Not sure of any technical term or what an acronym means?

Explore our downloadable PDF glossary, a concise compilation of key terms tailored to provide clear definitions and explanations. Or, search the list below.



A technique used to determine an issue's root causes. This technique involves asking the question "Why?" repeatedly until the root cause is identified.


A/B testing

A statistical way of comparing two (or more) techniques, typically an incumbent against a new rival. A/B testing aims to determine not only which technique performs better but also whether the difference is statistically significant. A/B testing usually considers only two techniques using one measurement but can be applied to any finite number of techniques and measures.


An abnormal end to a computer job; termination of a task prior to its completion because of an error condition that cannot be resolved by recovery facilities while the task is executing

Acceptable interruption window

The maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives

Acceptable use policy

A policy that establishes an agreement between users and the enterprise that defines, for all parties, the ranges of use that are approved before gaining access to a network or the Internet

Acceptance criteria

Criteria that a solution must satisfy to be accepted by customers

Acceptance testing

Testing performed to determine whether a customer, acquirer, user, or their designee should accept a solution

Access control

The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

Access control list (ACL)

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals

Scope Notes: Also referred to as access control table

Access control table

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals

Access method

The technique used for selecting records in a file, one at a time, for processing, retrieval or storage. The access method is related to, but distinct from, the file organization, which determines how the records are stored.

Access path

The logical route that an end user takes to access computerized information.

Scope Notes: Typically includes a route through the operating system, telecommunications software, selected application software and the access control system.

Access rights

The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

Access risk

The risk that information may be divulged or made available to recipients without authorized access from the information owner, reflecting a loss of confidentiality

Access server

Provides centralized access control for managing remote access dial-up services


The ability to map a given activity or event back to the responsible party

Accountability of governance

Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritization and decision making; and monitoring performance, compliance and progress against plans. In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson.

Scope Notes: COBIT 5 and COBIT 2019 perspective

Accountable party

The individual, group or entity that is ultimately responsible for a subject matter, process or scope

Scope Notes: Within the IT Assurance Framework (ITAF), the term "management" is equivalent to "accountable party."


The fraction of predictions that a classification model predicted correctly. In multiclass classification, accuracy is defined as correct predictions divided by total number of examples. In binary classification, accuracy is defined as (true positives plus true negatives) divided by total number of examples.

Acknowledgment (ACK)

A flag set in a packet to indicate to the sender that the previous packet sent was accepted correctly by the receiver without errors, or that the receiver is now ready to accept a transmission


The stakeholder who obtains a solution from a supplier

See Affected stakeholder


Obtaining solutions by establishing and executing supplier agreements

See Supplier agreement


In reinforcement learning, the mechanism by which the agent transitions between states of the environment. The agent chooses the action by using a policy.

Action plan reappraisal (APR)

A bounded set of appraisal activities performed to address non-systemic weaknesses that led to a limited set of unsatisfied practice groups in an appraisal. The APR includes:

  • Conducting an eligibility analysis

  • Gaining authorization from ISACA

  • Reviewing and obtaining approval to proceed from the Appraisal Sponsor

  • Modifying the existing appraisal plan

  • Conducting a reappraisal of unsatisfied practice groups

  • Reporting the results to ISACA

Active recovery site (Mirrored)

A recovery strategy that involves two active sites, each capable of taking over the other's workload in the event of a disaster

Scope Notes: Each site will have enough idle processing power to restore data from the other site and to accommodate the excess workload in the event of a disaster.

Active response

A response in which the system either automatically, or in concert with the user, blocks or otherwise affects the progress of a detected attack

Scope Notes: Takes one of three forms: amending the environment, collecting more information or striking back against the user.


The main actions taken to operate the COBIT process


Device component that enacts physical changes within an environment; Examples: relays, solenoids, switches


A sophisticated gradient descent algorithm that rescales the gradients of each parameter, effectively giving each parameter an independent learning rate


1. A number, character or group of characters that identifies a given device or a storage location, which may contain data or a program step

2. To refer to a device or storage location by an identifying number, character or group of characters.

Address space

The number of distinct locations that may be referred to with the machine address

Scope Notes: For most binary machines, it is equal to 2n, where n is the number of bits in the machine address.


The method used to identify the location of a participant in a network

Scope Notes: Ideally, specifies where the participant is located rather than who they are (name) or how to get there (routing).

Addressing exception

An exception that occurs when a program calculates an address that is outside the bounds of the storage that is available to the program

See Unhandled exception.

Adjusting period

The calendar can contain "real" accounting periods and/or adjusting accounting periods. The "real" accounting periods must not overlap and cannot have any gaps between them. Adjusting accounting periods can overlap with other accounting periods.

Scope Notes: For example, a period called DEC-93 can be defined that includes 01-DEC-1993 through 31-DEC-1993. An adjusting period called DEC31-93 can also be defined that includes only one day: 31-DEC-1993 through 31-DEC-1993.

Administrative access

Elevated or increased privileges granted to an account for that account to manage systems, networks and/or applications. Administrative access can be assigned to an individual’s account or a built-in system account.

Administrative control

The rules, procedures and practices dealing with operational effectiveness, efficiency and adherence to regulations and management policies

Administrative distance

A metric used by routers to select the best network traffic path when multiple routes exist

Advanced Encryption Standard (AES)

A public algorithm that supports keys from 128 bits to 256 bits in size

Advanced Message Queueing Protocol (AMQP)

A messaging protocol on the application layer usually used with middleware

Advanced persistent threat (APT)

An adversary that possesses sophisticated levels of expertise and significant resources, which allow them to create opportunities to achieve their objectives by using multiple attack vectors, e.g., cyber, physical, and deception. These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission themselves to carry out these objectives in the future. An advanced persistent threat (APT):

  • Pursues its objectives repeatedly over an extended period of time

  • Adapts to defenders' efforts to resist it

  • Is determined to maintain the level of interaction needed to execute its objectives

Source: CMMC-NIST SP800-39


A threat agent


A software package that automatically plays, displays or downloads advertising material to a computer after the software is installed on it or while the application is being used

Scope Notes: In most cases, this is done without any notification to the user or without the user’s consent. The term adware may also refer to software that displays advertisements, whether or not it does so with the user’s consent; such programs display advertisements as an alternative to shareware registration fees. These are classified as adware in the sense of advertising supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and it provides the user with a specific service.

Affected stakeholders

People impacted by a process, activity, work product, or decision


A written or oral statement confirming implementation, or lack of implementation, of processes that meet the intent and value of one or more model practices. Affirmations must be provided:

  • By people who have a process role to implement, follow, or support processes

  • In an interactive forum where the appraisal team has control over the interaction

Examples of affirmations:

  • Oral affirmations include: interview responses, presentations, and demonstrations, and can include responses to questions on white boards, Skype/Instant Message chat board, etc.

  • Written affirmations include: emails, instant messages, and data contained in systems, documents

See Process role and Appraisal participant


1. A methodology of adopting flexible, adaptable, and iterative processes (ISACA)

2. An approach to project management or delivery methodology in which the customer is intimately involved in the project, tasks are divided into short phases of work, and there is frequent reassessment and adaptation of plans (CMMI)

Agile with Scrum

This is a CMMI context-specific tag reserved for identifying unique information for agile projects using Scrum. It is a framework for managing work with an emphasis on software development. It is designed for small teams of developers who break their work into actions that can be completed within time-boxed iterations, called sprints, e.g., two-weeks; and track progress and re-plan in 15-minute stand-up meetings, called daily scrums.

See Agile

Alert situation

The point in an emergency procedure when the elapsed time passes a threshold and the interruption is not resolved. The enterprise entering into an alert situation initiates a series of escalation steps.

Alerting system

Provides real-time information about security issues, including vulnerabilities and exploits that are currently happening


A finite set of well-defined, unambiguous rules for the solution of a problem in a finite number of steps, it is a sequence of operational actions that lead to a desired goal and is the basic building block of a program

Algorithm analysis

A software verification and validation (V&V) task to ensure that the algorithms selected are correct, appropriate and stable, and meet all accuracy, timing and sizing requirements


A state where the enablers of governance and management of enterprise IT support the goals and strategies of the enterprise

Scope Notes: COBIT 5 perspective

Alignment goals

These goals emphasize the alignment of all IT efforts with business objectives

Allocated requirement

Requirement that results from levying all or part of a higher-level requirement on a solution's lower-level design component. Requirements can be assigned to logical or physical components including people, consumables, delivery increments, or the architecture.

Allocation entry

A recurring journal entry used to allocate revenues or costs

Scope Notes: For example, an allocation entry could be defined to allocate costs to each department based on head count.


The use of alphabetic characters or an alphabetic character string


Have no formal definition but are widely considered to be alternative digital currencies; can also be all cryptocurrencies other than bitcoin

Alternate facilities

Locations and infrastructures from which emergency or backup processes are executed, when the main premises are unavailable or destroyed

Scope Notes: Includes other buildings, offices or data processing centers

Alternate process

Automatic or manual process designed and established to continue critical business processes from point-of-failure to return-to-normal

Alternative routing

A service that allows the option of having an alternate route to complete a call when the marked destination is not available

Scope Notes: In signaling, alternate routing is the process of allocating substitute routes for a given signaling traffic stream in case of failure(s) affecting the normal signaling links or routes of that traffic stream.

American National Standards Institute (ANSI)

The organization that coordinates the development of US voluntary national standards for nearly all industries. It is the US member body to the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Information-technology industry standards pertain to programming languages, electronic data interchange, telecommunications and physical properties of diskettes, cartridges and magnetic tapes.

