Terms and Definitions: Information Security

This page contains information security related terms and definitions.


Access control

The process that limits and controls access to resources of a computer system; a logical or physical control designed to protect against unauthorized entry or use.



Accountable

In a RACI chart, refers to the person or group who has the authority to approve or accept the execution of an activity.



Activities

The main actions taken to operate a process.


Application program

A program that processes business data through activities such as data entry, update or query. It contrasts with system programs, such as an operating system or network control program, and with utility programs, such as copy or sort.


Audit charter

A document approved by the board, which defines the purpose, authority and responsibility of the internal audit activity.



Authentication

The act of verifying the identity of a system entity (e.g., user, system, network node) and the entity's eligibility to access computerized information. Designed to protect against fraudulent logon activity, authentication can also refer to the verification of the correctness of a piece of data.
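The second sense in the definition, verifying that a piece of data is genuine and has not been modified, is what a message authentication code (MAC) provides. The following Python example is added here and is not part of the original glossary or of any particular product; it uses the standard library's HMAC-SHA256 over a constructed sample record with a constructed demo key, and shows that a modified record, a wrong key or a truncated tag all fail verification. The comparison uses hmac.compare_digest so that verification time does not depend on where the first mismatching byte is.

```python
import hashlib
import hmac

# Constructed demo key for this example only. In practice the key comes from a
# secret store and is never embedded in source code.
DEMO_KEY = b"example-shared-secret-not-for-production"


def tag_message(key: bytes, message: bytes) -> bytes:
    """Return an HMAC-SHA256 tag (32 bytes) that authenticates `message` under `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time.

    compare_digest returns False (no exception) for tags of a different length,
    so a truncated tag is rejected like any other mismatch.
    """
    expected = tag_message(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise the four cases a practitioner cares about; all values should be True."""
    # Constructed sample record: one application transaction serialized as bytes.
    original = b'{"account":"4711","amount":"250.00","currency":"EUR"}'
    tag = tag_message(DEMO_KEY, original)

    tampered = original.replace(b"250.00", b"2500.00")  # one digit inserted
    return {
        "genuine_accepted": verify_message(DEMO_KEY, original, tag),
        "tampered_rejected": not verify_message(DEMO_KEY, tampered, tag),
        "wrong_key_rejected": not verify_message(b"another-key", original, tag),
        "truncated_tag_rejected": not verify_message(DEMO_KEY, original, tag[:-1]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Note that a MAC authenticates the data only to holders of the shared key; it does not identify which holder produced it. Where non-repudiation between parties is required, a digital signature is the right tool instead.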


Automated application control

A set of controls embedded within automated solutions (applications).


Balanced scorecard

A coherent set of performance measures organized into four categories. It includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives. It was developed by Robert S. Kaplan and David P. Norton in 1992.



Benchmarking

A systematic approach to comparing an organization's performance against peers and competitors in an effort to learn the best ways of conducting business (e.g., benchmarking of quality, logistical efficiency and various other metrics).


Best practice

A proven activity or process that has been successfully used by multiple organizations.



Capability

Having the needed attributes to perform or accomplish.


Capability Maturity Model (CMM)

The CMM for Software, from the Software Engineering Institute (SEI). A model used by many organizations to identify good practices useful in helping them assess and increase the maturity of their software development processes.



CEO

Chief executive officer; the highest-ranking individual in an organization.



CFO

Chief financial officer; the individual primarily responsible for managing the financial risks of an organization.


CIO

Chief information officer; the individual responsible for the IT group within an organization. In some cases, the CIO role has been expanded to become the chief knowledge officer (CKO), who deals in knowledge, not just information. Also see CTO.



CTO

Chief technology officer; focuses on technical issues in an organization. The title CTO is often viewed as synonymous with CIO.


Configuration item (CI)

Component of an infrastructure, or an item, such as a request for change, associated with an infrastructure, which is (or is to be) under the control of configuration management. CIs may vary widely in complexity, size and type, from an entire system (including all hardware, software and documentation) to a single module or a minor hardware component.


Configuration management

The control of changes to a set of configuration items over a system life cycle.



Consulted

In a RACI chart, refers to those people whose opinions are sought on an activity (two-way communication).



Continuity

Preventing, mitigating and recovering from disruption. The terms 'business resumption planning', 'disaster recovery planning' and 'contingency planning' may also be used in this context; they all concentrate on the recovery aspects of continuity.


Control framework

A set of fundamental controls that facilitates the discharge of business process owner responsibilities to prevent financial or information loss in an organization.


Control objective

A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.


Control practice

Key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business.



COSO

Committee of Sponsoring Organizations of the Treadway Commission. See www.coso.org.



CSF

Critical success factor; the most important issues or actions for management to achieve control over and within its IT processes.



Dashboard

A tool for setting expectations for an organization at each level of responsibility and for continuous monitoring of performance against set targets.


Data classification scheme

An enterprise-wide scheme for classifying data by factors such as criticality, sensitivity and ownership.


Data dictionary

A database that contains the name, type, range of values, source and authorization for access for each data element in a database. It also indicates which application programs use that data so that when a data structure is contemplated, a list of the affected programs can be generated. The data dictionary may be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database.


Data owners

Individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting and use of computerized data.


Detective control

A control that is used to identify events (undesirable or desired), errors and other occurrences that an enterprise has determined to have a material effect on a process or end product.



Enterprise

A group of individuals working together for a common purpose, typically within the context of an organizational form such as a corporation, public agency, charity or trust.


Enterprise architecture

Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships amongst them and the manner in which they support the organization’s objectives.


Enterprise architecture for IT

Description of the fundamental underlying design of the IT components of the business, the relationships amongst them and the manner in which they support the organization’s objectives.


Enterprise governance

A set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.



Framework

See Control framework.


General computer controls

Controls, other than application controls, which relate to the environment within which computer-based application systems are developed, maintained and operated, and which are therefore applicable to all applications. The objectives of general controls are to ensure the proper development and implementation of applications, and the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed.



Guideline

A description of a particular way of accomplishing something that is less prescriptive than a procedure.


Information architecture

One component of IT architecture (together with applications and technology). See IT architecture.



Informed

In a RACI chart, refers to those people who are kept up to date on the progress of an activity (one-way communication).


Internal control

The policies, plans and procedures, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.


ISO 17799

An international standard that defines information confidentiality, integrity and availability controls. Published as ISO/IEC 17799, it was renumbered ISO/IEC 27002 in 2007.


ISO 27001

Information Security Management—Specification with Guidance for Use; the replacement for BS 7799-2. It is intended to provide the foundation for third-party audit and is harmonized with other management system standards, such as ISO 9001 and ISO 14001.


ISO 9001:2000

Quality management standard from the International Organization for Standardization (ISO). ISO 9001:2000 specifies requirements for a quality management system for any organization that needs to demonstrate its ability to consistently provide products or services that meet particular quality targets. (Since superseded by ISO 9001:2008 and ISO 9001:2015.)



IT

Information technology; the hardware, software, communications and other facilities used to input, store, process, transmit and output data in whatever form.


IT architecture

Description of the fundamental underlying design of the IT components of the business, the relationships amongst them and the manner in which they support the organization’s objectives.



ITIL

The UK Office of Government Commerce (OGC) IT Infrastructure Library; a set of guides on the management and provision of operational IT services.


IT incident

Any event that is not part of the ordinary operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service (aligned to ITIL).


IT investment dashboard

A tool for setting expectations for an organization at each level and continuous monitoring of the performance against set targets for expenditures on and returns from IT-enabled investment projects in terms of business values.


IT strategic plan

A long-term plan, i.e., three- to five-year horizon, in which business and IT management co-operatively describe how IT resources will contribute to the enterprise's strategic objectives (goals).


IT strategy committee

Committee at the level of the board of directors to ensure that the board is involved in major IT matters/decisions. The committee is primarily accountable for managing the portfolios of IT-enabled investments, IT services and other IT resources. The committee is the owner of the portfolio.


IT tactical plan

A medium-term plan, i.e., six- to 18-month horizon, that translates the IT strategic plan direction into required initiatives, resource requirements, and ways in which resources and benefits will be monitored and managed.



KGI

Key goal indicator; measures that tell management, after the fact, whether an IT process has achieved its business requirements, usually expressed in terms of information criteria.



KPI

Key performance indicator; measures that determine how well the process is performing in enabling the goal to be reached. They are lead indicators of whether a goal will likely be reached, and are good indicators of capabilities, practices and skills. They measure the activity goals, which are the actions the process owner must take to achieve effective process performance.



Maturity

In business, indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives.



Measure

A standard used to evaluate and communicate performance against expected results. Measures are normally quantitative in nature, capturing numbers, dollars, percentages, etc., but can also address qualitative information such as customer satisfaction. Reporting and monitoring measures help an organization gauge progress toward effective implementation of strategy.



Metric

Specific descriptions of how a quantitative and periodic assessment of performance is to be measured. A complete metric defines the unit used, frequency, ideal target value, the procedure to carry out the measurement and the procedure for the interpretation of the assessment.



OLA

Operational level agreement; an internal agreement covering the delivery of services that support the IT organization in its delivery of services.



Organizational structure

The manner in which an enterprise is structured.


Outcome measures

Measures that represent the consequences of actions previously taken. They frequently focus on results at the end of a time period and characterize historical performance. Because they can be measured only after the fact, they are called 'lag indicators'. They are also referred to as key goal indicators (KGIs) and are used to indicate whether goals have been met.



Performance

In IT, the actual implementation or achievement of a process.


Performance drivers

Measures that are considered the ‘drivers’ of lag indicators. They can be measured before the outcome is clear and, therefore, are called ‘lead indicators’. There is an assumed relationship between the two that suggests that improved performance in a leading indicator will drive better performance in the lagging indicator. They are also referred to as key performance indicators (KPIs) and are used to indicate whether goals are likely to be met.


Performance management

In IT, the ability to manage any type of measurement, including employee, team, process, operational or financial measurements. The term connotes closed-loop control and regular monitoring of the measurement.



PMO

Project management officer; the individual or function responsible for the implementation of a specified initiative for supporting the project management role and advancing the discipline of project management.



Policy

Generally, a document that records a high-level principle or course of action that has been decided upon. A policy's intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise's management teams. In addition to policy content, policies need to describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured.



Portfolio

A grouping of programs, projects, services or assets selected, managed and monitored to optimize business return.


Preventive control

An internal control that is used to prevent undesirable events, errors and other occurrences that an organization has determined could have a negative material effect on a process or end product.



PRINCE2

Projects in a Controlled Environment, developed by the OGC; a project management method that covers the management, control and organization of a project.



Problem

In IT, the unknown underlying cause of one or more incidents.



Procedure

A document containing steps that specify how to achieve an activity. Procedures are defined as part of processes.



Process

Generally, a collection of procedures influenced by the organization's policies and procedures that takes inputs from a number of sources, including other processes, manipulates the inputs, and produces outputs, including to other processes. Processes have clear business reasons for existing, accountable owners, clear roles and responsibilities around the execution of the process, and the means to measure performance.



Programme

A structured grouping of interdependent projects that includes the full scope of business, process, people, technology and organizational activities that are required (both necessary and sufficient) to achieve a clearly specified business outcome.



Project

A structured set of activities concerned with delivering to the enterprise a defined capability (that is necessary but not sufficient to achieve a required business outcome) based on an agreed-upon schedule and budget.



QMS

Quality management system; a system that outlines the policies and procedures necessary to improve and control the various processes that will ultimately lead to improved organization performance.


RACI chart

Illustrates who is responsible, accountable, consulted and informed within an organizational framework.



Resilience

In business, the ability of a system or network to recover automatically from any disruption, usually with minimal recognizable effect.



Responsible

In a RACI chart, refers to the person who must ensure that activities are completed successfully.



Risk

In business, the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss and/or damage to the assets; usually measured by a combination of impact and probability of occurrence.


Root cause analysis

Process of diagnosis to establish origins of events, which can be used for learning from consequences, typically of errors and problems.



SDLC

System development life cycle; the phases deployed in the development or acquisition of a software system. Typical phases include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post-implementation review, but not the service delivery or benefits realization activities.


Segregation/separation of duties

A basic internal control that prevents or detects errors and irregularities by assigning responsibility for initiating transactions, recording transactions and custody of assets to separate individuals. Commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection.
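Applied to software delivery, the control in this definition means that the person who initiates a change (writes the code) is not also the person who approves it or moves it into production. The following Python check is an added example, not part of the original glossary or of any particular tool; the record format, the three rules and the sample change records are all constructed for illustration. It flags changes where the author approved or deployed their own work, and changes that lack an approver independent of the author.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ChangeRecord:
    """One change to a production system. Field names are assumptions for this example."""
    change_id: str
    author: str                                          # initiated the change (wrote the code)
    approvers: List[str] = field(default_factory=list)   # reviewed and approved it
    deployer: str = ""                                   # moved it into production ("" = not yet)


def sod_violations(change: ChangeRecord, min_approvers: int = 1) -> List[str]:
    """Return the segregation-of-duties rules that `change` breaks (empty list = clean).

    Rules (chosen for this example; tailor to the organisation's own policy):
      1. the author may not approve their own change
      2. at least `min_approvers` approvers other than the author are required
      3. the author may not deploy their own change
    """
    violations: List[str] = []
    if change.author in change.approvers:
        violations.append("author approved own change")
    independent = [a for a in change.approvers if a != change.author]
    if len(independent) < min_approvers:
        violations.append(f"fewer than {min_approvers} independent approver(s)")
    if change.deployer and change.deployer == change.author:
        violations.append("author deployed own change")
    return violations


def review_changes(changes: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Map change_id -> violations for every record that breaks at least one rule."""
    findings: Dict[str, List[str]] = {}
    for change in changes:
        violations = sod_violations(change)
        if violations:
            findings[change.change_id] = violations
    return findings


# Constructed sample change records (not real data).
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1", author="alice", approvers=["bob"], deployer="carol"),   # clean
    ChangeRecord("CHG-2", author="dave", approvers=["dave"], deployer="erin"),    # self-approved
    ChangeRecord("CHG-3", author="frank", approvers=["grace"], deployer="frank"), # self-deployed
    ChangeRecord("CHG-4", author="heidi", approvers=[], deployer="ivan"),         # no approver
]


def demo() -> Dict[str, List[str]]:
    """Run the check over the constructed records and return the findings."""
    return review_changes(SAMPLE_CHANGES)


if __name__ == "__main__":
    for change_id, problems in demo().items():
        print(f"{change_id}: {', '.join(problems)}")
```

In practice the records would be pulled from the version control system and the deployment pipeline, and the check would run as a detective control (periodic report) or, at the approval and deployment gates, as a preventive one.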


Service desk

A point of contact within the IT organization for users of IT services.


Service provider

External entity that provides services to the organization.



SLA

Service level agreement; an agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured.



Standard

A mandatory requirement. Examples include ISO/IEC 20000 (an international standard), an internal security standard for UNIX configuration or a government standard for how financial records should be maintained. The term 'standard' is also used to refer to a code of practice or specifications published by a standards organization, such as ISO or BSI.



TCO

Total cost of ownership; in IT it includes:
  • Original cost of the computer and software
  • Hardware and software upgrades
  • Maintenance
  • Technical support
  • Training
  • Certain activities performed by users


Technology infrastructure plan

A plan for the technology, human resources and facilities that enables the current and future processing and use of applications.