auditing glossary

7/29/2019 Auditing Glossary

1/32

INTOSAI EDP COMMITTEE

Version 3, August 2001

INTOSAI EDP

Information Systems

Auditing

Glossary of Terms


2/32

Information Systems Auditing Glossary of ICT Terms

Version 3, August 2001 1

Introduction

This glossary of terms is designed to help auditors who use the INTOSAI Guide to ITInfrastructure Audit- and other IT-related guides - to understand the terminology. Although the

Glossary contains many definitions it is not a comprehensive dictionary. If the term you arelooking for is not listed, we suggest that you try the excellent on-line dictionaries at

http://www.zdwebopedia.comor

http://whatis.techtarget.com/

The definitions provided here are those that are normally used in the context of managing IT-enabled projects and programmes, and in IT services and security. However, a word of caution!Some of the terms listed can mean different things in different contexts - for example the termnetwork can refer to a data communications network, or to a network diagram used inconnection with planning the sequence of tasks in a project.

Hyperlinks are embedded to help navigate the Glossary - please ensure that you select the MSWord web toolbar option (View, toolbars, web) before using the Glossary.
http://www.zdwebopedia.com/http://www.zdwebopedia.com/http://whatis.techtarget.com/http://whatis.techtarget.com/http://www.zdwebopedia.com/


3/32

Information Systems Auditing Glossary of Terms

Subject/term/acronym Description


Access controls Controlsthat are designed specifically to reduce the risk of theunauthorised use of resources (including the use of resources inan unauthorised way), or damage to, or theft of resources.Access control mechanisms include a combination ofphysical(barriers, CCTV, security guards), technical(e.g. passwords,

biometrics, computer logs) and administrative(e.g. personnelvetting, management supervision) controls (see physical access;logical access).

Accountability An information securityprinciple whereby systemusers areuniquely identifiable and are held responsible for their actions.Being able to identify users uniquely enables security violationsto be traced to individuals; sharing passwordsdefeats thisobjective.

Active-X Active X is an integration technology developed by Microsoft. Itsmain use is forweb pages, which it can make more useful and,visually, more exciting. However, Active X controlshave powerful

processing ability, and the onus lies on the user whether or not toaccept them. Web browsersettings control whether Active Xcontrols are to be downloaded and run, or whether they areblocked; however, blocking Active Xmay limit the informationprovided by the web pagethe user is trying access.

Active X controls (See also Active X). Active X controls are objects in a web pagethat allow interactive between the user and the web server.Besides enlivening web pages for aesthetic value, controls canbe used to create interactive forms for ordering merchandise,collecting information, and other purposes.

Activity The lowest level of a work breakdown structure. A packet of work

that forms the basic building block of a plan ornetwork.

After image See - Before and after image.

Algorithm In computing, a finite set of well defined rules for the solution of aproblem in a finite number of steps (see encryption algorithm).

Applet A small Javaprogramthat can be embedded in an HTML page.Applets differ from full-fledged Java applications in that they aresupposed to be restricted to provide some security to the user.

Application A systemthat has been developed to serve a specified purpose,for example to pay suppliers invoices, place orders with suppliersand maintain stock records. An application incorporates bothclerical and computerised procedures; controlsovertransactioninput, processing and output; and filemanagement. It should alsomaintain an audit trail(see also system software; program).

Approval to Proceed This approval is given by the project boardat project initiationand at each end stageassessment prior to commencement ofthe next stage. It represents a commitment to a furtherexpenditure up to the end of the next stagein a project.


4/32




ASCII American Standard Code for Information Interchange. ASCIIwas developed to standardisedata transmission amongdisparate hardware and softwaresystems, and is built into mostmini and personal computers. It is a coding scheme using 7 or 8

bitsthat assigns numeric values to up to 256 characters. Theseinclude letters, numerals, punctuation marks, control charactersand other symbols. ASCII text is often referred to as a plain text(see EBCDIC).

ASCII file A document filein ASCIIformat, containing characters, spaces,punctuation, carriage returns, tabs and an end-of-file marker, butno formatting information. Also sometimes referred to as a textfile, text-only file or plain text.

Asset In Information Security, the informationor information processingresources that are to be protected by the application ofcontrols.

Asymmetric encryption A cryptographicalgorithmthat employs a public keyforencryptionand a private key(see secret key) fordecryption; or inauthentication, a private key for signing and a public key forsignature verification. Public and private keysare related andform an asymmetric key set.

Audit trail A chronological set ofrecordsthat collectively providedocumentary evidence of processing, sufficient to enablereconstruction, review and examination of an activity.

Authenticity The attribute of genuineness. For evidence to be authentic itmust be all that it purports to be.

Authentication (1)The act of determining that a messagehas not been changedsince leaving its point of origin. (2) A process that verifies theclaimed identity of an individual.

Availability The ability to access and use a system, resource orfile, whereand when required.

Backup A duplicate copy (e.g. of a program, of an entire disc or ofdata)made either for archiving purposes or for safeguarding valuablefilesfrom loss should the active copy be damaged or destroyed.A backup is an "insurance" copy.

Back door see Trapdoor.

Bandwidth A measurement of how much datacan be sent across acommunications circuit at the same time. It is usually measuredin bitsper second (BPS).

Baseline (1) In configuration management, a snapshot of the state of a CIandany component CIs, frozen at a point in time for a particularpurpose.


5/32




Baseline (2) In project management, a set of dates and costs frozen at thestart of a projectand used as a basis for comparison as theproject progresses.

Bastion host A specific hostthat is used to intercept packetsentering or

leaving a networkand the systemthat any outsider must normallyconnect with to access a serviceor a systemthat lies within anorganisations firewall.

Before and after image In databaseupdating,the transactionis first applied to a copy ofthe recordto be updated (the before image) held in memory toproduce an image of the record after updating (the after image).The updated image is then committedto the database, afterwhich the after image is compared with the database record. Ifthey do not match the process can be rolled backby the DBMS.

Benefits The enhanced efficiency, economy and effectiveness of futurebusiness operations to be delivered by a programme.

Benefits management A formal process with programme managementfor planning,managing, delivering and measuring the set of benefits which aprogrammeis to provide.

Benefits Management Plan A component of the Programme Definition Statement, whichspecifies who is responsible for achieving the benefits set out inthe Benefits Profilesand how achievement is to be managed,measured and monitored.

Benefits Profiles A component of the Programme Definition Statementwhichdescribes the planned benefits to be realised by a programmeand states where, how, and when they are to be realised.

Biometrics In access control, automated methods of verifying or recognisinga person based upon behavioural or physical characteristics (e.g.fingerprints, handwriting, and facial or retina geometry).

BIOS Basic Input/Output System. The set of essential softwareroutines that test hardware at start-up, start the operating systemand support the transfer ofdataamong hardware devices. OnPC-compatible computers, the BIOS is stored in read-onlymemory (ROM) so that it can be executed when the computer isturned on. Although critical to performance, the BIOS is usuallyinvisible to computer users.

Bit Shortened term for binary digit. It is the smallest unit ofinformationhandled by a computer. One bit expresses a 1 or a 0in a binary numeral, or a true or false logical condition, and isrepresented physically by an element such as a high or lowvoltage at one point in a circuit or a small spot on a diskmagnetised one way or the other. A single bit conveys littleinformation a human would consider meaningful. A group of 8bits, however, makes up a byte, which can be used to representmany types of information, such as a letter of the alphabet, adecimal digit or other character.