American Standard Code for Information Interchange (ASCII)



The process of cost allocation that assigns the original cost of an intangible asset to the periods benefited; calculated in the same way as depreciation


The strength of a radio signal


A transmission signal that varies continuously in amplitude and time and is generated in wave formation

Scope Notes: Analog signals are used in telecommunications


1. To separate into elemental parts or basic principles to determine the nature of the whole 2. A course of reasoning showing that a certain result is a consequence of assumed premises 3. The methodical investigation of a problem and the separation of the problem into smaller related units for further detailed study (Source: ANSI)

Analytical technique

The examination of ratios, trends, and changes in balances and other values between periods to obtain a broad understanding of the enterprise's financial or operational position and to identify areas that may require further or closer investigation

Scope Notes: Often used when planning the assurance assignment


An open-source JavaScript library maintained by Google and the AngularJS community that lets developers create what are known as Single [web] Page Applications. AngularJS is popular with data scientists, as a way to show the results of their analysis.


Unusual or statistically rare

Anomaly detection

Detection on the basis of whether the system activity matches that defined as abnormal


The quality or state of not being named or identified


Irreversible severance of a data set from the identity of the data contributor to prevent any future reidentification, even by the organization collecting the data under any condition


A widely used technology to prevent, detect and remove many categories of malware, including computer viruses, worms, Trojans, keyloggers, malicious browser plug-ins, adware and spyware


Software that identifies phishing content and attempts to block the content or warn the user about the suspicious nature of the content

Antivirus software

An application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done and repair or quarantine files that have already been infected.


The act of giving the idea or impression of being or doing something

Appearance of independence

Behavior adequate to meet the situations occurring during audit work (interviews, meetings, reporting, etc.).

Scope Notes: An IS auditor should be aware that appearance of independence depends on the perceptions of others and can be influenced by improper actions or associations.


A program written in a portable, platform-independent computer language, such as Java, JavaScript or Visual Basic.

Scope Notes: An applet is usually embedded in an HyperText Markup Language (HTML) page downloaded from web servers and then executed by a browser on client machines to run any web-based application (e.g., generate web page input forms, run audio/video programs, etc.). Applets can only perform a restricted set of operations, thus preventing, or at least minimizing, the possible security compromise of the host computers. However, applets expose the user's machine to risk if not properly controlled by the browser, which should not allow an applet to access a machine's information without prior authorization of the user.


A computer program or set of programs that performs the processing of records for a specific function.

Scope Notes: Contrasts with systems programs, such as an operating system or network control program, and with utility programs, such as copy or sort

Application acquisition review

An evaluation of an application system being acquired or evaluated, that considers such matters as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is acquired in compliance with the established system acquisition process.

Application architecture

Description of the logical grouping of capabilities that manage the objects necessary to process information and support the enterprise’s objectives.

Scope Notes: COBIT 5 and COBIT 2019 perspective

Application benchmarking

The process of establishing the effective design and operation of automated controls within an application.

Application containerization

A mechanism that is used to isolate applications from each other within the context of a running operating system instance. In much the same way that a logical partition (LPAR) provides segmentation of system resources in mainframes, a computing environment employing containers segments and isolates the underlying system services so that they are logically sequestered from each other.

Application controls

The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved

Application development review

An evaluation of an application system under development that considers matters such as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is developed in compliance with the established system development life cycle process.

Application development sandbox

The use of a standalone computer, virtual machine or virtual environment to conduct software development removed from production infrastructure

Application implementation review

An evaluation of any part of an implementation project.

Scope Notes: Examples include project management, test plans and user acceptance testing (UAT) procedures.

Application layer

In the Open Systems Interconnection (OSI) communications model, the application layer provides services for an application program to ensure that effective communication with another application program in a network is possible

Application maintenance review

An evaluation of any part of a project to perform maintenance on an application system.

Scope Notes: Examples include project management, test plans and user acceptance testing (UAT) procedures.

Application or managed service provider (ASP/MSP)

A third party that delivers and manages applications and computer services, including security services to multiple users via the Internet or a private network

Application program

A program that processes business data through activities such as data entry, update or query

Scope Notes: Contrasts with systems programs, such as an operating system or network control program, and with utility programs such as copy or sort

Application programming

The act or function of developing and maintaining application programs in production

Application programming interface (API)

A set of routines, protocols and tools referred to as building blocks used in business application software development

Application proxy

A service that connects programs running on internal networks to services on exterior networks by creating two connections, one from the requesting client and another to the destination service

Application security

Refers to the security aspects supported by the application, primarily with regard to the roles or responsibilities and audit trails within the applications

Application service provider (ASP)

Also known as managed service provider (MSP), it deploys, hosts and manages access to a packaged application to multiple parties from a centrally managed facility

Scope Notes: The applications are delivered over networks on a subscription basis.

Application software

Software designed to fill specific needs of a user; for example, software for navigation, payroll or process control. Contrasts with support software and system software.

Application software tracing and mapping

Specialized tools that can be used to analyze the flow of data through the processing logic of the application software and document the logic, paths, control conditions and processing sequences

Scope Notes: Both the command language or job control statements and programming language can be analyzed. This technique includes program/system: mapping, tracing, snapshots, parallel simulations and code comparisons.

Application system

An integrated set of computer programs designed to serve a particular function that has specific input, processing and output activities

Scope Notes: Examples include general ledger, manufacturing resource planning and human resource (HR) management.

Application-specific integrated circuits (ASIC)

A solid-state device designed to perform a single or small group of functions.


An amalgamation of applications and technical infrastructure


An examination of one or more processes by a trained team using an appraisal reference model as the basis for determining, at a minimum, strengths, and weaknesses

See Action plan reappraisal, Benchmark appraisal, Evaluation appraisal, and Sustainment appraisal

Appraisal Disclosure Statement (ADS)

A summary statement describing the ratings generated as outputs of the appraisal, and the conditions and constraints under which the appraisal was performed. The ADS may be used for public disclosure of maturity level or capability level profile ratings so they can be reported accurately and consistently.

Appraisal final findings

The results of an appraisal that identify, at a minimum, any strengths and weaknesses within the appraisal scope. Appraisal findings are inferences drawn from corroborated objective evidence.

See Objective evidence

Appraisal method

A group of appraisal activities that satisfy a defined subset of requirements as defined by ISACA in the CMMI V2.0 Appraisal Method Definition Document

Appraisal objectives

Desired outcome(s) of an appraisal

Appraisal output

The tangible results of an appraisal

See Appraisal results package

Appraisal participant

Members of the organizational unit who must perform a process role and are identified in the appraisal plan as someone who will provide information used by an appraisal team

See process role.

Appraisal rating

The value an appraisal team assigns to a CMMI practice group, practice area, or the maturity level or capability level target profile of an organizational unit during a benchmark appraisal, sustainment appraisal, or action plan reappraisal. Ratings are determined by following the requirements in the appraisal method.

Appraisal results package

The appraisal results package consists of all the items required to be updated, within the CMMI Appraisal System or retained by the Appraisal Sponsor during the entire appraisal validity period. For a detailed list, refer to Activity 2.3.4 Record Appraisal Results.

Appraisal scope

The definition of the boundaries of the appraisal that encompass and describe the organizational unit transparently and in detail. The appraisal scope includes the organizational unit and model scope.

See model scope, and Organizational unit

Appraisal sponsor

The individual, internal or external to the organization being appraised, who requires the appraisal to be performed, and who provides funding, the contract, or other resources to conduct the appraisal. The appraisal sponsor also typically can commit the organization, e.g., approvals for purchases.

Appraisal tailoring

Appraisal method implementation guidance options selected for use in a specific appraisal. Tailoring helps an organization adapt the appraisal method to meet its business needs and objectives.

Appraisal team member (ATM)

The role of the person(s) who are responsible for performing the activities as assigned and identified in the appraisal plan. ATMs must meet the minimum requirements for experience and training/certification as defined by ISACA in the CMMI V2.0 Appraisal Method Definition Document.

Appraisal teamleader (ATL)

The role of the person who leads the activities of an appraisal and has satisfied the qualification criteria for experience, knowledge, and skills as defined by ISACA in the CMMI V2.0 Appraisal Method Definition Document, and is an active Certified CMMI Lead Appraiser and listed on the CMMI website as sponsored by a CMMI Partner.

Appropriate evidence

The measure of the quality of the evidence

Architectural design

1. The process of defining a collection of hardware and software components and their interfaces to establish the framework for the development of a computer system. See Functional design.

2. The result of the process in definition 1

See Software engineering

  1. Description of the fundamental underlying design of the components of the business system, or of one element of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectives (ISACA)

  2. The set of structures that need to be considered to establish a solution. These structures are comprised of smaller components or elements, relationships among those structures and elements, and the properties of both (CMMI).

    See Functional architecture

Architecture board

A group of stakeholders and experts who are accountable for guidance on enterprise-architecture-related matters and decisions, and for setting architectural policies and standards

Scope Notes: COBIT 5 and COBIT 2019 perspective


A lasting collection of computer system data or other records that are in long term storage

Arithmetic logic unit (ALU)

The area of the central processing unit that performs mathematical and analytical operations


A form of objective evidence that is an output of the work being performed and process being followed. It must demonstrate the extent of implementing, performing, or supporting the organizational or project processes that can be mapped to one or more model practices. Artifacts must be provided by people who have a process role to implement, perform, follow, or support processes.

See Document, Process role and Appraisal participant


An n-dimensional ordered set of data items identified by a single name and one or more indices, so that each element of the set is individually addressable, e.g., a matrix, table or vector

Artificial intelligence

An advanced computer system that can simulate human capabilities, such as analysis, based on a predetermined set of rules


The American Standard Code for Information Interchange (ASCII). Uses 7 or 8 bits to represent an alphanumeric symbol or special character.


A computer program that translates programs (source-code files) that are written in assembly language into their machine-language equivalents (object-code files). Contrasts with compiler and interpreter.

See Cross-assembler, Cross-compiler.

Assembly language

A low-level programming language that corresponds closely to the instruction set of a computer, allows symbolic naming of operations and addresses, and usually results in a one-to-one translation of program instructions (mnemonics) into machine instructions


Any formal declaration or set of declarations about the subject matter made by management.

Scope Notes: Assertions should usually be in writing and commonly contain a list of specific attributes about the subject matter or about a process involving the subject matter.


