misinterpreted by the receiver

Nondisclosure agreement (NDA)-Also called a confidential disclosure agreement (CDA), confidentiality agreement or secrecy agreement, it is a legal contract between at least two parties that outlines confidential materials the parties wish to share with one another for certain purposes, but wish to restrict from generalized use. In other words, it is a contract through which the parties agree not to disclose information covered by the agreement. An NDA creates a confidential relationship between the parties to protect any type of trade secret. As such, an NDA can protect non-public business information. (Note: In the case of certain governmental entities, the confidentiality of information other than trade secrets may be subject to applicable statutory requirements, and in some cases may be required to be revealed to an outside party requesting the information. Generally, the governmental entity will include a provision in the contract to allow the seller to review a request for information the seller identifies as confidential and the seller may appeal such a decision requiring disclosure.) NDAs are commonly signed when two companies or individuals are considering doing business together and need to understand the processes used in one another's businesses solely for the purpose of evaluating the potential business relationship. NDAs can be "mutual," meaning both parties are restricted in their use of the materials provided, or they can only restrict a single party. It is also possible for an employee to sign an NDA or NDA-like agreement with a company at the time of hiring; in fact, some employment agreements will include a clause restricting "confidential information" in general.

Normalization-The elimination of redundant data

Objectivity-The ability of the IS auditor to exercise judgment, express opinions and present recommendations with impartiality

Offsite storage-A storage facility located away from the building housing the primary information processing facility (IPF), used for storage of computer media such as offline backup data and storage files

Open Shortest Path First (OSPF)-A routing protocol, developed for IP networks, that is based on the shortest-path-first or link-state algorithm.

Operating system-A master control program that runs the computer and acts as a scheduler and traffic controller. It is the first program copied into the computer's memory after the computer is turned on and must reside in memory at all times. It sets the standards for the application programs that run in it.

Operational control-These controls deal with the everyday operation of a company or organization to ensure that all objectives are achieved.

Operator console-A special terminal used by computer operations personnel to control computer and systems operations functions. These terminals typically provide a high level of computer access and should be properly secured.

Packet-A block of data for data transmission. A packet contains both routing information and data.

Packet switching-The process of transmitting messages in convenient pieces that can be reassembled at the destination

Paper test-A walk-through of the steps of a regular test, but without actually performing the steps. It is usually used in disaster recovery and contingency testing, where team members review and become familiar with the plans, their specific roles and responsibilities.


Parallel testing-The process of feeding test data into two systems, the modified system and an alternative system (possibly the original system), and comparing results

Parity check-A general hardware control, which helps to detect data errors when data are read from memory or communicated from one computer to another. A one-bit digit (either 0 or 1) is added to a data item to indicate whether the sum of that data item's bits is odd or even. When the parity bit disagrees with the sum of the other bits, the computer reports an error. The probability of a parity check detecting an error is 50 percent.
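The odd/even check in the entry above, worked through as an added example that is not part of the manual: it computes an even-parity bit for an 8-bit data item, simulates bit errors, and counts exhaustively how many corruptions the check catches, which is where the "50 percent" figure comes from (every odd number of flipped bits is caught, every even number is missed). The bit width, the parity convention and the sample values are assumptions chosen for the illustration.

```python
"""Even-parity check: construction, verification and detection statistics.

Added illustration of the glossary entry above; not code from the manual.
Assumes even parity (total count of 1 bits, data plus parity, must be even)
and an 8-bit data item with the parity bit stored as the low-order bit.
"""
from itertools import combinations
from typing import Iterable


def parity_bit(data: int, width: int = 8) -> int:
    """Return the even-parity bit for a `width`-bit data item.

    The bit is 1 exactly when the data item has an odd number of 1 bits,
    so that data plus parity always sums to an even number of ones.
    """
    if not 0 <= data < (1 << width):
        raise ValueError(f"data item does not fit in {width} bits")
    return bin(data).count("1") % 2


def encode(data: int, width: int = 8) -> int:
    """Append the parity bit as the least significant bit of the stored word."""
    return (data << 1) | parity_bit(data, width)


def check(word: int, width: int = 8) -> bool:
    """Return True when the stored parity bit agrees with the data bits.

    This is the comparison the hardware performs on read or receive;
    a False result is the "parity error" the computer reports.
    """
    data, stored = word >> 1, word & 1
    return parity_bit(data, width) == stored


def flip_bits(word: int, positions: Iterable[int]) -> int:
    """Simulate a memory or transmission error by inverting the given bits.

    Position 0 is the parity bit itself; positions 1..width are data bits.
    """
    for pos in positions:
        word ^= 1 << pos
    return word


def detection_rate(width: int = 8, errors: int = 1) -> float:
    """Fraction of all `errors`-bit corruptions that the parity check catches.

    Exhaustive: every data value combined with every choice of `errors`
    positions in the (width + 1)-bit stored word. Odd counts are always
    detected, even counts never are.
    """
    total = caught = 0
    for data in range(1 << width):
        word = encode(data, width)
        for positions in combinations(range(width + 1), errors):
            total += 1
            if not check(flip_bits(word, positions), width):
                caught += 1
    return caught / total


def arbitrary_error_detection_rate(width: int = 8) -> float:
    """Fraction of all nonzero error patterns on a stored word that are detected.

    Detection depends only on whether the pattern flips an odd number of
    bits, so one sample word suffices; for 8 data bits this is 256/511,
    the "about 50 percent" quoted in the glossary entry.
    """
    sample = encode((1 << width) - 1 if width < 8 else 0xA5, width)  # constructed data value
    patterns = range(1, 1 << (width + 1))
    detected = sum(1 for p in patterns if not check(sample ^ p, width))
    return detected / len(patterns)


if __name__ == "__main__":
    # Constructed sample: 0x57 = 0101 0111 has five 1 bits, so parity = 1.
    word = encode(0x57)
    print(f"stored word 0x{word:03X}, check -> {check(word)}")
    print(f"single-bit error caught -> {not check(flip_bits(word, [4]))}")
    print(f"two-bit error missed   -> {check(flip_bits(word, [2, 6]))}")
    print(f"1-bit errors detected: {detection_rate(errors=1):.0%}")
    print(f"2-bit errors detected: {detection_rate(errors=2):.0%}")
    print(f"arbitrary errors detected: {arbitrary_error_detection_rate():.1%}")
```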

Password-A protected, generally computer-encrypted string of characters that authenticates a computer user to the computer system

Patch management-An area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system, to maintain up-to-date software and often to address security risks. Patch management tasks include the following: maintaining current knowledge of available patches; deciding what patches are appropriate for particular systems; ensuring that patches are installed properly; testing systems after installation; and documenting all associated procedures, such as specific configurations required. A number of products are available to automate patch management tasks. Patches are sometimes ineffective and can sometimes cause more problems than they fix. Patch management experts suggest that system administrators take simple steps to avoid problems, such as performing backups and testing patches on non-critical systems prior to installations. Patch management can be viewed as part of change management. For further detail refer to: http://searchwindowssecurity.techtarget.com/sDefinition/0,,sid45_gci901422,00.html

Payroll system-An electronic system for processing payroll information and the related electronic (e.g., electronic timekeeping and/or human resources system), human (e.g., payroll clerk), and external party (e.g., bank) interfaces. In a more limited sense, it is the electronic system that performs the processing for generating payroll checks and/or bank direct deposits to employees.

Private branch exchange (PBX)-A telephone exchange that is owned by a private business, as opposed to one owned by a common carrier or by a telephone company.

Performance testing-Comparing the system's performance to other equivalent systems using well-defined benchmarks

Personal digital assistant (PDA)-Also called palmtop and pocket computer, these are handheld devices that provide computing, Internet, networking and telephone characteristics.

Personal identification number (PIN)-A type of password (i.e., a secret number assigned to an individual) that, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual. PINs have been adopted by financial institutions as the primary means of verifying customers in an electronic funds transfer system (EFTS).

Phishing-This is a type of e-mail attack that attempts to convince a user that the originator is genuine, but with the intention of obtaining information for use in social engineering. These attacks may take the form of masquerading as a lottery organization advising the recipient of a large win or the user's bank; in either case, the intent is to obtain account and PIN details. Alternative attacks may seek to obtain apparently innocuous business information, which may be used in another form of active attack.

Phreakers-Those who crack security, most frequently phone and other communication networks

Point-of-sale (POS) systems-Enable the capture of data at the time and place of transaction. POS terminals may include use of optical scanners for use with bar codes or magnetic card readers for use with credit cards. POS systems may be online to a central computer or may use stand-alone terminals or microcomputers that hold the transactions until the end of a specified period when they are sent to the main computer for batch processing.

Port-An interface point between the CPU and a peripheral device


Point-to-point protocol (PPP)-Commonly used to establish a direct connection between two nodes, it can connect computers using serial cable, phone line, trunk line, cellular telephone, specialized radio links or fiber optic links. Its main features include enhanced error detection, automatic self-configuration and looped link detection. Most Internet service providers use PPP for customers' dial-up access to the Internet. PPP is commonly used to act as a "layer 2" (the data link layer of the OSI model) protocol for connection over synchronous and asynchronous circuits, where it has largely superseded an older nonstandard protocol (known as SLIP) and telephone company mandated standards (such as X.25). PPP was designed to work with numerous "layer 3" network layer protocols, including IP, Novell's IPX, and AppleTalk.

Privacy-Privacy involves providing proper protection for personally identifiable information relating to an identified or identifiable individual (data subject). Management should ensure that proper controls are in place and functioning to be in compliance with its privacy policy or applicable privacy laws and regulations.

Problem escalation procedure-The process of escalating a problem up from junior to senior support staff, and ultimately to higher levels of management. It is often used in help desk management, where an unresolved problem is escalated up the chain of command, until it is solved.

Program Evaluation and Review Technique (PERT)-A project management technique used in the planning and control of system projects

Project portfolio-The set of projects owned by a company; it usually includes the main guidelines relative to each project including objectives, costs, timelines and other information specific to the project.

Protocol-The rules by which a network operates and controls the flow and priority of transmissions

Prototyping-A system development technique that enables users and developers to reach agreement on system requirements. Prototyping uses programmed simulation techniques to represent a model of the final system to the user for advisement and critique. The emphasis is on end-user screens and reports. Internal controls are not a priority item since this is only a model.

Public key encryption-A cryptographic system that uses two keys. One is a public key, which is known to everyone, and the second is a private or secret key, which is only known to the recipient of the message.

Public key infrastructure (PKI)-A system that authentically distributes users' public keys using certificates. It verifies and authenticates the validity of each party involved in an Internet transaction through digital certificates, certificate authorities and other registration authorities.

Quality assurance-A technique used to design, develop and implement a product or service reducing costs and preserving the quality.

Queue-A group of items that are waiting to be serviced or processed

Radio wave interference-The superposition of two or more radio waves resulting in a different radio wave pattern that is more difficult to intercept and decode properly

Random access memory (RAM)-The computer's primary working memory. Each byte of memory can be accessed randomly regardless of adjacent bytes.

Record-A collection of related information treated as a unit. Separate fields within the record are used for processing the information.

Recovery point objective (RPO)-The recovery point objective is determined based on the acceptable data loss in case of disruption of operations. It indicates the earliest point in time to which it is acceptable to recover the data. RPO effectively quantifies the permissible amount of data loss in case of interruption.


Recovery testing-A test to check the system's ability to recover after a software or hardware failure

Recovery time objective (RTO)-The recovery time objective is determined based on the acceptable down time in case of disruption of operations. It indicates the earliest point in time at which the business operations must resume after disaster.

Redundant Array of Inexpensive Disks (RAID)-Provides performance improvements and fault-tolerant capabilities via hardware or software solutions, by writing to a series of multiple disks to improve performance and/or save large files simultaneously

Reengineering-A process involving the extraction of components from existing systems and restructuring these components to develop new systems or to enhance the efficiency of existing systems. Existing software systems thus can be modernized to prolong their functionality. An example of this is a software code translator that can take an existing hierarchical database system and transpose it to a relational database system. CASE includes a source code reengineering feature.

Registration authority (RA)-An optional entity separate from a CA that would be used by a CA with a very large customer base. CAs use RAs to delegate some of the administrative functions associated with recording or verifying some or all of the information needed by a CA to issue certificates or CRLs and to perform other certificate management functions. However, with this arrangement, the CA still retains sole responsibility for signing either digital certificates or CRLs. If an RA is not present in the established PKI structure, the CA is assumed to have the same set of capabilities as those defined for an RA.

Regression testing-A testing technique used to retest earlier program abends or logical errors that occurred during the initial testing phase

Remote access service (RAS)-Refers to any combination of hardware and software to enable the remote access to tools or information that typically reside on a network of IT devices. Originally coined by Microsoft when referring to their built-in NT remote access tools, RAS was a service provided by Windows NT which allows most of the services that would be available on a network to be accessed over a modem link. Over the years, many vendors have provided both hardware and software solutions to gain remote access to various types of networked information. In fact, most modern routers include a basic RAS capability that can be enabled for any dial-up interface.

Remote Procedure Call (RPC)-The traditional Internet service protocol widely used for many years on UNIX-based operating systems and supported by the Internet Engineering Task Force (IETF), that allows a program on one computer to execute a program on another (e.g., server). The primary benefit derived from its use is that a system developer need not develop specific procedures for the targeted computer system. For example, in a client-server arrangement, the client program sends a message to the server with appropriate arguments, and the server returns a message containing the results of the program executed. Common Object Request Broker Architecture (CORBA) and Distributed Component Object Model (DCOM) are two newer object-oriented methods for related RPC functionality.

Repeaters-A physical layer device that regenerates and propagates electrical signals between two network segments. Repeaters receive signals from one network segment and amplify (regenerate) the signal to compensate for signals (analog or digital) distorted by transmission loss due to reduction of signal strength during transmission (i.e., attenuation).

Replication-In its broad computing sense, involves the use of redundant software or hardware elements to provide availability and fault-tolerant capabilities. In a database context, replication involves the sharing of data between databases to reduce workload among database servers, thereby improving client performance, while maintaining consistency among all systems.

Repository-The central database that stores and organizes data

Request for proposal (RFP)-A document distributed to software vendors requesting their submission of a proposal to develop or provide a software product

Requirements definition-A phase of an SDLC methodology where the affected user groups define the requirements of the system for meeting the defined needs

Resilience-The ability of a system or network to recover automatically from any disruption, usually with minimal recognizable effect

Return on investment (ROI)-A measure of operating performance and efficiency, computed in its simplest form by dividing net income by average total assets.

Reverse engineering-A software engineering technique whereby existing application system code can be redesigned and coded using computer-aided software engineering (CASE) technology

Ring configuration-Used in either token ring or FDDI networks, all stations (nodes) are connected to a multistation access unit (MSAU), which physically resembles a star-type topology. A ring configuration is created when these MSAUs are linked together in forming a network. Messages in this network are sent in a deterministic fashion from sender and receiver via a small frame, referred to as a token ring. To send a message, a sender obtains the token with the right priority as the token travels around the ring, with receiving nodes reading those messages addressed to them.

Risk-The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss of, or damage to, the assets. It usually is measured by a combination of impact and probability of occurrence.

Rounding down-A method of computer fraud involving a computer code that instructs the computer to remove small amounts of money from an authorized computer transaction by rounding down to the nearest whole value denomination and rerouting the rounded off amount to the perpetrator's account

Router-A networking device that can send (route) packets to the connected LAN segment, based on addressing at the network layer (Layer 3) in the OSI model. Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source address, destination address, protocol and network application (ports).

RSA-A public key cryptosystem developed by R. Rivest, A. Shamir and L. Adleman. RSA has two different keys; the public encryption key and the secret decryption key. The strength of RSA depends on the difficulty of the prime number factorization. For applications with high-level security, the number of the decryption key bits should be greater than 512 bits. RSA is used for both encryption and digital signatures.

Run-to-run totals-Provide verification that all transmitted data are read and processed

Scheduling-A method used in the information processing facility (IPF) to determine and establish the sequence of computer job processing

Scope creep-Also called requirement creep, this refers to uncontrolled changes in a project's scope. This phenomenon can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose. Because of one's tendency to focus on only one dimension of a project, scope creep can also result in a project team overrunning its original budget and schedule. For example, scope creep can be a result of poor change control, lack of proper identification of what products and features are required to bring about the achievement of project objectives in the first place, or a weak project manager or executive sponsor.

Secure Sockets Layer (SSL)-A protocol that is used to transmit private documents through the Internet. This protocol uses a private key to encrypt the data that is to be transferred through the SSL connection.

Security testing-Making sure the modified/new system includes appropriate access controls and does not introduce any security holes that might compromise other systems


Service set identifier (SSID)-In Wi-Fi wireless LAN computer networking, this is a code attached to all packets on a wireless network to identify each packet as part of that network. The code consists of a maximum of 32 alphanumeric characters. All wireless devices attempting to communicate with each other must share the same SSID. Apart from identifying each packet, SSID also serves to uniquely identify a group of wireless network devices used in a given service set. There are two major variants of the SSID. Ad hoc wireless networks that consist of client machines without an access point use the IBSSID (Independent Basic Service Set Identifier); whereas on an infrastructure network which includes an access point, the basic service set identifier (BSSID) or extended service set identifier (ESSID) is used instead.

Servlet-Typically indicates a Java applet or a small program that runs within a web server environment. A Java servlet is similar to a CGI program, but unlike a CGI program, once started, it stays in memory and can fulfill multiple requests, thereby saving server execution time and speeding up the services.

Session border controller (SBC)-Provides security features for VoIP traffic similar to those provided by firewalls. SBCs can be configured to filter specific VoIP protocols, monitor for denial-of-service (DoS) attacks, and provide network address and protocol translation features.

Sign-on procedure-The procedure performed by a user to gain access to an application or operating system. If the user is properly identified and authenticated by the system's security, they will be able to access the software.

Simple Object Access Protocol (SOAP)-A platform-independent, XML-based formatted protocol enabling applications to communicate with each other over the Internet. Use of this protocol may provide a significant security risk to web application operations, since use of SOAP piggybacks onto a web-based document object model and is transmitted via HTTP (port 80) to penetrate server firewalls, which are usually configured to accept port 80 and port 21 (FTP) requests. Web-based document models define how objects on a web page are associated with each other and how they can be manipulated while being sent from a server to a client browser. SOAP typically relies on XML for presentation formatting and also adds appropriate HTTP-based headers to send it. SOAP forms the foundation layer of the web services stack, providing a basic messaging framework on which more abstract layers can build. There are several different types of messaging patterns in SOAP, but by far the most common is the Remote Procedure Call (RPC) pattern, in which one network node (the client) sends a request message to another node (the server), and the server immediately sends a response message to the client.

Slack time (float)-Time in the project schedule, the use of which does not affect the project's critical path (the minimum time to complete the project based upon the estimated time for each project segment and their relationships). Slack time is commonly referred to as "float" and generally is not "owned" by either party to the transaction.

SMART (specific, measurable, achievable, relevant, time-bound)-A development methodology for value management

Software-Programs and supporting documentation that enable and facilitate use of the computer. Software controls the operation of the hardware.

Source code-Source code is the language in which a program is written. Source code is translated into object code by assemblers and compilers. In some cases, source code may be converted automatically into another language by a conversion program. Source code is not executable by the computer directly. It must first be converted into machine language.

Source documents-The forms used to record data that have been captured. A source document may be a piece of paper, a turnaround document or an image displayed for online data input.

Source lines of code (SLOC)-Source lines of code are often used in deriving single-point software size estimations.

Spool (simultaneous peripheral operations online)-An automated function that can be operating system or application based in which electronic data being transmitted between storage areas are spooled or stored until the receiving device or storage area is prepared and able to receive the information. This operation allows more efficient electronic data transfers from one device to another by permitting higher speed sending functions, such as internal memory, to continue on with other operations instead of waiting on the slower speed receiving device, such as a printer.

Standing data-Permanent reference data used in transaction processing. These data are changed infrequently, such as a product price file or a name and address file.

Spyware-Software whose purpose is to monitor a computer user's actions (e.g., web sites they visit) and report these actions to a third party, without the informed consent of that machine's owner or legitimate user. A particularly malicious form of spyware is software that monitors keystrokes (e.g., to obtain passwords) or otherwise gathers sensitive information such as credit card numbers, which it then transmits to a malicious third party. The term has also come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.

Statistical sampling-A method of selecting a portion of a population, by means of mathematical calculations and probabilities, for the purpose of making scientifically and mathematically sound inferences regarding the characteristics of the entire population

Storage area networks (SANs)-A variation of a LAN that is dedicated for the express purpose of connecting storage devices to servers and other computing devices. SANs centralize the process for the storage and administration of data.

Structured Query Language (SQL)-The primary language used by both application programmers and end users in accessing relational databases

Substantive testing-Determines the integrity of actual processing, which provides evidence of the validity of the final outcome. This is done outside of a review of processes and related internal controls. For example, testing balances in the financial statement and the transactions to support those balances is a substantive test. General types of testing involve recalculation, confirmations, verification of outcomes from other information sources and observations. Substantive testing will be limited when there is a low risk of control failure. Conversely, if the testing of controls reveals weaknesses in control, the level of substantive testing would be increased.

Supply chain management (SCM)-A concept that allows an organization to more effectively and efficiently manage the activities of design, manufacturing, distribution, service and recycling of products and services to its customers

Suspense file-A computer file used to maintain information (i.e., on transactions, payments, or other events) until the proper disposition of that information can be determined. Once the proper disposition of the item is determined, it should be removed from the suspense file and processed in accordance with the proper procedures for that particular transaction. Two examples of items that may be included in a suspense file are receipt of a payment from a source that is not readily identified or data that do not yet have an identified match during migration to a new application.

Switches-Typically associated as a data link layer device, switches enable LAN network segments to be created and interconnected, which also has the added benefit of reducing collision domains in Ethernet-based networks.

Synchronous transmission-Block-at-a-time data transmission

System software-A collection of computer programs used in the design, processing and control of all applications. The programs and processing routines that control the computer hardware, including the operating system and utility programs.

System testing-A series of tests designed to ensure that the modified program interacts correctly with other system components. These test procedures typically are performed by the system maintenance staff in their development library.


Systems development life cycle (SDLC)-The phases deployed in the development or acquisition of a software system. Typical phases include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and postimplementation review.

Tape management system (TMS)-A system software tool that logs, monitors and directs computer tape usage.

Telecommunications-Electronic communications by special devices over distances or around devices that preclude direct interpersonal exchange

Terminal-A device for sending and receiving computerized data over transmission lines

Test data-Data that are used to test a computer program. Depending on the purpose of the test, the data may be production data (files) or data created by either information systems (IS) or the customer (user).

Throughput-The quantity of useful work made by the system per unit of time. Throughput can be measured in instructions per second or some other unit of performance. When referring to a data transfer operation, throughput measures the useful data transfer rate and is expressed in kbps, Mbps and Gbps.

Transaction log-A manual or automated log of all updates to data files and databases

Transaction-Business events or information grouped together because they have a single or similar purpose. Typically, a transaction is applied to a calculation or event that then results in the updating of a holding or master file.

Transmission Control Protocol/Internet Protocol (TCP/IP)-A set of communications protocols that encompasses media access, packet transport, session communications, file transfer, electronic mail, terminal emulation, remote file access and network management. TCP/IP provides the basis for the Internet.

Trojan horse-Purposefully hidden malicious or damaging code within an authorized computer program

Tunneling-A method by which one network protocol encapsulates another protocol within itself. It is commonly used to bridge between incompatible hosts/routers or to provide encryption. When protocol A encapsulates protocol B, then a protocol A header and optional tunneling headers are appended to the original protocol B packet. Protocol A then becomes the data link layer of protocol B. Examples of tunneling protocols include IPSec, Point-to-point Protocol Over Ethernet (PPPoE), and Layer 2 Tunneling Protocol (L2TP).

Tuple-A tuple is a row in a database table.

Twisted pair-A pair of small, insulated wires that are twisted around each other to minimize interference from other wires in the cable. This is a low-capacity transmission medium.

Unicode-A standard for representing characters as integers. Its original design used 16 bits per character, which allows more than 65,000 unique characters, as is necessary for languages such as Chinese and Japanese. The standard has since grown beyond 16 bits (to more than a million code points); UTF-16 represents the additional characters with pairs of 16-bit units, and UTF-8 with one to four bytes per character.

Uninterruptible power supply (UPS)-Provides short-term backup power from batteries for a computer system when theelectrical power fails or drops to an unacceptable voltage level

Unit testing-A testing technique that is used to test program logic within a particular program or module. The purpose of the test

Universal Serial Bus (USB)-An external bus standard that provides capabilities to transfer data at a rate of 12 Mbps (USB 1.1 full speed; USB 2.0 high speed raised this to 480 Mbps). A USB port can connect up to 127 peripheral devices.

504 CISA Review Manual 2007

Page 26: CRM 2007 Glossary & Appendices

User awareness-The training process in security-specific issues to reduce security problems, since users are often the weakest link in the security chain

Utility programs-Specialized system software used to perform particular computerized functions and routines that are frequently required during normal processing. Examples include sorting, backing up and erasing data.

Utility script-A sequence of commands input into a single file to automate a repetitive and specific task. The utility script is then executed, either automatically or manually, to perform the task. In UNIX, these are known as shell scripts.

Variable sampling-A sampling technique used to estimate the average or total value of a population based on a sample; a statistical model used to project a quantitative characteristic, such as a monetary amount
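The projection the variable sampling entry describes, worked through as an added example (not from the manual): a mean-per-unit estimate of a ledger's total from a random sample of invoice amounts, with a confidence interval, the sample size needed for a given tolerable error, and the audit decision of whether the recorded book value is supported. The invoice amounts, population size and book value are constructed; the estimator uses the finite population correction and a normal approximation (z = 1.96 for roughly 95% confidence).

```python
"""Mean-per-unit variable sampling as an IS auditor would apply it to a
population of invoice amounts.  Added illustration, not from the manual;
all amounts below are constructed."""
import math
from typing import Sequence, Tuple


def mean_per_unit_estimate(sample: Sequence[float], population_size: int,
                           z: float = 1.96) -> Tuple[float, float, float]:
    """Project the population total from a random sample.

    Returns (point_estimate, lower_bound, upper_bound) for the total.
    """
    n = len(sample)
    if n < 2:
        raise ValueError("need at least two sampled items to estimate variance")
    if population_size < n:
        raise ValueError("sample cannot be larger than the population")
    mean = sum(sample) / n
    variance = sum((x - mean) ** 2 for x in sample) / (n - 1)   # sample variance
    std_dev = math.sqrt(variance)
    # Finite population correction: precision improves as the sample becomes
    # a large fraction of the population.
    fpc = math.sqrt((population_size - n) / (population_size - 1)) if population_size > 1 else 0.0
    std_error_total = population_size * std_dev / math.sqrt(n) * fpc
    total = population_size * mean
    return total, total - z * std_error_total, total + z * std_error_total


def required_sample_size(population_size: int, est_std_dev: float,
                         tolerable_error: float, z: float = 1.96) -> int:
    """Sample size needed so the half-width of the interval for the total
    is within tolerable_error.  est_std_dev is the auditor's estimate of
    the per-item standard deviation (pilot sample or prior-year data)."""
    n0 = (z * population_size * est_std_dev / tolerable_error) ** 2
    n = n0 / (1 + n0 / population_size)       # finite population adjustment
    return max(2, math.ceil(n))


def book_value_supported(book_value: float, sample: Sequence[float],
                         population_size: int, z: float = 1.96) -> bool:
    """Audit decision: does the recorded (book) total fall inside the projected
    interval?  If not, the difference is a projected misstatement to follow up."""
    _, lower, upper = mean_per_unit_estimate(sample, population_size, z)
    return lower <= book_value <= upper


def demo():
    # Constructed: 12 invoices drawn at random from a ledger of 400 invoices.
    sampled_invoices = [412.50, 980.00, 1250.00, 305.75, 2210.00, 760.00,
                        1195.25, 540.00, 1875.00, 665.40, 930.00, 1480.00]
    population = 400
    recorded_total = 430_000.00      # constructed book value
    estimate = mean_per_unit_estimate(sampled_invoices, population)
    return estimate, book_value_supported(recorded_total, sampled_invoices, population)


if __name__ == "__main__":
    (total, low, high), supported = demo()
    print("projected total %.2f, interval [%.2f, %.2f], book value supported: %s"
          % (total, low, high, supported))
```

The interval width is driven by the sample standard deviation, so a population with a few very large items needs either a larger sample or stratification before this estimator gives a usable result.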

Verification-Checks that data are entered correctly

Virus-Malicious programs designed to spread and replicate from computer to computer through telecommunications links or through sharing of computer diskettes and files

Voice mail-A system of storing messages in a private recording medium where the called party can later retrieve the messages

Voice-over Internet Protocol (VoIP)-Also called IP telephony, Internet telephony and broadband phone, this is a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of dedicated voice transmission lines.

WAN switch-A data link layer device used for implementing various WAN technologies such as asynchronous transfer mode, point-to-point frame relay solutions and ISDN. These devices are typically associated with carrier networks providing dedicated WAN switching and router services to organizations via T-1 or T-3 connections.

Wide area network (WAN)-A computer network connecting different remote locations that may range from short distances, such as a floor or building, to extremely long transmissions that encompass a large region or several countries

Wi-Fi Protected Access (WPA)-A class of systems used to secure wireless (Wi-Fi) computer networks. It was created in response to several serious weaknesses researchers found in the previous system, Wired Equivalent Privacy (WEP). WPA implements the majority of the IEEE 802.11i standard and was intended as an intermediate measure to take the place of WEP while 802.11i was prepared. WPA is designed to work with all wireless network interface cards, but not necessarily with first-generation wireless access points. WPA2 implements the full standard, but will not work with some older network cards. Both provide substantially better security than WEP, with two significant issues. First, either WPA or WPA2 must be enabled and chosen in preference to WEP; WEP is usually presented as the first security choice in most installation instructions. Second, in the "personal" mode (WPA-PSK), the most likely choice for homes and small offices, the pass phrase is the only secret: anyone who captures a client's four-way handshake can test guesses offline, so for full security the pass phrase must be much longer than the typical 6 to 8 character passwords users are taught to employ (the standard allows 8 to 63 characters). WPA's original cipher, TKIP, has since been shown to have weaknesses of its own; WPA2 with AES-CCMP is the configuration to prefer.
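Why the personal-mode pass phrase length matters, as an added example that is not from the manual: in WPA/WPA2-Personal the 256-bit pre-shared key is derived from the pass phrase with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations. Because the SSID is public and the derivation is deterministic, an attacker who has captured a four-way handshake can test candidate pass phrases offline at full speed. The SSID, pass phrases and word list below are constructed; the `offline_guess` function simplifies the real attack by comparing derived PSKs directly, where a real tool would derive the PTK from each candidate and check the handshake MIC.

```python
"""WPA/WPA2-Personal: pass phrase to PSK, and the offline guessing that a
captured handshake makes possible.  Added illustration; SSID, pass phrases
and word list are constructed."""
import hashlib
from typing import Iterable, Optional


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PSK exactly as a WPA/WPA2-Personal client or AP does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA pass phrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_guess(target_psk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Simulate the attacker's position after capturing a four-way handshake:
    every candidate is tested locally, with no further contact with the AP,
    so neither lockouts nor rate limits apply.  (Simplification: a real
    attack derives the PTK and checks the handshake MIC rather than comparing
    PSKs directly, but the cost per guess is the same PBKDF2 call.)"""
    for guess in candidates:
        try:
            if wpa_psk(guess, ssid) == target_psk:
                return guess
        except ValueError:        # candidate outside the allowed length
            continue
    return None


def demo() -> Optional[str]:
    ssid = "CorpWiFi"                     # constructed network name
    target = wpa_psk("password1", ssid)   # constructed weak pass phrase in use
    wordlist = ["letmein1", "qwerty123", "password1", "Summer2007"]  # constructed
    return offline_guess(target, ssid, wordlist)


if __name__ == "__main__":
    print("recovered pass phrase:", demo())
```

Two consequences follow from the derivation. The SSID salt means rainbow tables are per-SSID, so a default or common SSID makes precomputed attacks worthwhile; and 4096 PBKDF2 iterations slow each guess only modestly, so the defence against offline guessing is pass phrase entropy, not the hash.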

Wired Equivalent Privacy (WEP)-A scheme that is part of the IEEE 802.11 wireless networking standard to secure IEEE 802.11 wireless networks (also known as Wi-Fi networks). Because a wireless network broadcasts messages using radio, it is particularly susceptible to eavesdropping. WEP was intended to provide confidentiality comparable to that of a traditional wired network (in particular, it does not protect users of the network from each other), hence the name. Several serious weaknesses were identified by cryptanalysts, and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004. The weaknesses are practical, not theoretical: freely available tools recover a WEP key from captured traffic in minutes, so WEP should be treated as providing no meaningful confidentiality and reported as a finding when encountered in an audit.

Wiretapping-The practice of eavesdropping on information being transmitted over telecommunications links

Note: The CISA candidate may want to be familiar with ISACA's Glossary, which can be viewed at www.isaca.org/glossary. Also available is a list of CISA exam terminology in different languages, which can be viewed at www.isaca.org/extlmferm.


Page 27: CRM 2007 Glossary & Appendices

CISA Acronyms

The CISA candidate should be familiar with the following list of acronyms published in the Candidate's Guide to the CISA Examination. These acronyms are the only stand-alone abbreviations used in examination questions.

ASCII  American Standard Code for Information Interchange
Bit  Binary digit
CASE  Computer-aided system engineering
CCTV  Closed-circuit television
CPU  Central processing unit
DBA  Database administrator
DBMS  Database management system
EDI  Electronic data interchange
FTP  File Transfer Protocol
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure (HTTP over SSL/TLS)
ID  Identification
IDS  Intrusion detection system
IP  Internet Protocol
IS  Information systems
ISO  International Organization for Standardization
IT  Information technology
LAN  Local area network
PBX  Private branch (business) exchange
PC  Personal computer/microcomputer
PCR  Program change request
PDA  Personal digital assistant
PERT  Program Evaluation Review Technique
PIN  Personal identification number
PKI  Public key infrastructure
RAID  Redundant Array of Inexpensive Disks
RFID  Radio frequency identification
SDLC  System development life cycle
SSL  Secure Sockets Layer
TCP  Transmission Control Protocol
UPS  Uninterruptible power supply
VoIP  Voice-over Internet Protocol
WAN  Wide area network

In addition to the aforementioned acronyms, candidates may also wish to become familiar with the following additional acronyms. Should any of these abbreviations be used in examination questions, their meanings would be included when the acronym appears.

4GL  Fourth-generation language
ACID  Atomicity, consistency, isolation and durability
ACL  Access control list
AH  Authentication header
AI  Artificial intelligence
AICPA  American Institute of Certified Public Accountants
ALE  Annual loss expectancy
ALU  Arithmetic-logic unit
ANSI  American National Standards Institute
API  Application programming interface
ARP  Address Resolution Protocol
ASIC  Application-specific integrated circuit
ATDM  Asynchronous time division multiplexing
ATM  Asynchronous Transfer Mode or automated teller machine
BCI  Business Continuity Institute
BCM  Business continuity management
BCP  Business continuity planning
BI  Business intelligence
BIA  Business impact analysis
BIMS  Biometric Information Management and Security
BIOS  Basic Input/Output System
BIS  Bank for International Settlements
BLP  Bypass label process
BNS  Backbone network services
BOM  Bill of materials
BOMP  Bill of materials processor
BPR  Business process reengineering
BRP  Business recovery (or resumption) plan
BSC  Balanced scorecard
B-to-B  Business-to-business
B-to-C  Business-to-consumer
B-to-E  Business-to-employee
B-to-G  Business-to-government
CA  Certificate authority
CAAT  Computer-assisted audit technique
CAD  Computer-assisted design
CAE  Computer-assisted engineering

Page 28: CRM 2007 Glossary & Appendices

CAM  Computer-aided manufacturing
CASE  Computer-aided software engineering
CCK  Complementary Code Keying
CCM  Constructive Cost Model
CD  Compact disk
CDDF  Call Data Distribution Function
CDPD  Cellular Digital Packet Data
CD-R  Compact disk-recordable
CD-RW  Compact disk-rewritable
CEO  Chief executive officer
CERT  Computer emergency response team
CGI  Common gateway interface
CIAC  Computer Incident Advisory Capability
CICA  Canadian Institute of Chartered Accountants
CIM  Computer-integrated manufacturing
CIO  Chief information officer
CIS  Continuous and intermittent simulation
CISO  Chief information security officer
CMDB  Configuration management database
CMM  Capability Maturity Model
CMMI  Capability Maturity Model Integration
CNC  Computerized Numeric Control
COBIT  Control Objectives for Information and related Technology
COCOMO2  Constructive Cost Model
CODASYL  Conference on Data Systems Languages
COM  Component Object Model
COM/DCOM  Component Object Model/Distributed Component Object Model
COOP  Continuity of operations plan
CORBA  Common Object Request Broker Architecture
CoS  Class-of-service
COSO  Committee of Sponsoring Organizations of the Treadway Commission
CPM  Critical Path Methodology
CPO  Chief privacy officer
CPS  Certification practice statement
CRL  Certificate revocation list
CRM  Customer relationship management
CSA  Control self-assessment
CSF  Critical success factor
CSIRT  Computer security incident response team
CSMA/CD  Carrier-sense Multiple Access/Collision Detection
CSO  Chief security officer
CSU-DSU  Channel service unit/digital service unit
C-to-G  Consumer-to-government
DAC  Discretionary access controls
DASD  Direct access storage device
DAT  Digital audio tape
DCE  Data communications equipment
DCE  Distributed computing environment
DCOM  Distributed Component Object Model (Microsoft)
DCT  Discrete Cosine Transform
DD/DS  Data dictionary/directory system
DDL  Data Definition Language
DDoS  Distributed denial of service
DES  Data Encryption Standard
DFD  Data flow diagram
DHCP  Dynamic Host Configuration Protocol
DID  Direct inward dial
DIP  Document image processing
DLL  Dynamic link library
DNS  Domain name server
DoS  Denial of service
DOSD  Data-oriented system development
DRII  Disaster Recovery Institute International
DRP  Disaster recovery planning
DSL  Digital subscriber line
DSS  Decision support systems
DSSS  Direct-sequence spread spectrum
DTE  Data terminal equipment
DTR  Data terminal ready
DVD  Digital video disc
DVD-HD  Digital video disc-high definition/high density
DW  Data warehouse
EA  Enterprise architecture
EAC  Estimates at completion
EAM  Embedded audit modules
EBCDIC  Extended Binary Coded Decimal Interchange Code
EC  Electronic commerce
ECC  Elliptic curve cryptography
EDFA  Enterprise data flow architecture
EER  Equal-error rate
EFT  Electronic funds transfer
EIGRP  Enhanced Interior Gateway Routing Protocol
EJB  Enterprise Java Beans
EMI  Electromagnetic interference
EMRT  Emergency response time

Page 29: CRM 2007 Glossary & Appendices
Page 30: CRM 2007 Glossary & Appendices

MTTR  Mean time to repair
NAS  Network access server or Network attached storage
NAT  Network address translation
NCP  Network Control Protocol
NDA  Nondisclosure agreement
NFPA  National Fire Protection Association (USA)
NFS  Network file system
NIC  Network interface card
NIST  National Institute of Standards and Technology (USA)
NNTP  Network News Transfer Protocol
NSP  Name Server Protocol or Network service provider
NT  New technology
NTFS  NT file system
NTP  Network Time Protocol
OBS  Object Breakdown Structure
OCSP  Online Certificate Status Protocol
OECD  Organization for Economic Cooperation and Development
OEP  Occupant emergency plan
OFDM  Orthogonal frequency division multiplexing
OLAP  Online analytical processing
OO  Object-oriented
OOSD  Object-oriented system development
ORB  Object request broker
OS  Operating system
OSI  Open Systems Interconnection
OSPF  Open Shortest Path First
PAD  Packet assembler/disassembler
PAN  Personal area network
PDCA  Plan-Do-Check-Act
PDN  Public data network
PER  Package-enabled reengineering
PHY  Physical layer
PICS  Platform for Internet content selection
PID  Process ID
PID  Project Initiation Document
PMBOK  Project Management Body of Knowledge
PMI  Project Management Institute
POC  Proof of concept
POP  Proof of possession
POS  Point of sale or Point-of-sale systems
POTS  Plain old telephone service
PPP  Point-to-Point Protocol
PPPoE  Point-to-Point Protocol over Ethernet
PPTP  Point-to-Point Tunneling Protocol
PR  Public relations
PRD  Project request document
PRINCE2  Projects in Controlled Environments
PROM  Programmable Read-Only Memory
PSTN  Public switched telephone network
PVC  Permanent virtual circuit
QA  Quality assurance
QAT  Quality assurance testing
RA  Registration authority
RAD  Rapid application development
RADIUS  Remote Authentication Dial-In User Service
RAID  Redundant Array of Inexpensive Disks
RAM  Random access memory
RAS  Remote access service
RBAC  Role-based access control
RDBMS  Relational database management system
RFI  Request for information
RFP  Request for proposal
RIP  Routing Information Protocol
RMI  Remote method invocation
ROI  Return on investment
ROM  Read-only memory
RPC  Remote procedure call
RPO  Recovery point objective
RST  Reset
RTO  Recovery time objective
RW  Re-writable
S/HTTP  Secure Hypertext Transfer Protocol
S/MIME  Secure Multipurpose Internet Mail Extensions
SA  Security Association
SAN  Storage area network
SANS  SysAdmin, Audit, Network, Security
SAS  Statement on Auditing Standards
SBC  Session border controller
SCARF  Systems Control Audit Review File
SCARF/EAM  Systems Control Audit Review File and Embedded Audit Modules
SCM  Supply Chain Management
SCOR  Supply Chain Operations Reference
SD/MMC  Secure digital multimedia card
SDLC  System development life cycle
SDO  Service delivery objective
SEC  Securities and Exchange Commission (USA)
SET  Secure electronic transactions

Page 31: CRM 2007 Glossary & Appendices

SLA  Service level agreement
SLM  Service level management
SLIP  Serial Line Internet Protocol
SMART  Specific, measurable, achievable, relevant, time-bound
SMF  System management facility
SMTP  Simple Mail Transfer Protocol
SNA  Systems network architecture
SNMP  Simple Network Management Protocol
SO  Security officer
SOAP  Simple Object Access Protocol
SOHO  Small office-home office
SPI  Security parameter index
SPICE  Software Process Improvement and Capability Determination
SPOC  Single point of contact
SPOOL  Simultaneous peripheral operations online
SQL  Structured Query Language
SSH  Secure Shell
SSID  Service set identifier
SSO  Single sign-on
SVC  Switched virtual circuit
SYSGEN  System generation
TACACS  Terminal Access Controller Access Control System
TCO  Total cost of ownership
TCP/IP  Transmission Control Protocol/Internet Protocol
TCP/UDP  Transmission Control Protocol/User Datagram Protocol
TDM  Time-division multiplexing
TES  Terminal emulation software
TFTP  Trivial File Transfer Protocol
TKIP  Temporal Key Integrity Protocol
TLS  Transport Layer Security
TMS  Tape management system
TP monitors  Transaction processing (TP) monitors
TQM  Total quality management
TR  Technical report
UAT  User acceptance testing
UBE  Unsolicited bulk e-mail
UDDI  Universal Description, Discovery and Integration
UDP  User Datagram Protocol
UID  User ID
UML  Unified Modeling Language
URL  Uniform resource locator
USB  Universal Serial Bus
VAN  Value-added network
VLAN  Virtual local area network
VoIP  Voice-over IP
VPN  Virtual private network
WAP  Wireless Application Protocol
WEP  Wired Equivalent Privacy
WML  Wireless Markup Language
WORM  Write once, read many
WP  Work packages
WPA  Wi-Fi Protected Access
WPAN  Wireless personal area network
WSDL  Web Services Description Language
WWAN  Wireless wide area network
WWW  World Wide Web
XBRL  Extensible Business Reporting Language
XML  Extensible Markup Language
XQuery  XML query
XSL  Extensible Stylesheet Language
X-to-X  Exchange-to-Exchange

Page 32: CRM 2007 Glossary & Appendices

Appendix A: The CISA Examination and COBIT

COBIT, now in transition between the 3rd Edition and COBIT 4.0, is an initiative conducted by the IT Governance Institute (ITGI). COBIT has been developed as a generally applicable and accepted framework for good IT security and control practices that provides a reference for management, users, and IS audit, control and security practitioners. COBIT is based on ITGI's control objectives, enhanced with existing and emerging international technical, professional, regulatory and industry-specific standards. The resulting control objectives have been developed for application to organizationwide information systems.

COBIT also supports a generic IT assurance/audit process, which could be summarized as:
• Obtaining an understanding of business requirements, related risks and relevant control measures
• Evaluating the appropriateness of stated controls
• Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
• Substantiating the risk of control objectives not being met by using analytical techniques and/or consulting alternative sources

Although knowledge of COBIT is not specifically tested on the CISA examination, the COBIT control objectives or processes reflect the tasks identified in the CISA job practice. As such, a thorough review of COBIT is recommended for candidate preparation for the CISA examination.

Note: The COBIT framework is freely available from ISACA/ITGI and can be downloaded at www.isaca.org/cobit.

To focus a candidate's attention on the specific COBIT processes that relate to CISA practice analysis tasks, the following table has been provided to aid in a candidate's exam preparation. Each CISA Review Manual task is followed by the related COBIT 3rd Edition processes and the related COBIT 4.0 processes.

Chapter 1: The IS Audit Process

1.1 Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.
    COBIT 3rd Edition: PO9 Assess risks; M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: PO9 Assess and manage IT risks; ME2 Monitor and evaluate internal control

1.2 Plan specific audits to ensure that IT and business systems are protected and controlled.
    COBIT 3rd Edition: M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: ME2 Monitor and evaluate internal control

1.3 Conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.
    COBIT 3rd Edition: M4 Provide for independent audit

1.4 Communicate emerging issues, potential risks and audit results to key stakeholders.
    COBIT 3rd Edition: M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: PO9 Assess and manage IT risks; ME2 Monitor and evaluate internal control

1.5 Advise on the implementation of risk management and control practices within the organization while maintaining independence.
    COBIT 3rd Edition: PO9 Assess risks; PO11 Manage quality; M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: PO8 Manage quality; PO9 Assess and manage IT risks

Page 33: CRM 2007 Glossary & Appendices

Chapter 2: IT Governance

2.1 Evaluate the effectiveness of the IT governance structure to ensure adequate board control over the decisions, directions and performance of IT so that it supports the organization's strategies and objectives.
    COBIT 3rd Edition: PO1 Define a strategic IT plan; PO4 Define the IT organization and relationships; PO5 Manage the IT investment; PO6 Communicate management aims and directions; M2 Assess internal control adequacy; M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: PO1 Define a strategic IT plan; PO4 Define the IT processes, organization and relationships; PO5 Manage the IT investment; PO6 Communicate management aims and directions; ME4 Provide IT governance

2.2 Evaluate IT organizational structure and human resources (personnel) management to ensure that they support the organization's strategies and objectives.
    COBIT 3rd Edition: PO4 Define the IT organization and relationships; PO7 Manage human resources; DS1 Define and manage service levels
    COBIT 4.0: PO4 Define the IT processes, organization and relationships; PO7 Manage IT human resources; DS1 Define and manage service levels

2.3 Evaluate the IT strategy and the process for its development, approval, implementation and maintenance to ensure that it supports the organization's strategies and objectives.
    COBIT 3rd Edition: PO1 Define a strategic IT plan; PO5 Manage the IT investment
    COBIT 4.0: PO1 Define a strategic IT plan; PO5 Manage the IT investment

2.4 Evaluate the organization's IT policies, standards, procedures and processes for their development, approval, implementation and maintenance to ensure that they support the IT strategy and comply with regulatory and legal requirements.
    COBIT 3rd Edition: PO8 Ensure compliance with external requirements; AI6 Manage changes; M1 Monitor the processes
    COBIT 4.0: ME3 Ensure regulatory compliance; AI6 Manage changes; ME1 Monitor and evaluate IT performance

2.5 Evaluate management practices to ensure compliance with the organization's IT strategy, policies, standards and procedures.
    COBIT 3rd Edition: PO6 Communicate management aims and direction; PO7 Manage human resources; PO10 Manage projects; PO11 Manage quality; DS6 Identify and allocate costs
    COBIT 4.0: PO6 Communicate management aims and direction; PO7 Manage IT human resources; PO10 Manage projects; PO8 Manage quality; DS6 Identify and allocate costs

2.6 Evaluate IT resource investment, use and allocation practices to ensure alignment with the organization's strategies and objectives.
    COBIT 3rd Edition: PO5 Manage the IT investment; PO10 Manage projects
    COBIT 4.0: PO5 Manage the IT investment; PO10 Manage projects

2.7 Evaluate IT contracting strategies and policies and contract management practices to ensure that they support the organization's strategies and objectives.
    COBIT 3rd Edition: PO7 Manage human resources; PO8 Ensure compliance with external requirements; AI1 Identify automated solutions; DS2 Manage third-party services; DS9 Manage the configuration
    COBIT 4.0: PO7 Manage IT human resources; ME3 Ensure regulatory compliance; AI1 Identify automated solutions; DS2 Manage third-party services; DS9 Manage the configuration

Page 34: CRM 2007 Glossary & Appendices

Chapter 2: IT Governance (cont.)

2.8 Evaluate risk management practices to ensure that the organization's IT-related risks are properly managed.
    COBIT 3rd Edition: PO1 Define a strategic IT plan; PO6 Communicate management aims and directions; PO9 Assess risks; PO10 Manage projects; M1 Monitor the process; M4 Provide for independent audit
    COBIT 4.0: PO1 Define a strategic IT plan; PO6 Communicate management aims and directions; PO9 Assess and manage IT risks; PO10 Manage projects; ME4 Provide IT governance

2.9 Evaluate monitoring and assurance practices to ensure that the board and executive management receive sufficient and timely information about IT performance.
    COBIT 3rd Edition: PO8 Ensure compliance with external requirements; PO10 Manage projects; PO11 Manage quality; M2 Assess internal control adequacy; M3 Obtain independent assurance
    COBIT 4.0: PO8 Manage quality; PO10 Manage projects; ME2 Monitor and evaluate internal control; ME3 Ensure regulatory compliance

Chapter 3: Systems and Infrastructure Life Cycle Management

3.1 Evaluate the business case for the proposed system development/acquisition to ensure that it meets the organization's business goals.
    COBIT 3rd Edition: PO3 Determine technological direction; PO11 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; DS9 Manage the configuration
    COBIT 4.0: PO3 Determine technological direction; PO8 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; DS9 Manage the configuration

3.2 Evaluate the project management framework and project governance practices to ensure that business objectives are achieved in a cost-effective manner while managing risks to the organization.
    COBIT 3rd Edition: PO9 Assess risks; PO10 Manage projects; PO11 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software
    COBIT 4.0: PO9 Assess and manage IT risks; PO10 Manage projects; PO8 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software

3.3 Perform reviews to ensure that a project is progressing in accordance with project plans, it is adequately supported by documentation and the status reporting is accurate.
    COBIT 3rd Edition: PO10 Manage projects; AI1 Identify automated solutions; AI2 Acquire and maintain application software; M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: PO10 Manage projects; AI1 Identify automated solutions; AI2 Acquire and maintain application software; ME2 Monitor and evaluate internal control

Page 35: CRM 2007 Glossary & Appendices


Chapter 3: Systems and Infrastructure Life Cycle Management (cont.)

3.4 Evaluate proposed control mechanisms for systems and/or infrastructure during specification, development/acquisition and testing to ensure that they will provide safeguards and comply with the organization's policies and other requirements.
    COBIT 3rd Edition: PO10 Manage projects; PO11 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI5 Install and accredit systems
    COBIT 4.0: PO10 Manage projects; PO8 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI7 Install and accredit solutions and changes

3.5 Evaluate the processes by which systems and/or infrastructure are developed/acquired and tested to ensure that the deliverables meet the organization's objectives.
    COBIT 3rd Edition: PO10 Manage projects; PO11 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI5 Install and accredit systems
    COBIT 4.0: PO10 Manage projects; PO8 Manage quality; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI7 Install and accredit solutions and changes

3.6 Evaluate the readiness of the system and/or infrastructure for implementation and migration into production.
    COBIT 3rd Edition: PO3 Determine technological direction; AI3 Acquire and maintain technology infrastructure; AI5 Install and accredit systems
    COBIT 4.0: PO3 Determine technological direction; AI3 Acquire and maintain technology infrastructure; AI7 Install and accredit solutions and changes

3.7 Perform postimplementation review of systems and/or infrastructure to ensure that they meet the organization's objectives and are subject to effective internal control.
    COBIT 3rd Edition: PO10 Manage projects; PO11 Manage quality; AI5 Install and accredit systems
    COBIT 4.0: PO10 Manage projects; PO8 Manage quality; AI7 Install and accredit solutions and changes

3.8 Perform periodic reviews of systems and/or infrastructure to ensure that they continue to meet the organization's objectives and are subject to effective internal control.
    COBIT 3rd Edition: PO6 Communicate management aims and direction; PO10 Manage projects; PO11 Manage quality; AI5 Install and accredit systems; DS1 Define and manage service levels; DS3 Manage performance and capacity; M2 Assess internal control adequacy; M3 Obtain independent assurance; M4 Provide for independent audit
    COBIT 4.0: PO6 Communicate management aims and direction; PO10 Manage projects; PO8 Manage quality; AI7 Install and accredit solutions and changes; DS1 Define and manage service levels; DS3 Manage performance and capacity; ME2 Monitor and evaluate internal control

Page 36: CRM 2007 Glossary & Appendices

Chapter 3: Systems and Infrastructure Life Cycle Management (cont.)

3.9 Evaluate the process by which systems and/or infrastructure are maintained to ensure the continued support of the organization's objectives and are subject to effective internal control.
    COBIT 3rd Edition: PO3 Determine technological direction; PO11 Manage quality; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes
    COBIT 4.0: PO3 Determine technological direction; PO8 Manage quality; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes

3.10 Evaluate the process by which systems and/or infrastructure are disposed of to ensure that they comply with the organization's policies and procedures.
    COBIT 3rd Edition: PO6 Communicate management aims and direction; AI1 Identify automated solutions
    COBIT 4.0: PO6 Communicate management aims and direction; AI1 Identify automated solutions

Chapter 4: IT Service Delivery and Support

4.1 Evaluate service level management practices to ensure that the level of service from internal and external service providers is defined and managed.
    COBIT 3rd Edition: AI4 Develop and maintain procedures; DS1 Define and manage service levels; DS2 Manage third-party services; DS6 Identify and allocate costs; DS8 Assist and advise customers; M1 Monitor the process
    COBIT 4.0: AI4 Enable operation and use; DS1 Define and manage service levels; DS2 Manage third-party services; DS6 Identify and allocate costs; DS8 Manage service desk and incidents; DS10 Manage problems; ME1 Monitor and evaluate IT performance

4.2 Evaluate operations management to ensure that IT support functions effectively meet business needs.
    COBIT 3rd Edition: PO9 Assess risks; AI4 Develop and maintain procedures; AI5 Install and accredit systems; DS13 Manage operations; M2 Assess internal control adequacy
    COBIT 4.0: PO9 Assess and manage IT risks; AI4 Enable operation and use; AI7 Install and accredit solutions and changes; DS13 Manage operations; ME1 Monitor and evaluate IT performance

4.3 Evaluate data administration practices to ensure the integrity and optimization of databases.
    COBIT 3rd Edition: PO2 Define the information architecture; PO4 Define the IT organization and relationships; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI5 Install and accredit systems; DS5 Ensure systems security; M1 Monitor the process
    COBIT 4.0: PO2 Define the information architecture; PO4 Define the IT processes, organization and relationships; AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI7 Install and accredit solutions and changes; DS5 Ensure systems security; ME1 Monitor and evaluate IT performance

Page 37: CRM 2007 Glossary & Appendices

elSA Appendix A

Chapter 4: IT Service Delivery and Support (cont.)

CISA Review Manual COBIT 3'~ Edition COBiT 4.0

Tasks COBII Processes

4.4 Evaluate the use of capacity and performance monitoring tools and techniques to ensure that IT services meet the organization's objectives.
  COBIT 3rd Edition: AI1 Identify automated solutions; AI5 Install and accredit systems; DS1 Define and manage service levels; DS3 Manage performance and capacity; M1 Monitor the process; PO11 Manage quality
  COBIT 4.0: AI1 Identify automated solutions; AI7 Install and accredit solutions and changes; DS1 Define and manage service levels; DS3 Manage performance and capacity; ME1 Monitor and evaluate IT performance

4.5 Evaluate change, configuration and release management practices to ensure that changes made to the organization's production environment are adequately controlled and documented.
  COBIT 3rd Edition: AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI5 Install and accredit systems; AI6 Manage changes; DS9 Manage the configuration
  COBIT 4.0: PO8 Manage quality; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI7 Install and accredit solutions and changes; AI6 Manage changes; DS9 Manage the configuration

4.6 Evaluate problem and incident management practices to ensure that incidents, problems or errors are recorded, analyzed and resolved in a timely manner.
  COBIT 3rd Edition: DS8 Assist and advise customers; DS10 Manage problems and incidents; DS11 Manage data; M2 Assess internal control adequacy
  COBIT 4.0: DS8 Manage service desk and incidents; DS10 Manage problems; DS11 Manage data; ME1 Monitor and evaluate IT performance

4.7 Evaluate the functionality of the IT infrastructure (e.g., network components, hardware, system software) to ensure that it supports the organization's objectives.
  COBIT 3rd Edition: PO3 Determine technological direction; PO11 Manage quality; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes
  COBIT 4.0: PO3 Determine technological direction; PO8 Manage quality; AI3 Acquire and maintain technology infrastructure; AI6 Manage changes

Chapter 5: Protection of Information Assets

CISA Review Manual tasks and the corresponding COBIT 3rd Edition and COBIT 4.0 processes:

5.1 Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.
  COBIT 3rd Edition: AI6 Manage changes; DS4 Ensure continuous service; DS5 Ensure systems security; DS10 Manage problems and incidents; M1 Monitor the process
  COBIT 4.0: AI6 Manage changes; DS4 Ensure continuous service; DS5 Ensure systems security; DS10 Manage problems; ME1 Monitor and evaluate IT performance

5.2 Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted.
  COBIT 3rd Edition: DS4 Ensure continuous service; DS5 Ensure systems security; DS11 Manage data; DS13 Manage operations; M1 Monitor the process
  COBIT 4.0: DS4 Ensure continuous service; DS5 Ensure systems security; DS11 Manage data; DS13 Manage operations; ME1 Monitor and evaluate IT performance


Chapter 5: Protection of Information Assets (cont.)

CISA Review Manual tasks and the corresponding COBIT 3rd Edition and COBIT 4.0 processes:

5.3 Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss.
  COBIT 3rd Edition: PO9 Assess risks; DS4 Ensure continuous service; DS12 Manage facilities; M1 Monitor the process
  COBIT 4.0: PO9 Assess and manage IT risks; DS4 Ensure continuous service; DS12 Manage the physical environment; ME1 Monitor and evaluate IT performance; ME3 Ensure regulatory compliance

5.4 Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded.
  COBIT 3rd Edition: PO4 Define the IT organization and relationships; DS5 Ensure systems security; DS12 Manage facilities; M1 Monitor the process; PO8 Ensure compliance with external requirements
  COBIT 4.0: PO4 Define the IT processes, organization and relationships; DS5 Ensure systems security; DS12 Manage the physical environment; ME1 Monitor and evaluate IT performance; ME3 Ensure regulatory compliance

5.5 Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets.
  COBIT 3rd Edition: AI3 Acquire and maintain technology infrastructure; DS4 Ensure continuous service; DS5 Ensure systems security; DS11 Manage data; M1 Monitor the process
  COBIT 4.0: ME3 Ensure regulatory compliance; AI3 Acquire and maintain technology infrastructure; DS4 Ensure continuous service; DS5 Ensure systems security; DS11 Manage data; ME1 Monitor and evaluate IT performance

Chapter 6: Business Continuity and Disaster Recovery

CISA Review Manual tasks and the corresponding COBIT 3rd Edition and COBIT 4.0 processes:

6.1 Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing.
  COBIT 3rd Edition: PO2 Define the information architecture; DS4 Ensure continuous service; DS11 Manage data
  COBIT 4.0: PO2 Define the information architecture; DS4 Ensure continuous service; DS11 Manage data

6.2 Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster.
  COBIT 3rd Edition: DS4 Ensure continuous service; DS11 Manage data; DS12 Manage facilities; DS13 Manage operations
  COBIT 4.0: DS4 Ensure continuous service; DS11 Manage data; DS12 Manage the physical environment; ME3 Ensure regulatory compliance

6.3 Evaluate the organization's business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption.
  COBIT 3rd Edition: DS4 Ensure continuous service
  COBIT 4.0: DS13 Manage operations; DS4 Ensure continuous service


COBIT 3RD EDITION

The following information provides the set of COBIT domains and the 34 IT processes, which can be identified for each CISA job practice task listed in the previous tables.

Domain / Process

Plan and Organize
  PO1 Define a strategic IT plan
  PO2 Define the information architecture
  PO3 Determine technological direction
  PO4 Define the IT organization and relationships
  PO5 Manage the IT investment
  PO6 Communicate management aims and direction
  PO7 Manage human resources
  PO8 Ensure compliance with external requirements
  PO9 Assess risks
  PO10 Manage projects
  PO11 Manage quality

Acquire and Implement
  AI1 Identify automated solutions
  AI2 Acquire and maintain application software
  AI3 Acquire and maintain technology infrastructure
  AI4 Develop and maintain procedures
  AI5 Install and accredit systems
  AI6 Manage changes

Deliver and Support
  DS1 Define and manage service levels
  DS2 Manage third-party services
  DS3 Manage performance and capacity
  DS4 Ensure continuous service
  DS5 Ensure systems security
  DS6 Identify and allocate costs
  DS7 Educate and train users
  DS8 Assist and advise customers
  DS9 Manage the configuration
  DS10 Manage problems and incidents
  DS11 Manage data
  DS12 Manage facilities
  DS13 Manage operations

Monitor
  M1 Monitor the process
  M2 Assess internal control adequacy
  M3 Obtain independent assurance
  M4 Provide for independent audit


COBIT 4.0


The following information provides the set of COBIT domains and the 34 IT processes, which can be identified for each CISA job practice task listed in the previous tables.

Domain / Process

Plan and Organize
  PO1 Define a strategic IT plan
  PO2 Define the information architecture
  PO3 Determine technological direction
  PO4 Define the IT processes, organization and relationships
  PO5 Manage the IT investment
  PO6 Communicate management aims and direction
  PO7 Manage IT human resources
  PO8 Manage quality
  PO9 Assess and manage IT risks
  PO10 Manage projects

Acquire and Implement
  AI1 Identify automated solutions
  AI2 Acquire and maintain application software
  AI3 Acquire and maintain technology infrastructure
  AI4 Enable operation and use
  AI5 Procure IT resources
  AI6 Manage changes
  AI7 Install and accredit solutions and changes

Deliver and Support
  DS1 Define and manage service levels
  DS2 Manage third-party services
  DS3 Manage performance and capacity
  DS4 Ensure continuous service
  DS5 Ensure systems security
  DS6 Identify and allocate costs
  DS7 Educate and train users
  DS8 Manage service desk and incidents
  DS9 Manage the configuration
  DS10 Manage problems
  DS11 Manage data
  DS12 Manage the physical environment
  DS13 Manage operations

Monitor and Evaluate
  ME1 Monitor and evaluate IT performance
  ME2 Monitor and evaluate internal control
  ME3 Ensure regulatory compliance
  ME4 Provide IT governance


APPENDIX B: IS AUDITING STANDARDS, GUIDELINES AND PROCEDURES

The specialized nature of IS auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of ISACA is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance.

Standards define mandatory requirements for IS auditing and reporting. They inform:
• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors.
• Management and other interested parties of the profession's expectations concerning the work of practitioners.
• Holders of the CISA designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.

COBIT resources should be used as a source of best practice guidance. The COBIT framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management must establish an adequate system of internal control." COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria.

As defined in the COBIT framework, each of the following is organized by IT management process. COBIT is intended for use by business and IT management, as well as IS auditors; therefore, its usage enables the understanding of business objectives, communication of best practices and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:
• Control objectives: High-level and detailed generic statements of minimum good control
• Control practices: Practical rationales and "how to implement" guidance for the control objectives
• Audit guidelines: Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met
• Management guidelines: Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors. They provide a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
  - Performance measurement: How well is the IT function supporting business requirements? Management guidelines can be used to support self-assessment workshops and the implementation by management of continuous monitoring and improvement procedures, as part of an IT governance scheme.
  - IT control profiling: What IT processes are important? What are the critical success factors for control?
  - Awareness: What are the risks of not achieving the objectives?
  - Benchmarking: What do others do? How can results be measured and compared? Management guidelines provide example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and identify control gaps and strategies for improvement.

RELATIONSHIP OF STANDARDS TO GUIDELINES AND PROCEDURES

There are 11 overall IS Auditing Standards. IS Auditing Standards are brief mandatory reports on requirements regarding the audit and its findings for certification holders. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those standards. The procedure examples show the steps performed by an IS auditor and are more informative than IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed.

Codification:
• Standards are numbered consecutively as they are issued, beginning with S1.
• Guidelines are numbered consecutively as they are issued, beginning with G1.
• Procedures are numbered consecutively as they are issued, beginning with P1.

Please refer to the index of IS Auditing Standards, Guidelines and Procedures for a complete listing of those documents.

USE

It is suggested that during the annual audit program, as well as individual reviews throughout the year, the IS auditor should review the standards to ensure compliance with them. The IS auditor is encouraged to refer to the ISACA standards in the report, stating that the review was conducted in compliance with the laws of the country, applicable audit regulations and ISACA standards.


INDEX OF IS AUDITING STANDARDS, GUIDELINES AND PROCEDURES

Note: These documents are available for download on the ISACA web site, www.isaca.org/standards

Index of IS Auditing Standards (with effective date)

S1 Audit Charter (1 January 2005)
S2 Independence (1 January 2005)
S3 Professional Ethics and Standards (1 January 2005)
S4 Competence (1 January 2005)
S5 Planning (1 January 2005)
S6 Performance of Audit Work (1 January 2005)
S7 Reporting (1 January 2005)
S8 Follow-up Activities (1 January 2005)
S9 Irregularities and Illegal Acts (1 September 2005)
S10 IT Governance (1 September 2005)
S11 Use of Risk Assessment in Audit Planning (1 November 2005)
S12 Audit Materiality (1 July 2006)
S13 Using the Work of Other Experts (1 July 2006)
S14 Audit Evidence (1 July 2006)

Index of IS Auditing Guidelines (with effective date)

G1 Using the Work of Other Auditors (1 June 1998)
G2 Audit Evidence Requirement (1 December 1998)
G3 Use of Computer Assisted Audit Techniques (CAATs) (1 December 1998)
G4 Outsourcing of IS Activities to Other Organizations (1 September 1999)
G5 Audit Charter (1 September 1999)
G6 Materiality Concepts for Auditing Information Systems (1 September 1999)
G7 Due Professional Care (1 September 1999)
G8 Audit Documentation (1 September 1999)
G9 Audit Considerations for Irregularities (1 March 2000)
G10 Audit Sampling (1 March 2000)
G11 Effect of Pervasive IS Controls (1 March 2000)
G12 Organizational Relationship and Independence (1 September 2000)
G13 Use of Risk Assessment in Audit Planning (1 September 2000)
G14 Application Systems Review (1 November 2001)
G15 Planning Revised (1 March 2002)
G16 Effect of Third Parties on an Organization's IT Controls (1 March 2002)
G17 Effect of Nonaudit Role on the IS Auditor's Independence (1 July 2002)
G18 IT Governance (1 July 2002)
G19 Irregularities and Illegal Acts (1 July 2002)
G20 Reporting (1 January 2003)
G21 Enterprise Resource Planning (ERP) Systems Review (1 August 2003)
G22 Business-to-consumer (B2C) E-commerce Review (1 August 2003)
G23 System Development Life Cycle (SDLC) Reviews (1 August 2003)
G24 Internet Banking (1 August 2003)
G25 Review of Virtual Private Networks (1 July 2004)
G26 Business Process Reengineering (BPR) Project Reviews (1 July 2004)
G27 Mobile Computing (1 September 2004)
G28 Computer Forensics (1 September 2004)
G29 Postimplementation Review (1 January 2005)
G30 Competence (1 June 2005)
G31 Privacy (1 June 2005)
G32 Business Continuity Plan (BCP) Review From IT Perspective (1 September 2005)
G33 General Considerations on the Use of the Internet (1 March 2006)
G34 Responsibility, Authority and Accountability (1 March 2006)
G35 Follow-up Activities (1 March 2006)

Index of IS Auditing Procedures (with effective date)

P1 IS Risk Assessment (1 July 2002)
P2 Digital Signatures (1 July 2002)
P3 Intrusion Detection (1 August 2003)
P4 Viruses and other Malicious Code (1 August 2003)
P5 Control Risk Self-assessment (1 August 2003)
P6 Firewalls (1 August 2003)
P7 Irregularities and Illegal Acts (1 November 2003)
P8 Security Assessment-Penetration Testing and Vulnerability Analysis (1 September 2004)
P9 Evaluation of Management Controls Over Encryption Methodologies (1 January 2005)
P10 Business Application Change Control (1 October 2006)

APPENDIX C: 2007 CISA EXAMINATION GENERAL INFORMATION

ISACA is a professional membership association composed of individuals interested in IS audit, assurance, control, security and governance. The CISA Certification Board is chartered by ISACA and is responsible for establishing policies for the CISA certification program and developing the examination.

REQUIREMENTS FOR CERTIFICATION

The CISA designation is awarded to those individuals who have met and continue to meet requirements regarding (1) the CISA examination, (2) IS auditing, control or security experience, (3) the Code of Professional Ethics, and (4) the continuing education program.

SUCCESSFUL COMPLETION OF THE CISA EXAMINATION

The examination is open to all individuals who wish to take it. Successful examination candidates are not certified until they apply for certification and demonstrate they have acquired requisite experience.

EXPERIENCE IN IS AUDITING, CONTROL AND SECURITY

A minimum of five (5) years professional IS auditing, control and security work experience is required for certification. Substitutions and waivers of such experience may be obtained as follows:
• A maximum of one (1) year of IS audit, control or security experience may be substituted for:
  - One full year of non-IS audit experience, or
  - One full year of information systems experience, or
  - An Associate's degree (60 semester college credits or its equivalent).
• Two years IS audit, control or security experience may be substituted for a Bachelor's degree (120 semester college credits or its equivalent) or master's degree from a university that enforces the ISACA-sponsored model curricula.
• Two years as a full-time university instructor in a related field (e.g., computer science, accounting or information systems auditing) can be substituted for one year of IS audit, control, assurance or security experience.

Experience must have been gained within the 10-year period preceding the application for certification or within five (5) years from the date of initially passing the examination. Application for certification must be submitted within five (5) years from the passing date of the CISA exam. All experience will be independently verified with employers.

DESCRIPTION OF THE EXAMINATION

The CISA Certification Board oversees the development of the examination and ensures the currency of its content. Questions for the CISA examination are developed through a multitiered process designed to enhance the ultimate quality of the examination. Once the CISA Certification Board approves the questions, they go into the item pool from which all CISA examination questions are selected.


The purpose of the examination is to evaluate a candidate's knowledge and experience in conducting IS audits and reviews. The examination consists of 200 multiple-choice questions, administered during a four-hour session. Candidates may take the exam in Dutch, English, French, German, Hebrew, Italian, Japanese, Korean, Simplified Mandarin Chinese, Spanish or Traditional Mandarin Chinese. A proctor speaking the primary language used at each test site is available. If a candidate desires to take the examination in a language other than the primary language of the test site, the proctor may not be conversant in the language chosen. However, written instructions will be available in the language of the examination.

REGISTRATION FOR THE CISA EXAMINATION

The CISA examination will be administered twice in 2007. The first 2007 CISA examination will be administered on Saturday, 9 June 2007 and the second 2007 CISA examination will be administered on Saturday, 8 December 2007. Please refer to the CISA 2007 Bulletin of Information for specific registration deadlines at: www.isaca.org/cisaboi. The registration form can be obtained online at www.isaca.org/cisaexam or from ISACA at the following address:

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, Illinois 60008, USA
Attn.: CISA Examination Registrar
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]

Additionally, save US $50 by registering online at www.isaca.org/examreg.

The 2007 CISA examination fee must accompany the registration form. The Candidate's Guide to the CISA Exam will be sent upon receipt and recording of your registration and payment.

CISA PROGRAM ACCREDITED UNDER ISO/IEC 17024:2003

The American National Standards Institute (ANSI) has accredited the CISA and CISM certifications under ISO/IEC 17024:2003, General Requirements for Bodies Operating Certification Systems of Persons. ANSI, a private, nonprofit organization, accredits other organizations to serve as third-party product, system and personnel certifiers.

ISO/IEC 17024 specifies the requirements to be followed by organizations certifying individuals against specific requirements. ANSI describes ISO/IEC 17024 as "expected to play a prominent role in facilitating global standardization of the certification community, increasing mobility among countries, enhancing public safety, and protecting consumers."

ANSI's accreditation:
• Promotes the unique qualifications and expertise ISACA's certifications provide
• Protects the integrity of the certifications and provides legal defensibility
• Enhances consumer and public confidence in the certifications and the people who hold them
• Facilitates mobility across borders or industries

[Logo: ANSI Accredited Program, Personnel Certification]

Accreditation by ANSI signifies that ISACA's procedures meet ANSI's essential requirements for openness, balance, consensus and due process. With this accreditation, ISACA anticipates that significant opportunities for CISAs and CISMs will continue to open in the US and around the world.


PREPARING FOR THE CISA EXAMINATION

The CISA examination evaluates a candidate's practical knowledge of the content areas listed in this manual and in the Candidate's Guide to the CISA Exam. That is, the examination is designed to test a candidate's knowledge, experience and judgment of the proper or preferred application of IS audit, security and control principles, methods and practices. Since the examination covers a broad spectrum of information systems audit, control and security issues, candidates are cautioned not to assume that reading CISA study guides and reference publications will fully prepare them for the examination. CISA candidates are encouraged to refer to their own experiences when studying for the exam and refer to CISA study guides and reference publications for further explanation of concepts or practices with which the candidate is not familiar.

No representation or warranties are made by ISACA in regard to CISA exam study guides, other ISACA publications, references or courses assuring candidates' passage of the examination.

TYPES OF EXAM QUESTIONS

CISA exam questions are developed with the intent of measuring and testing practical knowledge and the application of general concepts and standards. All questions are multiple choice and are designed for one best answer.

Every CISA question has a stem (question) and four options (answer choices). The candidate is asked to choose the correct or best answer from the options. The stem may be in the form of a question or incomplete statement. In some instances, a scenario or description problem may also be included. These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided. Many times a CISA examination question will require the candidate to choose the most likely or best answer. In every case the candidate is required to read the question carefully, eliminate known incorrect answers and then make the best choice possible. Knowing the format in which questions are asked and how to study to gain knowledge of what will be tested will go a long way toward answering them correctly.

ADMINISTRATION OF THE EXAMINATION

ISACA has contracted with an internationally recognized testing agency. This not-for-profit corporation engages in the development and administration of credentialing examinations for certification and licensing purposes. It assists ISACA in the construction, administration and scoring of the CISA examination.

SITTING FOR THE EXAMINATION

Be prompt. Registration will begin at each center at the time indicated on your admission ticket. All candidates must be registered and in the test center when the chief examiner begins reading the oral instructions. NO CANDIDATE WILL BE ADMITTED TO THE TEST CENTER ONCE THE CHIEF EXAMINER BEGINS READING THE ORAL INSTRUCTIONS, APPROXIMATELY 30 MINUTES BEFORE THE EXAMINATION BEGINS. Any candidate who arrives after the oral instructions have begun will not be allowed to sit for the exam and will forfeit the registration fee. Candidates can use their admission tickets only at the designated test center on the admission ticket.

Candidates will be admitted to the test center only if they have a valid admission ticket and an acceptable form of identification. Examples of acceptable identification include those with a photograph (such as a passport or photo driver's license). Any candidate who does not provide an original form of identification will not be allowed to sit for the exam and will forfeit their registration fee.


Observe the following conventions when completing the examination:
• Candidates are not allowed to bring study materials into the examination site.
• Bring several No. 2 lead pencils. Do not assume someone will provide pencils for answering the examination.
• The chief examiner or designate at each test center will read aloud the instructions for entering information on the answer sheet. It is imperative that candidates include their examination identification number as it appears on their admission ticket and any other requested information. Failure to do so may result in a delay or errors.
• Identify key words or phrases in the question (MOST, BEST, FIRST) before selecting and recording answers.
• Read the provided instructions carefully before attempting to answer questions. Skipping over these directions or reading them too quickly could result in missing important information and possibly losing credit points.
• It is imperative that candidates mark the appropriate area when indicating their response on the answer sheet. When correcting a previously answered question, fully erase a wrong answer before writing in the new one.
• Remember to answer all questions since there is no penalty for wrong answers. Grading is based solely on the number of questions answered correctly.

BUDGETING YOUR TIME

• Try to arrive at the examination testing site at least 30 minutes before the examination instructions are read. This will give candidates time to locate a seat and get acclimated.
• The examination is administered over a four-hour period. This allows for a little over one minute per question. Therefore, it is advisable that candidates pace themselves to complete the entire exam. Candidates must complete an average of 50 questions per hour.
• Candidates are urged to record their answers on their answer sheet. No additional time will be allowed after the examination time has elapsed to transfer or record answers should candidates mark their answers in the question booklet.

RULES AND PROCEDURES

• Candidates will be asked to sign the answer sheet to protect the security of the examination and maintain the validity of the scores.
• Upon the discretion of the CISA Certification Board, any candidate can be disqualified who is discovered engaging in any kind of misconduct, such as giving or receiving help; using notes, papers, or other aids; attempting to take the examination for someone else; or removing test materials or notes from the testing room. The testing agency will provide the board with records regarding such irregularities. The board will review reported incidents, and all board decisions are final.
• Candidates may not take the exam question booklet after completion of the exam.

GRADING THE EXAMINATION

The CISA exam consists of 200 items. Candidate scores are reported as a scaled score. A scaled score is a conversion of a candidate's raw score on an exam to a common scale. ISACA uses and reports scores on a common scale from 200 to 800. A candidate must receive a score of 450 or higher to pass the exam. A score of 450 represents a minimum consistent standard of knowledge as established by ISACA's CISA Certification Board. A candidate receiving a passing score may then apply for certification if all other requirements are met.

Passing the exam does not grant the CISA designation. To become a CISA, each candidate must complete all requirements, including submitting an application for certification.

A candidate receiving a score less than 450 is not successful and can retake the exam during any future exam administration. To assist with future study, the result letter each candidate receives will include a score analysis by content area. There are no limits to the number of times a candidate can take the exam.


Approximately eight weeks after the test date, the official exam results will be mailed to candidates. Additionally, with the candidate's consent on the registration form, an e-mail containing the candidate's pass/fail status and score will be sent to paid candidates. This e-mail notification will only be sent to the address listed in the candidate's profile at the time of the initial release of the results. To ensure the confidentiality of scores, exam results will not be reported by telephone or fax. To prevent the e-mail notification from being sent to the candidate's spam folder, the candidate should add [email protected] to his/her address book, whitelist or safe senders list.

Successful candidates will receive an application for certification. For those candidates not passing the examination, the score report will contain a subscore for each job domain. The subscores can be useful in identifying those areas in which the candidate may need further study before retaking the examination. Unsuccessful candidates should note that taking either a simple or weighted average of the subscores does not derive the total scaled score.

Candidates receiving a failing score on the examination may request a rescoring of their answer sheet. This procedure ensures that no stray marks, multiple responses or other conditions interfered with computer scoring. Requests for hand scoring must be made in writing to the certification department within 12 months after the examination was administered. All requests must include a candidate's name, examination identification number and mailing address. A fee of US $50 must accompany this request.


Index

A
Abend, 481
Acceptance testing, 128, 137-138, 140, 146, 148, 152-155, 211, 245-246, 263, 5C
Access control, 20, 86, 97, 100, 150, 180, 205, 233, 252, 264, 273, 276, 281, 286, 295, 332, 334, 341-342, 345-346, 352, 354-356, 358-360, 362-364, 366, 368, 373, 385, 407-410, 416-417, 429, 481, 485, 490, 496, 508, 510-512
Access control lists (ACLs), 363
Access control table, 481
Access method, 277-278, 292, 299, 364, 481, 494, 508
Access rights, 29, 45, 100, 107, 175, 313, 325, 332, 340-342, 345-346, 349, 353, 358, 363, 366, 404, 429, 431, 481
Access/Collision Detection (CSMA/CD), 291
Accountability, 11, 13, 15, 17, 44, 62-63, 68, 70, 92-93, 129, 140, 153-154, 197, 209, 211, 225, 243, 343, 355-356, 367-368, 374, 403, 510, 525
Accreditation, 117, 122, 129, 140, 153-154, 163, 182, 528
Accuracy, 11, 30, 81, 96, 121, 151, 154, 164, 196-198, 200, 205, 210-211, 224, 245, 258, 281, 308, 317, 323, 325, 338, 358, 428, 465, 471, 482, 487, 492
ACID, See Atomicity, Consistency, Isolation and Durability
Acknowledgment, 220, 228
ACLs, See Access control lists
Active attack, 377, 499
ActiveX, 171, 395
Address space, 275, 377, 481, 494
Addressing, 22, 46, 66, 68, 74, 93, 140, 142, 147-148, 173, 218, 233, 238, 261, 293, 332, 339, 345-346, 369, 376, 405-406, 412, 481, 502
Administrative controls, 21-22, 481
ADTmag, 247
Advanced encryption standard (AES), 299-300, 337, 386, 388, 391
AES, See Advanced encryption standard
Aftermath, 411
AICPA, See American Institute of Certified Public Accountants
ALE, See Annual loss expectancy
Alpha, 153, 358, 409, 481
Alpha testing, 153
Alternative processing, 442, 471
Alternative routing, 453, 456, 461, 481
ALU, See Arithmetic-logic unit
American Institute of Certified Public Accountants (AICPA), 24, 47, 88, 508
American Institution of Electrical and Electronic Engineers (IEEE), 125, 191, 298-302, 328, 506-507
American National Standards Institute (ANSI), 218, 508, 528
American Standard Code for Information Interchange (ASCII), 36, 160, 170, 223, 277, 286, 481-482, 508
Analog, 283, 289, 292, 294, 397, 399-400, 481, 497, 501
Analytical review, 36
Annual loss expectancy (ALE), 81, 508
Anonymous File Transfer Protocol or File Transfer Protocol (FTP), 170, 260, 295, 304, 306, 354, 381-382, 392, 395, 415, 482, 503, 508
ANSI, See American National Standards Institute
Antispam, 484, 493
Antivirus software, 333, 393-395, 405-406, 431, 482
Apache, 414
API, See Application programming interface
Applet, 306, 482, 503
Application controls, 1, 23, 30, 36, 118-119, 189, 196, 203-204, 206, 220, 341, 417, 482


Application development, 1, 73, 109, 116-117, 121, 137-139, 165, 169, 172-173, 189-190, 216, 247, 265, 309, 491, 511
Application layer, 286, 293, 383, 390, 392, 482
Application program, 53, 199, 201, 203, 206, 318, 323, 325, 353, 467, 482
Application programmer, 105, 265, 497
Application programming, 97, 172, 277-278, 482, 508
Application programming interface (API), 172-173, 482, 497, 508
Application system, 21, 25, 36, 96, 131, 139, 149, 153, 163, 169, 171, 182, 187, 196, 203, 207-209, 213, 218-219, 354, 416, 446, 482, 502
Application-specific integrated circuits (ASICs), 292
Arithmetic-logic unit (ALU), 267, 482, 508
Arrays, 269, 359, 463
Artificial intelligence, 47, 114, 120, 171, 232, 237, 482, 491, 508
ASCII, See American Standard Code for Information Interchange
ASICs, See Application-specific integrated circuits
ASP, 114, 479-480
Assembler, 151, 482, 510-511
Assembly language, 482
Asset value, 79
Asymmetric, 224, 373, 385-387, 389, 392, 430, 483
Asymmetric key, 389, 483
Asynchronous attacks, 353
Asynchronous time division (ATDM), 295, 508
Asynchronous Transfer Mode (ATM), 296
Asynchronous transmission, 294, 483
ATDM, See Asynchronous time division
ATM, See Automated teller machine or Asynchronous Transfer Mode
Atomicity, Consistency, Isolation and Durability (ACID), 58, 114, 205, 250, 330, 370, 440, 480, 487, 508
Attribute sampling, 34-35, 483, 490
Audit approach, 8, 12, 15, 25, 27-28, 37, 45, 53, 208, 243, 319, 328
Audit charter, 11, 15, 17, 35, 525
Audit documentation, 8, 17, 41, 189, 515
Audit evidence, 15-17, 31-33, 37, 41, 196, 208-209, 407, 483, 525
Audit hooks, 51, 208-209
Audit methodology, 8, 25
Audit objective, 25, 29, 36, 483
Audit planning, 8, 10-13, 17-19, 24, 38, 233, 417, 525
Audit program, 15, 23, 25-26, 37, 41, 45, 51, 483, 514
Audit report, 8, 15, 23, 25-26, 28, 38-40, 88, 164
Audit risk, 8, 16, 27-29, 35, 37, 51, 413, 483
Audit strategy, 10, 12, 24, 57, 513
Audit trail, 21, 155, 183, 201, 219, 225, 230, 243, 264-265, 282, 319, 323, 332, 366-367, 370, 483
Authentication, 215
Authorization forms, 61, 100, 317
Automated teller machine, 35, 120, 229, 483, 508
Automated teller machine or Asynchronous Transfer Mode (ATM), 35, 120, 187, 229-230, 294, 296, 302, 450, 483, 508
B
Backbone, 219, 303, 396, 483, 487, 509
Backbone network services (BNS), 303, 509
Backlog, 101
Badge, 38, 483
Balanced scorecard, 60, 64, 66-67, 114, 495
Balancing, 38, 64, 95, 100, 118, 198, 203-204, 220, 229, 237, 255, 259, 293, 307, 309-310, 382
Bandwidth, 272-273, 288-290, 292-299, 302, 308-309, 387, 396, 456, 483-484, 493


Bank for Internal Settlements (BIS), 112, 508
Bar code, 271, 425, 483
Base case, 484
Baseband, 283, 288, 484
Basic control, 22
Bastion, 381-383
Batch, 95, 118, 180, 197-199, 218, 220, 222, 224, 260-261, 265, 267, 317, 373, 482, 484, 499
Batch control, 198, 222, 484
Batch integrity, 118, 199
Batch processing, 224, 484, 499
Batch registers, 198
Bayesian, 484
BCI, See Business Continuity Institute
BCM, See Business continuity management
BCP, See Business continuity planning
Benchmark, 76, 93, 285, 484
Benchmarking, 61, 86, 90, 93, 118, 193, 195, 203, 244, 246, 323, 325, 524
Beta testing, 153
BIA, See Business impact analysis
Bill of materials (BOM), 227, 509
BIMS, See Biometric information management and security
Binary code, 484
Bioidentification, 433
Biometric door locks, 426
Biometric information management and security (BIMS), 360, 508
Biometric security, 426
Biometrics, 332, 337, 341, 358-360, 415, 428, 433-434, 484
BIS, See Bank for Internal Settlements
Black box testing, 154, 484
BLP, See Bypass label processing
Bluesniff, 376
Bluetooth, 284, 297, 300-301, 320, 337, 376
BNS, See Backbone network services
BOM, See Bill of materials
Bootstrap, 195
Bottlenecks, 293, 308
BPR, See Business process reengineering
Bridge, 26, 393, 400, 484, 505
Broadband, 283, 296, 484, 506
Bromba, 433
Brouter, 484
Browser, 166, 171, 214-215, 236, 270, 304, 306, 309, 391, 482, 488, 490, 494, 503, 546
BRP, See Business recovery plan
Brute-force attack, 377, 385-386
Budget, 66, 90, 93, 101, 108, 123, 129-131, 135, 156-157, 272, 293, 502
Buffer, 172, 202, 281, 307, 383, 484
Buffer-overflow, 383
Bug, 305, 401
Bus, 180, 252, 270, 290-291, 463, 484-485, 491, 506, 508, 512
Bus topology, 491
Business Continuity Institute (BCI), 469, 479, 508
Business continuity management (BCM), 469, 508
Business continuity plan, 17, 335, 423, 429, 444, 450, 453, 457, 459, 461, 464-466, 469-471, 475-478, 519, 525
Business continuity planning (BCP), 17, 442, 445-448, 459, 465, 470, 476-479, 508, 525
Business continuity planning (BCP), 445, 477
Business impact analysis (BIA), 444
Business impact analysis (BIA), 71, 444, 449-450, 452-453, 457, 485, 508


Business process reengineering (BPR), 17, 118, 123, 169, 191-193, 245, 249, 485, 509, 525
Business process reengineering (BPR), 17, 525
Business recovery plan (BRP), 459, 509
Business risk, 18, 29, 46, 57, 164, 445, 483, 485
Bypass label processing (BLP), 368, 485, 509
C
CA, See Certification authority
CAAT, See Computer-assisted audit technique
Call-tracking, 398, 400
CAM, See Computer-aided manufacturing
Capability maturity model (CMM), 62, 86-87, 194-195, 485, 496, 509
Capability maturity model integration (CMMI), 194-195, 509
Capacity and growth planning, 61, 88, 323, 325
Capacity management, 86, 252, 257-258, 267, 272-273, 310, 325
Capacity planning, 255, 272, 323, 325
Capillary, 359
Carbon, 421
Carbon dioxide (CO2), 421
Carrier-sense Multiple, 291, 509
Carrier-sense Multiple Access/Collision Avoidance (CSMA/CA), 299, 302
Carrier-sense Multiple Access/Collision Detection (CSMA/CD), 291, 491, 509
Cartridges, 271, 463, 466
CASE, See Computer-aided software engineering
Cassettes, 466
Catalog, 214-215, 264
CCITT, See International Telegraph and Telephone Consultative Committee
CCK, See Complementary Code Keying
CDPD, See Cellular Digital Packet Data
Cellular, 298, 302, 398, 400, 461, 500, 509
Cellular Digital Packet Data (CDPD), 298, 509
Central processing unit (CPU), 180, 260, 267-269, 272, 274-275, 281-282, 302, 308, 353, 382, 454, 485, 488, 499, 508
Central processing unit (CPU), 488
Certco, 390
Certification authority (CA), 216-217, 299, 302, 390-391, 485, 501, 509
Certification authority (CA), 485
Certification practice statement (CPS), 217, 390, 485, 509
Certification revocation list (CRL), 217, 390, 485, 509
Certification revocation list, 217
CGI, See Common gateway interface
Chain of custody, 10, 334, 411, 417
Challenge/response, 337, 357
Change control, 23, 107, 118, 140, 149, 168, 172, 182-183, 187-188, 210, 212, 233, 256, 263-265, 311, 373, 416, 502
Change management, 21, 49, 61, 82, 89-90, 105, 107, 118, 149, 155, 157, 163, 183, 186-188, 192-194, 209, 213, 230, 252, 257, 263-264, 311, 323, 325, 343, 346, 373, 499
Channel service unit/digital service unit (CSU/DSU), 295, 486
Charting, 25
Check digit, 200, 486
Checkpoint, 176, 353
Checkpoint/restart, 353
Checksum, 223, 486
Chief privacy officer (CPO), 112, 340, 509
Chief security officer (CSO), 340, 509
CIAC, See Computer Incident Advisory Capability
CIM, See Computer-integrated manufacturing


Cipher, 337, 386, 388, 391, 425, 483
Ciphertext, 385, 486, 489, 491
Circuit-switched network, 294
CIS, See Continuous and intermittent simulation
Cleartext, 320, 389, 486
Client-server, 168, 180, 253, 264, 269, 276, 282, 284, 304, 309-310, 323-326, 333, 354-355, 359, 361, 363, 371, 373, 391-393, 429, 431, 486, 501
Client-server architecture, 309
CMDB, See Configuration management database
CMM, See Capability maturity model
CMMI, See Capability maturity model integration
CMMI/SEI, 247, 249, 327
CNC, See Computerized numeric control
CO2, See Carbon dioxide
Coaxial cable, 291, 461, 484, 486
COBIT, See Control Objectives for Information and related Technology
COCOMO, See Constructive cost model
CODASYL, See Conference on Data Systems Languages
Code generators, 118, 188, 282
Code of Professional Ethics, 8, 10, 14-15, 523, 527
Coding standards, 150, 245, 265
Cohesion, 150, 486
Cold site, 454, 456, 458, 486
COM/DCOM, See Component Object Model/Distributed Component Object Model
Command-line, 392
Common gateway interface (CGI), 151, 305-306, 378, 503, 509
Common Object Request Broker Architecture (CORBA), 171-172, 310, 501, 509
Communicating audit results, 8, 39
Comparison program, 265, 486
Compensating control, 38, 100, 107, 486
Competence, 11, 14-15, 17, 35, 525
Compiler, 150, 486
Complementary Code Keying (CCK), 300, 509
Completeness check, 487
Compliance testing, 24, 27, 31, 34, 206, 487
Component Object Model/Distributed Component Object Model (COM/DCOM), 171, 310, 509
Comprehensive audit, 487
Computer crime, 332, 334, 349-350, 352, 411
Computer Incident Advisory Capability (CIAC), 416, 509
Computer operations, 95, 187
Computer operator, 105, 282
Computer security incident response team (CSIRT), 351, 509
Computer shutdown, 353, 421
Computer-aided manufacturing (CAM), 171, 227, 509
Computer-aided software engineering (CASE), 1-2, 5, 9, 27, 32-33, 42, 44, 49, 61, 66, 72, 82, 85, 88-89, 96, 103, 111-112, 116, 120-121, 123-126, 128, 130, 136, 140, 142-143, 146, 152, 154, 158-160, 164, 171, 183, 188-190, 206, 214, 216, 229, 242-245, 248, 254, 271, 279, 304, 309, 312, 314, 319-320, 336, 342, 345, 347-348, 354, 357-360, 370-371, 377, 385, 396, 404-405, 412, 422, 426, 428-429, 431, 433-434, 443, 445-447, 449, 452-455, 457, 459, 461, 463-464, 470-471, 473, 476-478, 481, 484-485, 487, 490, 498-502, 503-509, 515, 529
Computer-aided software engineering (CASE), 32, 502
Computer-assisted audit technique (CAAT), 37, 48, 487, 509
Computer-integrated manufacturing (CIM), 227-228, 509
Computerized numeric control (CNC), 227, 509
Concurrency, 96, 244, 487
Conference on Data Systems Languages (CODASYL), 509


Confidentiality, 215
Configuration, 48, 95, 97, 118, 121, 140-141, 149, 154, 163, 168, 182-183, 187-188, 215, 218, 223, 244, 245, 255-258, 262-263, 266, 269, 276, 281, 288, 291, 302, 308, 311, 315, 337, 364-365, 379, 382, 397, 401, 409, 415-416, 455, 459, 461, 485, 487, 500, 502, 509, 514-515, 518, 520-521
Configuration management database (CMDB), 257, 509
Connectionless, 382
Console log, 256, 258, 319, 487
Constructive cost model (COCOMO), 134
Contingency planning, 20, 225, 347, 479-480, 487
Continuous and intermittent simulation (CIS), 51, 53, 208-209, 509
Continuous online auditing, 37, 119, 149, 208
Control account, 198
Control classifications, 20
Control group, 95-96, 100, 183, 187, 199, 265, 488
Control matrix, 38, 98-99, 269
Control Objectives for Information and related Technology (COBIT), 3, 8, 10, 21-22, 40, 43, 56-58, 62, 93, 110-113, 142-143, 248, 327, 338, 435-436, 469, 479, 495, 509, 513-521, 523
Control overhead, 78
Control procedures, 8, 22-23, 28-30, 38, 84, 87, 118, 182, 197, 199, 201, 212, 220-221, 229, 233, 243, 263, 294, 310, 416
Control risk, 18, 27-28, 51, 53, 488, 494, 526
Control self-assessment (CSA), 10, 52
Control self-assessment (CSA), 9-10, 42-44, 52, 509
Controlling input/output, 156
Conversion, 85, 95, 117, 122, 149, 155, 159-161, 163, 169-170, 180, 187, 198, 212, 264, 286, 315, 418, 503
Cookie, 306, 414, 488
Cookie/session, 414
Cooperative processing systems, 120, 230
CORBA, See Common Object Request Broker Architecture
Corporate governance, 1, 13, 26, 60, 62-64, 70, 111-113, 249, 488, 493
Corrective controls, 448, 488
Coupling, 150, 215, 488
CPM, See Critical path methodology
CPO, See Chief privacy officer
CPS, See Certification practice statement
CPU, See Central processing unit
Crackers, 248, 350, 374, 398, 403, 437
Critical path methodology (CPM), 135, 137, 508-509
CRL, See Certification revocation list
CRM, See Customer relationship management
Cryptographic algorithm, 294, 388, 486
CSA, See Control self-assessment
CSIRT, See Computer security incident response team
CSMA/CA, See Carrier-sense Multiple Access/Collision Avoidance
CSMA/CD, See Carrier-sense Multiple Access/Collision Detection
CSO, See Chief security officer
CSU/DSU, See Channel service unit/digital service unit
Cube, 236
Customer relationship management (CRM), 139, 166, 227, 240, 488, 493, 509, 546
Customer relationship management, 111, 120, 139, 217, 240, 488, 509
Cyberattacks, 440
Cybercommerce, 11~
Cybercrime, 24, 434, 440, 479
Cybersecurity, 249, 327, 433, 479
Cyberthreats, 436
Cybertrust, 390


D
DACs, See Discretionary Access Controls
Daemen, 388
Damage assessment team, 457
Damage/flooding, 419
Data analysis, 48, 237, 369, 418
Data center, 38, 159, 264, 276, 282, 341, 428, 473-474
Data classification, 129, 337, 340-341
Data communication, 236, 277
Data communications equipment (DCE), 294
Data communications equipment or Distributed computing environment (DCE), 294-295, 361, 486, 509
Data communications software, 252, 273, 277
Data control group, 100
Data conversion, 117, 122, 149, 155, 159-161, 169, 198, 212
Data custodian, 488
Data dictionary (DD), 278-279, 509
Data Dictionary/Directory System (DD/DS), 278-279, 509
Data editing, 199, 240
Data encryption, 100, 223, 228-229, 371, 373, 386, 430, 489, 508-509
Data Encryption Standard (DES), 224, 386, 388, 391, 430, 489, 508-509
Data Encryption Standard (DES), 430
Data entry, 61, 85, 95, 198-199, 254, 317, 411, 460, 464-465, 482
Data file control procedures, 118, 201
Data flow diagram (DFD), 509
Data input, 21, 197, 200, 482, 504
Data integrity, 106-107, 119, 148, 161, 163, 196, 205, 219, 225, 276, 278, 282, 316, 325, 360, 388-389
Data leakage, 352, 489
Data management, 13, 94, 214, 238, 252, 275, 277
Data mining, 48, 226, 236
Data owner, 99, 342, 403, 410, 431, 489-490
Data redundancy, 278, 313, 462
Data security, 95, 105, 107, 259, 278, 307, 311, 313, 315, 372, 489
Data structure, 36, 161, 236, 281, 489
Data terminal equipment (DTE), 295, 486, 509
Data transmission, 307-308, 486, 498, 504
Data validation, 27, 118, 199-200, 204-205
Data warehouse, 235-237, 343, 510
Database administration, 23, 61, 96-97, 105, 107, 255
Database administrator (DBA), 96-97, 105, 107, 276, 279, 408, 489, 508
Database controls, 253, 281
Database management system (DBMS), 48, 151, 166, 190, 205, 227, 252, 275, 277-279, 281, 313, 408, 467, 487, 489, 493, 508
Database specifications, 33, 140, 149, 165, 170, 489
Datagram, 285, 295, 304, 381, 512
Data-oriented system development, 117, 169-170, 509
DBA, See Database administrator
DBMS, See Database management system
DCE, See Data communications equipment or Distributed computing environment
DCT, See Discrete cosine transform
DD, See Data dictionary
DD/DS, See Data Dictionary/Directory System
Deadlock, 281
Debugging, 36, 116, 149-151, 154, 282, 353
Decentralization, 75, 489
Decision focus, 120, 238
Decision support systems (DSS), 137
Decision support systems (DSS) Trends, 120, 240
Decision trees, 233
Decompiler, 173
Decryption, 385-386, 388, 489, 502
Decryption key, 385, 489, 502
DECT, See Digital Enhanced Cordless Telecommunications
Delineation, 86
Delta, 257
Demilitarized zone (DMZ), 383
Denial of service, 79, 337, 339, 365, 374, 377-378, 393, 397, 413, 509
Deployment, 68, 77, 85, 122, 138, 148-149, 153, 160, 169, 177, 223, 391, 459
DES, See Data Encryption Standard
Design and development, 85, 117, 119-120, 137, 141, 165, 211, 238, 244-245, 284, 287, 411
Detailed design, 119, 136, 138, 148-149, 166, 189, 211, 505
Deterministic, 502
DFD, See Data flow diagram
Dial-back, 372-373, 400-401, 489
Dial-in penetration attacks, 378
Dial-up access controls, 333, 372, 412
Dictionaries, 165, 186, 278, 467
DID, See Direct inward dial
Diffie-Hellman, 391
Digital Enhanced Cordless Telecommunications (DECT), 301
Digital signature, 216, 223, 337, 388-389, 391-392, 430, 432, 489
Digital subscriber lines (DSL), 296-297, 364, 509
Digital video disc (DVD), 270-271, 274, 509-510
Direct inward dial (DID), 103, 187, 199, 201, 299, 355, 387-388, 398, 400, 509
Direct inward dial (DID), 398
Direct-sequence spread spectrum (DSSS), 509
Disaster recovery, 445
Disaster Recovery Institute International (DRII), 469, 479, 509
Disaster recovery planning, 2, 23, 442, 445-446, 480, 487, 509
Disaster recovery procedures (DRP), 313, 445, 447, 459
Disasters and other disruptive events, 442, 446
Discovery sampling, 34, 490
Discrete cosine transform (DCT), 231, 509
Discretionary Access Controls (DACs), 342
Disk management, 253, 273, 282
Disk management system (DMS), 282
Disk striping, 462
Diskless workstations, 373, 394, 490
Distributed data processing network, 315, 490
Diverse routing, 456, 461
DLLs, See Dynamic link libraries
DMS, See Disk management system
DMZ, See Demilitarized zone
DNS, See Domain name service
DNS, network, 416
Domain name service (DNS), 269, 306, 378, 413-414, 416, 490, 509
Downloading, 306, 393, 482, 490
Downtime report, 490
DRII, See Disaster Recovery Institute International
DRP, See Disaster recovery procedures or Disaster recovery planning
Dry-pipe sprinkling systems, 421
DS, 278-279, 509
DSL, See Digital subscriber lines
DSS, 120, 137, 139, 237-240, 489, 509
DSS Frameworks, 110, 238
DSS, See Decision support systems


DSSS, See Direct-sequence spread spectrum, 509
DTE, See Data terminal equipment
Dumb terminal, 402, 490
Duplexing, 452
Duplicate check, 200
Duplicate information processing facilities, 453
DVD, See Digital video disc
Dynamic link libraries (DLLs), 154
E
EAP, See Extensible Authentication Protocol
Eavesdropping, 352, 374, 377, 391, 397-399, 507
EBCDIC, See Extended Binary-coded Decimal Interchange Code
ECC, See Elliptical curve cryptography
E-commerce, 13, 17, 55, 58, 112, 114, 119, 128, 141, 149, 213-217, 219, 248-250, 386, 391, 430, 436, 479, 525
E-commerce architectures, 119, 214
E-commerce audit and control issues, 119, 216
E-commerce models, 119, 213
E-commerce requirements, 119, 216
E-commerce risks, 119, 215
E-commerce, See Electronic Commerce
EDFA, See Enterprise data flow architecture
EDI, 31, 95, 119, 213, 215, 217-222, 241, 243, 260, 277, 412, 460-461, 490, 508, 536, 545
EDI risks and controls, 119, 219
EDI, See Electronic data interchange
Edit controls, 199, 490
Editing, 30, 118, 150, 189-190, 199-200, 204, 240, 264, 353, 490
EER, See Equal-error rate
EFTS, See Electronic funds transfer systems
EIGRP, See Enhanced Interior Gateway Routing Protocol
EJB, See Enterprise Java Beans
Electromagnetic interference (EMI), 288-289, 419, 510
Electronic Commerce (E-commerce), i, 13, 17, 55, 58, 112, 114, 119, 128, 141, 149, 213, 214, 215, 216, 217, 219, 248, 249, 250, 386, 391, 430, 436, 479, 515, 536
Electronic Commerce, 13, 58, 119, 213, 391, 412, 510
Electronic data interchange (EDI), i, 31, 95, 119, 213, 215, 217, 218, 219, 220, 221, 222, 241, 243
Electronic funds transfer systems (EFTS), 229
Electronic mail (E-mail), 6, 14, 103, 109, 114, 119, 171, 183, 219, 222-223, 247, 268, 277, 284-286, 307, 354, 362, 377-378, 381, 391-394, 406, 412, 415, 429, 431, 433, 482, 490, 493-494, 499, 512, 528, 531
Electronic mail, 119, 137, 222, 229, 306, 505
Electronic signature, 439
Elliptical curve cryptography (ECC), 387, 462, 510
E-mail, See Electronic mail
Embedded audit modules, 47-48, 51, 510, 512
Emergency action team, 457
Emergency management team, 457-458, 470
EMI, See Electromagnetic interference
Employee handbook, 60, 82
Employee performance evaluations, 60, 83
Emulation, 284-285, 306, 355, 36~, 508, 512
Encapsulation, 296-297, 326, 3M), 392, 491
Encapsulation security payload (ESP), 392, 430, 432, 510
Encryption, 303, 385, 388, 392, 491
Enhanced Interior Gateway Routing Protocol (EIGRP), 461, 508
Enhanced Telecom Operations Map (eTOM), 73


Enterprise data flow architecture (EDFA), 234, 510
Enterprise Java Beans (EJB), 171, 510
Entity relationship diagrams (ERD), 143-144, 510
Equal-error rate (EER), 358, 510
ERD, See Entity relationship diagrams
Error reporting, 118, 198, 201
Escalation, 255, 259, 262-263, 318, 337, 347, 414-415, 485, 500
Escrow, 87, 102-103, 121, 140, 146, 148, 472, 491
ESP, See Encapsulation security payload
Ethernet, 180, 270, 288, 291-292, 295, 298, 304, 491, 496, 504-505, 511
E-token, 369
eTOM, See Enhanced Telecom Operations Map
Evidence, 15, 31
Exception report, 200-201, 491
Executable code, 153, 173, 182, 265, 352, 491
Existence check, 200
Expert systems, 26, 36, 120, 151, 222, 232-233, 240, 491
Exponentiation, 386
Exposure, 66, 68-69, 78, 83, 103, 153, 223-224, 3~9, 353, 356, 370-371, 385, 403, 415, 424, 426, 491, 496
Extended Binary-coded Decimal Interchange Code (EBCDIC), 160, 277, 286, 490, 492, 510
Extensible Authentication Protocol (EAP), 299
Extensible Markup Language (XML), 172-173, 214-215, 284, 302, 492, 503, 512
External labeling, 201
External schema, 278
Extranet, 297, 326, 492
Extrapolation, 418
F
Facial-metric, 359
Facilitator, 16-::'
Factorization, 386, 502
Failure-to-enroll rate (FER), 358, 510
False-positive, 394
False-rejection, 358, 510
Fast Fourier transform (FFT), 231, 510
FAT, See File allocation table
FDDI, See Fiber-Distributed Data Interface
FDM, See Frequency division multiplexing
FEA, See Federal Enterprise Architecture
Feasibility study, 32, 116, 119, 128, 136, 139, 142-143, 145, 210-212, 245, 311, 492, 505
Federal Emergency Management Association (FEMA), 469, 479, 510
Federal Energy Regulation Commission (FERC), 469, 510
Federal Enterprise Architecture (FEA), 73-74, 510
Federal Financial Institutions Examination Council (FFIEC), 469, 510
Federal Information Processing Standards (FIPS), 388, 510
FEMA, See Federal Emergency Management Association
FER, See Failure-to-enroll rate
FERC, See Federal Energy Regulation Commission
FFIEC, See Federal Financial Institutions Examination Council
FFT, See Fast Fourier transform
FHSS, See Frequency-hopping spread spectrum
Fiber-Distributed Data Interface (FDDI), 502, 510
Fiber-optic, 288-289, 303, 461, 492
File allocation table (FAT), 1:-;2, 492, 510
File controls, 201-202
File layout, 492


File server, 286, 313-314, 427, 490, 492, 496
Financial audit, 23, 492
Financial management practices, 61, 90
Fingerprint, 223, 358-359, 426, 436, 440
FIPS, See Federal Information Processing Standards
Firefox, 304
Firewalking, 414
Firewall, 166, 216-217, 222, 270, 320, 324, 333, 337, 364, 371, 375, 377, 379-383, 385, 394-395, 402, 407, 415, 418, 473, 492
Firewire, 284, 302
Firmware, 273-274, 394, 493
Floppy, 270-271, 282, 369-370, 373, 418, 427, 429, 431
Flowchart, 204
Flowcharts, 37, 41, 72, 137, 148, 165, 186, 192, 211
Follow-up, 15, 17, 23-25, 39-41, 86, 144, 186, 198, 200, 205, 272, 312, 315, 334, 367, 410, 466, 525, 547
Forensics, 17, 35, 55, 57, 335, 417-418, 433, 435-438, 479, 487, 525
Fortezza, 391
Fourth-generation language, 493, 508
FPA, See Function point analysis
FPs, See Function points
Frame relay, 242, 253, 294, 296, 320, 364, 473, 493, 506, 510
Fraud, 8, 24, 26-27, 34, 47, 51, 57, 79, 113, 141, 187, 225, 347, 374, 397, 399, 407, 434-435, 502
Fraud risk, 51
Frequency division multiplexing (FDM), 295, 510
Frequency of rotation, 442, 467
Frequency-hopping spread spectrum (FHSS), 300, 302, 510
FTP, See Anonymous File Transfer Protocol or File Transfer Protocol
FUD, 439
Full duplex, 293
Function point analysis (FPA), 116, 132-134, 510
Function point analysis, 116, 132, 510
Function points (FPs), 132
Functional design specifications, 203
G
Gantt chart, 177
Gateway, 125, 151, 219, 222, 293, 305, 313, 381, 393, 458, 461, 493, 508-509
GDP, See Gross domestic product
General audit procedures, 24
General control procedure, 22
Generalized audit software, 25, 36, 52, 54, 207, 487, 493, 510
Generally accepted standards, 100
Geographical Information System (GIS), 139, 493, 510
GHz, See Gigahertz
Gigabit, 291-292
Gigabyte, 268, 510
Gigahertz (GHz), 299, 302
GIS, See Geographical Information System
Global position system (GPS), 375, 510
Global System for Mobile Communications (GSM), 298, 510
GPS, See Global position system
Graphical user interface (GUI), 132, 166, 309-310, 510
Gross domestic product (GDP), 81
GSM, See Global System for Mobile Communications
GUI, See Graphical user interface
Guidelines, 14, 17, 523


H
Hacker, 246, 302, 366, 372, 375, 394, 412, 414, 447
Half duplex, 293
Halon, 421
Handheld, 268, 301-302, 306, 335, 373, 375, 420, 422, 425, 499
Handwriting, 268
Hardened, 166, 381, 383, 427
Hardware acquisition, 91, 118, 179, 310
Hash, 20, 198, 223, 243, 245, 385, 388-389, 391, 432, 462, 486, 489
HDLC, See High-level data link control
Health Insurance Portability and Accountability Act (HIPAA), 13, 469, 510
Help desk, 74, 85, 89, 94, 99, 156, 218, 232, 252, 255-256, 263, 309, 318, 362, 493, 500
Heuristic, 130, 135, 168, 195, 394, 493
Hexadecimal, 320, 418
Hierarchical database, 279, 493, 501
High-level data link control (HDLC), 296, 510
HIPAA, See Health Insurance Portability and Accountability Act
Hiperlan, 298, 302
Hiring, 60, 65, 82, 135, 182, 498
Holistic project view, 127
Honeynet, 384-385
Honeypot, 384-385, 494
HTML, See Hypertext markup language
Html, 113, 151, 171, 247, 249, 302, 304, 328-329, 433, 435-436, 439, 479-482, 486, 488, 494, 499, 504, 510
HTTP, See Hypertext Transfer Protocol
HTTPS, See Secure Hypertext Transfer Protocol
Hub, 291, 298
Hypertext markup language (Html), 109-110, 249, 327, 433, 435, 440, 479
Hypertext Transfer Protocol (Http), 109-110, 112, 114, 269, 304, 306, 327, 381-382, 391-392, 395, 414-415, 433, 437, 481, 483, 485-488, 491, 494-504, 506-507, 510-511
I
I&A, See Identification and authentication
ICMP, See Internet control message protocol
IDE, See Integrated development environment
Identification and authentication (I&A), 356, 510
Identifier, 144, 197, 266, 392, 503
IEEE, See American Institution of Electrical and Electronic Engineers
IETF, See Internet Engineering Task Force
Image processing, 31, 120, 231, 494, 509
Impersonation, 362, 377, 494
Implementation phase, 119, 152, 154, 212
Implementation strategies, 120, 239, 333, 395
IMS, See Integrated manufacturing systems
Inbound, 119, 219, 221-222, 243, 382, 395
Incident handling and response, 332, 339, 351, 379, 415
Incident response, 21, 68, 225, 337, 351, 411, 418, 436, 448, 457, 459, 479, 509-510
Independence, 10, 15, 17, 31, 35, 37, 39-40, 78, 150, 190, 207, 278, 494, 513, 525
Indexed sequential access method (ISAM), 494, 508
Industrial espionage, 349, 374
Information processing facility (IPF), 94, 502
Information processing facility (IPF), 94-97, 335, 421-423, 426-427, 454-455, 461, 463-464, 466, 475, 494, 498, 502, 510
Information systems control objectives, 30


Information systems operations, 256, 266, 310, 316, 318
Information Technology Infrastructure Library (ITIL), 110, 112, 257, 328-329, 371, 510
Infrared (IR), 297, 299, 301, 510
Infrared, 288, 297, 299, 301, 366, 510
Infrared Data Association (IrDA), 284, 299, 301, 510
Inherent risk, 27-28, 51, 53, 204, 494
Initial program load, 276, 508
Input authorization, 118, 197, 204
Input controls, 202, 494
Input/origination controls, 118, 197
Insulation, 314, 486
Insurance coverage, 78
Insurance, iv, 13, 19, 35, 78, 226, 231, 420, 423, 442, 444, 450, 453, 454, 455, 456, 458, 460, 463, 464, 465, 468, 471, 472, 476, 478, 510
Integrated customer file, 120, 229
Integrated development environment (IDE), 150
Integrated manufacturing systems (IMS), 227
Integrated manufacturing systems, 119, 217
Integrated Services Digital Network (ISDN), 180, 294, 296, 303, 364, 495, 506, 508
Integrated test facilities (ITF), 51
Integrated test facilities (ITF), 51, 53, 208-209, 495, 508
Integration, 35, 68, 70-72, 78, 113, 118, 144, 147, 149, 152, 154, 166, 172-173, 178, 194, 216, 217-231, 234, 240, 248-249, 359, 483, 509-510, 512
Integrity, 215, 264
Interception, 242, 302, 385
Interconnectivity, 488
Internal control, 8, 12-13, 16, 20-21, 23, 26, 28-30, 37, 4.>H, 48, 53, 58, 63, 110, 121, 140, 154, 222, 229, 233, 433, 435, 486, 513-518, 520-521
Internal control objectives, 8, 21, 26
Internal controls, 1, 8, 16, 19-20, 23-24, 26-30, 33-34, 36, 42, 44-45, 53, 55, 57, 63, 98, 112, 204, 211, 345, 483, 487-488, 491, 494, 500, 504
Internal labels, 201
Internal schema, 278
Internal storage, 274, 488
International Organization for Standardization/Open Systems Interconnection (ISO/OSI), 285-286, 303
International Telecommunications Union (ITU), 296, 396, 510
International Telegraph and Telephone Consultative Committee (CCITT), 296
Internet, 225, 303, 306
Internet control message protocol (ICMP), 414, 510
Internet Engineering Task Force (IETF), 297, 364, 392, 435, 479-480, 495, 501, 510
Internet Protocol (IP), 222, 236, 253, 286-287, 292-297, 300-304, 306-308, 320, 326, 328-329, 333, 337, 362, 364, 375-378, 380-382, 391-392, 395-396, 406, 411, 413, 418, 432, 437, 494-495, 498, 500, 505-506, 508, 512
Internet Protocol (IP), 222, 295, 304, 326, 506
Internet Protocol security (IPSec), 297, 327, 364, 380, 392, 505, 510
Internet service provider (ISP), 119, 303, 306, 396, 508
Inter-network Packet Exchange (IPX), 293, 295, 326, 500, 510
InterNIC, 413
Interoperability, 225, 285, 303, 310, 391
Interview, 10, 15, 32, 39, 84, 211, 311, 315, 403, 409, 449, 470-471
Intranet, 173, 236, 296-297, 320, 324, 326, 355, 363, 492
Intruder, 353, 357, 365, 376-379, 382-385, 397-402


Intrusion detection, 18, 47, 103, 117, 224, 247, 270, 320, 333, 337, 351-352, 367, 379, 383-384, 415, 430, 510, 526
Invitation to tender (ITT), I-Ui, 179-180, 510
IP, See Internet Protocol
IPF, See Information processing facility
IPSec, See Internet Protocol security
IPv4, 391
IPv6, 392
IPX, See Inter-network Packet Exchange
IR, See Infrared
IrDA, See Infrared Data Association
Iris, 356, 358-359
Irregularities, 16-18, 28, 34, 57, 84, 98, 101, 152, 208, 353, 358, 366, 495, 525-526, 530
IS audit function, 8, 11, 15, 103
IS budgets, 61, 90, 142
ISACA Code of Professional Ethics, 8, 14-15, 513
ISACA IS Auditing Guidelines, 8, 17
ISACA IS Auditing Standards, 1, 8, 10-12, 14, 17
ISACA IS Auditing Standards and Guidelines, 1, 8, 14
ISAM, See Indexed sequential access method
ISDN, See Integrated Services Digital Network
ISM, 299
ISO 9001, 91-92, 111, 191, 248
ISO/OSI, See International Organization for Standardization/Open Systems Interconnection
Isochronous, 302
ISP, See Internet service provider
Issuer, 226-227
IT governance, ii, 1, 5, 16, 17, 21, 22, 45, 49, 55, 57, 58, 60, 61, 62, 63, 64, 65, 66, 67, 72, 74, 83, 101, 105, 106, 107, 109, 110, 111, 112, 113, 114, 248, 249, 327, 338, 371, 436, 479, 495, 510, 513, 514, 515, 521, 523, 525, 546
IT performance, 62, 92, 514-515, 517-519, 521, 524
ITF, See Integrated test facilities
ITIL, See Information Technology Infrastructure Library
ITT, See Invitation to tender
ITU, See International Telecommunications Union
J
J2EE, 73
Java, 151, 170-171, 214, 306, 378, 395, 481, 503, 510
JavaScript, 151, 301, 306, 482, 546
Jbuilder, 151
JIT, See Just-in-time
Job description, 94, 407-408, 425
Job rotation, 84
Joins, 112, 236
Journal, 55-58, 101, 109-114, 247-250, 327-330, 433-440, 479-480, 546
Judging the materiality of findings, 8, 38
Just-in-time (JIT), 113, 227, 241
K
KDSI, See Thousand delivered source instructions
Kerberos, 361
Kernel, 276
Key decision-making personnel, 442, 460
Key goal indicators (KGI), 83, 508
Key performance indicators (KPI), 83, 495, 508


Key personnel, 101, 209, 442, 471
Key verification, 200
Keyboard, 267-268, 302, 426
Keypad, 230
KGI, See Key goal indicators
Kick-off meeting, 127
Kilo lines of code (KLOC), 132, 510
KLOC, See Kilo lines of code
KPI, See Key performance indicators

L2TP, See Layer 2 Tunneling Protocol
Laptop, 163, 268, 298, 320, 353, 365, 376, 425, 427
Laserdisc, 271
Last-mile circuit protection, 461
Latency, 292, 307
Layer 2 Tunneling Protocol (L2TP), 505, 510
LCP, See Link Control Protocol
Leased lines, 297, 299, 303
Legacy systems, 166, 214, 216, 320
Librarian, 256, 266, 317, 466, 495
Library control software, 252, 264-265
Licensed software, 283
Lights-out operations, 252, 254, 259-260, 318
Limit check, 200, 496
Link Control Protocol (LCP), 295, 510
Linux, 214, 276, 327, 414
LISP, 151, 232
Load balancing, 255, 293, 307, 309-310, 382
Local area network, 242, 253, 288, 473, 496, 508, 512
Lock, 400, 404, 406, 425-426, 431
Log, 101, 199, 202
Logging, 48, 105, 107, 181, 199, 202, 204, 221, 252, 275-276, 307, 318, 327, 332, 334, 349, 355, 363, 366-367, 371, 410, 416-417, 426-427, 429, 467, 488
Logic bomb, 352
Logical access controls, 49, 105, 107, 332, 337, 350, 352-354, 362, 368, 407, 410-411, 415, 518
Logical security, 22-23, 29, 49, 91, 312, 314-315, 341, 403-404, 408
Logoff, 258, 315, 409
Logon, 356, 409
Logon ID, 353-354, 356-357, 366, 407-408, 410
Long-haul network diversity, 456, 461
Loopholes, 411
Lophtcrack, 379

MAC, See Mandatory access controls
Machine language, 150, 482, 491, 503
Macro, 410
Magnetic card readers, 224, 499
Mainframe, 267
Malware, 352, 496
Management information system (MIS), iv, 139, 496, 511
Management principles, 55, 92, 109, 111, 194
Mandatory access controls (MAC), 242, 248, 286, 291-293, 342, 496, 510
Manual controls, 191, 203
Manufacturing resources planning (MRP), 113, 227, 511
MAPICS, 227


Mapping, 24, 36, 113, 206, 218, 249, 274, 320, 329, 359, 382, 413-414, 418, 438, 496
Masking, 410
Masquerading, 371, 377, 494, 499
Master file, 51, 198, 206-207, 218, 221, 243, 245, 467, 470, 505
Materiality, 8, 17, 27-29, 38, 40, 47, 81, 496, 525
MD2, 388
MD4, 388
MD5, 388, 391
MDAC, 414
Mean time between failures (MTBF), 157, 511
Mean time to repair (MTTR), 157, 511
Media and documentation backup, 442, 467
Megapixel, 366
Memory dump, 417
Mesh, 46, 487
Message modification, 377
Message switching, 218, 294, 497
Metadata, 215, 236, 252, 278-279
Microbrowsers, 302
Microchip, 271
Microcomputer, 189, 208, 219, 233, 269, 274-275, 284, 411, 482, 487, 508
Microfiche, 231, 370, 468
Microfilm, 231, 468
Microsoft's Transaction Server (MTS), 171, 511
Middleware, 166, 171, 214-216, 253, 275, 309-310, 497
Mirror, 462-463
Mirroring, 452, 461-462, 475, 477
MIS, See Management information system
Mobile, 2, 17, 97, 214, 268, 270, 294, 297-298, 301, 327-328, 332, 336, 366, 387, 396, 427, 453, 455, 497, 510, 525
Modem, See Modulator/demodulator
Modulation, 300, 302, 484, 497
Modulator/demodulator (Modem), 219, 283, 294, 296-297, 306, 315, 364, 372, 383, 400, 484, 501, 508
Modulator/demodulator, 294, 508
Module, 52-53, 149, 152, 160, 163, 172-173, 188, 212, 227, 233, 257, 265, 325, 402, 486, 488, 490-491, 506
Monetary unit, 497
Mozilla Firefox, 304
MPLS, See Multiprotocol label switching
MQSeries, 214
MRP, See Manufacturing resources planning
MSAU, 502
MSAUs, See Multistation access units
MTBF, See Mean time between failures
MTS, See Microsoft's Transaction Server
MTTR, See Mean time to repair
Multiplexing, 295-296, 300, 483, 508, 510-512
Multiplexor, 295
Multiprotocol, 253, 296, 511
Multiprotocol label switching (MPLS), 296, 511
Multistation access units (MSAUs), 502, 511
Multitiered, 214, 527
Multiuser, 95, 143, 205, 269, 272, 309, 462


Naming conventions, 96, 313, 315, 332, 368-369, 372
NAS, See Network access server
NAT, See Network address translation
National Bureau of Standards (NBS), 386, 489
National Fire Protection Agency (NFPA), 469, 511
National Institute of Standards and Technology (NIST), 144, 248, 388, 489, 511
NBS, See National Bureau of Standards
NCP, See Network Control Protocol
NDA, See Non-disclosure agreement
NETBEUI, 326
NetBIOS, 293
Nerem, 379
Network access server (NAS), 282, 364, 497, 511
Network address translation (NAT), 337, 382, 511
Network administrator, 306-307, 313-314, 316, 320, 373, 381, 393, 412, 429, 497
Network architecture, 284-285, 293, 308-309, 313, 314, 326, 512
Network connectivity, 168, 284, 297, 345, 354, 454
Network control, 177, 195, 316, 341, 370, 408, 458, 482, 511
Network Control Protocol (NCP), 195, 511
Network interface card (NIC), 291-292, 3/JL, 497, 511
Network management, 11, 49, 61, 97, 103, 136, 181, 217, 253, 273, 285, 293, 295, 304, 308, 354, 365, 375, 411, 416, 418, 492, 505, 512
Network management software, 273, 416
Network manager, 409-410
Network security, 48, 315, 320, 327-329, 333, 361, 371, 376-377, 379, 385, 433, 436, 438
Network service provider (NSP), 295-296, 304, 511
Network standards and protocols, 253, 277, 285, 364
Neural networks, 232, 384
NFPA, See National Fire Protection Agency
NIC, See Network interface card
NIST, See National Institute of Standards and Technology
nmap, 379
Node, 296, 355, 503
Noise, 289-290, 308, 497
Non-disclosure agreement (NDA), 413, 498, 511
Nonrepudiation, 202, 215, 219, 222, 225, 360, 374, 385, 387-389, 391-392, 489
Normalization, 281, 323, 325, 335, 418, 498
Notebook, 268, 301, 375
NSP, See Network service provider
N-tier, 121

Object code, 107, 150, 187, 486, 503
Objectivity, 14, 31, 35, 147, 498
Object-oriented (OO), 144, 511
Object-oriented system development (OOSD), 169-170, 511
Object-oriented system development, 117, 170, 511
Occupant emergency plan (OEP), 459, 511
OECD, See Organization for Economic Cooperation and Development
OEP, See Occupant emergency plan
OFDM, 300, 302, 511
Office automation, 45, 116, 120, 137, 171, 229, 268


Offline file, 317
Offshore, 84-85, 87, 109, 247
Offsite facility, 442, 460, 466-467, 471
Offsite libraries, 466
Offsite library controls, 442, 466
Offsite storage, 38, 422, 426, 442, 458, 467-469, 471, 498
Offsite storage team, 458
OLAP, See Online analytical processing
Online analytical processing (OLAP), 236, 511
Online auditing techniques, 37, 119, 208
Online programming facilities, 116, 148, 150
OO, See Object-oriented
OOSD, See Object-oriented system development
Open Shortest Path First (OSPF), 461, 498, 508
Open systems, 181, 277, 285, 482, 508
Open Systems Interconnection (OSI), 253, 285-287, 292-296, 303, 333, 381, 390, 482, 486, 500, 502, 508
Operating system, 173, 274, 311
Operational control, 126, 238, 498
Operations manager, 95, 156, 410
Operator console, 354, 397, 498
Optical scanners, 224, 499
Optimizing, 55, 57, 194, 260, 288
Organization for Economic Cooperation and Development (OECD), 12, 63, 343, 511
Organizational relationship, 17, 525
Origination controls, 118, 197
OSI, See Open Systems Interconnection
OSPF, See Open Shortest Path First
Outbound transactions, 119, 218-219, 221
Output analyzer, 282
Output control, 95, 212, 252, 260, 425
Outsourcing, 17, 35, 85, 87, 88
Oxley, 13, 42, 57, 109-110, 112-113, 234

Packet, 286, 291-298, 307, 324, 326, 333, 372, 376-377, 380-383, 392, 396, 414, 493, 495, 498, 503, 505, 509-511
Packet switching, 294, 296, 324, 396, 498
Paperless, 37, 118, 149, 208, 221, 260, 354, 490
Parallel simulation, 52-53, 207
Parallel testing, 154, 211, 498
Parity check, 102, 498
Pascal, 170
Passive attack, 397
Password, 197, 356, 357, 358, 392, 410
Paths of logical access, 331, 354
PBX, See Private branch exchange
PDA, See Personal digital assistant
PDNs, See Public data networks
Penetration testing, 11, 18, 246, 337, 410, 412-416, 526
Performance indicators, 62, 92, 234, 319, 495, 508, 524
Performance of audit work, 15, 26, 56, 525
Performance optimization, 61, 92, 139
Performance testing, 152, 246, 499
Periodic backup procedures, 442, 467
Peripherals, lJ5, 180, 255, 268, 272, 282, 356
Perl, 151, 305
Permanent virtual circuit (PVC), 493, 511
Personal data, 12-13, 338, 343, 369, 439


Personal digital assistant (PDA), 268, 301, 306, 365-366, 375, 495, 499, 508
Personal identification number (PIN), 214, 228-229, 302, 356, 372, 377, 499, 511
PERT, See Program Evaluation Review Technique
Phreakers, 350, 398, 460, 499
PHY, See Physical layer
Physical access controls, 23, 38, 335, 337, 339, 341, 425, 427, 466, 519
Physical layer (PHY), 299, 511
Physical security, 49, 95, 176, 228-229, 313-314, 337, 352, 365, 400, 404, 426, 428
Piggybacking, 353, 426, 428
PIN, See Personal identification number
Ping, 307
PingSweep, 414
PKI, See Public key infrastructure
Plaintext, 372, 385-386, 388-389, 489, 491
Plan maintenance, 442, 465-466, 477
Plan testing, 442, 464-465
Point-of-sale systems (POS), 224, 229, 242, 499, 511
Point-to-point Protocol (PPP), 295, 304, 500, 511
Point-to-point Protocol over Ethernet (PPPoE), 505, 511
Policies, 20, 22, 32, 39, 75
Polymorphism, 170
Port, 293, 298, 366, 381, 392-393, 400, 414, 437, 499, 503, 506
Portfolio management, 62, 123-124, 126, 247-248
POS, See Point-of-sale systems
Postimplementation, 117, 119, 121-122, 125, 138-140, 163-164, 209, 212, 245, 505, 516, 525
Posting, 30, 320
PPP, See Point-to-point Protocol
PPPoE, See Point-to-point Protocol over Ethernet
PPTP, 300, 511
Preventive control, 107, 192, 199, 243, 245, 351, 394, 403, 431
Prime, 95, 107, 374, 386-387, 428, 502
Prior test results, 442, 471
Privacy issues, 11, 298, 343
Private branch exchange (PBX), 333-334, 396-403, 499, 508
Private key, 216, 333, 385-391, 485, 489, 503
Private key cryptosystem, 489
Problem escalation, 263, 500
Problem management, 157, 187, 252, 254-257, 261-263, 310, 318
Procedures, 20, 22, 32, 39, 77
Processing control procedures, 221
Processing controls, 95, 107, 118, 200, 204-205, 209
Procuring alternative hardware, 442, 456
Production software, 130, 408
Professional competence, 14-15, 35
Professional ethics and standards, 15, 525
Professional, iv, 8, 10, 11, 12, 14, 15, 16, 17, 18, 24, 26, 28, 35, 37, 40, 41, 56, 81, 90, 109, 123, 129, 265, 344, 463, 469, 479, 513, 523, 525, 527, 546, 547
Program change control, 263-264
Program changes, 25, 105, 118, 183, 186, 202-203, 212, 264-265, 455
Program errors, 262
Program Evaluation Review Technique (PERT), 135-137, 500, 508
Program library management, 252, 264, 273
Program logic, 53, 154, 189, 206-207, 309, 408, 468, 506
Program migration, 119, 212, 265
Program narratives, 137, 186
Programmed controls, 201


Programming, 132, 150
Programming languages, 132, 150
Project management, 125, 130
Project management structure, 1, 116, 125
Project management techniques, 8, 41-42, 127, 130, 135, 164
Project manager, 126-131, 137, 151, 164, 167, 502
Project team, 126-130, 137, 146-147, 153, 160-161, 164, 189, 192, 209-210, 502
PROLOG, 151, 231
Promotion policies, 60, 83
Protocol, 284, 287, 295, 301
Protocol converters, 293
Prototyping, 32-33, 117, 121, 137, 148-149, 166, 168-170, 238, 500
Proxy server, 269, 354, 382, 473
PSTN, See Public-switched telephone network
Public data networks (PDNs), 296
Public key, 223, 386
Public key cryptosystem, 223, 386
Public key encryption, 388-389, 430, 432, 483, 500
Public key infrastructure (PKI), 216-217, 249, 337, 385, 389-392, 437, 439, 485, 500-501, 508
Public-switched telephone network (PSTN), 294, 396, 511
Purchase accounting system, 120, 230
PVC, See Permanent virtual circuit

QA, See Quality assurance
QAT, See Quality assurance testing
Quality assurance (QA), 96, 129, 263, 266, 508
Quality assurance manager, 94
Quality assurance testing (QAT), 152, 511
Quality management, 61-62, 91-92, 111, 191, 195, 248, 328, 508
Quality management system, 91-92, 191, 195
Quantum cryptography, 333, 387
Questionnaire, iii, 42, 43, 44, 449, 547
Queue, 309-310, 500

RA, See Registration authority
RAD, See Rapid application development
Radio frequency identification (RFID), 271, 508
RAID level descriptions, 442, 462
RAID, See Redundant Array of Inexpensive Disks
Range check, 200, 496
Rapid application development (RAD), 121, 142, 169, 245, 511
RC2, 391
RC4, 391
Reactivation, 410
Read only memory (ROM), 267, 508
Reasonable assurance, 15, 20, 22, 24, 30, 312, 417
Reciprocal agreement, 454-455
Reconciliation, 100, 198-199, 201, 203, 229-230, 237, 317
Recovery alternatives, 442, 454
Recovery point objective (RPO), 452-453, 475-478, 500, 511
Recovery time objective (RTO), 452-453, 473, 475, 477-478, 501, 511
Recurring, 26, 2n, 318


Redundancy, 202, 278, 286, 313, 323, 394, 453-454, 461-462, 468
Redundancy check, 286, 394
Redundant Array of Inexpensive Disks (RAID), 442, 461-463, 501, 508, 511
Reengineering, 17, 117-118, 159, 173, 190-193, 213, 215, 243-244, 248, 343, 485, 501, 509, 511, 525
Registration authority (RA), 217, 390, 501, 511
Regression testing, 154, 501
Regulations, 8, 12-13, 21-22, 26-27, 34-35, 41, 55, 63, 68, 76, 80, 102, 203, 315, 338-340, 343, 348, 385, 396, 404, 410, 412, 414, 420, 457, 469, 481, 500, 524
Relational, 64, 144, 190, 205, 235-236, 279-281, 325, 493, 501, 504, 511
Relational online analytical processing (ROLAP), 236
Reliability, 147, 193
Reliance, 31, 69, 101, 167, l6t
Remote access, 285, 297, 364, 365, 399, 412
Remote Method Invocation (RMI), 171, 511
Remote procedure calls (RPC), 172-173, 310, 501, 503, 511
Replay protection, 389
Replicate, 352, 506
Replication, 237, 501
Repository, 159-160, 169, 189, 236, 269, 278, 377, 501
Request for information (RFI), 147, 511
Request for proposal (RFP), 146-147, 179, 211, 502, 511
Required vacations, 60, 84
Requirements definition, 116, 119, 128, 139, 143, 145, 148, 210, 219, 245, 502, 505
Rerun, 20, 258-259, 317, 319
Resequencing, 264
Residual risk, 19, 69, 80, 453
Resilience, 453, 502
Resource allocation, 256
Restoration, 312, 442, 444-447, 453, 466-467, 477
Restructuring, 85, 281, 501
Results analysis, 442, 465
Retention, 41, 46, 82, 201, 203, 230-231, 282, 366, 369, 444, 467
Retina, 358-359, 426, 428
Return on investment (ROI), 62, 140, 142, 163, 175, 502, 511
Reusability, 133, 169
Reverse engineering, 117, 173, 502
RFC, 328, 436
RFI, See Request for information
RFID, See Radio frequency identification
RFP, See Request for proposal
Risk analysis, 18, 80
Risk assessment, 17, 18, 19, 29
Risk assessment model, 119, 204
Risk assessment techniques, 8, 29
Risk factors, 349
Risk management (RM), 69, 78, 80, 81
Risk management process, 19, 60, 78, 80, 224
Risk management program, 60, 78
Risk-based audit approach, 15, 27-28, 53
Risk-based IS audit strategy, 10, 513
RJ, 298
RM, See Risk management
RMI, See Remote Method Invocation
Robust Secure Network (RSN), 299
ROI, See Return on investment
ROLAP, See Relational online analytical processing
ROM, See Read only memory


Rotation, 84, 282, 442, 467-468
Rounding down, 353, 502
Router, 292
RPC, See Remote procedure calls
RPO, See Recovery point objective
RSA, 224, 337, 387, 391, 430, 437, 502, 511
RSN, See Robust Secure Network
RTO, See Recovery time objective
Run-to-run totals, 200, 502

S/HTTP, See Secure Hypertext Transfer Protocol
S/MIME, See Secure Multipurpose Internet Mail Extensions
Sabotage, 350, 374, 466
Salami technique, 353
Sample audit review file (SARF), 207
Sampling, 8, 17, 26, 28, 33-37, 51, 53, 204, 207, 416, 483, 490, 497, 504, 506, 525
Sarbanes, 13, 41, 57, 109-110, 112-113, 234
SARF, See Sample audit review file
Satellite, 289-290, 298, 455, 458, 497
Scalability, 225, 285, 307, 309, 382, 463
Scanning, 36, 231, 283, 320, 337, 359, 375, 393-395, 406, 414, 416, 428-429, 431, 437, 440
SCARF, See Systems Control Audit Review File
Scheduling and time reporting, 60, 83
Schemas, 278-279
SCM, See Supply chain management
SCOR, See Supply Chain Operations Reference
Scrambling, 386
Screen, 143, 148, 151, 168, 189-190, 207, 211, 267-268, 304, 314, 357
Screening routers, 415
Script, 151, 350, 366, 394, 506
SD/MMC, See Secure digital multimedia card
Secure digital multimedia card (SD/MMC), 180, 512
Secure electronic transactions (SET), 12, 14, 18, 22-23, 25-26, 28, 34, 36, 38, 43, 48-49, 53, 63-64, 67, 69-70, 73, 75-76, 78, 81, 83, 89-92, 97, 111, 123, 129-130, 134-135, 141-143, 146-147, 151-153, 155, 159-160, 163-164, 170, 174, 177, 191, 193-194, 205, 208, 213, 216-217, 219-222, 226, 228, 243, 245, 260-261, 276-277, 279-282, 284-285, 287-288, 293, 301-303, 305, 308, 337-338, 340-341, 354, 356, 358-359, 361-362, 364-365, 368-369, 373, 376, 378-379, 381-384, 390, 392, 394-395, 399, 403, 405, 418, 420-421, 462, 464, 466, 468, 482-483, 485, 489, 492, 494-496, 500-501, 503, 505, 512, 520-521, 523, 530
Secure Hypertext Transfer Protocol (HTTPS), 391-392
Secure Hypertext Transfer Protocol (S/HTTP), 392, 511
Secure Multipurpose Internet Mail Extensions (S/MIME), 392, 511
Secure shell (SSH), 392, 512
Secure Sockets Layer (SSL), 217, 270, 300, 337, 391-392, 503, 508
Security administration, 61, 74, 86, 96-97, 105, 107, 332, 339, 341, 363, 368-369, 415, 431
Security administrator, 96, 106-107, 334, 341, 357, 363, 366-368, 403-404, 408-410, 412, 429
Security awareness, 33, 96, 105, 107, 334, 339, 344, 351, 362, 365, 379, 403, 440
Security parameter indexing (SPI), 392, 512
Security policy, 60, 76-77, 96, 101, 106-107, 123, 292, 339-340, 344, 346, 348, 366, 380, 382, 384, 404, 409, 415, 427, 440
Security software, 408, 458
Security testing, 152, 337, 503


Segmentation, 48, 97, 411
Segregation of duties, 32-33, 48, 61, 96-102, 105, 107, 183, 201, 203, 225, 230, 262, 265, 317, 341-342, 350, 363, 368, 416
Sentinel, 384
Separation of duties, 100, 204, 415
Sequence checking, 36
Server, 171, 214, 268, 269, 309
Service bureau, 458
Service level agreements (SLA), 87, 103, 156-157, 257, 326, 512
Service level agreements, 371
Servlet, 306, 503
SET, See Secure electronic transactions
SH, 151, 512
SHA, 388, 391
Shareware, 378, 393, 481
Simple Mail Transport Protocol (SMTP), 295, 304, 306, 391, 395, 512
Simple Network Management Protocol (SNMP), 295, 304, 308, 512
Simple Object Access Protocol (SOAP), 173, 284, 503, 512
Simulator, 53, 208, 282
Simultaneous peripheral operations, 504, 512
Single sign-on (SSO), 361, 512
Single sign-on, 332, 337, 361, 429, 431, 512
Skeletonization, 231
SLA, See Service level agreements
SLOC, See Source lines of code
Smalltalk, 170
Smart card, 358, 373, 439, 492
SMART, See Specific, measurable, achievable, relevant, time-bound
SMF, See System management facility
SMTP, See Simple Mail Transport Protocol
SNA, See Systems network architecture
Snapshot, 123, 206
Sniffing, 371, 414
SNMP, See Simple Network Management Protocol
SOAP, See Simple Object Access Protocol
Social engineering, 332, 362, 377-378, 394, 406, 413, 494, 499
Sockets, 217, 503, 508
Software acquisition, 91, 116, 118-119, 141, 145, 148, 181, 211, 244
Software control, 252, 275
Software licensing, 253, 255, 282
Source code, 25, 29, 103, 107, 116, 132, 134, 146-148, 150, 173, 187-189, 203, 206, 213, 252, 265-266, 316, 388, 468, 472, 486, 491, 496, 501, 503
Source code comparison software, 265
Source documents, 37, 197, 199, 467-468, 494, 504
Source lines of code (SLOC), 132-133, 504
Source program, 264-265
Spamming, 337, 378
Specific, measurable, achievable, relevant, time-bound (SMART), 127, 138, 224, 302, 306, 358, 373, 387, 390, 415, 439, 492, 503, 508
SPI, See Security parameter indexing
Spoofing, 337, 371, 377-378, 381, 495
Spool, 202
Spreadsheets, 31, 45, 229, 268, 406
Sprinkler, 420-421
Spyware, 352, 481, 496, 504
SQL, See Structured Query Language
SSH, See Secure shell
SSL, See Secure Sockets Layer
SSO, See Single sign-on
Staffing, 12, 83, 137, 180, 258
Staggered, 299


Standards, 14, 18, 523
Standing data, 202, 504
Star-topology, 292
Statd, 414
Statistical sampling, 28, 33-34, 504
Stealth, 414
Steering committee, 60, 66, 71, 74-75, 85, 102, 121, 124, 126, 129-130, 237, 339
Strategic planning, 60, 74, 106, 238
Streamline, 191, 321
Stress/volume, 152
Structured analysis, 117, 165
Structured programming, 132, 150
Structured Query Language (SQL), 190, 236, 313, 320, 383, 413-414, 504, 512
Stubs, 151
Stylesheet, 214, 512
Suboceanic, 307
Substantive testing, 8, 23-24, 27, 30-31, 34, 326, 504
Supercomputers, 267, 269
Supervision, 13, 15, 36, 55, 109, 186, 228, 316, 350
Supply chain management (SCM), 139, 147, 227, 240-241, 504, 512
Supply chain management, 120, 139, 240, 297, 504, 512
Supply Chain Operations Reference (SCOR), 73, 512
Surge protectors, 314, 335, 419, 421, 423
SVCs, See Switched virtual circuits
Swipe card, 425
Switched network, 218, 294, 454
Switched virtual circuits (SVCs), 294
SYN, 378, 414
SYN floods
Synchronous transmission, 294, 504
SYSGEN, See System generation
System access, 84, 100, 201, 332, 338, 341-342, 350, 354-356, 366-367, 398-400, 416, 429, 431
System control parameters, 140, 202
System development process, 151, 164, 210
System development tools, 1, 118, 188
System exits, 363, 368, 410
System generation (SYSGEN), 276, 512
System management facility (SMF), 258, 512
System software, 180, 181
System testing, 138, 140, 151-152, 154, 312, 505
Systems administration, 61, 93, 95
Systems administrator, 95, 353
Systems Control Audit Review File (SCARF), 51, 53, 207-209, 512
Systems development manager, 94
Systems network architecture (SNA), 293, 308, 326, 364, 512
Systems programming, 23, 97
SysTrust, 56, 435

Table look-ups, 200
Tagging, 206
Tape management, 38, 282, 317, 467-468, 470, 505, 512
Tape management system (TMS), 282, 505, 512
Tcl, 151


TCP/IP, See Transmission Control Protocol/Internet Protocol
TDM, See Time-division multiplexing
Technical reference documentation, 203
Technical report (TR), 57, 195, 247-248, 512
Technical support, 23, 93, 129, 146-147, 218, 256, 263, 311, 455
Teething, 125
Telecommunication networks disaster recovery, 442, 460
Telecommuting, 297
Telnet, 295, 304, 306, 378, 382, 392, 415, 435, 479
Temporal Key Integrity Protocol (TKIP), 299-300, 512
Terminal emulation software (TES), 285, 512
Terminals, 180, 197
Termination, 60, 82, 84, 258-259, 332, 347, 349-350, 360, 368, 373, 384, 390, 404-405, 424, 481
Termination policies, 60, 84
Terrestrial, 461
TES, See Terminal emulation software
Test data, 36, 51-53, 153-154, 173, 206-207, 245, 282, 341, 487, 495, 498, 505
Test data generators, 154, 487
Test execution, 442, 464
Test programs, 154, 265
Testing phase, 151-152, 155, 212, 501
TFTP, See Trivial File Transport Protocol
Thinning, 231
Thousand delivered source instructions (KDSI), 132, 510
Threats, 19, 68, 71, 77-80, 96, 224, 238, 313, 315, 333, 344, 348-349, 351, 374-377, 397-398, 415, 419, 446, 488
Timebox, 116, 137
Time-division multiplexing (TDM), 295, 512
Timesharing, 169
Timestamp, 265, 389
TKIP, See Temporal Key Integrity Protocol
TLS, See Transport Layer Security
TMS, See Tape management system
T;'I.IS DJ'..IS, 182
Toigo, 480
Token ring, 292, 295, 304, 502
Topology, 290
Topy, 226
Total risk, 18
TP, See Transaction processing
TR, See Technical report
Tracing, 36, 89, 197, 206, 265, 496
Traffic analysis, 377, 397
Transaction authorization, 61, 99, 219
Transaction flowchart, 204
Transaction log, 101, 199, 505
Transaction processing (TP), 310, 512
Transborder, 12, 253, 307, 343
Transcription, 161, 170, 200
Transmission Control Protocol/Internet Protocol (TCP/IP), 222, 505
Transport Layer Security (TLS), 327, 391, 435, 480, 512
Triggering, 402, 448
Trivial File Transport Protocol (TFTP), 461, 512
Trojan horse, 152, 352, 393, 401, 505
Tunnel, 270, 297, 392, 430, 432
Tuple, 280-281, 493, 505
Twisted pairs, 289, 505
Two-tiered, 214


UAT, See User acceptance testing
UDDI, See Universal Description, Discovery and Integration
UDP, See User Datagram Protocol
UML, See Unified Modeling Language
Unanimous, 235
Unicast, 296
Unicode, 277, 414, 505
Unified Modeling Language (UML), 170, 512
Uniform resource locator (URL), 304, 392, 490, 512
Uninterruptible power supply (UPS), 200, 314, 335, 419, 421, 423, 427, 448, 456, 466, 505, 508
Unit testing, 152, 161, 506
Universal Description, Discovery and Integration (UDDI), 173, 512
Universal serial bus (USB), 180, 270, 283-284, 337, 352, 358, 366, 393, 431, 506, 508, 512
UNIX, 103, 258, 268-269, 275-276, 304, 327, 381, 407, 409, 414, 482, 501, 506
UPS, See Uninterruptible power supply
Uptime, 87, 396
URL, See Uniform resource locator
USB, See Universal serial bus
User acceptance testing (UAT), 152-153, 155, 210, 246, 512
User authorization tables, 61, 100
User Datagram Protocol (UDP), 285, 293, 295, 304, 381, 414, 512
User ID, 201, 371, 496, 512
User manuals, 32, 203, 468
User satisfaction, 61, 89, 213, 323, 325
Utility programs, 153, 273, 282, 482, 505-506

Vacation, 82, 84, 378
Validity check, 200
Value-added network (VAN), 56, 58, 109-110, 114, 218-219, 222, 249, 436, 512
VAN, See Value-added network
Variable sampling, 34-35, 506
VB, See Visual Basic
Video camera, 359, 426
Virtual private network (VPN), 242, 270, 297, 300, 326, 328, 337, 354, 364-365, 380, 392, 430, 492, 512
Virus, 333, 337, 339, 351-352, 366, 371, 376, 383, 393-396, 406, 416, 427, 429, 431, 457, 506
Visual Basic (VB), 151
Voice mail, 399, 402, 506
Voice recovery, 456, 461
Voice response ordering systems, 120, 230
Voice-over IP (VoIP), 333, 395-396, 461, 503, 506, 508, 512
VoIP, See Voice-over IP
VPN, See Virtual private network
Vulnerability, 18, 36, 55, 69, 79, 267, 320, 337, 352, 398, 400-402, 406, 414, 434, 438, 526


WAP, See Wireless Application Protocol
War chalking, 333, 375-376
Warm sites, 444, 453-454
Web servers, 214, 269, 306, 391, 482
Web Services Description Language (WSDL), 173, 512
Web site, 73, 109, 213-214, 219, 304, 306, 354, 413-414, 430, 460, 479-480, 524, 546
Web-based EDI, 119, 219
WebCams, 270, 274
WEP, See Wired Equivalent Privacy
White box testing, 154
WHOIS, 413-414
Wi-Fi Protected Access (WPA), 300-301, 506-507, 512
Wired Equivalent Privacy (WEP), 242, 299, 301, 303, 506-507, 512
Wireless, 297
Wireless Application Protocol (WAP), 253, 301-303, 512, 515
Wireless local area networks (WLAN), 247, 298-300, 302-303, 327, 433-434
Wireless Markup Language (WML), 302, 512
Wireless personal area networks (WPAN), 301, 376, 512
Wireless wide area network (WWAN), 298, 512
WLAN, See Wireless local area networks
WML, See Wireless Markup Language
Workpapers, 25-26, 45, 164
Workstation, 150, 197, 268-269, 309, 314, 355, 357, 361, 366, 373, 393, 395, 402, 405, 407, 426, 490
Worms, 352, 374, 393-394, 496
WPA, See Wi-Fi Protected Access
WPAN, See Wireless personal area networks
WSDL, See Web Services Description Language
WWAN, See Wireless wide area network

X.25, 253, 296, 493, 500
XML, See Extensible Markup Language


Prepare for the 9June 2007 elSA Exam

ORDER NOW-2007 elSA Review Materials for Exam Preparation and Professional Development

Passing the elSA exam can be achieved through an organized plan of shldy. To assist individuals with the development of a successful Shldy plan.ISACA offers several sUldy aids and review courses to exam candidates (see w\I'\dsaca.OIg'cisoexillJI for morc details),

CISA Review Manual 2007ISACA

CISA Review Questions, Answers &Explanations Manual 2006ISACA

CISA Review Questions, Answers &ExplanationsManual 2006 and 2007 SupplementsISACA

A CISA Review Questions, Answers alld Explanations Alalll/a!Supplement is developed ench year by ISACA. The 2006 and the 2(editions consi::;t of 100 new' sample questions, answers andexplanations for candidates to usc in preparation for the elSA exanThe 2006 and the 2007 Supplements were created based on thE: CISjob practice, lIsing a similar process for item development as that II

to develop actunl exam items.

elSA Ren'l!n' Questions, Answers & Explanations ,"vlalll/al 2006 con~

of 625 multiple-choice study questions. These items appeared in the2005 edition of the elSA Revh.:'lv Questions, Af/sH"el:~ & ExplanationAhlllllal and in the 2005 Supplement, but many have been enhanccd 'rewritten to recognize a change in practice, be more representative 0,

the current exam question tormat, aneL'or provide further clarity orexplanation of the suggested COITect answer. These questions are notaChJaI exam items, but are intended to provide the CISA cnndidate \\an understanding of the type and structure of questions and content 1have pre\'iously appeared on the exam. Questions are sorted by CIS;'job practice areas and a sample 200 question exam is provided.

2006 EditionsQAE-6ES English EditionQAE-6IS Italian EditionQ.-\E-6JS Japanese EditioQAE-6SS Spanish Edition

English EditionItalian EditionJapanese EditionSpanish Edition

QAE-7QAE-7IQAE-7.1QAE-7S

2007 EditionsQAE-7ES English EditionQAE-7FS French EditionQAE-7IS Italian EditionQAE-7JS Japanese EditionQAE-7SS Spanish Edition

Questions are provided in two formats .• Questions sorted by content area-Questions, answers and

explanations are provided (sorted) by the new CISAjob analysis2006 content areas. This allows the CISA candidate to study matlby content area and refer to specific questions, as well as evaluatetheir comprehension of the topics covered within each content are

• Sample test-Tw.o hundred questions are selected from the 625questions to represent a eISA-length examination arranged in thesame proportion as the new CISAjob analysis. Candidates are ur;to use this sample test and the answer sheet provided to simulate,examination, Many candidates use this exam as a pretest todetermine their own specific strengths or weaknesses and/or as afinal exam. Sample exam ans\vcr sheets have been provided for b.uses, In addition, a sample exam answer reference kcy is indudeeAll sample test questions have been cross-referenced to thc qucstisorted by content area. making it convenient to refer back to theexplanations of the correct answers.

CISA Practice Question Database v7

To order the CISA review material, please visit the ISACA web site at www.isaca.org/cisabooks.

This manual has been developed and organized to assist in the study of the following areas:
• IT governance
• Systems and infrastructure life cycle management
• IT delivery and support
• Protection of information assets
• Business continuity and disaster recovery

CRM-7 English Edition
CRM-7I Italian Edition
CRM-7J Japanese Edition
CRM-7S Spanish Edition

CISA Review Manual 2007 has been updated and is organized according to the CISA job practice. It has been enhanced with new content to reflect changing industry principles and practices. The manual features detailed descriptions of the current tasks performed by IS auditors and the knowledge required to plan, manage and perform IS audits. This new edition features case studies to assist a candidate's understanding of current practices. The manual also provides definitions of terms most commonly found on the exam, practice questions similar in content to what has previously appeared on the exam, and references where additional guidance can be found on specific topics. This manual can be used as a stand-alone document for individual study or as a guide or reference for study groups and chapters conducting local review courses.

A new, powerful software engine combined with 825 review questions is being developed to enhance the CISA candidate's exam preparation. This new product combines the items included in the CISA Review Questions, Answers & Explanations Manual 2006, CISA Review Questions, Answers & Explanations Manual 2006 Supplement and 2007 Supplement.

Please see www.isaca.org/cisabooks in November for details, availability and pricing concerning this new product.


EVALUATION

ISACA continuously monitors the swift and profound professional, technological and environmental advances affecting the IS audit, assurance, control and security professions. Recognizing these rapid advances, the CISA Review Manual is updated annually.

To assist ISACA with keeping abreast of these advances, the ISACA Board of Directors would appreciate you taking a moment to comment on the CISA Review Manual 2007. Such feedback is invaluable to our efforts to fully serve the profession and future CISA examination candidates.

Please complete the questionnaire below and return to:

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
USA
Attention: Manager-Certification Study Program and Educational Development

1. The CISA Review Manual 2007 was (check one):
   ____ very helpful in preparing me for the exam.
   ____ helpful in preparing me for the exam.
   ____ not very helpful in preparing me for the exam.

2. The format of the CISA Review Manual 2007 made it (check one):
   ____ very easy to read.
   ____ readable.
   ____ hard to read.

3. The content of the manual was (check one):
   ____ too detailed in preparing me for the exam.
   ____ detailed enough in preparing me for the exam.
   ____ not detailed enough in preparing me for the exam.
   If not detailed, or not detailed enough, please indicate where additional detail should be provided.

4. The case studies at the end of each chapter were (check one):
   ____ very helpful in preparing me for the exam.
   ____ helpful in preparing me for the exam.
   ____ not very helpful in preparing me for the exam.
   If not helpful, please indicate where additional detail should be provided.

5. The practice questions at the end of each chapter were (check one):
   ____ very helpful in preparing me for the exam.
   ____ helpful in preparing me for the exam.
   ____ not very helpful in preparing me for the exam.

6. What other improvements would you recommend be made to the CISA Review Manual to make it more useful (be as specific as possible):

If you would like to complete this evaluation online, please go to www.isaca.org/studyaidsevaluation.

Please also note on the back of this page (or a separate page) any specific comments and/or suggestions you may have concerning errors and omissions, enhancements, references and format. If you wish, please include your name, address and phone number so we may follow up with you. Thank you for your support and assistance.


COMMENTS/SUGGESTIONS