6/32




Black box testing Testing that involves no knowledge of the internal structure orlogic of a system.

Boot The process of starting or resetting a computer. When first turned

on (cold boot) or reset (warm boot), the computer executesimportant softwarethat loads and starts the computer's operatingsystemand prepares it for use. Thus, the computer can be saidto pull itself up by its own bootstraps.

Boot disk A floppy disc that contains key system files from the operatingsystemand that can boot, or start, the PC. A bootdisk must beinserted in the primary floppy disc drive (usually drive A:) and isused when there is some problem with starting the PC from thehard disc, from which the computer generally boots.

BSI British Standards Institution. The UK national standardsbody.Widely used standards first developed and published by the BSI

include ISO 9001 (BS5750 qualitymanagement systems) andISO 17799 (BS 7799 information securitymanagement).

BS 7799 A UK standardpublished by the BSI. It consists of two parts. Part1 (A Code of Practice for Information Security Management)provides a baseline set ofinformation securitycontrols. Part 2contains the auditing criteria against which formal certificationagainst the standard may be obtained.

Browser See web browser.

Browsing Searching through storage to locate or acquire information,without necessarily knowing of the existence or the format of the

databeing sought.

Buffer (1) In computing, an area of storage that is temporarily reservedfor use in performing an input/output operation, into which dataisread or from which it is written. (2) In data communications, astorage area used to compensate for differences in the rate offlow of data, or time of occurrence of events, when transferringdata from one deviceto another.

Bug An error in programmingcodethat produces an undesirablevariation from design performance in a programduring execution.

Business A commercial or government enterprise, and the people whocomprise it.

Business Case A document that provides justification for the commitment ofresources to a projectorprogramme.

Business Change Manager A role in the programmeexecutive responsible forbenefitsmanagement, the programme's Business Case, transition planand the management of change and risk.


7/32




Business continuity A formal plan, or integrated set of plans, designed to enable keybusiness processes to continue in operation following a majorsystem failure or disaster. Essential ingredients include theidentification of key business processes, adequate systembackupsand a workable continuity strategy.

Business impact review In business continuityplanning, a review designed to identify theimpacts (over time) of loosing information systems.

Byte A unit ofdatagenerally comprising 8 bits. A byte can represent asingle character, such as a letter, a digit or a punctuation mark.Because a byte represents only a small amount of information,amounts of computer memory and storage are usually given inkilobytes (1,024 bytes), megabytes (1,048,576 bytes), orgigabytes (1,073,741,824 bytes).

Call centre A central point where customer and other telephone calls arehandled by an organisation, usually assisted by some amount of

computer automation. Typically, a call centre has the ability tohandle a considerable volume of calls at the same time, toclassify calls and forward them to someone qualified to handlethem, and to record calls. Call centres commonly handle suchactivities as customer services, order entry, reservations, helpdeskfacilities, dispatch systems, telesales and collections.Telephone banking, insurance and share dealing are amongfinancial applications.

CASE Computer Aided Systems Engineering. Softwaretools thatsupport systemsanalysis, design and construction.

Central Processing Unit (CPU) computer hardware that houses the electronic circuits that

control/direct all a computers operations.

Certification authority In cryptography, an authority trusted by all users to create andassign digital certificates. The role is generally performed bylarge public institutions, such as the Post Office, BT and clearingbanks (e.g. Barclays).

Change Control In project management, uncontrolled changes are one of themost common causes of delay and failure. Change Control is theprocess of implementing procedures which ensure that proposedchanges are properly assessed and, if approved, incorporatedinto the project plan.

Change management IN IT service management, the processofcontrollingandmanaging requests to change an IT InfrastructureorIT service,and then controlling and managing the implementation of thechanges that are subsequently approved.

Channel In data communications, a path along which signals can be sent.The term may also refer to a mechanism by which the path iseffected.


8/32




CI Configuration Item. In configuration management, a componentassociated with an IT infrastructurethat is under the control of theConfiguration Manager. CIs vary widely in complexity, size andtype. They can range from an entire system(including all itshardware and documentation) to a single programmodule or a

minor hardware component.

Ciphertext In cryptography, unintelligible text produced through the use ofencryption.

Classification The process of formally identifying incidents, problemsandknown errorsby origin, symptoms and cause.

Client (1) A computer that interacts with another computer, usuallyreferred to as the server, using a client program. E-mail is anexample - an e-mail client connects to an e-mail server to sendand receive messages. (2) A term sometimes used by auditors torefer to an audited organisation.

Close Out The completion ofprojectwork once a project has beenimplemented. It is the phase at the end of the project lifecycle justbefore live operations begin. Confusingly this period is oftencalled Start-Up, since this refers to the start-up of the facility.

Code Programinstructions written by a programmer in a programminglanguage.

Cold site In business continuity, a site that is suitable for the installation ofcomputer equipment and its environmental and ancillary support.

Commit In databases, a command to update the physical databasewiththe transactionsinput to the system and held in temporarystorage (orbuffer).

Confidentiality In information security, the property that informationis not madeavailable or disclosed to unauthorised individuals, entities orprocesses.

Configuration The complete technical description required to build, test, accept,install, operate, maintain and support a system.

Configuration audit Verifying the completeness and correctness ofCIs. This involvesverifying that all items are present in their correct versionand,where computerfilesare concerned, their integrity is sound; andthat no extraneous items have been introduced (e.g.unauthorised equipment; unauthorised and/or unlicensedsoftware).

Configuration Item See CI.

Configuration Management The process of identifying and defining the CIsin a system;recording and reporting their status; and verifying theircompleteness and correctness.


9/32




Controls In information security, policies, proceduresand mechanismsdesigned to ensure that activities achieve their authorisedobjectives. Controls can be preventive (e.g. a no smoking policyis enforced), detective (e.g. a smoke detector), corrective (e.g. a

sprinkler system) or restorative in character (e.g. a disasterrecovery plan).

CMDB Configuration Management Database a databasethatcontains details about the attributes and the history of each CI,and details of the important relationships between CIs.

CRAMM The CCTA Risk Analysis and Management Methodology. Asoftware-supported method for identifying and justifying securitymeasures for both current and future IT systems. The methodprovides assistance with risk assessment, and the identificationof cost-effective controls(see risk management). The softwarepackageassists in recording review information, provides audit

trailsbetween recommended controls and relatedrisks, andprovides a what if? facility.

Critical Path The longest sequence ofactivitiesin a network.

Critical Path Analysis A simple calculation of a networkofactivitiesthat results in adate which is the earliest possible completion of the projecttakingtime and logic only, into account. It results in the calculation of acritical path.

Cryptography The discipline that embodies principles, means and methods forthe transformation ofdatain order to hide its informationcontents, prevent its undetected modification, and/or prevent its

unauthorised use.

Customer The individual or organisation that buys a product orservice(seeuser).

Cyberspace The virtual space created by the technology of computer systemsenabling people to communicate with other users worldwide.

Data In computing,(1) a representation of facts, concepts, information,or instructions in a manner that is suitable for processing by aninformation system. (2) The building blocks of information.

Data dictionary In databases, a centralised repository ofinformationabout thestored data, providing details of its meaning, relationship (to otherdata), origin, usage and format.

Data file A fileconsisting ofdatain the form of text, numbers or graphics,as distinct from a programfile containing commands andinstructions. Datafiles may also be called documents orspreadsheets.

Database An extensive and comprehensive set ofrecordscollected andorganised in a meaningful manner to serve a particular purpose.