A broad review of the different aspects of a company or function that includes elements not covered by a structured assurance initiative.

Scope Notes: May include opportunities for reducing the costs of poor quality, employee perceptions on quality aspects, proposals to senior management on policy, goals, etc.


Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation

Asset inventory

A register that is used to record all relevant assets

Asset value

The value of an asset to both the business and to competitors

Assignable cause of process variation

An extraordinary event outside the bounds of the usual steps following the process


Pursuant to an accountable relationship between two or more parties, an IT audit and assurance professional is engaged to issue a written communication expressing a conclusion about the subject matters for which the accountable party is responsible. Assurance refers to a number of related activities designed to provide the reader or user of the report with a level of assurance or comfort over the subject matter.

Scope Notes: Assurance engagements could include support for audited financial statements, reviews of controls, compliance with required standards and practices, and compliance with agreements, licenses, legislation and regulation.

Assurance engagement

An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the enterprise.

Scope Notes: Examples may include financial, performance, compliance and system security engagements

Assurance initiative

An objective examination of evidence for the purpose of providing an assessment on risk management, control or governance processes for the enterprise.

Scope Notes: Examples may include financial, performance, compliance and system security engagements.

Asymmetric cipher

Most implementations of asymmetric ciphers combine a widely distributed public key and a closely held, protected private key. A message that is encrypted by the public key can only be decrypted by the mathematically related, counterpart

Asymmetric key (public key)

A cipher technique in which different cryptographic keys are used to encrypt and decrypt a message

Scope Notes: See public key encryption.

Asynchronous Transfer Mode (ATM)

A high-bandwidth low-delay switching and multiplexing technology that allows integration of real-time voice and video as well as data. It is a data link layer protocol.

Scope Notes: ATM is a protocol-independent transport mechanism. It allows high-speed data transfer rates at up to 155 Mbit/s. The acronym ATM should not be confused with the alternate usage for ATM, which refers to an automated teller machine.

Asynchronous transmission

Character-at-a-time transmission.


A condition of smart contracts in that one or more conditions defined by the smart contract must all be met for the transaction to execute in its entirety

Atomic swaps

Peer-to-peer exchange of assets across separate blockchains triggered by predetermined rules, without the use of a third-party service, through the use of self-enforced smart contracts. Requires an exchange of assets on both sides or transaction will not occur


An actual occurrence of an adverse event

Attack mechanism

A method used to deliver the exploit. Unless the attacker is personally performing the attack, an attack mechanism may involve a payload, or container, that delivers the exploit to the target.

Attack vector

A path or route used by the adversary to gain access to the target (asset)

Scope Notes: There are two types of attack vectors: ingress and egress (also known as data exfiltration).


Reduction of signal strength during transmission

Attest reporting engagement

An engagement in which an IS auditor is engaged to either examine management’s assertion regarding a particular subject matter or the subject matter directly.

Scope Notes: The IS auditor’s report consists of an opinion on one of the following: The subject matter. These reports relate directly to the subject matter itself rather than to an assertion. In certain situations management will not be able to make an assertion over the subject of the engagement. An example of this situation is when IT services are outsourced to third party. Management will not ordinarily be able to make an assertion over the controls that the third party is responsible for. Hence, an IS auditor would have to report directly on the subject matter rather than on an assertion.


An engagement in which an IT auditor is engaged to either examine management’s assertion regarding a particular subject matter or the subject matter directly.


Way of thinking, behaving, feeling, etc.

Attribute sampling

Method to select a portion of a population based on the presence or absence of a certain characteristic


Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.

Scope Notes: May be carried out by internal or external groups.

Audit accountability

Performance measurement of service delivery including cost, timeliness and quality against agreed service levels.

Audit authority

A statement of the position within the enterprise, including lines of reporting and the rights of access.

Audit charter

A document approved by those charged with governance that defines the purpose, authority and responsibility of the internal audit activity.

Scope Notes: The charter should:

- Establish the internal audit function’s position within the enterprise

- Authorize access to records, personnel and physical properties relevant to the performance of IS audit and assurance engagements

- Define the scope of audit function’s activities

Audit engagement

A specific audit assignment, task or review activity, such as an audit, control self-assessment review, fraud examination or consultancy. An audit engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.

Audit evidence

The information used to support the audit opinion.

Audit expert systems

Expert or decision support systems that can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field.

Scope Notes: This technique includes automated risk analysis, systems software and control objectives software packages.

Audit log

See Audit trail.

Audit objective

The specific goal(s) of an audit.

Scope Notes: These often center on substantiating the existence of internal controls to minimize business risk.

Audit plan

1. A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion.

Scope Notes: Includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work

2. A high-level description of the audit work to be performed in a certain period of time.

Audit program

A step-by-step set of audit procedures and instructions that should be performed to complete an audit.

Audit responsibility

The roles, scope and objectives documented in the service level agreement (SLA) between management and audit.

Audit risk

The risk of reaching an incorrect conclusion based upon audit findings.

Scope Notes: The three components of audit risk are:

- Control risk

- Detection risk

- Inherent risk

Audit sampling

The application of audit procedures to less than 100 percent of the items within a population to obtain audit evidence about a particular characteristic of the population.

Audit subject matter risk

Risk relevant to the area under review:

- Business risk (customer capability to pay, credit worthiness, market factors, etc.)

- Contract risk (liability, price, type, penalties, etc.)

- Country risk (political, environment, security, etc.)

- Project risk (resources, skill set, methodology, product stability, etc.)

- Technology risk (solution, architecture, hardware and software infrastructure network, delivery channels, etc.).

Scope Notes: See inherent risk

Audit trail

Data in the form of a logical path linking a sequence of events, used to trace the transactions that have affected the contents of a record

Source : ISO

Audit universe

An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process.

Scope Notes: Traditionally, the list includes all financial and key operational systems as well as other units that would be audited as part of the overall cycle of planned work. The audit universe serves as the source from which the annual audit schedule is prepared. The universe will be periodically revised to reflect changes in the overall risk profile.


The level to which transactions can be traced and audited through a system.

Auditable unit

Subjects, units or systems that are capable of being defined and evaluated.

Scope Notes: Auditable units may include:

  • Policies, procedures and practices

  • Cost centers, profit centers and investment centers

  • General ledger account balances

  • Information systems (manual and computerized)

  • Major contracts and programs

  • Organizational units, such as product or service lines

  • Functions, such as information technology (IT), purchasing, marketing, production, finance, accounting and human resources (HR)

  • Transaction systems for activities, such as sales, collection, purchasing, disbursement, inventory and cost accounting, production, treasury, payroll, and capital assets

  • Financial statements

  • Laws and regulations


An individual assigned by ISACA to evaluate, audit, or review an appraisal team leader or an appraisal

Auditor’s opinion

A formal statement expressed by the IS audit or assurance professional that describes the scope of the audit, the procedures used to produce the report and whether or not the findings support that the audit criteria have been met.

Scope Notes: The types of opinions are:

- Unqualified opinion— Notes no exceptions or none of the exceptions noted aggregate to a significant deficiency

- Qualified opinion— Notes exceptions aggregated to a significant deficiency (but not a material weakness)

- Adverse opinion— Notes one or more significant deficiencies aggregating to a material weakness

Augmented reality

A computer-generated simulation that adds enhancements to existing reality enabling a user to interact with reality in a more meaningful way. It is often accessed through mobile applications that blend digital enhancements with the real world while ensuring that the user can tell them apart easily.

  1. The act of verifying identity, i.e., user, system

    Scope Notes: Can also refer to the verification of the correctness of a piece of data.

  2. The act of verifying the identity of a user, the user’s eligibility to access computerized information

    Scope Notes: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.

Authentication Header (AH)

Protocol used to provide connectionless integrity and data-origin authentication for Internet Protocol (IP) datagrams and to provide protection against replays (RFC 4302)

Scope Notes: AH ensures data integrity with a checksum that a message authentication code, such as MD5, generates. To ensure data-origin authentication, AH includes a secret shared key in the algorithm that it uses for authentication. To ensure replay protection, AH uses a sequence number field within the IP authentication header.


Undisputed authorship


The process of determining if the end user is permitted to have access to an information asset or the information system containing the asset.

Automated application controls

Controls that have been programmed and embedded within an application.

Auxiliary storage

Storage device other than main memory (RAM), e.g., disks and tapes


Ensuring timely and reliable access to and use of information

Availability risk

The risk that service may be lost or data are not accessible when needed

Average precision

A metric for summarizing the performance of a ranked sequence of results. Average precision is calculated by taking the average of the precision values for each relevant result (each result in the ranked list where the recall increases relative to the previous result).


Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly.



The main communication channel of a digital network. The part of a network that handles the major traffic

Scope Notes: Employs the highest-speed transmission paths in the network and may also run the longest distances. Smaller networks are attached to the backbone, and networks that connect directly to the end user or customer are called "access networks." A backbone can span a geographic area of any size from a single building to an office complex to an entire country. Or, it can be as small as abackplane in a single cabinet.


A means of regaining access to a compromised system by installing software or configuring existing software to enable remote access under attacker-defined conditions


An algorithm for iteratively adjusting the weights used in a neural network system. Backpropagation is often used to implement gradient descent.


Files, equipment, data and procedures available for use in the event of a failure or loss, if the originals are destroyed or out of service.

Backup center

An alternate facility to continue IT/IS operations when the primary data processing (DP) center is unavailable.

Bad actor

Another term for cybercriminal or hacker


A card or other device that is presented or displayed to obtain access to an otherwise restricted facility, as a symbol of authority (e.g., the police), or as a simple means of identification.

Scope Notes: Also used in advertising and publicity.

Balanced scorecard (BSC)

Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives.


The range between the highest and lowest transmittable frequencies. It equates to the transmission capacity of an electronic line and is expressed in bytes per second or Hertz (cycles per second).

Bar code

A printed machine-readable code that consists of parallel bars of varied width and spacing.

Base case

A standardized body of data created for testing purposes.

Scope Notes: Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system.

Base measure

A base measure is functionally independent of other measures and cannot be expressed in other terms. A base measure is defined in terms of an attribute and the method for quantifying it.

See Derived measure

Base58 Encoding

Base58 Encoding is a binary-to-text encoding process that converts long bit sequences into alphanumeric text, which is easier for users

Base64 Encoding

Base64 Encoding is a binary-to-text encoding process that converts long bit sequences into alphanumeric text.


A form of modulation in which data signals are pulsed directly on the transmission medium without frequency division and usually utilize a transceiver.

Scope Notes: The entire bandwidth of the transmission medium (e.g., coaxial cable) is utilized for a single channel.

  1. A specification or product that has been formally reviewed and agreed on, serves as the basis for further development, and can be changed only through formal change control procedures (ISACA)

  2. A set of specifications or work products that:

  • Has been formally reviewed and agreed on,

  • Serves as the basis for further work or change, and

  • Can be changed only through change control procedures


    See Configuration baseline and Product baseline

Baseline architecture

The existing description of the fundamental underlying design of the components of the business system before entering a cycle of architecture review and redesign

Scope Notes: COBIT 5 and COBIT 2019 perspective


Beginners All-purpose Symbolic Instruction Code (BASIC) is a high-level programming language intended to facilitate learning to program in an interactive environment.


System heavily fortified against attacks

Batch control

Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage.

Scope Notes: There are two main forms of batch controls: sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed; and control total, which is a total of the values in selected fields within the transactions.

Batch processing

The processing of a group of transactions at the same time.

Scope Notes: Transactions are collected and processed against the master files at a specified time.

Baud rate

The rate of transmission for telecommunications data, expressed in bits per second (bps).

Bayes' Theorem

An equation for calculating the probability that something is true if something potentially related to it is true. If P(A) means “the probability that A is true” and P(A|B) means “the probability that A is true if B is true,” then Bayes' Theorem tells us that P(A|B) = (P(B|A)P(A)) / P(B).

Bayesian network

Graphs that compactly represent the relationship between random variables for a given problem. These graphs aid in performing reasoning or decision making in the face of uncertainty. These networks are usually represented as graphs in which the link between any two nodes is assigned a value representing the probabilistic relationship between those nodes.


A standard against which measurements or comparisons can be made


A systematic approach to comparing enterprise performance against peers and competitors in an effort to learn the best ways of conducting business.

Scope Notes: Examples include benchmarking of quality, logistic efficiency and various other metrics.

Benchmark appraisal

A consistent and reliable assessment method that results in a rating. This includes clear and repeatable process steps, and when followed are capable of achieving high accuracy and reliable appraisal results through the collection of objective evidence from multiple sources. A maturity level profile or capability level profile must be produced as part of this appraisal process and allows Appraisal Sponsors to compare an organization’s or project’s process implementation with others. Like other appraisal methods, benchmark appraisals identify opportunities for improving both process implementation and business performance.

Benchmark model view

A logical grouping of predefined CMMI model components used to define the appraisal model view scope. Benchmark model views are defined in the CMMI V2.0 Model, Appendix B.

  • For maturity levels, the benchmark model view is a set of practice areas, and their levels, predefined for the purposes of conducting Benchmark appraisals or Sustainment appraisals.

  • For capability levels, the benchmark model view may either be a predefined view, or a selection of practice areas or capability areas and their levels that meet the organization’s business needs and performance objectives.


In business, an outcome whose nature and value (expressed in various ways) are considered advantageous by an enterprise.

Benefits realization

One of the objectives of governance. The bringing about of new benefits for the enterprise, the maintenance and extension of existing forms of benefits, and the elimination of those initiatives and assets that are not creating sufficient value

Scope Notes: COBIT 5 and COBIT 2019 perspective

Best practice

A proven activity or process that has been successfully used by multiple enterprises.


In machine learning, bias is a learner’s tendency to consistently learn the same wrong thing.

Scope Notes: Variance is the tendency to learn random things irrespective of the real signal. For example, it is easy to avoid overfitting (variance) by falling into the opposite error of underfitting (bias).

Bidirectional traceability

An association that enables the ability to trace in either direction between logical entities, e.g., from requirements to design to code to test to the end solution, or from customer requirements to product component requirements

See Requirements traceability and Traceability

Big data

The ability to work with collections of data that had been impractical before because of their volume, velocity, and variety (“the three Vs”). A key driver of this new ability has been easier distribution of storage and processing across networks of inexpensive commodity hardware using technology such as Hadoop instead of requiring larger, more powerful individual computers.


The base 2 number system (2n). Permissible digits are 0 and 1.

Binary code

A code whose representation is limited to 0 and 1.

Binding corporate rules (BCRs)

A set of rules that allow multinational organizations to transfer personal data from the EU to their affiliates outside of the EU.

Binomial distribution

A distribution of outcomes of independent events with two mutually exclusive possible outcomes, a fixed number of trials and a constant probability of success. This is a discrete probability distribution, as opposed to continuous.

Biometric data

Personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Biometric locks

Door and entry locks that are activated by such biometric features as voice, eye retina, fingerprint or signature.


A security technique that verifies an individual’s identity by analyzing a unique physical attribute, such as a handprint


Basic input/output system


A contraction of the term binary digit, and the most basic and smallest unit of computing information. A bit may be in one of two states, logic 1 or logic 0. It can be thought of as a switch that is either on or off. Bits are usually combined into computer words of various sizes, named bytes.

Bit-stream image

Bit-stream backups, also referred to as mirror image backups, involve the backup of all areas of a computer hard disk drive or other type of storage media.

Scope Notes: Such backups exactly replicate all sectors on a given storage device including all files and ambient data storage areas.

Black box testing

A testing approach that focuses on the functionality of the application or product and does not require knowledge of the code intervals.

Block cipher

A public algorithm that operates on plaintext in blocks (strings or groups) of bits

Block height

The number of blocks preceeding it in a blockchain ledger. It is typically used to identify a specific block (e.g., block ID).

Block producers

For proof of stake blockchain network


A distributed, protected journaling and ledger system. Use of blockchain technologies can enable anything from digital currency (e.g., Bitcoin) to any other value-bearing transaction

Blockchain explorers

Front end applications or user interfaces that allow a user to view individual records on a blockchain


An exact or detailed plan or outline


A wireless communications standard used for communication over short distances


A Trojan horse that attacks a computer system when a specific logical event occurs (logic bomb) or when a specific time-related logical event occurs (time bomb), or is hidden in electronic mail or data and triggers a computer system attack when read in a certain way (letter bomb)

Similar to: Trojan horse, virus and worm


Pertaining to the principles of mathematical logic developed by George Boole, a nineteenth century mathematician. Boolean algebra is the study of operations carried out on variables that can have only one of two possible values, i.e., 1 (true) and 0 (false). Like add, subtract, multiply and divide are the primary operations of arithmetic, and, or and not are the primary operations of Boolean Logic. In Pascal a Boolean variable is a variable that can have one of two possible values, true or false.


A machine-learning technique that iteratively combines a set of simple and not very accurate classifiers (referred to as "weak" classifiers) into a classifier with high accuracy (a "strong" classifier) by upweighting the examples that the model is currently mis-classifying


1. To initialize a computer system by clearing memory and reloading the operating system

2. To cause a computer system to reach a known beginning state. A boot program, in firmware, typically performs the boot function, which includes loading basic instructions that tell the computer how to load programs into memory and how to begin executing those programs. A distinction can be made between a warm boot and a cold boot. A cold boot starts the system from a powered-down state. A warm boot restarts the computer while it is powered up. Important differences between the two procedures are:

  • A power-up self-test, in which various portions of the hardware, e.g., memory, are tested for proper operation, is performed during a cold boot, while a warm boot does not normally perform such self-tests.

  • A warm boot does not clear all memory.


A short computer program that is permanently resident or easily loaded into a computer, and whose execution brings a larger program, such as an operating system or its loader, into memory


A term derived from robot network; a large automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks, such as a denial-of-service attack, on targeted victims


Logical and physical controls to define a perimeter between the organization and the outside world

Boundary value

1. A data value that corresponds to a minimum or maximum input, internal or output value specified for a system or component

2. A value that lies at, just inside or just outside a specified range of valid input and output values

Boundary value analysis

A selection technique in which test data are chosen to lie along boundaries of the input domain or output range classes, data structures, procedure parameters, etc. Choices often include maximum, minimum and trivial values or parameters. This technique is often called stress testing.

See Testing, boundary value.

Source: NBS


An instruction which causes program execution to jump to a new point in the program sequence, rather than execute the next instruction. Contrasts with condition coverage, multiple condition coverage, path coverage and statement coverage.

See Decision coverage.

Branch analysis

A test case identification technique that produces enough test cases so that each decision has a true and a false outcome at least once

Branch coverage

A test coverage criterion that requires that for each decision point, each possible branch is executed at least once. Synonymous with decision coverage. Contrasts with condition coverage, multiple condition coverage, path coverage and statement coverage.


Data link layer device developed in the early 1980s to connect local area networks (LANs) or create two separate LAN or wide area network (WAN) network segments from a single segment to reduce collision domains.

Scope Notes: A bridge acts as a store-and-forward device in moving frames toward their destination. This is achieved by analyzing the MAC header of a data packet, which represents the hardware address of an NIC.

Bring your own device (BYOD)

An enterprise policy used to permit partial or full integration of user-owned mobile devices for business purposes


Multiple channels are formed by dividing the transmission medium into discrete frequency segments.

Scope Notes: Broadband generally requires the use of a modem.


A method to distribute information to multiple recipients simultaneously


Device that performs the functions of both a bridge and a router.

Scope Notes: A brouter operates at both the data link and the network layers. It connects same data link type LAN segments as well as different data link ones, which is a significant advantage. Like a bridge, it forwards packets based on the data link layer address to a different network of the same type. Also, whenever required, it processes and forwards messages to a different data link type network based on the network protocol address. When connecting same data link type networks, it is as fast as a bridge and is able to connect different data link type networks.