10/32




Data Protection Act (UK) Legislation designed to protect the rights of individuals whosepersonal dataare stored in either manual or computerisedsystems. Systems covered by the Act are those where (1)personal data is held (data relating to a living individual who can

be identified from the data, or from the data and otherinformationthat the data user has access to. And (2), the filesholding thedata are structured in the same way. The Act contains a strictcode of conduct, which includes an obligation to protect personaldata against loss, destruction, damage or disclosure. Both civiland criminal penalties can apply to contravention of the Act.

DBMS Database Management System. Softwarethat handlesdatabaseaccess requests from applicationprocesses.Essentially a DBMS handles storage, access, datasharingamong multiple users, and database administration tasks (e.g.controlling what data an application usercan view and update).

Decrypt Incryptography, to convert by use of the appropriate key,encryptedtext (see ciphertext) into its equivalent plaintext.

Definitive Software Library DSL.A secure library where quality-controlled versions of allsoftwareCIsthat have been accepted from the developer orsupplier are held in their definitive form.

Device A generic term for printers, scanners, mice, keyboards, serialports, video adapters, disk drives and other computersubsystems. Such devices frequently require their own controllingsoftware, called device drivers.

Device driver A softwarecomponent that permits the computer system to

communicate with a device. Many devices, especially videoadapters on microcomputers, will not work properly, if at all,without the correct device drivers installed in the operatingsystem.

Digital certificate In cryptography, a message that guarantees the authenticity ofthe data contained within it. In public keycryptographyit isimportant that anyone using a public key can be sure about itsauthenticity. Such a guarantee may be issued by a CertificationAuthoritytrusted by the users, and based on assurancesobtained from applicants for digital certificates. A certificategenerally contains the public key owners identity, the public keyitself and its expiry date. A user supplies the certificate and therecipient decryptsit using the certification authoritys public key(often performed automatically by the recipients browser/e-mailsoftware). The recipient gains assurance that a trusted authorityhas signed the user identity and corresponding public key.

Digital signature A datablock appended to a fileormessage(or a completeencryptedfile or message) such that the recipient canauthenticatethe file or message contents and/or prove that itcould only have originated with the purported sender.


11/32




Document Informationin readable form. The medium on which thedocument is held (e.g. paper, fiche, film and magnetic disk) is notimportant. See also record.

DSDM Dynamic Systems Development Methodology. A formal

method for developing information systemsquickly using RADtechniques.

Dump In computing, the act of copying raw datafrom one place toanother with little or no formatting for readability. It usually refersto copying data from main memory to a display screen or aprinter. Dumps are useful for diagnosing bugs. After a programfails, a dump can be used to analyse the contents of memory atthe time of the failure.

EBCDIC Extended Binary Coded Decimal Interchange Code.Developed by IBM, and mostly used by mainframesystems,EBCDIC is a standard way of representing text symbols using

binary numbers (see also ASCII).

E-business See electronic business.

E-commerce See electronic commerce.

E-government See electronic government.

EDI Electronic Data Interchange. In computing andcommunications, the transmission of documents from onecomputer to another over a network. Although EDI is sometimescarried out over direct links between trading partners (andincreasingly the Internet), it is more usual to involve a value

added supplier to operate an electronic mailbox through whichdocuments are exchanged on a store and collect basis, similar toe-mail. The ability of communicating computer systems toexchange and process informationin this way can significantlyspeed up processing and reduce manual transcription errors.

EFT Electronic Funds transfer. Systemsdesigned to move fundsbetween banks using electronic communications rather thanpaper media. Common EFT systems include BACS (BankersAutomated Clearing Services) and CHAPS (Clearing HousePayment System).

Electronic business Using an electronic networkto simplify and speed up all stages ofthe business process including such as activities as design andmanufacturing; buying, selling and delivering; and transactinggovernment business.

Electronic commerce Using an electronic networkto simplify and speed up the processof buying, selling and delivering.

Electronic government Using an electronic networkto deliver government informationto,and transact government business with other departments ofstate, citizens and businesses, and other governments.


12/32




Encryption (Also encipher). The process of transforming informationinto anunintelligible form in such a way that the original informationcannot be obtained (one-way encryption) or cannot be obtainedwithout using the inverse decryptionprocess (two-way

encryption).

Encryption algorithm A set of mathematically expressed rules implemented in eitherfirmwareorsoftware, and used in conjunction with a secret keyforencryptingplaintext and decrypting ciphertext.

End user computing Refers to the use of non-centralised (i.e. non-IT department) dataprocessing using automated procedures developed by end-users,generally with the aid ofsoftware packages(e.g. spreadsheetand database) and enquiry software. End-user processes can besophisticated and become an extremely important source ofmanagement information. Whether they are adequately testedand documented may be questionable.

Error (1) In IT Service Management, a condition identified bysuccessful diagnosis of the root cause of a problemwhen it isconfirmed that a CIis at fault. (2) In qualitymanagement, anynon-conformance between softwareand either its specification,design or implementation, or its behaviour as stated or implied byusersand operations staff.

Error control In IT Service Management, the process of identifying, recording,classifying and progressing known errors. This includes theresolution phase until successful implementation of anamendment or replacement CIis confirmed.

ETHERNET A common LANtechnology that employs CSMA/CD (carriersense multiple access with collision detection) over either coaxialcable or twisted pair wiring. CSMA/CD allows computers totransmit when the networkis free.

Facilities management In computing, the management, operation and support of anorganisations computers and/or networks by an external providerunder a contract, and at agreed levels of service (see ServiceLevel Agreement; outsource).

File A complete, named and collection of information. (1) Incomputing, a filecan contain program code, data(e.g.transactionsto be processed by a program), or user-created data(e.g. a word processor file). Most commonly, however, the termrefers to data (numbers, words, or images) that a user hascreated and then saved for subsequent retrieval, editing orprinting. (2) In information systems, a collection ofdocuments.The medium on which the documents are stored (e.g. paper,fiche, microfilm, magnetic disks) is not important.

File server In a local area network(LAN), a computer that provides access tofilesforworkstationsthat are connected to the network.


13/32




Firewall A security system used to prevent unauthorised access betweennetworks (both internal/internal, and internal/external) byexamining and filtering IP data packets. A firewall will allow onlyapproved traffic in and/or out by filtering packetsbased onsource/destination IP address, source/destination port. The

firewall inspects the identification information associated with allcommunication attempts and compares it to a rule-set consistentwith the organisations security policy. Its decision to accept ordeny the communication is then recorded in an electronic log.

Firmware Programming that is inserted into Programmable Read-OnlyMemory (PROM), thus becoming a permanent part of acomputing device. Firmware is created and tested like othersoftware. It can also be distributed like other software andinstalled in the PROM by the user. Firmware is sometimesdistributed for printers, modemsand other computerdevices.

Float A measure of the time flexibility available in the performance of

an activity(see also free float, negative floatand independentfloat).

Fourth Generation LanguageAny programming language that uses English terminology andallows rapid softwaredevelopment. With 4GLs the user specifieswhat is required and the programming language works out whatactions are needed to carry out the required task. StructuredQuery Language(SQL) is a commonly used 4GL.

Frame-Relay A packet-switchedwide area networktechnology that providesfaster performance than other packet-switched WANtechnologies (such as X-25networks) because it was designed

for more recent and reliable circuits that require less rigorouserror detection. Fame-relay is best suited to data and imagetransfers. Because of its variable-length packet architecture, it isnot the most efficient technology for real-time voice and video. Ina frame-relay network, end nodes establish a connection via aPermanent Virtual Circuit(PVC).