A computer program that enables the user to retrieve information that has been made publicly available on the Internet; also, that permits multimedia (graphics) applications on the World Wide Web.

Browser protection

Software that evaluates the safety of websites

Brute force

A class of algorithms that methodically try all possible combinations until a solution is found

Brute-force attack

Methodically trying all possible combinations of passwords or encryption keys until the correct one is found


Estimated cost and revenue amounts for a given range of periods and set of books.

Scope Notes: There can be multiple budget versions for the same set of books.

Budget formula

A mathematical expression used to calculate budget amounts based on actual results, other budget amounts and statistics.

Scope Notes: With budget formulas, budgets using complex equations, calculations and allocations can be automatically created.

Budget hierarchy

A group of budgets linked together at different levels such that the budgeting authority of a lower-level budget is controlled by an upper-level budget.

Budget organization

An entity (department, cost center, division or other group) responsible for entering and maintaining budget data.


A device or storage area (memory) used to store data temporarily to compensate for differences in rates of data flow, time of occurrence of events or amounts of data that can be handled by the devices or processes involved in the transfer or use of the data

Buffer overflow

Occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold

Scope Notes: Because buffers contain a finite amount of data, the excess data can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. In buffer overflow attacks, the extra data may contain codes designed to trigger specific actions, in effect sending new instructions to the attacked computer that can damage user files, change data or disclose confidential information.


A fault in a program that causes the program to perform in an unintended or unanticipated manner

See Anomaly, Defect, Error, Exception and Fault.

Bulk data transfer

A data recovery strategy that includes a recovery from complete backups that are physically shipped offsite once a week.

Scope Notes: Specifically, logs are batched electronically several times daily, and then loaded into a tape library located at the same facility as the planned recovery.


Common path or channel between hardware devices.

Scope Notes: Can be located between components internal to a computer or between external computers in a communication network.

Bus configuration

All devices (nodes) are linked along one communication line where transmissions are received by all attached nodes.

Scope Notes: This architecture is reliable in very small networks, as well as easy to use and understand. This configuration requires the least amount of cable to connect the computers together and, therefore, is less expensive than other cabling arrangements. It is also easy to extend, and two cables can be easily joined with a connector to make a longer cable for more computers to join the network. A repeater can also be used to extend a bus configuration.

Bus topology

Network topology in which nodes are connected to a single cable

Business balanced scorecard

A tool for managing organizational strategy that uses weighted measures for the areas of financial performance (lag) indicators, internal operations, customer measurements, learning and growth (lead) indicators, combined to rate the enterprise.

Business case

Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle

Business continuity

Preventing, mitigating and recovering from disruption

Scope Notes: The terms 'business resumption planning', 'disaster recovery planning' and 'contingency planning' also may be used in this context; they focus on recovery aspects of continuity, and for that reason the 'resilience' aspect should also be taken into account.

COBIT 5 and COBIT 2019 perspective

Business continuity plan (BCP)

A plan used by an enterprise to respond to disruption of critical business processes; depends on the contingency plan for restoration of critical systems

Business control

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected.

Business dependency assessment

A process of identifying resources critical to the operation of a business process.

Business function

An activity that an enterprise does, or needs to do, to achieve its objectives.

Business goal

The translation of the enterprise's mission from a statement of intention into performance targets and results.

Business impact

The net effect, positive or negative, on the achievement of business objectives.

Business impact analysis (BIA)

Process of evaluating the criticality and sensitivity of information assets by determining the impact of losing the support of any resource to an enterprise. Establishes the escalation of that loss over time, identifies the minimum resources needed to recover and prioritizes the recovery of processes and the supporting system.

Scope Notes:This process captures income loss, unexpected expense, legal issues (regulatory compliance or contractual), interdependent processes and loss of public reputation or public confidence.

Business impact analysis/assessment (BIA)

Evaluating the criticality and sensitivity of information assets; An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover and prioritizes the recovery of processes and the supporting system

Scope Notes: This process also addresses:

  • Income loss

  • Unexpected expense

  • Legal issues (regulatory compliance or contractual)

  • Interdependent processes

  • Loss of public reputation or public confidence

Business interruption

Any event, whether anticipated (i.e., public service strike) or unanticipated (i.e., blackout) that disrupts the normal course of business operations at an enterprise.

Business Model for Information Security (BMIS)

A holistic and business-oriented model that supports enterprise governance and management information security, and provides a common language for information security professionals and business management.

Business objective

A further development of the business goals into tactical targets and desired results and outcomes.

Business performance

The accomplishment of a given capability or task measured against preset known objectives, including, but not limited to, quality, cost, speed, accuracy, and completeness for delivery of a solution to a customer. In the CMMI, the term "business performance" refers to performance at the business or organizational level; it can be both organizational-specific or aggregated from the project level. For example, collect measurement and performance data at the project level and aggregate data to enable organizational performance analysis at the business level.

See Process performance

Business process

An inter-related set of cross-functional activities or events that result in the delivery of a specific product or service to a customer.

Business process control

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that a business process will achieve its objectives.

Scope Notes: COBIT 5 and COBIT 2019 perspective

Business process integrity

Controls over the business processes that are supported by the enterprise resource planning system (ERP).

Business process owner

The individual responsible for identifying process requirements, approving process design and managing process performance.

Scope Notes: Must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities

Business process reengineering (BPR)

The thorough analysis and significant redesign of business processes and management systems to establish a better performing structure, more responsive to the customer base and market conditions, while yielding material cost savings.

Business risk

The probability that a situation with uncertain frequency and magnitude of loss (or gain) could prevent the enterprise from meeting its business objectives

Business service provider (BSP)

An application service provider (ASP) that also provides outsourcing of business processes such as payment processing, sales order processing and application development.

Business sponsor

The individual accountable for delivering the benefits and value of an IT-enabled business investment program to the enterprise.


Transactions in which the acquirer is an enterprise or an individual operating in the ambits of his/her professional activity. In this case, laws and regulations related to consumer protection are not applicable.

Scope Notes: The contract’s general terms should be communicated to the other party and specifically approved. Some companies require the other party to fill out check-boxes where there is a description such as "I specifically approve the clauses" This is not convincing; the best solution is the adoption of a digital signature scheme, which allows the approval of clauses and terms with the non-repudiation condition.


Selling processes in which the involved parties are the enterprise, which offers goods or services, and a consumer. In this case there is comprehensive legislation that protects the consumer.

Scope Notes: Comprehensive legislation includes:

  • Regarding contracts established outside the merchant’s property (such as the right to end the contract with full refund or the return policy for goods)

  • Regarding distance contracts (such as rules that establish how a contract should be written, specific clauses and the need to transmit to the consumer and approve it)

  • Regarding electronic form of the contract (such as on the Internet, the possibility for the consumer to exit from the procedure without having his/her data recorded)

Business-to-consumer ecommerce (B2C)

Refers to the processes by which enterprises conduct business electronically with their customers and/or public at large using the Internet as the enabling technology.

Bypass label processing (BLP)

A technique of reading a computer file while bypassing the internal file/data set label. This process could result in bypassing of the security access control system.


A sequence of adjacent bits, often an octet, operated on as a unit

Byzantine fault tolerance (BFT)

The property of a system that allows it to withstand failures and continue to function even if some of the nodes fail or act maliciously



A general-purpose high-level programming language that was created for use in the development of computer operating systems software. It strives to combine the power of assembly language with the ease of a high-level language.


An object-oriented high-level programming language



The Committee on the Financial Aspects of Corporate Governance, set up in May 1991 by the UK Financial Reporting Council, the London Stock Exchange and the UK accountancy profession, was chaired by Sir Adrian Cadbury and produced a report on the subject commonly known in the UK as the Cadbury Report.

Calibration layer

A post-prediction adjustment, typically to account for prediction bias. The adjusted predictions and probabilities should match the distribution of an observed set of labels.

Candidate generation

The initial set of recommendations chosen by a recommendation system

  1. An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential, or is required, to contribute to a business outcome and to create value (ISACA)

  2. Capabilities are typically organizational level skills, abilities, and knowledge embedded in people, processes, infrastructure, and technology. Capabilities are what an organization needs to implement its business model or fulfill its mission and achieve measurable business results. (CMMI)

Capability area (CA)

A group of related practice areas that can provide improved performance in the skills and activities of an organization or project. Capability areas are a type of view.

Capability level

A list of PAs and their corresponding capability levels. A capability level profile represents the organization's progress toward achieving their targeted practice group level for each in scope PA.

Capability level profile

A list of PAs and their corresponding capability levels. A capability level profile represents the organization’s progress toward achieving their targeted practice group level for each in scope PA.

Capability Maturity Model (CMM)

1. Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.

2. CMM for software, from the Software Engineering Institute (SEI), is a model used by many enterprises to identify best practices useful in helping them assess and increase the maturity of their software development processes.

Scope Notes: CMM ranks software development enterprises according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes and the standards for level five describe the most mature or quality processes. A maturity model that indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives. A collection of instructions that an enterprise can follow to gain better control over its software development process.

Capability Maturity Model Integration (CMMI)

An integrated model of best practices that enable businesses to improve performance by improving their processes. Product teams developed the model with global members from across industry. The CMMI provides a best-practice framework for building, improving, and sustaining process capability.

See CMMI product suite

Capable process

A stable process able to meet the quality and process performance objectives set for it. The process variation is within set specification limits. See Stable process

Capacity stress testing

Testing an application with large quantities of data to evaluate its performance during peak periods. Also called volume testing.

Capital expenditure/expense (CAPEX)

An expenditure that is recorded as an asset because it is expected to benefit more than the current period. The asset is then depreciated or amortized over the expected useful life of the asset.

Card swipe

A physical control technique that uses a secured card or ID to gain access to a highly sensitive location.

Scope Notes: If built correctly, card swipes act as a preventive control over physical access to those sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs all card users who try to access the secured location. The card swipe device prevents unauthorized access and logs all attempts to enter the secured location.

Cartel attack

Where a group of stakers that has large amount of staked tokens in a blockchain manipulates the blockchain to their favor. Alternatively, it is a form of 51% attack on PoS blockchain.


Categories are logical groups or types of views of related capability areas that address common problems encountered by businesses when producing or delivering solutions.

Cathode ray tube (CRT)

A vacuum tube that displays data by means of an electron beam striking the screen, which is coated with suitable phosphor material or a device similar to a television screen on which data can be displayed.

Causal analysis

A method of searching for the origination of certain effects

See root cause

Central bank digital currency (CBDC)

A digital form of fiat money

Central processing unit (CPU)

Computer hardware that houses the electronic circuits that control/direct all operations of the computer system.

Centralized data processing

Identified by one central processor and databases that form a distributed processing configuration.


The center of a cluster as determined by a k-means or k-median algorithm. For instance, if k is 3, then the k-means or k-median algorithm finds 3 centroids.

Certificate (Certification) authority (CA)

A trusted third party that serves authentication infrastructures or enterprises and registers entities and issues them certificates

Certificate revocation list (CRL)

An instrument for checking the continued validity of the certificates for which the certification authority (CA) has responsibility

Scope Notes: The CRL details digital certificates that are no longer valid. The time gap between two updates is very critical and is also a risk in digital certificates verification.

Certification practice statement (CPS)

A detailed set of rules governing the certificate authority's operations. It provides an understanding of the value and trustworthiness of certificates issued by a given certificate authority (CA).

Scope Notes: In terms of the controls that an enterprise observes, the method it uses to validate the authenticity of certificate applicants and the CA's expectations of how its certificates may be used.

Certified CMMI High Maturity Lead Appraiser (CHMLA)

The ISACA designation for a person who leads the activities of a high maturity appraisal and has satisfied the qualification criteria for experience, knowledge, and skills defined by the Appraisal Method Definition Document, and who has an active certification for conducting high maturity appraisals

See Appraisal team leader

Chain of custody

The process of evidence handling from collection to presentation that is necessary to maintain the validity and integrity of evidence

Scope Notes: Includes documentation of who had access to the evidence and when, and the ability to identify that evidence is the exact item that was recovered or tested. Lack of control over evidence can lead to it being discredited. Chain of custody depends on the ability to verify that evidence could not have been tampered with. This is accomplished by sealing off the evidence, so it cannot be changed, and providing a documentary record of custody to prove that the evidence was, at all times, under strict control and not subject to tampering.

Challenge/response token

A method of user authentication that is carried out through use of the Challenge Handshake Authentication Protocol (CHAP).

Scope Notes: When a user tries to log into the server using CHAP, the server sends the user a "challenge," which is a random value. The user enters a password, which is used as an encryption key to encrypt the "challenge" and return it to the server. The server is aware of the password. It, therefore, encrypts the "challenge" value and compares it with the value received from the user. If the values match, the user is authenticated. The challenge/response activity continues throughout the session and this protects the session from password sniffing attacks. In addition, CHAP is not vulnerable to "man-in-the-middle" attacks because the challenge value is a random value that changes on each access attempt.

  1. A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or "soft" elements of change (ISACA)

    Scope Notes: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources (HR) policies and procedures, executive coaching, change leadership training, team building and communication planning and execution.

  2. A methodical approach for controlling and implementing changes in a planned and structured manner (CMMI)

Change control

The processes, authorities and procedures to be used for all changes that are made to the computerized system and/or the system data. Change control is a vital subset of the quality assurance (QA) program in an enterprise and should be clearly described in the enterprise standard operating procedures (SOPs).

See Configuration control.

Change enablement

A holistic and systemic process of ensuring that relevant stakeholders are prepared and committed to the changes involved in moving from a current state to a desired future state.

Change management

1. A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or "soft" elements of change (ISACA)

Scope Notes: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources (HR) policies and procedures, executive coaching, change leadership training, team building and communication planning and execution.

2. A methodical approach for controlling and implementing changes in a planned and structured manner (CMMI)

Change risk

A change in technology, regulation, business process, functionality, architecture, user and other variables that affect the enterprise business and technical environments, and the level of risk associated with systems in operation

Channel service unit/digital service unit (CSU/DSU)

Interfaces at the physical layer of the open systems interconnection (OSI) reference model, data terminal equipment (DTE) to data circuit terminating equipment (DCE), for switched carrier networks.


Also known as ledger conduits, are private channels in a permissioned blockchain network, in which two or more nodes perform private transactions


The redistribution of expenditures to the units within a company that gave rise to them.

Scope Notes: Chargeback is important because without such a policy, misleading views may be given as to the real profitability of a product or service because certain key expenditures will be ignored or calculated according to an arbitrary formula.

Check digit

A numeric value, which has been calculated mathematically, is added to data to ensure that original data have not been altered or that an incorrect, but valid match has occurred.

Scope Notes: Check digit control is effective in detecting transposition and transcription errors.

Check digit verification (self-checking digit)

A programmed edit or routine that detects transposition and transcription errors by calculating and checking the check digit.


A list of items that is used to verify the completeness of a task or goal.

Scope Notes: Used in quality assurance (and in general, in information systems audit), to check process compliance, code standardization and error prevention, and other items for which consistency processes or standards have been defined


The process of storing a block in the history of the blockchain at intervals and refusing to accept divergent blockchain without these blocks

Checkpoint restart procedures

A point in a routine at which sufficient information can be stored to permit restarting the computation from that point.


A checksum value is generated by an algorithm and associated with an input value and/or whole input file. The checksum value can be used to assess its corresponding input data or file later and verify that the input has not been maliciously altered. If a subsequent checksum value no longer matches the initial value, the input may have been altered or corrupted.

Chi-square test

An analysis technique used to estimate whether two variables in a cross tabulation are correlated. A chi-square distribution varies from normal distribution based on the “degrees of freedom” used to calculate it.

Chief executive officer (CEO)

The highest ranking individual in an enterprise

Chief financial officer (CFO)

The individual primarily responsible for managing the financial risk of an enterprise

Chief information officer (CIO)

The most senior official of the enterprise who is accountable for IT advocacy, aligning IT and business strategies, and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources.

Scope Notes: In some cases, the CIO role has been expanded to become the chief knowledge officer (CKO) who deals in knowledge, not just information. Also see chief technology officer (CTO).

Chief information security officer (CISO)

The person in charge of information security within the enterprise

Chief security officer (CSO)

The person usually responsible for all physical and digital security matters in an enterprise

Chief technology officer (CTO)

The individual who focuses on technical issues in an enterprise.

Scope Notes: Often viewed as synonymous with chief information officer (CIO)


An integrated circuit (IC) or group of ICs that provides input and output for computer processing, e.g., RAM, graphics chips or WiFi chips


An algorithm to perform encryption


Information generated by an encryption algorithm to protect the plaintext and that is unintelligible to the unauthorized reader

Circuit-switched network

A data transmission service requiring the establishment of a circuit-switched connection before data can be transferred from source data terminal equipment (DTE) to a sink DTE.

Scope Notes: A circuit-switched data transmission service uses a connection network.

Circular routing

In open systems architecture, circular routing is the logical path of a message in a communication network based on a series of gates at the physical network layer in the open systems interconnection (OSI) model.


The identification of two or more categories in which an item belongs; a classic machine learning task


Data that is not encrypted. Also known as plaintext.


A term used in a broad sense to describe the relationship between the receiver and the provider of a service. Generally, the client-server describes a networked system where front-end applications, like the client, make service requests to another networked system. Client-server relationships are defined primarily by software. In a local area network (LAN), the workstation is the client and the file server is the server. However, client-server systems are inherently more complex than file server systems. Two disparate programs must work in tandem, and there are many more decisions to make about separating data and processing between the client workstations and the database server. The database server encapsulates database files and indexes, restricts access, enforces security and provides applications with a consistent interface to data via a data dictionary.


A technique for handling outliers. Specifically, reducing feature values that are greater than a set maximum value down to that maximum value. Also, increasing feature values that are less than a specific minimum value up to that minimum value.

Cloud access security brokers (CASBs)

Software or appliances that are positioned between an enterprise technology infrastructure and a cloud service provider (CSP)

Cloud computing

Convenient, scalable on-demand network access to a shared pool of resources that can be provisioned rapidly and released with minimal management effort or service provider interaction

Cluster controller

A communication terminal control hardware unit that controls a number of computer terminals.

Scope Notes: All messages are buffered by the controller and then transmitted to the receiver.


An algorithm for dividing data instances into groups—not a predetermined set of groups, which would make this classification, but groups identified by the execution of the algorithm because of similarities that it found among the instances. The center of each cluster is known as "centroid."

CMMI product suite

The integrated set of components that comprise CMMI. The product suite components include the model, appraisal method, training and certification, adoption guidance, and systems and tools.


When neurons predict patterns in training data by relying almost exclusively on outputs of specific other neurons instead of relying on the network's behavior as a whole

Coaxial cable

Composed of an insulated wire that runs through the middle of each cable, a second wire that surrounds the insulation of the inner wire like a sheath, and the outer insulation which wraps the second wire.

Scope Notes: Has a greater transmission capacity than standard twisted-pair cables, but has a limited range of effective distance


1. COBIT 2019: The current iteration of COBIT builds on and integrates more than 25 years of developments in the field of enterprise governance of information and technology (I&T), not only incorporating new insights from science, but also operationalizing these insights as practices. COBIT is a broad and comprehensive I&T governance and management framework and continues to establish itself as a generally accepted framework for I&T governance.

Scope Notes: Earlier versions of COBIT focused on IT, whereas COBIT 2019 focuses on information and technology aimed at the whole enterprise, recognizing that I&T has become crucial in the support, sustainability and growth of enterprises. (See for more information.)