Free float The amount of time an activitymay be delayed without causingany knock on delay to following activities.

FTP File Transfer Protocol. In communications, a protocolthatensures the error-free transmission ofprogramand datafilesviaa data communications link.

Function Point Analysis In planning and estimating, a technique used to determine thesize of a development task. It entails breaking a projectdown intofunction points (factors such as inputs, outputs, enquiries, logicalinternal sites, etc.), which are then classified by degree ofcomplexity. Factors are then applied from which time estimatesmay be developed.

Gateway A computer or otherdevicethat links two networks, routing andoften converting protocolsormessagesfrom one network to the


14/32




other. The term can also refer to a system capability that providesdirect access to other remote networks orservices.

GANTT Chart A bar chart plotting the phases oractivitiesof a projectagainst apredefined timeline to completion.

Gigabyte (GB) 1,024 megabytes (230

bytes). Often interpreted, though, asapproximately one million bytes.

Hash total A figure obtained by some operations upon all the items in acollection ofdataand used for control purposes. A recalculationof the hash total, and comparison with a previously computedvalue, provides a check on the loss or corruption of the data.

Help Desk Sometimes called a service desk, provides a focal point forproviding first line incidentsupport; help with using IT-basedbusiness systems; and management reporting on IT servicequality.

Hexadecimal A numbering system that uses a base of 16 and requires 16digits (0 through 9, and A through F).

Host A computer connected to a networkthat offers services to one ormore users.

Hot site In business continuity, a fully equipped computer installationdesignated for standby purposes. Datawill need to be loaded;and softwaremay need to be installed and configured.

HTML Hypertext Markup Language. The programming language usedforweb pages. It is called a mark-up language because it is

used to describe the formatting to be used to display thedocument. The html file contains both the text and code(calledtags). It is read by a web browser, which interprets the code anddisplays the web pages in the format specified by the HTML.

HTTP Hypertext Transfer Protocol is the set of rules for exchangingfiles (text, graphic images, sound, video, and other multimediafiles) on the World Wide Web. By comparison with the TCP/IPsuite ofprotocols, which forms the basis ofinformationexchangeacross the Internet, HTTP is an applicationprotocol.

Hub A devicethat connects several devices (terminals, printers, etc.)to a network.

ICT Information and Communications Technology. Theacquisition, processing, storage and dissemination ofinformationusing a combination of computer and telecommunicationstechnologies.

IETF The Internet Engineering Task Force: a large openinternational community ofnetworkdesigners, operators,vendors, and researchers concerned with the evolution of the


15/32




Internetarchitecture and the smooth operation of the Internet. Itis open to any interested individual.

Impact In information security, the damage to an organisation resultingfrom a threatexploiting a vulnerability. The business

consequences may result from unauthorised disclosure ofsensitive information; or modification or unavailability ofinformation; or a combination of these impacts. Impact generallyhas financial implications, but depending on the circumstancesand the nature of the information at risk, other consequencesmight be loss of credibility, contravention of the law, personalinjuryand/orloss of life(e.g. as in medical records, patientmanagement and safety critical control systems).

Impact code A simple code assigned to incidentsshowing the extent ofdeterioration in normal user service levels. It is the major meansof assigning priority for dealing with incidents.

Implement Install, utilise or bring into operation.

Incident An operational event that is not part of the normal operation of asystem. It will have an impact on the system, although this maybe slight or transparent to the users.

Incident control The process of identifying, recording, classifying and progressingincidentsuntil affected services return to normal operation.Collection ofdatato identify causes of incidents is a secondaryobjective, although this may be necessary to effect incidentresolution.

Independent Float The degree of flexibility that an activityhas that does not affect

the floatavailable on any preceding or succeeding activities.

Information Knowledge that was unknown to the recipient prior to its receipt.Information is derived from data, which to be of value needs to bevalid (e.g. not duplicated or fraudulent), complete, accurate,relevant and timely.

Information security The result of any system of policies and procedures foridentifying, controlling and protecting informationagainstunauthorised disclosure, manipulation, modification; unavailabilityand destruction. Unauthorised disclosure refers to informationthat is, for example, commercially sensitive, nationally classifiedor subject to data protectionlegislation. Manipulation isconcerned with changing some attribute of the data, such as fileownership, security classification, destination, etc. Modificationinvolves unauthorised alteration of the data itself, which can takeplace without leaving any trace. Unavailability refers to aninability to access and process the data (e.g. due to computer orcommunications failure). Data can be destroyed quickly andefficiently in electronic or magnetic storage devices(e.g. bydegaussing, powering down volatilestorage and overwriting).


16/32




Information security policy A formal statement that defines top management intentions oninformation security, and provides general direction for protectingthe confidentiality, integrityandavailabilityof corporateinformation.

Information system The means for organising, collecting, processing, transmitting,and disseminating informationin accordance with defined policiesand procedures, whether by automated or manual means.

Input controls Techniques and procedures used to verify, validate and edit datato ensure that only correct data is entered into a computersystem.

Integrity In information security, the property that informationis valid,complete and accurate.

Internet A worldwide system of linked computernetworksthat enablesdatacommunication services(based on TCP/IP) such as remote

logon, file transfer, electronic mail, and newsgroups. The Internetis not a discrete computer network, but rather a way ofconnecting existing computer networks that greatly extends thereach of each participating system. It is not single service, has noreal central hub, and is not owned by any one group (see alsoIETF).

Intranet A private networkinside an organisation that uses the samekinds ofsoftwareand protocolsfound on the Internet. Intranetsmay or may not be connected to the Internet.

IP Internet Protocol. A protocolthat defines and routes data acrossthe Internet. It uses packet switchingand makes a best effort to

deliver its packets(see also TCP/IP).

IP address Every computer on the Internetis assigned a unique number so itcan be identified. IPaddresses are 4 dot-separated numbers (forexample, 205.243.76.2) that specify both the networkthecomputer is connected to and the host.

ISDN Integrated Services Digital Network. A medium speed, digitalconnection. It provides up to 128kbps bandwidthover twochannels. Like normal phone lines, it has a number that can bedialled into and it can dial out to any other ISDN number, unlikeleased lines which are strictly point-to-point. Like leased lines,ISDN provides a reliable digital servicethat is not normallyaffected by line noise and other ailments that modems canexperience.

ISO International Standards Organisation. An agency of the UnitedNations concerned with international standardisation across abroad field of industrial products. An example of an ISO standardagainst which some audit clients (or their external providers) areformally certified is that governing qualitymanagement systems,ISO 9001.


17/32




Island of Stability A review point at the end of a tranche, when progress is reviewedand the next tranche is planned.

IS Steering Committee The top management group responsible for the overall direction

ofinformation systems(IS). The ISSC owns, commissions,directs and agrees their organisations IS Strategy.

IS Strategy An organisations master plan for directing, developing, install ingand operating the information systemsnecessary to satisfy itsbusiness needs. An IS strategy should be supported by abusiness case to provide purpose and economic justification forwhat is proposed. It should also include measurable performancetargets and deadlines against which its success can bemonitored. Due to the delay generally involved in bringing new ITinfrastructureinto operation, an IS strategy usually covers a threeto five year planning period. It should, however, be monitored andupdated frequently to ensure that it continues to represent an

effective and workable plan. See IS Steering Committee.