2. COBIT 5: Formerly known as Control Objectives for Information and related Technology (COBIT); with this iteration used only as the acronym. A complete, internationally accepted framework for governing and managing enterprise information and technology (IT) that supports enterprise executives and management in their definition and achievement of business goals and related IT goals. COBIT describes five principles and seven enablers that support enterprises in the development, implementation and continuous improvement and monitoring of good IT-related governance and management practices.

Scope Notes: Earlier versions of COBIT focused on control objectives related to IT processes, management and control of IT processes and IT governance aspects. Adoption and use of the COBIT framework are supported by guidance from a growing family of supporting products.

3. COBIT 4.1 and earlier: Formally known as Control Objectives for Information and related Technology (COBIT). A complete, internationally accepted process framework for IT that supports business and IT executives and management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities and performance metrics) and maturity models. COBIT supports enterprise management in the development, implementation, continuous improvement and monitoring of good IT-related practices.

Scope Notes: Adoption and use of the COBIT framework are supported by guidance for executives and management (Board Briefing on IT Governance, 2nd Edition), IT governance implementers (COBIT Quickstart, 2nd Edition; IT Governance Implementation Guide: Using COBIT and Val IT, 2nd Edition; and COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance), and IT assurance and audit professionals (IT Assurance Guide Using COBIT). Guidance also exists to support its applicability for certain legislative and regulatory requirements (e.g., IT Control Objectives for Sarbanes-Oxley, IT Control Objectives for Basel II) and its relevance to information security (COBIT Security Baseline). COBIT is mapped to other frameworks and standards to illustrate complete coverage of the IT management life cycle and support its use in enterprises using multiple IT-related framework and standards.


Common Business Oriented Language (COBOL) is a high-level programming language intended for use in the solution of problems in business data processing.


Criteria of Control, published by the Canadian Institute of Chartered Accountants in 1995.

Code audit

An independent review of source code by a person, team or tool to verify compliance with software design documentation and programming standards. Correctness and efficiency may also be evaluated. Contrasts with code inspection, code review and code walkthrough.

Code of ethics

A document designed to influence individual and organizational behavior of employees, by defining organizational values and the rules to be applied in certain situations.

Scope Notes: A code of ethics is adopted to assist those in the enterprise called upon to make decisions understand the difference between 'right' and 'wrong' and to apply this understanding to their decisions.

COBIT 5 and COBIT 2019 perspective


1. In software engineering, the process of expressing a computer program in a programming language

2. The transforming of logic and data from design specifications (design descriptions) into a programming language

Coding standards

Written procedures describing coding (programming) style conventions that specify rules governing the use of individual constructs provided by the programming language and naming, formatting, and documentation requirements, which prevent programming errors, control complexity and promote understandability of the source code. Synonymous with development standards and programming standards.


A number or algebraic symbol prefixed as a multiplier to a variable or unknown quantity (Ex.: x in x(y + z), 6 in 6ab)


Originated as a biological term, refers to the way two or more ecologically interdependent species become intertwined over time.

Scope Notes: As these species adapt to their environment they also adapt to one another. Today’s multi-business companies need to take their cue from biology to survive. They should assume that links among businesses are temporary and that the number of connections-not just their content-matters. Rather than plan collaborative strategy from the top, as traditional companies do, corporate executives in coevolving companies should simply set the context and let collaboration (and competition) emerge from business units.


Establishing a potent binding force and sense of direction and purpose for the enterprise, relating different parts of the enterprise to each other and to the whole to act as a seemingly unique entity.


The extent to which a system unit--subroutine, program, module, component, subsystem--performs a single dedicated function.

Scope Notes: Generally, the more cohesive the unit, the easier it is to maintain and enhance a system because it is easier to determine where and how to apply a change.

Cold site

An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place.

Scope Notes: The site is ready to receive the necessary replacement computer equipment in the event that the users have to move from their main computing location to the alternative computer facility.

Collaborative filtering

Making predictions about the interests of one user based on the interests of many other users. Collaborative filtering is often used in recommendation systems.


The situation that occurs when two or more demands are made simultaneously on equipment that can handle only one at any given instant (Federal Standard 1037C)

Combined Code on Corporate Governance

The consolidation in 1998 of the "Cadbury," "Greenbury" and "Hampel" Reports.

Scope Notes: Named after the Committee Chairs, these reports were sponsored by the UK Financial Reporting Council, the London Stock Exchange, the Confederation of British Industry, the Institute of Directors, the Consultative Committee of Accountancy Bodies, the National Association of Pension Funds and the Association of British Insurers to address the financial aspects of corporate governance, directors' remuneration and the implementation of the Cadbury and Greenbury recommendations.


1. In programming languages, a language construct that allows explanatory text to be inserted into a program and that does not have any effect on the execution of the program

2. Information embedded within a computer program, job control statements or a set of data that provides clarification to human readers but does not affect machine interpretation

Source: IEEE

Commercial off-the-shelf (COTS)

Describes items that can be purchased from a commercial supplier and used without tailoring

Common Attack Pattern Enumeration and Classification (CAPEC)

A catalogue of attack patterns as “an abstraction mechanism for helping describe how an attack against vulnerable systems or networks is executed” published by the MITRE Corporation

Common cause of variation

The variation of a process that exists because of normal and expected interactions among components of a process. Also referred to as “inherent cause” of variation.

See Special cause of variation

Communication processor

A computer embedded in a communications system that generally performs the basic tasks of classifying network traffic and enforcing network policy functions.

Scope Notes: An example is the message data processor of a defense digital network (DDN) switching center. More advanced communication processors may perform additional functions.

Communications controller

Small computers used to connect and coordinate communication links between distributed or remote devices and the main computer, thus freeing the main computer from this overhead function.

Community cloud

A cloud computing environment in which resources are shared among entities within shared industries or interests in common, e.g., healthcare or financial services

Community strings

Authenticate access to management information base (MIB) objects and function as embedded passwords.

Scope Notes: Examples are:

  • Read-only (RO)- Gives read access to all objects in the MIB except the community strings, but does not allow write access

  • Read-write (RW)- Gives read and write access to all objects in the MIB, but does not allow access to the community strings

  • Read-write-all - Gives read and write access to all objects in the MIB, including the community strings (only valid for Catalyst 4000, 5000 and 6000 series switches)

Simple Network Management Protocol (SNMP) community strings are sent across the network in cleartext. The best way to protect an operating system (OS) software-based device from unauthorized SNMP management is to build a standard IP access list that includes the source address of the management station(s). Multiple access lists can be defined and tied to different community strings. If logging is enabled on the access list, then log messages are generated every time that the device is accessed from the management station. The log message records the source IP address of the packet.

Compact disc–read-only memory (CD-ROM)

A compact disk used for the permanent storage of text, graphic or sound information. Digital data is represented very compactly by tiny holes that can be read by lasers attached to high resolution sensors. Capable of storing up to 680 MB of data, equivalent to 250,000 pages of text, or 20,000 medium resolution images. This storage medium is often used for archival purposes. Synonymous with optical disk and write-once read-many times disk.

Comparison program

A program for the examination of data, using logical or conditional tests to determine or to identify similarities or differences.


A process for protecting very-high value assets or in environments where trust is an issue. Access to an asset requires two or more processes, controls or individuals.

Compensating control

An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions.


The ability to perform a specific task, action or function successfully

Scope Notes: COBIT 5 and COBIT 2019 perspective


The strengths of an enterprise or what it does well.

Scope Notes: Can refer to the knowledge, skills and abilities of the assurance team or individuals conducting the work.


Translating a program expressed in a problem-oriented language or a procedure-oriented language into object code. Contrasts with assembling and interpret.


1. A computer program that translates programs expressed in a high-level language into their machine-language equivalents

2. The compiler takes the finished source-code listing as input and outputs the machine-code instructions that the computer must have to execute the program.

See Assembler and Interpreter

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)

A type of challenge-response test used in computing to ensure that the response is not generated by a computer. An example is the site request for web site users to recognize and type a phrase posted using various challenging-to-read fonts.

Completely connected (mesh) configuration

A network topology in which devices are connected with many redundant interconnections between network nodes (primarily used for backbone networks).

Completeness check

A procedure designed to ensure that no fields are missing from a record.


Adherence to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies

Compliance documents

Policies, standards and procedures that document the actions that are required or prohibited. Violations may be subject to disciplinary actions.

Compliance risk

The probability and consequences of an enterprise failing to comply with laws, regulations or the ethical standards or codes of conduct applicable to the enterprise industry

Compliance testing

Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period.


A general term that is used to mean one part of something more complex.

Scope Notes: For example, a computer system may be a component of an IT service, or an application may be a component of a release unit. Components are co-operating packages of executable software that make their services available through defined interfaces. Components used in developing systems may be commercial off-the-shelf software (COTS) or may be purposely built. However, the goal of component-based development is to ultimately use as many pre-developed, pretested components as possible.

Comprehensive audit

An audit designed to determine the accuracy of financial records as well as to evaluate the internal controls of a function or department.

Computational linguistics

A branch of computer science for parsing text of spoken languages (e.g., English or Mandarin) to convert it to structured data that can be used to drive program logic

Computationally greedy

Requiring a great deal of computing power; processor intensive.


1. A functional unit that can perform substantial computations, including numerous arithmetic operations, or logic operations, without human intervention during a run

2. A functional programmable unit that consists of one or more associated processing units and peripheral equipment, is controlled by internally stored programs, and can perform substantial computations, including numerous arithmetic operations, or logic operations, without human intervention

Computer emergency response team (CERT)

A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.

Computer forensics

The application of the scientific method to digital media to establish factual information for judicial review

Scope Notes: This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities. As a discipline, it combines elements of law and computer science to collect and analyze data from information systems (e.g., personal computers, networks, wireless communication and digital storage devices) in a way that is admissible as evidence in a court of law.

Computer instruction set

A complete set of the operators of the instructions of a computer together with a description of the types of meanings that can be attributed to their operands. Synonymous with machine instruction set.

Computer language

A language designed to enable humans to communicate with computers

See Programming language.