IT infrastructure The hardware, software, computer-related communications,documentation and skills that are required to support theprovision ofIT services, together with the environmentalinfrastructure on which it is built.

IT infrastructure management The processesthat are required to manage an IT infrastructure.They comprise processes covering servicemanagement,hardware and software release, incidentand problemresolution,customerand supplier management, and overall control ofassets(see changeand configurationmanagement).

IT service (1) In IT Service Management, an operational IT servicecomprises the IT infrastructurenecessary to provide a designatedgroup ofusersorcustomerswith access to one or moredesignated applications, often within the terms of a service levelagreement. (2) In computing, the provision of data processingfacilities.

IT service management Sometimes shortened to Service Management, is the totality of(a) IT serviceprovision and (b) IT infrastructure management(theterm is synonymous with IT systems management and ITService Delivery).

Java A programminglanguage, similar to C++, created by SunMicrosystems for developing that are capable of running on anycomputer regardless of the operating system.

Key In cryptography, a symbol or sequence of symbols that controlsthe operations ofencryptionand decryption. It is essential thatkeys are protected against unauthorised disclosure.

Known error In IT Service Management, a condition identified by successfuldiagnosis of the root cause of a problemwhen it is confirmed thata CIis at fault.


18/32




LAN Local Area Network. A networkthat connects PCs and othercomputers within a limited geographic area by high-performancecables so that users can exchange information, share expensiveperipherals, and draw on the resources of a massive secondary

storage unit, call a file server. See also WAN.

Lights out operating Sometimes known as darkroom operating, is where thecomputer room is not staffed, but people are available to controlthe system via one or more terminals or consoles connected tothe system, often as part of an Operations Bridge.

Log In computing, a record(or journal) of a sequence of events (1)relating to the jobs run through a computer. Job logs generallycontain chronologically listed information on when jobs start andend, the resources they access (and whether or not access wassuccessful), together with any messagesgenerated from withinthe applicationsthat are running. (2) A chronological record of the

activities performed (or attempted) by individuals when using acomputer system.

Logical In computing, conceptual or virtual (i.e. within the computer; incyberspace), as compared with physical or actual (i.e. outside thecomputer; real world).

Logical access The act of gaining access to computerdata. Access may belimited to read only, but more extensive access rights includethe ability to amend data, create new records, and delete existingrecords (see also physical access).

Login The act of connecting to a computer and being authenticatedas

a legitimate user. The usual requirements are a valid user name(or user ID) and password, but in higherriskscenarios a usermay also have to insert a physical token (e.g. a smartcard) and/orprovide biometricproof of identity.

Mainframe A high-level computer designed for the most intensivecomputational tasks. Mainframe computers are often shared bymultiple usersconnected to the computer by terminals.

Macro A macro is a list of actions to be performed that is saved under ashort key code or name. Softwarecan then carry out the macrosinstructions whenever the user calls it by typing its short key codeor specifying the macro name.

Media The physical material, such as paper, disc and tape, used forstoring computer-based information.

Memory Memory generally refers to the fast semiconductor storage(Random Access memory, orRAM) directly connected to theprocessorthat is dependent on electrical power for activation.Memory is often differentiated from computer storage (e.g., harddisks, floppy disks, CD-ROMdisks) that is not dependent on


19/32




electricity and is therefore a more permanent means for holdingdata.

Memory chip Or chip, is an integrated circuit devoted to memory storage. Thememory storage can be volatileand hold datatemporarily, such

as RAM, or non-volatile and hold data permanently, such asROM, EPROM, EEPROM or PROM.

Message In data communications, an electronic communication containingone or more transactionsor one or more items of relatedinformation.

Message header The additional informationattached to e-mail messagesthatprovides information about the e-mail; who sent it, where it camefrom, what path it took, when it happened.

Messaging Also called electronic messaging, is the creation, storage,exchange, and management of text, images, voice, telex, fax, e-

mail, paging, and EDIover a communications network.

MICR Magnetic Ink Character Recognition. A technique for theidentification of characters printed with ink that contains particlesof a magnetic material. Used widely in the banking industry tocapture sort codes and account numbers on cheques.

Microprocessor A central processing unit (CPU) on a single microchip. Amicroprocessor is designed to perform arithmetic and logicoperations that make use of small number-holding areas calledregisters. Typical microprocessor operations include adding,subtracting, comparing two numbers, and moving numbers from

one area to another. These operations are the result of a set ofinstructions that are part of the microprocessor design. A modernmicroprocessor can have more than one million transistors in anintegrated-circuit package that is roughly one inch square.Microprocessors are at the heart of all computers, frommainframesdown to smartcards.

Middleware Softwarethat is neither part of the operating system, nor anapplication. It occupies a layer between the two, providingapplicationswith an interface for receiving services. Commonexamples are communications programsand transactionprocessing monitors.

Milestone An activityof zero duration which represents a significantdeliverable orstagein a project.

Modem A communications devicethat enables a computer to transmitinformationover a standard telephone line. Because a computeris digital (it works with discrete electrical signals representingbinary numbers 1 and 0) and a telephone line is analogue(carries a signal that can have any of a large number ofvariations), modems are needed to convert digital to analogueand vice versa. The term is short for MOdulator/DEModulator.


20/32




Multiplexor Equipment that takes one or more datachannelsand combinesthe signals into one common channelfor transmission. At thereceiving end a demultiplexor extracts each of the originalsignals.

Negative Float Where a path in a networkbecomes hypercritical the activitiesonthat path have a float of less than zero. The quantity of float thenindicates the amount of time that must be recovered in order toachieve a target date.

Network (1) In data communications, a computer-based communications anddata exchange systemcreated by physically connecting two ormore computers. The smallest networks, called local areanetworks (LAN's), may connect just two or three computers sothat they can share an expensive peripheral, such as a laserprinter, but some LAN's connect hundreds of computers. Larger

networks, call wide area networks (WANs), employ telephonelines or other long-distance communications media to linkcomputers.

Network (2) A diagram that shows the logical relationships between activities.

Node (1) In a LAN, a connection point that can create, receive, or repeat amessage. Nodes include repeaters, file servers, and sharedperipheral devices. In common usage the term node often relatesto a workstationor terminal.

Node (2) In planning and estimating, the node at the start of an activityinan activity on arrow network.

Normalisation In databasedesign, the elimination of redundant/superflous data.

Object (1) In computer security, a passive entity that contains orreceives information. For example, records,files, programs,printers, andnodes. (2) In object-oriented programming, an entitythat encapsulates within itself both the datadescribing the objectand the instructions for operating on those data.

Objective A desired goal, or end result.

OCR Optical Character Recognition. Techniques and equipment forreading printed, and possibly hand-written, characters on adocumentand converting them to digital code (e.g. ASCII) forinput to a computer.

Off-the-shelf A packaged item ready for sale. The term can refer to hardware,softwareor both.

On-line Generally describes a computer that is connected to a networkand is thereby ready for operation or interaction over the network.It may also refer to the ability to connect to the Internetby virtueof having an Internet account.


21/32




Operations bridge The combination in one physical location of computer operations,networkcontrol and the Help Desk.

Operating system In computing, a collection ofsoftwaredesigned to directly control

the hardware of a computer (e.g. input/output requests, resourceallocation, data management), and on which all otherprograms(including application programs) running on the computergenerally depend.

Organisation See business.

Output controls Controlswhose objectives are to ensure that computer outputsare complete and accurate, are securely held until distribution(they may include financial instruments), and are distributed tothe intended recipient(s) in a timely manner.

Outsource The use of an external contractor to provide (1) both the IT

systemsand the personnel required to run them (see alsofacilities management). (2) support services, such as hardwaremaintenance.

Package release In IT Service management, a set ofsoftwarethat is CIsthat aretested and introduced into the live environment together.

Packet (Sometimes referred to as a frame) in communications, a packetcomprises a well-defined block ofbytes consisting of header,dataand trailer. Packets can be transmitted across networksorover telephone lines. The format of a packet depends on theprotocolthat created it. Various communications standardsandprotocolsuse special purpose packets to monitor and control a

communications session. For example, the X.25standard usesdiagnostic, call clear and reset packets (among others), as wellas data packets.

Packet switching A transmission method in which packetsare sent across ashared medium from source to destination. The transmission mayuse any available path or circuit, and the circuit is available assoon as the packet has been sent. The next packet in thetransmission may take a different path, and packets may notarrive at the destination in the order in which they were sent.

Password In Access Control, confidential authenticationinformation, usuallycomposed of a string of characters, that may be used to control

access to physical areas and to data.

Patch A piece of programming codethat is added to an existingprogramto repair a deficiency in the functionality of an existingroutine or program. It is generally provided in response to anunforeseen need or set of circumstances. Patching is also acommon means of adding a new feature or function to a programuntil the next major version of the softwareis released.


22/32




PD0005 A Code of Practice for IT Service Management. A guidepublished by the BSI, that is designed to provide advice andrecommendations forIT service management. The subjects dealtwith include managing incidents, problems, systemconfigurationand system change.

PD0008 A Code of Practice for Legal Admissibility and EvidentialWeight of Information Stored electronically. A BSIguide onthe management ofsystemsin which original paperdocumentsare scanned to form electronic images. The object is to ensurethat the images so formed may be regarded as authentic, forexample in a court of law or by external regulators or auditors.

Permanent Virtual Circuit (PVC) is a software-defined logical connection in a network suchas a frame relay network. A feature of frame relay that makes it ahighly flexible network technology is that users can define logicalconnections and required bandwidth between end points and letthe frame relay network technology worry about how the physical

network is used to achieve the defined connections and managethe traffic. In frame relay, the end points and a stated bandwidthcalled a Committed Information Rate constitute a PVC, which isdefined to the frame relay network devices. The bandwidth maynot exceed the possible physical bandwidth. Typically, multiplePVCs share the same physical paths at the same time. Tomanage the variation in bandwidth requirements expressed in theCIRs, the frame relay devices use a technique called statisticalmultiplexing.

Phreaking In communications security, fraudulent use of a telephone systemto make calls at the expense of another. Cases brought underEnglish law are prosecuted under the Theft Act.

Physical access In access control, gaining access to physical areas and entities(see logical access).

Platform The computer hardware, and the associated operating systemssoftwarenecessary for its operation, on which applicationssoftwareis run.

Policy A formally stated course of action to be followed for achieving anobjective(see strategy).

Port an interface between the CPU and a peripheral device.

PRINCE A methodology for planning, managing and controlling projects.PRINCE II is a generic project managementmethod, whereas theearlier version (PRINCE) was specifically aimed at IT projects.

Private key See secret key.

Problem In IT Service Management, a condition identified from multipleincidentsthat exhibits common symptoms. It can also arise froma single significant incident that suggests a single errorfor whichthe cause is unknown.


23/32




Problem control In IT Service Management, the process of identifying, recording,classifying and progressing problemsthrough investigation anddiagnosis until either known errorstatus is achieved, or analternative procedural reason for the problem is revealed.

Problem management In IT Service Management, a generic term used to identify thecombined processes ofincident, problemand errorcontrol,complemented by the utilisation of associated managementinformation. The primary objective is to make sure that servicesare stable, timely and accurate.

Procedure A set of instructions for performing a task. Procedures should beconsistent with policyrequirements.

Process In IT Service Management, a sequence of operations that areintended to achieve a defined objective. Processes require policy,people, procedures and IT infrastructure.

Processing controls Controlswhose objectives are to ensure that only valid dataisprocessed, and that processing is both complete and accurate.

Program In computing, a series of instructions that conform to the syntaxof a computer language, that when executed (or run) on acomputer will perform a given task.

Programme A group ofprojects. The projects that comprise a programme areselected and planned in a co-ordinated way so that, overall, theyserve to implement a business strategy. Sometimes a large,complex project is described as a programme.

Programme Definition Statement The agreed statement of objectives and plans between thetarget business operation, the Programme Director, and thesenior management group to whom the Programme Directorreports.

Programme Management The selection and co-ordinated planning of a portfolio ofprojectsso as to achieve a set of defined business objectives, and theefficient execution of these projects within a controlledenvironment such that they realise maximum benefit for theresulting business operations.

Programme Director The senior manager with individual responsibility for the overallsuccess of a programme. Is ideally drawn from the managementof the target business area.

Project A temporary management environment, set up to deliver aspecifiedbusiness product in accordance with a defined businesscase.

Project Brief A statement of the terms of reference for the project, initiallyprovided by the IS Steering Committee and subsequently refinedby the project boardto form part of the Project InitiationDocument.


24/32




Project Board A board set up to exercise overall control of a project. It generallycomprises a small group of senior managers that represent majorbusiness interests such as Finance, Information Technology andthe particular business area that is sponsoring, or will be most

affected by the project.

Project Initiation Management activities that aim to ensure that a projectisestablished with clear terms of reference and an adequatemanagement structure. These activities are led by the ProjectBoard.

Project Initiation Document A document that is approved by the Project Boardat projectinitiation. It defines the terms of reference for the project, basedon the initial project brief, and brings together other keyinformation needed to start the project on a sound basis. (Itshould answer the questions why? what? how? who? and when?for the project, and what? why? and when?for its business

products).

Project Manager The person appointed to take day-to-day responsibility formanaging a projectthroughout all its stages. A project manageris essentially a non-technical role, with technical management ofa project being undertaken by stage managers.

Project Management The managerial task of accomplishing a projecton time, withinbudget and to technical specification. The project manageris thesingle point of responsibility for achieving this.

Project Support Office A central support unit that provides a planning and monitoringservice to projectboards and project managers.

Protocol A set of rules that must be followed for any datacommunicationsto be made. Protocols enable totally different platforms(e.g.computers connected to the Internet) to communicate with eachother. For one computer to communicate with another, both mustadhere to the same protocol(s).

Public key In cryptography, the key, in an asymmetricencryption system, ofa users key set that is known to other users.

Quality The attributes of a product orservicethat make it fit for itsintended use. The term also embraces value for money, whichin turn implies a satisfied customer.

Query In computing, a specific set of instructions for extracting particulardatafrom a database.

RAD Rapid ApplicationDevelopment. An approach to systemdevelopment that aims to speed up the development process.RAD focuses on core business requirements to the exclusion ofinessential items (the 80/20 rule), and makes extensive use ofthe construction of models and prototype systems in place of


25/32




formal system analysis and specification. It also makes extensiveuse ofCASE(see also DSDM).

RAM Random Access Memory. Semiconductor-based memory thatcan be read and written by the central processing unit (CPU) or

other hardware devices. The term is generally understood to referto volatile memory that does not permanently hold dataorprograms.