Computer science

The branch of science and technology that is concerned with methods and techniques relating to data processing performed by automatic means

Computer security incident response team (CSIRT)

Technical team responsible for addressing security incidents

Computer sequence checking

Verifies that the control number follows sequentially and that any control numbers out of sequence are rejected or noted on an exception report for further research.

Computer server

1. A computer dedicated to servicing requests for resources from other computers on a network. Servers typically run network operating systems.

2. A computer that provides services to another computer (the client).

Computer system

A functional unit, consisting of one or more computers, associated peripheral input and output devices, and associated software, that uses common storage for all or part of a program and for all or part of the data necessary for the execution of the program; executes user-written or user-designated programs; performs user-designated data manipulation, including arithmetic operations and logic operations; and can execute programs that modify themselves during their execution. A computer system may be a stand-alone unit or may consist of several interconnected units.

See Computer.

Computer-aided software engineering (CASE)

The use of software packages that aid in the development of all phases of an information system.

Scope Notes: System analysis, design programming and documentation are provided. Changes introduced in one CASE chart will update all other related charts automatically. CASE can be installed on a microcomputer for easy access.

Computer-assisted audit technique (CAAT)

Any automated audit technique, such as generalized audit software (GAS), test data generators, computerized audit programs and specialized audit utilities.

Concurrency control

Refers to a class of controls used in a database management system (DBMS) to ensure that transactions are processed in an atomic, consistent, isolated and durable manner (ACID). This implies that only serial and recoverable schedules are permitted, and that committed transactions are not discarded when undoing aborted transactions.

Concurrent access

A fail-over process, in which all nodes run the same resource group (there can be no [Internet Protocol] IP or [mandatory access control] MAC address in a concurrent resource group) and access the external storage concurrently.

Concurrent appraisals

Concurrent or simultaneous appraisals is defined by two or more appraisals where the conduct appraisal phase is performed by the same ATL at the same time. Concurrent or simultaneous appraisals are not allowed, under any circumstances. A concurrent or simultaneous appraisal typically includes:

  • Appraising one or more OUs with different scopes, or

  • Using two or more appraisal teams,

All during the same timeframe of the conduct appraisal phase

Confidence interval

A range specified around an estimate to indicate margin of error, combined with a probability that a value will fall in that range


Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information

Configurable control

Typically, an automated control that is based on, and therefore dependent on, the configuration of parameters within the application system.

Configuration identification

A configuration management activity that involves selecting a product’s configuration items, assigning them unique identifiers, and recording their functional and physical characteristics in technical documentation

See Configuration item and Configuration management

Configuration item (CI)
  1. Component of an infrastructure-or an item, such as a request for change, associated with an infrastructure-which is (or is to be) under the control of configuration management (ISACA)

    Scope Notes: May vary widely in complexity, size and type, from an entire system (including all hardware, software and documentation) to a single module or a minor hardware component

  2. Work products designated for configuration management and treated as a single entity in the configuration management process (CMMI)

    See Configuration management

Configuration management
  1. The control of changes to a set of configuration items over a system life cycle (ISACA)

  2. The process of managing the integrity of work products using configuration identification, version control, change control, and audits (CMMI)

    See Configuration identification, Configuration item, Configuration audit and Version control


The number of blocks added to the blockchain after the network has accepted that a particular transaction has been executed


A decision-making method that allows team members to develop a common basis of understanding and develop general agreement concerning a decision that all team members are willing to support

Consensus mechanism

A fault-tolerant mechanism used in blockchain/distributed ledger systems to achieve the necessary agreement on data values or the state of the network among distributed processes or multiagent systems


Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.


The result of a realized risk. A consequence can be certain or uncertain and can have positive or negative direct or indirect effects on objectives. Consequences can be expressed qualitatively or quantitatively.


The degree of uniformity, standardization and freedom from contradiction among the documents or parts of a system or component

See Traceability.

Consistency checker

A software tool used to test requirements in design specifications for both consistency and completeness

Console log

An automated detail report of computer system activity.


The practice of collecting and summarizing the information provided into a manageable set to:

  • Determine the extent to which the objective evidence is corroborated and covers the areas being investigated

  • Determine the objective evidence sufficiency for making judgments

  • Revise the objective evidence-gathering plan as necessary to achieve this sufficiency

See Objective evidence

Consortium blockchain

A subset of private blockchains that provides a unique blend of both public and private blockchain


A value that does not change during processing. Contrasts with variable.

Constrained Application Protocol (CoAP)

A messaging protocol usually implemented with low-powered devices


In a RACI (responsible, accountable, consulted, informed) chart, refers to those people whose opinions are sought on an activity (two-way communication).


One who utilizes goods


A new model in which emerging technologies are first embraced by the consumer market and later spread to the business


A packaged environment that includes all necessary dependencies, executables, and code for particular applications to run separate from the host computing device


Actions taken to limit exposure after an incident has been identified and confirmed

Content filtering

Controlling access to a network by analyzing the contents of the incoming and outgoing packets and either letting them pass or denying them based on a list of rules.

Scope Notes: Differs from packet filtering in that it is the data in the packet that are analyzed instead of the attributes of the packet itself (e.g., source/target IP address, transmission control protocol [TCP] flags)


The overall set of internal and external factors that might influence or determine how an enterprise, entity, process or individual acts

Scope Notes: Context includes:

- technology context (technological factors that affect an enterprise's ability to extract value from data)

- data context (data accuracy, availability, currency and quality)

- skills and knowledge (general experience and analytical, technical and business skills),

- organizational and cultural context (political factors and whether the enterprise prefers data to intuition)

- strategic context (strategic objectives of the enterprise)

COBIT 5 and COBIT 2019 perspective

Contingency plan

A plan used by an enterprise or business unit to respond to a specific systems failure or disruption.

Contingency planning

Process of developing advance arrangements and procedures that enable an enterprise to respond to an event that could occur by chance or unforeseen circumstances.


Preventing, mitigating and recovering from disruption.

Scope Notes: The terms "business resumption planning," "disaster recovery planning" and "contingency planning" also may be used in this context; they all concentrate on the recovery aspects of continuity.

Continuous auditing approach

This approach allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.

Continuous availability

Nonstop service, with no lapse in service; the highest level of service in which no downtime is allowed.

Continuous feature

A floating-point feature with an infinite range of possible values. Contrasts with discrete feature.

Continuous improvement

The goals of continuous improvement (Kaizen) include the elimination of waste, defined as "activities that add cost, but do not add value;" just-in-time (JIT) delivery; production load leveling of amounts and types; standardized work; paced moving lines; and right-sized equipment.

Scope Notes: A closer definition of the Japanese usage of Kaizen is "to take it apart and put it back together in a better way." What is taken apart is usually a process, system, product or service. Kaizen is a daily activity whose purpose goes beyond improvement. It is also a process that, when done correctly, humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how to do rapid experiments using the scientific method and how to learn to see and eliminate waste in business processes.

Continuous risk and control monitoring

A process that includes:

  • Developing a strategy to regularly evaluate selected information and technology (I&T)-related controls/metrics

  • Recording and evaluating I&T-related events and the effectiveness of the enterprise in dealing with those events

  • Recording changes to I&T-related controls or changes that affect I&T-related risk

  • Communicating the current risk and control status to enable information-sharing decisions involving the enterprise

Continuous variable

A variable whose value can be any of an infinite number of values, typically within a particular range

Contract account

The account (or address) created when a smart contract is deployed by the smart contract owner. Contract account contains the runtime virtual machine bytecode for a contract.

Contractual requirements

Result of analysis and refinement of customer requirements into a set of requirements suitable for inclusion in solicitation packages or supplier agreements.

Contractual requirements include technical and nontechnical requirements necessary to acquire a solution.

See Acquirer, Customer requirement and Supplier agreement


The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature

Scope Notes: Also used as a synonym for safeguard or countermeasure.

See also Internal control.

Control center

Hosts the recovery meetings where disaster recovery operations are managed.

Control flow diagram

A diagram that depicts the set of all possible sequences in which operations may be performed during the execution of a system or program. Types include box diagram, flowchart, input-process-output chart and state diagram. Contrasts with data flow diagram.

Control framework

A set of fundamental controls that facilitates the discharge of business process owner responsibilities to prevent financial or information loss in an enterprise.

Control group

Members of the operations area who are responsible for the collection, logging and submission of input for the various user groups.

Control objective

A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.

Control Objectives for Enterprise Governance

A discussion document that sets out an "enterprise governance model" focusing strongly on both the enterprise business goals and the information technology enablers that facilitate good enterprise governance, published by the Information Systems Audit and Control Foundation in 1999.

Control owner

A person in whom the enterprise has invested the authority and accountability for making control-related decisions and is responsible for ensuring that the control is implemented and is operating effectively and efficiently

Control perimeter

The boundary defining the scope of control authority for an entity.

Scope Notes: For example, if a system is within the control perimeter, the right and ability exist to control it in response to an attack.

Control practice

Key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk and alignment of IT with business.

Control risk

Risk that assets are lost/compromised or that financial statements are materially misstated due to lack of or ineffective design and/or implementation of internal controls

Control risk self-assessment

A method/process by which management and staff of all levels collectively identify and evaluate risk and controls with their business areas. This may be under the guidance of a facilitator such as an auditor or risk manager.

Control section

The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic-logic, internal storage and output sections of the computer.

Control weakness

A deficiency in the design or operation of a control procedure. Control weaknesses can potentially result in risk relevant to the area of activity not being reduced to an acceptable level (relevant risk threatens achievement of the objectives relevant to the area of activity being examined). Control weaknesses can be material when the design or operation of one or more control procedures does not reduce to a relatively low level the risk that misstatements caused by illegal acts or irregularities may occur and not be detected by the related control procedures.


The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Convenience sampling

Using a dataset not gathered scientifically in order to run quick experiments. Later on, it is essential to switch to a scientifically gathered dataset.


Informally, often refers to a state reached during training in which