Record (1) In computing, a collection of related datatreated as a unit. Arecord is the main unit of storage within a file. (2) In recordmanagement, anything that provides permanent evidence of, orinformationabout past events. Although the term documentincludes records, records are particular types of document thatare not subject to amendment, and for which there is often a legalor contractual requirement.

Regression testing Testing undertaken to prove that a change introduced to a

systemdoes not affect the way in which the remainder of thesystem performs.

Relational database A type ofdatabasein which data is organised as a collection oftwo-dimensional tables. Microsoft Access and ORACLE areexamples of widely used relational database systems.

Release In IT Service Management, a CIthat is introduced into the test,and subsequently the live environment. In most cases a releasewill also include documentation and possibly hardware as well(see also updatesand upgrades).

Release (Delta) A delta releasedoes not replace all component CIsof a release

unit, but rather includes only those CIsthat have changed sincethe last version of the software.

Release (Full) A full releasereplaces all components of a release unit,regardless of whether or not they have changed since the lastversionof the software.

RFC Request For Change. (1) In IT Service Management, a form orscreen, used to record details of an RFC to any component of anIT infrastructureor any aspect of an IT service. Generally formsthe basis of authorisation for the change to take place and assuch is an important audit trail item. Although rarely viewed assuch, requests to introduce new users; alter the accesspermissions of existing users; and delete accounts are alsoexamples. (2) Request For Comment on a specification.

Risk In information security, the potential that exists for damage orunwanted consequences to arise from a threatexploiting avulnerabilityto cause an impact. Risk managementstrategiesaim to reduce risk to an acceptable level by implementingcontrolsdesigned to reduce threat, vulnerability or impact, or acombination of these.


26/32




Risk assessment In information security, a study of the threats(and theirlikelihood), vulnerabilitiesand potential impact, and thetheoretical effectiveness ofcontrols. The results of riskassessment are used to develop security requirements andspecifications.

Risk management In information security, the total process involved in reducingidentified risksto a level that is acceptable to an organisationstop management.

Rollback In databases, a technique employed to protect a databaseagainst incorrect user action. The state of the database ispreserved and subsequent transactionsstored. If the userdecides to implement the total set of transactions a commitcommand is issued. If the rollback command is employed thetransactions are aborted and do not affect the database.

ROM Read-Only Memory. A semiconductor circuit into which codeor

datais permanently installed by the manufacturing process. ROMcontains instructions or data that can be read or executed, butnot modified.

Script A simple programconsisting of a set of instructions that aredesigned to perform or automate a task or function.

Secret key In cryptography, the keyof a users key set in an asymmetricorpublic keycryptographic system, which may be known only tothat user.

Server A computing unit ornodein a networkthat provides specificservicesto network users, e.g. a printer server provides printing

facilities to the network, and a fileserver stores users files.

Service Performance of a specifiedfunction.See also IT service.

Service Level Agreement OrSLA, is a written agreement between a user and an IT serviceprovider that documents the agreed service levels for an ITservice (e.g. hours of operation, maximum downtimes,transaction throughput, terminal response times, security,contingency). An SLA is not normally a contract in itself, but itmay form part of a contract.

Severity code In IT Service Management, a simple code assigned to problemsand errorsto indicate the seriousness of their effect on the qualityof an IT service. It is the major means of assigning priority forresolution.

Smartcard A plastic card (of identical dimensions to a credit card) that haselectronic logic embedded in it in the case of a stored data card,or a microprocessorin the case of cards with processing ability.Smartcards are commonly used to perform digital signatures,authenticateusers foraccess controlpurposes, and encryptordecryptmessages.


27/32




SMTP Simple Mail Transport Protocol. The protocolthat is used tomove e-mail and any attachments between mail servers.

Software Instructions for the computer. A series of instructions thatperforms a particular task is called a program. The two main

types of software are system software(operating system), whichcontrols the workings of the computer and application programs,which perform the tasks for which people use computers. Acommon misconception is that software is data. It is not. Softwaretells the hardware how to process the data. Software is "run" (orexecuted), whereas data is "processed."

Software package A softwareprogramorapplicationsold to the public, ready to run,and containing all necessary components and documentation.Also called "shrink wrapped" or "off-the-shelf" software.

Software maintenance Any modification to a softwareproduct after delivery to correctfaults, to improve performance or other attributes, or to adapt the

product to a changed environment.

Specification A detailed description of the requirements for a product orservice.

Spoofing In Information Security, (1) assuming the characteristics ofanother computer system for purposes of deception. (2)Malicious codethat masquerades as the operating system,presenting a loginscreen and tricking the user into revealing theirpassword.

SQL Structured Query Language, the traditional language foraccessing datastored in a relational database.

Stage A sub-section of a projectthat has its own organisationalstructure, life span and stage manager.

Stage Manager The person who is responsible for the management andsuccessful completion of a stage in a project. Generally hastechnical expertise in the activities being carried out within theparticular stage. [see also project manager].

Standard Agreed, and generally widely recognised criteria against which aproduct orservicemay be evaluated. See ISOand BSI.

Strategy A detailed and systematic plan of action (see also IS strategy).

Superuser A user with unrestricted access to userfilesand system utilities.For reasons of security, this level of access should only begranted to the minimum number of staff necessary to performsystem administration duties.

Symmetric encryption A form ofdataencryptionalgorithmthat employs the same valueofkeyfor both encryptionand decryptionprocesses.


28/32




System Any collection of components that work together to perform atask. Examples are a hardware system consisting of amicroprocessor, its allied chips and circuitry, input and outputdevices, and peripheral devices; an operating systemconsistingof a set ofprogramsand data files; a database management

systemused to process specific kinds ofinformation; or anapplication systemused to perform a particular business function.

System Development Life Cycle(SDLC). is the process of developing information systemsthrough investigation, analysis, design, implementation, andmaintenance.

System software Softwareprimarily concerned with co-ordinating and controllinghardware and communication resources, access to filesandrecords, and the control and scheduling ofapplications(see alsooperating system).

TCB Trusted computing base. In Information Security, the totality of

protection mechanisms within a computersystem(includinghardware, firmwareand software) the combination of which isresponsible for enforcing a security policy.

TCP/IP Transmission Control Protocol/Internet Protocol. A set ofprotocolsthat make Internetservices (Telnet, FTP, e-mail, etc.)possible among computers that don't belong to the samenetwork.

Telephone call centre See call centre.

Test environment A computer system or part of a computer system (made up ofhardware and system software), which is used to run, and

sometimes to build, softwarereleasesfor acceptance testing.

Test data In computing, dataprepared solely to test the accuracy of theprogrammingand logic of a system. It is used to prove eachbranch and combination of branches (within feasible limits) of asystem and should, therefore, be as comprehensive as possible.

Threat In Information Security, actions and events that may jeopardise asystemsobjectives (see vulnerabilityand impact).

Tranche A block of work within a programme, identified to facilitate theprogramme's management.

Transaction A discrete activity within a computersystem, such as an entry ofa customer order or an update of an inventory item. Transactionsare usually associated with applications.

Trapdoor A hidden hardware orsoftwaremechanism that permits accesscontrolsto be bypassed. Trapdoors often inserted by systemdevelopers as a convenient means of testing computerprogramsand diagnosing bugs.


29/32




Trojan Horse In Information Security, an apparently useful programthatperforms unauthorised functions by taking advantage of aninnocent users access rights in order to copy, misuse or destroydata. For example, a Trojan Horse hidden in a text editor mightcovertly copy sensitive informationcontained in a filebeing edited

to another file that is accessible by the attacker (see also Virusand Worm).

UNIX A highly portable, general purpose, multi-useroperating system,generally used on small and mid-range computers (versions arealso available for PCs). There is many common featuresbetween the numerous commercial versions of UNIX. UNIXprovides facilities for sharing resources (disc space, CPU time,etc.) and for protecting usersfiles. For each file users canallocate individual read, write and execute privileges tothemselves, members of groups and all other users. Theoperating system is also multitasking, which allows users torelegate programsthat require no interaction to background

processing whilst working interactively on other tasks.

Update A new releaseof an existing softwareproduct. A software updateusually adds relatively minor new features to a product oraddresses issues found after the programwas released. Updatescan be indicated by small changes in the softwareversionnumbers, such as the change from version 4.0 to version 4.0b.

Upgrade The new or enhanced version of a softwareproduct that isconsidered to have major enhancements or improvement to itsfeatures or functionality. Software upgrades are typicallyindicated by a significant (integer) change in the versionnumber,such as from version 4.0 to version 5.0.

URL Uniform Resource Locator. A uniform method where a hostcanbe accessed at a specific address using a specificprotocol.Anexample is http://www.nao.gov.uk/, the URL for the UK NationalAudit Office.

UPS In business continuityan acronym for Uninterruptible PowerSupply. A device, connected between a computer (or otherelectronic equipment) and a power source, that ensures that thecomputers power supply is not interrupted. In most cases it alsoprotects the computer against potentially damaging events, suchas power surges and brownouts. All UPS units are equipped witha battery and a loss-of-power sensor; if the sensor detects a lossof power, it switches over to the battery so that the user has timeto close down the computer in a controlled manner, thus avoidingdataloss.

User The individual or organisation that puts an IT servicetoproductive use (see also customer).

User profile In Information Security, a list of an individuals accessrights, or ofthe access rights of a group of people who share commonbusiness needs. Access may be to physical areas, such as
http://www.zdwebopedia.com/http://www.zdwebopedia.com/http://www.revealed.net/http://www.revealed.net/http://www.revealed.net/http://www.zdwebopedia.com/


30/32




buildings or rooms within them, or to data held within a computersystem (see also physical accessand logical access).

Utility program Softwaredesigned to perform maintenance work on a system oron system components (e.g., backing up data; disk and file

recovery; editing; sorting and merging; file and memory dumps).

Version A particular issue orreleaseof a hardware orsoftwareproduct.Version numbers are generally represented by an integer (awhole number) combined with a decimal number (for example3.2). Successive releases of a programare assigned increasinglyhigher numbers. Major releases are reflected with whole numberincrements; minor releases with decimal increments. Whendiscussing software versions, an "x" is often used after theversion integer to designate a range of minor releases. Forexample, Internet Explorer 5.x refers to all minor releases ofInternet Explorer 5.

Virus A computerprogramdesigned to carry out unwanted and oftendamaging operations. It replicates itself by attaching to a host,which depending on the type of virus, may be a program, macrofile or magnetic disc. In common with a human virus, the effectsof a computer virus may not be detectable for a period of days orweeks during which time the virus will attempt to spread to othersystems by infecting files and discs. Eventually, the effectsmanifest themselves when a date or sequence of events triggersthe virus. Impactsrange from prank messages to erratic systemsoftwareperformance, even catastrophic erasure of all theinformationon a hard disc.

Virtual Private Network A VPN is a private data network, but one that uses the public

telecommunication infrastructure, such as the Internet. It issimilar in concept to a system of owned or leased lines, butprovides comparable capabilities at much lower cost by usingshared rather than private infrastructure. Using a virtual privatenetwork involves encryptingdatabefore sending it through thepublic network and decryptingit at the receiving end. Anadditional level of security involves encrypting not only the databut also the originating and receiving network addresses. VPNsoftware is typically installed as part of the organisation's firewallserver.

Volatile In datastorage, a term used to describe any devicethat needs tobe powered on in order to function. Most microchip storagetechnologies are volatile, compared with optical and magneticstorage devices which are non-volatile (although considerablyslower to access).

Vulnerability In Information Security, a weakness or flaw (in location, physicallayout, organisation, management, procedures, personnel,hardware or software) that may be exploited by a threatto causean impact.


31/32




Warm site In business continuity, a site that is fully equipped withenvironmental and ancillary equipment, and partly equipped withcomputer hardware (generally the less expensive components).

Web browser Or web client, is softwaredesigned to navigate the WWW, view

its informationresources and, when used interactively, exchangeinformation. Netscape Navigator and Internet Explorer are widelyused examples of web browsers.

Web server An Internethostcomputer that stores web pagesand responds torequests to see them. Web servers talk to web browsersby usinga language named HTTP.

Web site A location on the World Wide Web (WWW). It is synonymouswith web pageand web server.

Web page The basic building block of the World Wide Web (WWW).Informationdisplayed on a web page can include highly

sophisticated graphics, audio and video, the locus ofcontemporary creativity. Web pages are linked together to formthe WWW.

Wide Area Network (WAN) - a telecommunications networkthat is dispersed over awide geographic area possible world wide - as distinct from alocal area network (LAN) that is generally confined to a confinedgeographic area, such as a building. A wide area network may beprivately owned or rented; either way it usually requires the useof public (shared user) networks (e.g. the Internet) and/or leasedcommunication circuits. See also VPN.

Windows NT Often referred to as NT, is the high-end member of a family of

operating systemsfrom Microsoft. It is a completely self-contained with a built-in graphical user interface. NT is a 32-bit,multitasking operating system that features networking,symmetric multiprocessing, multithreading and security. It is aportable operating system that can run on a variety of hardwareplatformsincluding those based on the Intel 80386, i486 andPentium microprocessorsand MIPS microprocessors; it can alsorun on multiprocessor computers. NT supports up to 4 gigabytesof virtual memory and can run MS-DOS, POSIX, and OS/2(character-mode) applications. Authenticationchecks are madeduring the loginprocess (which uses a secure communicationschannel) and also during networkoperations (e.g. when a userorprocess needs access to a service).

Work Breakdown Structure A tree diagram that breaks a projectdown in increasing levels ofdetail. The lowest level of a work breakdown structure comprisesactivities.

Workstation This term tends to have different meanings in different contexts.Generally it refers to a high-powered microcomputer, such as aSPARC workstation and other typically single-user but verypowerful machines, often running the UNIXoperating system.


32/32



Worm (1) In communications, a malicious programwhich, unlike a virus,is free-standing (i.e. it does not require a host). Worms replicatethemselves across networks, cause both traffic congestion andcan cause network failure. (2) In computing, Write Once ReadMany (WORM). A data storage deviceto which codeordatacan

be written but not altered or erased. They are generallyimplemented on non-rewritable optical discs, although pseudo-WORM magnetic tape devices are becoming available.

WWW World Wide Web. Refers to the informationresources of theInternetthat are accessible via web pagesusing a web browser.Technically speaking, the WWW refers to the abstractcyberspace of information whereas the Internet is the physicalside of the network, i.e. the computers and communications thatlink computers throughout the World.

XML Extensible Markup Language, is a set of tags and declarationsused as a complement to HTML in the construction ofweb

pages.

X.25 A common communication standardfor the transfer ofinformationbetween terminals operating in the packetmode.

X.400 A communication standardformessagehandling systems (e.g.e-mail).

X.500 A standardfor the storage and retrieval of directory informationabout hostsand usersof distributed systems.

auditing glossary

Documents