I

I/O appendage

See input/output appendage. [FISCAM]

IA architecture

Activity that aggregates the functions of developing IA operational, system, and technical architecture products for the purpose of specifying and implementing new or modified IA capabilities within the IT environment. (DoD Directive 8100.1, 19 Sept 2002) [US National Information Assurance (IA) Glossary]

IA-enabled information

Product or technology whose primary role is not [US National Information Assurance (IA) Glossary]

Icon

In a GUI, a picture or drawing which is activated by “clicking” a mouse to command the computer program to perform a predefined series of events. [Sedona Conference]

Identification

The identification of a user, accomplished by techniques such as a secret code known only to a single person, the biometrics of a person, a computer-readable identity card, or other methods. The process that enables recognition and validation of an entity by a system. [HIPAA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, US National Information Assurance (IA) Glossary, NIST 800 Series, FIPS Pubs]

Identified requirements

A comprehensive list of implicit and explicit recordkeeping requirements, identified from documentary and oral sources in DIRKS Step C, that an organization may potentially decide to meet. An organization must subject these identified requirements to risk-based assessment to prioritize a subset that the organization will meet. [DIRKS, ISO/IEC 27001:2005]

Identifier

A unique data string used as a key in the biometric system to name a person’s identity and its associated attributes. [NIST 800 series, FIPS Pubs]

Identity (ID)

Information that is unique within a security domain and which is recognized as denoting a particular organization, system, asset, or person within that domain. Since the legal names of persons are not necessarily unique, the identity of a person must include sufficient additional information to make the complete name unique. [NIST 800 Series, ISO/IEC 27001:2005, PCI-DSS, FIPS Pubs]

Identity binding

Binding of the vetted claimed identity to the individual (through biometrics) according to the issuing authority. [NIST 800 series, FIPS Pubs]

Identity management

A system that coordinates authentication and password management across network applications and resources. [Network Frontiers]

Identity proofing

The process by which a Credentials Service Provider (CSP) and a Registration Authority (RA) validate sufficient information to uniquely identify a person. [NIST 800 series, FIPS Pubs]

Identity registration

The process of making a person’s identity known to the Personal Identity Verification (PIV) system, associating a unique identifier with that identity, and collecting and recording the person’s relevant attributes into the system. [NIST 800 series, FIPS Pubs]

Identity token

Smart card, metal key, or other physical object used to authenticate identity. [US National Information Assurance (IA) Glossary]

Identity validation

Tests enabling an information system to authenticate users or resources. [US National Information Assurance (IA) Glossary]

Identity verification

The process of confirming or denying that a claimed identity is correct by comparing the credentials (something you know, something you have, something you are) of a person requesting access with those previously proven and stored in the PIV Card or system and associated with the identity being claimed. [NIST 800 series, FIPS Pubs]

Identity-based security policy

A security policy based on the identities and/or attributes of the object (system resource) being accessed and of the subject (user, group of users, process, or device) requesting access. [NIST 800 series]

Idle standby

A fail-over process in which the primary node owns the resource group. The backup node runs idle only supervising the primary node. In case of a primary node outage, the backup node takes over. The nodes are prioritized, which means the surviving node with the highest priority will acquire the resource group. A higher priority node joining the cluster will thus cause a short service interruption. [ISACA]

IDS sensor

An Intrusion Detection System (IDS) sensor monitors network activity, can alert personnel when suspicious activity occurs, and can shut down suspect connections automatically. See also intrusion detection system. [Network Frontiers]

Image

An exact copy of what is on the storage medium. To image a hard drive is to make an identical copy of the hard drive, including empty sectors. Also known as creating a “mirror image” or “mirroring” the drive. [Centers for Medicare & Medicaid Services (CMS), Sedona Conference, NIST 800 Series]

Image copy

See Forensic copy. [Sedona Conference]

Image enabling

A software function that creates links between existing applications and stored images. [Sedona Conference]

Image file format

See File format, format. [Sedona Conference]

Image key

The name of a file created when a page is scanned in a collection. [Sedona Conference]

Image processing

The process of electronically inputting source documents by taking an image of the document, thereby eliminating the need for key entry. See also Native format. [ISACA, Sedona Conference]

Image Processing Card (IPC)

A board mounted in the computer, scanner or printer that facilitates the acquisition and display of images. The primary function of most IPCs is the rapid compression and decompression of image files. [Sedona Conference]

Imitative communications deception

Introduction of deceptive messages or signals into an adversary's telecommunications signals. See also communications deception and manipulative communications deception. [US National Information Assurance (IA) Glossary]

Immediate recovery

Previously called “hot stand-by,” provides for the immediate restoration of services following any irrecoverable incident. It is important to distinguish between the previous definition of “hot stand-by” and “immediate recovery.” Hot stand-by typically referred to availability of services within a short time-scale such as 2 or 4 hours whereas immediate recovery implies the instant availability of services. See also active recovery site, dedicated work area. [ITIL]

Impact

The effect of a threat on an organization’s mission and business objectives. A measure of the effect of an incident, problem, or change on business processes. Impact is often based on how service levels will be affected. Impact and urgency are used to assign priority. See also impact code. [CERT OCTAVE, ISO/IEC 27001:2005, ITIL, BS 25999, NIST 800 Series]

Impact code

A category used to represent impact. For example, major, minor, or catastrophic. See also priority. [ITIL]

Impersonating

Form of spoofing. [US National Information Assurance (IA) Glossary]

Impersonation

An attempt to gain access to a system by posing as an authorized user. [Centers for Medicare & Medicaid Services (CMS)]

Implant

Electronic device or electronic equipment modification designed to gain unauthorized interception of information-bearing emanations. [US National Information Assurance (IA) Glossary]

Implementation

The process of making a system operational in the organization. [FISCAM, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005]

Implementation life cycle review

Refers to the controls that support the process of transformation of the organization’s legacy information systems into the ERP applications. This would largely cover all aspects of systems implementation and configuration such as change management. [ISACA]

Implementation vulnerability

A weakness resulting from an error made in the software or hardware implementation of a satisfactory design. [CERT OCTAVE]

Import

Data brought into an environment or application which has been exported from another environment or application. [Sedona Conference]

Inactive record

Inactive records are those records related to closed, completed, or concluded activities. Inactive records are no longer routinely referenced, but must be retained in order to fulfill reporting requirements or for purposes of audit or analysis. Inactive records generally reside in a long-term storage format, remaining accessible for purposes of business processing only, with restrictions on alteration. In some business circumstances inactive records may be re-activated. [Sedona Conference]

Inadvertent disclosure

Type of incident involving accidental exposure of information to an individual not authorized access. [US National Information Assurance (IA) Glossary]

Inappropriate usage

A person who violates acceptable computing use policies. [NIST 800 series]

Incident

Any adverse event whereby some aspect of computer security was or could be threatened involving the loss of data confidentiality, disruption of data or system integrity, or disruption or denial of availability. An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Any event which could affect an IT service in the future is also an incident. For example, failure of one disk from a mirror set. See also incident management, incident record. [Centers for Medicare & Medicaid Services (CMS), CobiT, ISO/IEC 27001:2005, FIPS Pubs, ITIL, US National Information Assurance (IA) Glossary, PAS 56, BS 25999, NIST 800 Series]

Incident cost

A cost of providing an IT service which cannot be allocated in full to a specific customer. For example, cost of providing shared servers or software licenses. Indirect costs are divided into absorbed overhead and unabsorbed overhead. See also direct cost, overhead. [ITIL]

Incident handling

The mitigation of violations of security policies and recommended practices. [NIST 800 series]

Incident management

The process responsible for managing the lifecycle of all incidents. The primary objective of incident management is to return the IT service to customers as quickly as possible. [ITIL]

Incident management plan

A clearly defined and documented plan of action for use at the time of an incident, typically covering the key personnel, resources, services and actions needed to implement the incident management process. [BS 25999]

Incident record

A record containing the details of an incident. Each incident record documents the lifecycle of a single incident. [ITIL]

Incident response plan

The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization’s IT system(s). [NIST 800 series]

Incident response procedure

Incident response involves detection, alert, triage, response (containment and eradication), recovery, and follow-up. The goal of a systematic approach to handling security incidents is to resume system and business operations as soon as possible while preserving the incident’s forensic information for further analysis and security process enhancements. A formal process or set of procedures to be followed after notification of suspected unauthorized action within a network or computer system. [Centers for Medicare & Medicaid Services (CMS)]

Incomplete parameter checking

System flaw that exists when the operating system does not check all parameters fully for accuracy and consistency, thus making the system vulnerable to penetration. [US National Information Assurance (IA) Glossary]

Incremental backup

The process of making a copy of only the files that have changed since the last backup instead of backing up every file. [Centers for Medicare & Medicaid Services (CMS)]

Incremental testing

Deliberately testing only the value-added functionality of a software component. [ISACA]

Inculpatory evidence

Evidence that tends to increase the likelihood of fault or guilt. [NIST 800 series]

Independence

Self-governance and freedom from conflict of interest and undue influence. The IS auditor should be free to make his/her own decisions, not influenced by the organization being audited and its people (managers and employees). [ISACA]

Independence appearance

The outward impression of being self-governing and free from conflict of interest and undue influence. [ISACA]

Independent attitude

Impartial point of view which allows the IS auditor to act objectively and with fairness. [ISACA]

Independent verification and validation

An independent assessment of a system. The assessment assures that the products conform to the requirements and design, as documented, and fulfill the operational objectives. [Centers for Medicare & Medicaid Services (CMS)]

Index

The searchable catalog of documents created by search engine software. Also called “catalog.” Index is often used as a synonym for search engine. [Sedona Conference]

Index/Coding fields

Database fields used to categorize and organize documents. Often user-defined, these fields can be used for searches. [Sedona Conference]

Indexed Sequential Access Method (ISAM)

A disk access method that stores data sequentially, while also maintaining an index of key fields to all the records in the file for direct access capability. [ISACA]

Indexed sequential file

A file format in which records are organized and can be accessed according to a pre-established key that is part of the record. [ISACA]

Indexing

Identification of specific attributes of a document or database record to facilitate retrieval. The process of establishing access points to facilitate retrieval of records and/or information. Universal term for coding and data entry. [AIIM, ISO 15489, Sedona Conference]

Indication

A sign that an incident may have occurred or may be currently occurring. [NIST 800 series]

Indicator

Recognized action, specific, generalized, or theoretical, that an adversary might be expected to take in preparation for an attack. [US National Information Assurance (IA) Glossary]

Individual

A citizen of the United States or an alien lawfully admitted for permanent residence. Agencies may, consistent with individual practice, choose to extend the protections of the Privacy Act and E-Government Act to businesses, sole proprietors, aliens, etc. [NIST 800 series]

Individual accountability

Ability to associate positively the identity of a user with the time, method, and degree of access to an information system. [US National Information Assurance (IA) Glossary]

Industry Standard Architecture (ISA)

[Sedona Conference]

Informal security policy

Natural language description, possibly supplemented by mathematical arguments, demonstrating the correspondence of the functional specification to the high-level design. [US National Information Assurance (IA) Glossary]

Information

Knowledge communicated or received concerning some fact or circumstance. The meaning of data. Data are facts or subsets of information. Various groupings of data become information when they are seen in context and convey meaning to people. Therefore, information is the communication or reception of knowledge, such as facts, data, or opinions, including numerical, graphic, or narrative forms, whether oral or maintained in any other medium, including computerized databases, paper, microfilm, or magnetic tape. In the world of e-discovery, information can mean either documents or data. [DIRKS, FISCAM, Centers for Medicare & Medicaid Services (CMS), OMB Circular A-130, ISO/IEC 27001:2005, FIPS Pubs, US National Information Assurance (IA) Glossary, Sedona Conference, NIST 800 Series]

Information and communication

A component of internal control in addition to the control environment, risk assessment, monitoring, and control activities. The identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. The accounting system and accounting manuals are examples of this component. [GAO/PCIE Financial Audit Manual]

Information architecture

See IT architecture. [CobiT]

Information asset

Documented (paper or electronic) information or intellectual assets used to meet the mission of the enterprise. [CERT OCTAVE]

Information assurance

There are four basic properties of information, information processes, information systems, and information technology. 1) Confidentiality is a characteristic of information only being disclosed to authorized entities, processes, or persons at authorized times and in authorized manners. 2) Integrity is a characteristic of information, information processes, and information systems being complete and accurate. 3) Availability is a characteristic of information, information systems, and information technology being accessible and usable on a timely basis. 4) Accountability is a characteristic of responsibly interacting at a level commensurate with the sensitivity and criticality of information, information processes, information systems, and information technology. Furthermore, in order for information assurance to be guaranteed, these four properties must co-support each other. Loss of one characteristic can lead to loss of the other characteristics. [Network Frontiers, US National Information Assurance (IA) Glossary, NIST 800 Series]

Information Assurance and Infrastructure Protection Directorate of the DHS (IAIP)

An organization within the Department of Homeland Security. IAD's mission involves detecting, reporting, and responding to cyber threats; making encryption codes to securely pass information between systems; and embedding IA measures directly into the emerging Global Information Grid. It includes building secure audio and video communications equipment, making tamper protection products, and providing trusted microelectronics solutions. It entails testing the security of customers' systems, providing OPSEC assistance, and evaluating commercial software and hardware against nationally set standards, to better meet our nation's IA needs. See also http://www.nsa.gov/ia/ for more information. [de facto]

Information Assurance Manager (IAM)

See information systems security manager. [US National Information Assurance (IA) Glossary]

Information Assurance Officer (IAO)

See information systems security officer. [US National Information Assurance (IA) Glossary]

Information assurance product

Product or technology whose primary purpose is to provide security services (e.g., confidentiality, authentication, integrity, access control, non-repudiation of data); correct known vulnerabilities; and/or provide layered defense against various categories of non-authorized or malicious penetrations of information systems or networks. Examples include such products as data/network encryptors, firewalls, and intrusion detection devices. [US National Information Assurance (IA) Glossary]

Information engineering

Data-oriented development techniques that work on the premise that data are at the center of information processing and that certain data relationships are significant to a business and must be represented in the data structure of its systems. [ISACA]

Information environment

Aggregate of individuals, organizations, or systems that collect, process, or disseminate information, including the information itself. [US National Information Assurance (IA) Glossary]

Information flow control

Procedure to ensure that information transfers within an information system are not made from a higher security level object to an object of a lower security level. [US National Information Assurance (IA) Glossary]

Information Lifecycle Management (ILM)

[Sedona Conference]

Information Management System (IMS)

A general purpose system that allows users to access a database remotely. [FISCAM]

Information Operations (IO)

Actions taken to affect adversary information and information systems while defending one’s own information and information systems. [US National Information Assurance (IA) Glossary]

Information owner

Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. [FIPS Pubs, US National Information Assurance (IA) Glossary, NIST 800 Series]

Information processing

Information processing describes the organized collection, initial storage, processing, transmission, dissemination, and long-term storage of information in accordance with defined procedures that may be automated or manual. [Network Frontiers]

Information Processing Facility (IPF)

See computer room, data center facility. [ISACA]

Information resource

Information and related resources such as personnel, equipment, funds, and information technology. See also resource. [FISCAM, Centers for Medicare & Medicaid Services (CMS), FIPS Pubs, NIST 800 Series]

Information resource management

See information systems management. [FISCAM]

Information resource owner

See owner. [FISCAM, Centers for Medicare & Medicaid Services (CMS)]

Information security

The preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved. The protection of data against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional to preserve the confidentiality, integrity, and availability of the system. See also information assurance. [Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ISO/IEC 17799:2005, PCI-DSS, FIPS Pubs, NIST 800 Series]

Information security event

An identified occurrence of a system, service, or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant. [ISO/IEC 27001:2005, ISO/IEC TR 18044:2004]

Information Security Forum (ISF)

The Information Security Forum (ISF) is the world's leading independent authority on information security. By harnessing our world-renowned expertise and the collective knowledge and experience of our members - including 50% of Fortune 100 companies - the ISF delivers practical guidance and solutions to overcome wide-ranging security challenges impacting business information today. See also http://www.securityforum.org for more information. [de facto]

Information security incident

A single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. [ISO/IEC 27001:2005, ISO/IEC TR 18044:2004]

Information security management

The process that ensures the confidentiality, integrity and availability of an organization's assets, information, data and IT services. Information security management usually has a wider scope than the service provider. It normally includes handling of paper, building access, phone calls, etc., for the entire organization. [ITIL]

Information Security Management System (ISMS)

An information security management system (ISMS) is a system of management concerned with information security. It is that part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security. The design and implementation of an organization’s ISMS is influenced by its needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution. [ISO/IEC 27001:2005]

Information Security Manager

The information security manager is the role responsible for the information security management process in the IT service provider. The information security manager is responsible for fulfilling the security demands as specified in the information security policy and SLAs. The information security manager typically delegates the actual implementation to other personnel in the IT service provider. The information systems security officer and the information security manager work closely together. [ITIL]

Information Security Officer

See Information Systems Security Officer. [ITIL]

Information security policy

The policy that governs the organization's approach to information security management. [ITIL, US National Information Assurance (IA) Glossary, NIST 800 Series]

Information security training and awareness

Training on organizational policies and procedures, security requirements, legal responsibilities, business controls, and correct, safe use of information processing facilities. [Centers for Medicare & Medicaid Services (CMS)]

Information Services (IS)

[GAO/PCIE Financial Audit Manual, Centers for Medicare & Medicaid Services (CMS), ISACA]

Information sharing

The requirements for information sharing by an IT system with one or more other IT systems or applications, for information sharing to support multiple internal or external organizations, missions, or public programs. [NIST 800 series]

Information system (IS)

Organized collections of hardware, software, supplies, policies, procedures and people, which store, process and provide access to information. The entire infrastructure, organization, personnel, and components for the collection, processing, storage, transmission, display, dissemination, and disposition of information. See also computer systems. [NIST 800 series, DIRKS, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, FIPS Pubs, US National Information Assurance (IA) Glossary, PCI-DSS, Sedona Conference]

Information system owner

Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system. [FIPS Pubs, NIST 800 Series]

Information System Security Engineering (ISSE)

Information Systems Security Engineering (ISSE) is the art and science of discovering users' information protection needs and then designing and making information systems to safely resist the forces to which they may be subjected. ISSE should be an integral part of systems engineering and should support certification and accreditation processes, such as the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP). The ISSE process comprises the following eight activities: 1) Discover Information Protection Needs, 2) Define System Security Requirements, 3) Design System Security Architecture, 4) Develop Detailed Security Design, 5) Implement System Security, 6) Assess Information Protection Effectiveness, 7) Plan Technical Effort, and 8) Manage Technical Effort. [US National Information Assurance (IA) Glossary]

Information Systems Audit and Control Association (ISACA)

The Information Systems Audit and Control Association (ISACA) is a worldwide organization which provides up-to-date information for professionals in the converging disciplines of auditing, data processing, accounting, data security, and quality assurance. See also http://www.isaca.org for more information. [de facto]

Information Systems Auditor

A person with specialized technical knowledge and skills who can understand the IS concepts discussed in the manual and apply them to the audit. See also auditor. [GAO/PCIE Financial Audit Manual]

Information systems controls

Controls whose effectiveness depends on computer processing, including general, application, and user controls. [GAO/PCIE Financial Audit Manual]

Information Systems Examination Board (ISEB)

The British Computer Society Information Systems Examination Board is accredited by the ICMB as an examination board. See also http://www.bcs.org/bcs/products/qualifications/iseb for more information. [ITIL]

Information systems security

The protection afforded to information systems to preserve the availability, integrity, and confidentiality of the systems and information contained in the systems. Protection results from the application of a combination of security measures, including crypto security, transmission security, emission security, computer security, information security, personnel security, resource security, and physical security. [Centers for Medicare & Medicaid Services (CMS), US National Information Assurance (IA) Glossary]

Information Systems Security Association (ISSA)

ISSA is a not-for-profit international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. See also http://www.issa.org for more information. [de facto]

Information systems security equipment modification

Modification of any fielded hardware, firmware, software, or portion thereof, under NSA configuration control. There are three classes of modifications: mandatory (to include human safety); optional/special mission modifications; and repair actions. These classes apply to elements, subassemblies, equipment, systems, and software packages performing functions such as key generation, key distribution, message encryption, decryption, authentication, or those mechanisms necessary to satisfy security policy, labeling, identification, or accountability. [US National Information Assurance (IA) Glossary]

Information Systems Security Manager (ISSM)

Individual responsible for a program, organization, system, or enclave’s information assurance program. [US National Information Assurance (IA) Glossary]

Information Systems Security Officer (ISSO)

The person responsible for ensuring the security of an information system throughout its life cycle, from design through disposal. The Information Systems Security Officer is responsible for assessing the business risks and setting the information security policy. This role is the counterpart of the Information Systems Security Manager and resides in the customer organization. The Information Systems Security Officer and the Information Security Manager work closely together. This is roughly equivalent to the Chief Information Security Officer and Senior Agency Information Security Officer. See also security officer. [NIST 800 series, Centers for Medicare & Medicaid Services (CMS), ITIL, US National Information Assurance (IA) Glossary]

Information systems security product

Item (chip, module, assembly, or equipment), technique, or service that performs or relates to information systems security. [US National Information Assurance (IA) Glossary]

Information Technology (IT)

Processing information by computer. IT, or Information Technology, has probably been the most redefined term over the past few years. The definition has varied from simple automation of manual processes using microprocessors, to computers, to networks, to desktop publishing, to networking. FIPS 200 provides a much more in-depth definition, in which information technology is any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: 1) requires the use of such equipment; or 2) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. [Centers for Medicare & Medicaid Services (CMS), CobiT, NIST 800 series, FIPS Pubs, ITIL, Sedona Conference]

Information technology assets

The individual elements of an information system, classified as staff, documents and records, applications and databases, operating systems, storage components, firmware and hardware, network, power and cooling, and facilities. [Network Frontiers]

Information Technology infrastructure

The overall makeup of business-wide technology operations, including mainframe operations, standalone systems, e-mail, networks (WAN and LAN), internet access, customer databases, enterprise systems, application support, regardless of whether managed, utilized or provided locally, regionally, globally, etc., or whether performed or located internally or by outside providers (outsourced to vendors). The IT Infrastructure also includes applicable standard practices and procedures, such as backup procedures, versioning, resource sharing, retention practices, janitor program utilization, and the like. [Sedona Conference]

Information Technology Laboratory (ITL)

[NIST 800 series]

Information type

A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or in some instances by a specific law, Executive Order, directive, policy, or regulation. [FIPS Pubs, NIST 800 Series]

Informed customer

A manager who works for the customer and is a specialist in dealing with and managing IT service providers. The informed customer is responsible for all aspects of managing the relationship with service providers. [ITIL]

Infrastructure

Technology, human resources, and facilities that enable the processing of applications. [CobiT, ISO/IEC 27001:2005]

Infrastructure service

An IT service that is not directly used by the business but is required by the IT service provider so they can provide other IT services. For example, directory services, naming services, or communication services. See also general support system. [ITIL]

Ingress

Traffic entering the network. [PCI-DSS]

Ingress filtering

The process of blocking incoming packets that use obviously false IP addresses, such as reserved source addresses. [NIST 800 series]

Inherent risk

The susceptibility of an assertion to a material misstatement, assuming that there are no related internal controls. This is an auditor judgment. [FISCAM, GAO/PCIE Financial Audit Manual, ISACA]

Inheritance [objects]

In object-oriented design, the mechanism by which a subclass acquires the attributes and methods of its parent class. Classes form a strict hierarchy (a tree, where multiple inheritance is not supported). Objects, by contrast, may be instantiated from any class and may reference objects of unrelated classes, so there is no corresponding strict hierarchy of objects. [ISACA]

Initial Program Load (IPL)

A program that brings another program, often the operating system, into operation to run the computer. Also referred to as a bootstrap or boot program. [FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS)]

Initialization Vector (IV)

A vector used in defining the starting point of an encryption process within a cryptographic algorithm. [NIST 800 series, FIPS Pubs]
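The practical point behind this definition is that the IV, together with the key, fixes the starting point of the keystream or chaining, so the same key and IV must never be used for two messages. The following is an added example, not part of the original glossary: a toy counter-mode stream cipher built from SHA-256 (assumed here purely for illustration, not a vetted cipher), with constructed KEY, P1 and P2 values, showing that reusing an IV lets an attacker cancel the keystream and recover one plaintext from the other, while a fresh random IV per message does not.

```python
import hashlib
import os

# Toy counter-mode stream cipher built from SHA-256 purely to illustrate
# the role of the IV; it is not a vetted cipher and must not be used for
# real data. KEY and the two messages are constructed for this example.
KEY = b"constructed-demo-key-not-for-real-use"
P1 = b"transfer 100 to acct 4471"
P2 = b"transfer 900 to acct 9932"


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Block i of the keystream is SHA-256(key || iv || i). The IV fixes the
    starting point, so the same key and IV always give the same stream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, iv, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def roundtrip_ok() -> bool:
    iv = os.urandom(16)
    return decrypt(KEY, iv, encrypt(KEY, iv, P1)) == P1


def reused_iv_leaks_xor() -> bool:
    """Same key and IV for two messages: the keystream cancels, so
    C1 xor C2 == P1 xor P2 without any knowledge of the key."""
    iv = bytes(16)
    c1, c2 = encrypt(KEY, iv, P1), encrypt(KEY, iv, P2)
    return xor(c1, c2) == xor(P1, P2)


def recover_second_message() -> bytes:
    """An attacker who knows (or guesses) P1 recovers P2 outright."""
    iv = bytes(16)
    c1, c2 = encrypt(KEY, iv, P1), encrypt(KEY, iv, P2)
    return xor(xor(c1, c2), P1)


def fresh_iv_hides_relation() -> bool:
    """Distinct IVs give independent keystreams, so the XOR of the two
    ciphertexts no longer reveals the XOR of the plaintexts."""
    c1 = encrypt(KEY, os.urandom(16), P1)
    c2 = encrypt(KEY, os.urandom(16), P2)
    return xor(c1, c2) != xor(P1, P2)
```

The same failure applies to real counter and stream modes (AES-CTR, GCM, ChaCha20); CBC with a repeated IV leaks less but still reveals which messages share a prefix. The rule a practitioner applies is: unique per message for counter modes, unpredictable for CBC, and never derived from anything the sender might repeat.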

Initialize

Setting the state of a cryptographic logic prior to key generation, encryption, or other operating mode. [US National Information Assurance (IA) Glossary]

Initiator

The entity that initiates an authentication exchange. [NIST 800 series]

Input

Any information entered into a computer or the process of entering data into the computer. [FISCAM, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005]

Input controls

Techniques and procedures used to verify, validate, and edit data to ensure that only correct data are entered into the computer. [ISACA]

Input designs

Templates used to enable authors to more easily enter content into a system, typically customized, based on the type and format of content to be entered. [AIIM]

Input device

Any peripheral that allows a user to communicate with a computer by entering information or issuing commands (e.g., keyboard). [Sedona Conference]

Input/output appendage

A routine designed to provide additional controls for system input/output operations. [FISCAM]

Inside threat

An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service. [NIST 800 series]

Insource

Transferring the provision of IT services from an external service provider to an internal service provider. The term insourcing is used to mean running or managing IT services as an internal service provider. See also outsource. [ITIL]

Inspectable space

Three dimensional space surrounding equipment that process classified and/or sensitive information within which TEMPEST exploitation is not considered practical or where legal authority to identify and remove a potential TEMPEST exploitation exists. Synonymous with zone of control. [US National Information Assurance (IA) Glossary]

Inspector General (IG)

[GAO/PCIE Financial Audit Manual]

Instant Messaging (IM)

A form of electronic communication involving immediate correspondence between two or more online users. Peer-to-peer IM communications may not be stored on servers after receipt; logging of peer-to-peer IM messages is typically done on the client computer, and may be optionally enabled or disabled on each client. [de facto, Sedona Conference]

Institute of Chartered Accountants in England & Wales (ICAEW)

The Institute of Chartered Accountants in England & Wales is the largest professional accountancy body in Europe with over 128,000 members. The Institute was established by Royal Charter in 1880. It is now a key influencer on the international stage and the leading UK body of finance professionals offering world class qualifications. See also http://www.icaew.co.uk for more information. [de facto]

Institute of Electrical and Electronics Engineers (IEEE)

Pronounced I-triple-E, IEEE is an organization composed of engineers, scientists, and students. The IEEE is best known for developing standards for the computer and electronics industry. See also http://www.ieee.org/portal/site for more information. [ISACA, Sedona Conference]

Institute of Internal Auditors (IIA)

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association of more than 117,000 members with global headquarters in Altamonte Springs, Fla., United States. Throughout the world, the IIA is recognized as the internal audit profession’s leader in certification, education, research, and technological guidance. See also http://www.theiia.org for more information. [de facto]

Institute of IT Service Managers

An independently governed professional body, specifically aimed at professionals in IT service management which “aims to promote and support the standing of its members by establishing high-standards of professional and ethical conduct, ensuring continuing professional development of its members in order to demonstrate their competence and commitment.” See also http://www.iosm.com/ for more information. [ITIL]

Integrated Drive Electronics (IDE)

An engineering standard for interfacing PCs and hard disks. [Sedona Conference]

Integrated Services Digital Network (ISDN)

A public end-to-end digital telecommunications network with signaling, switching, and transport capabilities supporting a wide range of service accessed by standardized interfaces with integrated customer control. The standard allows transmission of digital voice, video, and data over 64 Kbps lines. [ISACA, Sedona Conference]

Integrated Test Facilities (ITF)

Test data are processed in production systems. The data usually represent a set of fictitious entities such as departments, customers and products. Output reports are verified to confirm the correctness of the processing. See also integration testing. [ISACA]

Integration

Measures, practices, and procedures for the continuity of information should be coordinated and integrated with each other and other measures, practices, and procedures of the organization so as to create a coherent system of continuity. [NIST 800 series]

Integration testing

Testing of a build release to determine if related information system components perform to specification. [FISCAM, ITIL]

Integrity

The authenticity, accuracy, and completeness of an asset. The property that data or information have not been altered or destroyed in an unauthorized manner. Information has integrity when it is timely, accurate, complete, and consistent. The security objective that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation). See also data integrity and system integrity. [HIPAA, NIST 800 series, CERT OCTAVE, CobiT, FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ISO/IEC 13335-1:2004, FIPS Pubs, ITIL, US National Information Assurance (IA) Glossary]

Integrity check value

Checksum capable of detecting modification of an information system. [US National Information Assurance (IA) Glossary]

Integrity controls

Security measures that ensure electronically transmitted regulated data is not modified or deleted without detection, until disposed of. Many information objects carry cyclic redundancy checks or checksums that indicate whether the data has been corrupted in storage or transit. These do not, however, protect against accidental or malicious modification by an otherwise authorized user, because anyone who changes the data can simply recompute the checksum. Integrity proofing lets receivers of an object verify that its contents have not been modified and that it comes from the claimed sender: a cryptographic hash of the original object is signed with the sender's private key (asymmetric, or public/private key, cryptography) to form a digital signature, and any modification after the signature is applied will fail verification with the sender's public key. Forging a replacement signature is, in practical terms, not possible for a modifier who does not know the private key. [HIPAA]
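To make the distinction in the entry concrete, here is an added example that is not part of the original glossary. It contrasts a CRC-32, which a modifier can recompute, with a keyed check that depends on a secret the modifier lacks. A symmetric HMAC (assumed here because the Python standard library has no signing primitive) stands in for the public/private key signature the entry describes; the RECORD and SECRET_KEY values and the function names are constructed for this example.

```python
import hashlib
import hmac
import zlib
from typing import Tuple

# Constructed sample record and constructed shared key; neither comes from
# any real system. The key stands in for the private key of the entry's
# public/private key pair: the point is that the verifier's check depends
# on a secret the modifier does not have.
RECORD = b'{"patient_id": "A-1001", "amount": 100}'
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def crc_protect(data: bytes) -> Tuple[bytes, int]:
    """Attach a CRC-32 to the data. Detects accidental corruption only."""
    return data, zlib.crc32(data) & 0xFFFFFFFF


def crc_verify(data: bytes, crc: int) -> bool:
    return (zlib.crc32(data) & 0xFFFFFFFF) == crc


def mac_protect(data: bytes, key: bytes) -> Tuple[bytes, bytes]:
    """Attach an HMAC-SHA256 tag that only a key holder can compute."""
    return data, hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(data: bytes, tag: bytes, key: bytes) -> bool:
    expected = hmac.new(key, data, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(expected, tag)


def bit_flip(data: bytes, index: int) -> bytes:
    """Simulate corruption in storage or transit by flipping one bit."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


def tamper(data: bytes) -> bytes:
    """Simulate deliberate modification by an otherwise authorized user."""
    return data.replace(b'"amount": 100', b'"amount": 999')


def crc_catches_corruption() -> bool:
    data, crc = crc_protect(RECORD)
    return not crc_verify(bit_flip(data, 5), crc)


def crc_catches_tampering() -> bool:
    """The modifier recomputes the CRC over the altered record, so the
    receiver's check passes and the change goes undetected."""
    data, _ = crc_protect(RECORD)
    forged = tamper(data)
    forged_crc = zlib.crc32(forged) & 0xFFFFFFFF
    return not crc_verify(forged, forged_crc)


def mac_catches_tampering() -> bool:
    """Without the key the modifier can neither keep the old tag nor
    compute a new one, so verification fails either way."""
    data, tag = mac_protect(RECORD, SECRET_KEY)
    forged = tamper(data)
    guessed_tag = hmac.new(b"wrong-key", forged, hashlib.sha256).digest()
    return (not mac_verify(forged, tag, SECRET_KEY)
            and not mac_verify(forged, guessed_tag, SECRET_KEY))
```

A digital signature adds the second property the entry mentions, origin: because only the sender holds the private key, a valid signature also proves who produced the object, which an HMAC shared by sender and receiver cannot do.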

Intellectual control

The control established over the informational content of records and archives resulting from ascertaining and documenting their provenance, and from the processes of arrangement and description. [DIRKS]

Intellectual Property (IP)

Useful artistic, technical, and/or industrial information, knowledge or ideas that convey ownership and control of tangible or virtual usage and/or representation. [ISACA, NIST 800 Series]

Intelligent Character Recognition (ICR)

The conversion of scanned images (bar codes or patterns of bits) to computer-recognizable codes (ASCII characters and files) by means of software that defines the rules of and algorithms for conversion. This is an advanced form of Optical Character Recognition technology that may include capabilities such as learning fonts during processing, using context to strengthen the probability of correct recognition, or recognizing hand-printed characters. [AIIM, Sedona Conference]

Intelligent terminal

A terminal with built-in processing capability. It has no disk or tape storage but has memory. The terminal interacts with the user by editing and validating data as they are entered prior to final processing. [ISACA]

Inter-partition space

Unused sectors on a track located between the start of the partition and the partition boot record. This space is important because it is possible for a user to hide information here. [Sedona Conference]

Interactive processing

A mode of operation in which users interact with the system as their programs and data are processed. [FISCAM]

Interactive voice response (IVR)

A form of automatic call distribution that accepts user input, such as key presses and spoken commands, to identify the correct destination for incoming calls. [ITIL]

Interconnection Security Agreement (ISA)

Written management authorization to interconnect information systems based upon acceptance of risk and implementation of established controls. [US National Information Assurance (IA) Glossary, NIST 800 Series]

Interdepartmental amounts

Activity and balances between two different departments. The intradepartmental and interdepartmental amounts are subsets of intragovernmental activity and balances. See also department. [GAO/PCIE Financial Audit Manual]

Interentity

Activities or balances between two or more agencies, departments, or bureaus. [GAO/PCIE Financial Audit Manual]

Interest rate risk

The risk to earnings or capital arising from movements in interest rates. From an economic perspective, a bank focuses on the sensitivity of the value of its assets, liabilities, and revenues to changes in interest rates. Internet banking may attract deposits, loans, and other relationships from a larger pool of possible customers than other forms of marketing. Greater access to customers who primarily seek the best rate or term reinforces the need for managers to maintain appropriate asset/liability management systems, including the ability to react quickly to changing market conditions. [ISACA]

Interface

A connection between two devices, applications, or networks or a boundary across which two systems communicate. Interface may also refer to the portion of a program that interacts with the user. [FISCAM, Centers for Medicare & Medicaid Services (CMS), US National Information Assurance (IA) Glossary]

Interface control document

Technical document describing interface controls and identifying the authorities and responsibilities for ensuring the operation of such controls. This document is baselined during the preliminary design review and is maintained throughout the information system lifecycle. [US National Information Assurance (IA) Glossary]

Interface testing

A testing technique that is used to evaluate output from one application while the information is sent as input to another application. [ISACA]

Interim Approval To Operate (IATO)

Temporary authorization granted by a DAA for an information system to process information based on preliminary results of a security evaluation of the system. [US National Information Assurance (IA) Glossary]

Interim Approval To Test (IATT)

Temporary authorization to test an information system in a specified operational information environment within the timeframe and under the conditions or constraints enumerated in the written authorization. [US National Information Assurance (IA) Glossary]

Interlaced

TV and CRT pictures must constantly be refreshed. An interlaced display refreshes every other scan line on each refresh cycle, so only half of the image is updated per cycle; this makes interlaced displays less expensive than non-interlaced ones, but subject to flicker. The human eye can usually detect flicker when an image is completely refreshed fewer than about 30 times per second. [Sedona Conference]

Interleave

To arrange data in a noncontiguous way to increase performance. When used to describe disk drives, it refers to the way sectors on a disk are organized. In one-to-one interleaving, the sectors are placed sequentially around each track. In two-to-one interleaving, sectors are staggered so that consecutively numbered sectors are separated by an intervening sector. The purpose of interleaving is to make the disk drive more efficient. The disk drive can access only one sector at a time, and the disk is constantly spinning beneath. [Sedona Conference]

Intermediate Certification Authority (CA)

A Certification Authority that is subordinate to another CA, and has a CA subordinate to itself. [NIST 800 series]

Intermediate Distribution Frame (IDF)

Also known as a wiring closet; this is the room where the metal rack designated to connect telecommunications cables are located. The IDF consists of IT assets that provide the connection between inter-building cabling and intra-building cabling, i.e., between the MDF and local cabling runs out to devices. [Network Frontiers]

Intermediate recovery

A recovery option which is also known as warm standby. Provision is made to recover the IT service in a period of time between 24 and 72 hours. Intermediate recovery typically uses a shared portable or fixed facility that has computer systems and network components. The hardware and software will need to be configured, and data will need to be restored as part of the IT service continuity plan. [ITIL]

Internal administration

Information related to the internal administration of an agency. Includes personnel rules, bargaining positions, and advance information concerning procurement actions. [Centers for Medicare & Medicaid Services (CMS)]

Internal connectivity

A computer or network connection to an organizational peer system within the defined security perimeter. See also domain. [Centers for Medicare & Medicaid Services (CMS)]

Internal control

The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. A process, affected by organization management and other personnel, designed to provide reasonable assurance that 1) operations, including the use of organization resources, are effective and efficient; 2) financial reporting, including reports on budget execution, financial statements, and other reports for internal and external use, are reliable; and 3) applicable laws and regulations are followed. Internal control also includes the safeguarding of organization assets against unauthorized acquisition, use, or disposition. Internal control consists of five interrelated components that form an integrated process that can react to changing circumstances and conditions within the organization. These components include the control environment, risk assessment, control activities, information and communication, and monitoring. See also internal control structure. [FISCAM, GAO/PCIE Financial Audit Manual, ISACA, Centers for Medicare & Medicaid Services (CMS), CobiT]

Internal control structure

The dynamic, integrated processes, effected by the governing body, management and all other staff, that are designed to provide reasonable assurance regarding the achievement of the following general objectives: effectiveness, efficiency and economy of operations; reliability of management; Compliance with applicable laws, regulations and internal policies. Management’s strategies for achieving these general objectives are affected by the design and operation of the following components: control environment, information system, control procedures. See also internal control. [FISCAM, ISACA]

Internal customer

A customer who works for the same business as the IT service provider. See also internal service provider, external customer. [ITIL]

Internal penetrators or hackers

Authorized users of a computer system who overstep their legitimate access rights. This category is divided into masqueraders and clandestine users. [ISACA]

Internal security controls

Hardware, firmware, or software features within an information system that restrict access to resources only to authorized subjects. [US National Information Assurance (IA) Glossary]

Internal service provider

An IT service provider which is part of the same business as their customer. An internal service provider may have both internal customers and external customers. See also external service provider. [ITIL]

Internal storage

The main memory of the computer’s central processing unit. [ISACA]

International Chamber of Commerce (ICC)

The International Chamber of Commerce (ICC) is the voice of world business, championing the global economy as a force for economic growth, job creation and prosperity. ICC activities cover a broad spectrum, from arbitration and dispute resolution to making the case for open trade and the market economy system, business self-regulation, fighting corruption and combating commercial crime. See also http://www.iccwbo.org for more information. [de facto]

International Federation of Accountants (IFAC)

IFAC is the global organization for the accountancy profession. It works with its 163 member organizations in 120 countries to protect the public interest by encouraging high quality practices by the world's accountants. IFAC members represent 2.5 million accountants employed in public practice, industry and commerce, government, and academe. Its structure and governance provide for the representation of its diverse constituencies and interaction with external groups that rely on or influence the work of accountants. See also http://www.ifac.org for more information. [de facto]

International Information System Security Certification Consortium (ISC2)

The International Information Systems Security Certification Consortium, or ISC2, is internationally recognized for educating and certifying information security professionals throughout their careers. Their certification programs range from CISSPs through ISSAPs, ISSMP, and others. For more information see https://www.isc2.org. [Generally Accepted Information Security Principles, de facto]

International Organization for Standardization (ISO)

The International Organization for Standardization (ISO) is the world’s largest developer of standards. ISO is a non-governmental organization which is a network of the national standards institutes of 156 countries. Further information about ISO is available from http://www.ISO.org/. [ITIL, CobiT, AICPA, Centers for Medicare & Medicaid Services (CMS), PCI-DSS, Sedona Conference]

International Standards Organization

See International Organization for Standardization (ISO). [Network Frontiers]

International Telecommunication Union (ITU)

An international organization under the UN headquartered in Geneva concerned with telecommunications that develops international data communications standards; known as CCITT prior to March 1, 1993. See also http://www.itu.int. [Sedona Conference]

Internet

When capitalized, the term “Internet” refers to the worldwide network of networks that all use the TCP/IP communications protocol and share a common address space. It supports services such as e-mail, the World Wide Web, file transfer, and Internet Relay Chat. Also known as “the net,” “the information superhighway,” and “cyberspace.” When not capitalized, the term “internet” refers to two or more networks connected by a router. [FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), Workgroup for Electronic Data Interchange, Sedona Conference]

Internet banking

Use of the Internet as a remote delivery channel for banking services. Services include the traditional ones, such as opening an account or transferring funds to different accounts, and new banking services, such as electronic bill presentment and payment (allowing customers to receive and pay bills on a bank’s web site). [ISACA]

Internet Control Message Protocol (ICMP)

An extension to the Internet Protocol (IP) that carries error, control and informational messages. ICMP lets systems communicate information about the state of services on other systems; it is used, for example, to determine whether a host is up, the maximum packet size on a path, or whether a destination host, network or port is reachable. Attackers commonly abuse ICMP for reconnaissance of a remote site (echo requests to enumerate live hosts, for instance), which is why many perimeters filter or rate-limit it. [ISACA]

Internet Engineering Task Force (IETF)

The Internet standards setting organization with international affiliates from network industry representatives. This includes all network industry developers and researchers concerned with evolution and planned growth of the Internet. See also http://www.ietf.org for more information. [ISACA, PCI-DSS]

Internet Inter-ORB Protocol (IIOP)

A protocol developed by the Object Management Group (OMG) to implement Common Object Request Broker Architecture (CORBA) solutions over the World Wide Web. CORBA enables modules of network-based programs to communicate with one another. These modules or program parts, such as tables, arrays, and more complex program sub-elements, are referred to as objects. IIOP enables browsers and servers to exchange both simple and complex objects, which differs from HTTP, which transfers documents rather than object invocations. [ISACA]

Internet packet spoofing

An attack using packets with forged source Internet Protocol (IP) addresses. It exploits applications that authenticate peers by source IP address alone, and may enable an unauthorized user to gain root access on the target system. Ingress and egress filtering at network borders limit its reach. [ISACA]
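The countermeasure the entries on ingress filtering and packet spoofing refer to is source-address validation at the network edge (BCP 38). The following is an added example, not part of the original glossary or any vendor's filter implementation: a small policy that drops reserved source addresses, drops packets on a customer-facing interface whose source is not in that customer's assigned prefix, and drops packets arriving from the uplink that claim one of our own addresses. The interface table, the prefix assignments (RFC 5737 documentation ranges standing in for real public prefixes) and the sample packets are all constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed interface table (BCP 38 style): the source prefixes that may
# legitimately appear on each customer-facing interface. The addresses are
# RFC 5737 documentation ranges standing in for real public prefixes.
UPLINK = "uplink"
CUSTOMER_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "eth1": [ipaddress.ip_network("198.51.100.0/24")],
    "eth2": [ipaddress.ip_network("203.0.113.0/24")],
}

# Sources that must never arrive from outside: private, loopback,
# link-local, multicast and reserved space (a partial bogon list).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def ingress_decision(iface: str, src: str) -> Tuple[str, str]:
    """Return ('accept' | 'drop', reason) for a packet with source src
    arriving on iface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop", "unparseable source address"
    if addr.version != 4:
        return "drop", "only IPv4 handled in this example"
    if _in_any(addr, BOGON_PREFIXES):
        return "drop", "reserved or private source address"
    ours = [net for nets in CUSTOMER_PREFIXES.values() for net in nets]
    if iface == UPLINK:
        # Anti-spoofing at the perimeter: our own prefixes cannot be the
        # source of a packet coming in from the Internet.
        if _in_any(addr, ours):
            return "drop", "internal source address arriving from outside"
        return "accept", "external source on uplink"
    allowed = CUSTOMER_PREFIXES.get(iface)
    if allowed is None:
        return "drop", "unknown interface"
    if not _in_any(addr, allowed):
        # BCP 38: a customer may only send from the prefix assigned to it.
        return "drop", "source not assigned to this interface"
    return "accept", "source matches interface assignment"


# Constructed packets: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("eth1", "198.51.100.7", "192.0.2.10"),    # customer sending as itself
    ("eth1", "203.0.113.9", "192.0.2.10"),     # customer spoofing a neighbour
    (UPLINK, "198.51.100.7", "192.0.2.10"),    # outsider spoofing our address
    (UPLINK, "10.1.2.3", "192.0.2.10"),        # private source from the Internet
    (UPLINK, "192.0.2.44", "198.51.100.7"),    # ordinary inbound traffic
]


def filter_packets(packets) -> List[Tuple[str, str, str, str]]:
    """Apply ingress_decision to each packet: (iface, src, verdict, reason)."""
    return [(iface, src) + ingress_decision(iface, src) for iface, src, _dst in packets]


def count_dropped(packets) -> int:
    return sum(1 for row in filter_packets(packets) if row[2] == "drop")
```

Note what this filter cannot do: it stops a host from sending as an address outside its own prefix, but a host can still spoof a neighbour inside the same /24, so address-based authentication remains unsafe even on a filtered network.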

Internet Protocol (IP)

Specifies the format of packets and the addressing scheme. The standard protocol for transmission of data from source to destinations in packet switched communications networks and interconnected systems of such networks. [ISACA, Workgroup for Electronic Data Interchange, US National Information Assurance (IA) Glossary, PCI-DSS]

Internet Protocol address

Also called an IP address. In IPv4, a string of four decimal numbers (each 0 to 255) separated by periods, such as 192.0.2.10, that identifies a network interface of a host on the Internet. It is a logical address: it identifies where a host attaches to the network, not the physical location of the server holding the data, and hosts behind network address translation may share a single public address. See also TCP/IP. [Sedona Conference, VISA Glossary of Terms]

Internet Protocol security (IPsec)

An Internet Engineering Task Force (IETF) standard (RFC 4301, which superseded RFC 2401; RFC 2411 is the IPsec document roadmap) that provides security capabilities at the Internet Protocol (IP) layer: per-packet authentication and integrity, and optionally confidentiality, through the AH and ESP protocols. IPsec's key management protocol negotiates the secret keys that protect Virtual Private Network (VPN) communications and the level and type of security protections that will characterize the VPN. The most widely used key management protocol is the Internet Key Exchange (IKE) protocol. [Network Frontiers, ISACA, PCI-DSS, NIST 800 series]

Internet publishing

Specialized imaging software that allows documents to be published on the Internet. [Sedona Conference]

Internet Security Alliance (ISA)

The Internet Security Alliance was created to provide a forum for information sharing and leadership on information security issues. It represents industry's interests to legislators and regulators and aims to identify and standardize best practices in Internet security and network survivability while creating a collaborative environment to develop and implement information security solutions. The alliance is a collaborative effort between Carnegie Mellon's Software Engineering Institute (SEI), its CERT Coordination Center (CERT/CC), and the Electronic Industries Alliance (EIA), a federation of trade associations. See also http://www.sei.cmu.edu for more information. [de facto]

Internet Service Provider (ISP)

A third party that provides organizations with a variety of Internet and Internet-related services. ISPs may be a source of evidence through files (such as ISP e-mail) stored on ISP servers. See also Application Service Provider, Managed Service Provider. [ISACA, ITIL, Sedona Conference]

Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)

A networking protocol used by the Novell NetWare operating systems. Like UDP, IPX is a datagram protocol used for connectionless communications. IPX and SPX are derived from Xerox Network Services' IDP and SPP protocols. SPX is a transport layer protocol (layer 4 of the OSI Model) used in Novell Netware networks. The SPX layer sits on top of the IPX layer (layer 3 - the network layer) and provides connection-oriented services between two nodes on the network. SPX is used primarily by client/server applications. IPX and SPX both provide connection services similar to TCP/IP, with the IPX protocol having similarities to IP, and SPX having similarities to TCP. [Sedona Conference, Wikipedia]

Internetwork private line interface

Network cryptographic unit that provides secure connections, singularly or in simultaneous multiple connections, between a host and a predetermined set of corresponding hosts. [US National Information Assurance (IA) Glossary]

Interoperability

In FIPS 201, interoperability allows any Government facility or information system, regardless of the cardholder’s parent organization, to authenticate cardholder’s identity using the credentials stored on the Personal Identity Verification (PIV) card. [NIST 800 series, FIPS Pubs]

Interruption

The limiting of an asset’s availability; interruption refers mainly to services. [CERT OCTAVE, ISO/IEC 27001:2005]

Intradepartmental amounts

Activity and balances within the same department. The intradepartmental and interdepartmental amounts are subsets of intragovernmental activity and balances. See also department. [GAO/PCIE Financial Audit Manual]

Intragovernmental amounts

Activity and balances occurring within or between federal departments. [GAO/PCIE Financial Audit Manual]

Intragovernmental Payment and Collection System (IPAC)

The primary method used by most federal agencies to electronically bill and/or pay for services and supplies within the government. Used to communicate to the Treasury and the trading partner agency that the online billing and/or payment for services and supplies has occurred. [GAO/PCIE Financial Audit Manual]

Intranet

A private network that uses the infrastructure and standards of the Internet and World Wide Web but is isolated from the public Internet by firewall barriers. [ISACA]

Intrusion

Any intentional violation of the security policy of a system. Unauthorized access to logical and physical resources. [ISACA, Centers for Medicare & Medicaid Services (CMS), US National Information Assurance (IA) Glossary]

Intrusion detection

The process of monitoring the events occurring in a computer system or network and detecting signs of security problems. [ISACA]

Intrusion Detection System (IDS)

Methods to track system activities to determine if current actions are consistent with the established policies and to identify to system administrators inconsistencies that may signal unauthorized access. An intrusion detection system (IDS) inspects network activity to identify suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. [ISACA, Centers for Medicare & Medicaid Services (CMS), PCI-DSS, NIST 800 Series]

Intrusion monitoring

In vulnerability analysis, gaining information by performing checks that affect the normal operation of the system, up to and including crashing it. [ISACA]

Intrusion Prevention System (IPS)

An intrusion prevention system builds on the IDS but is deployed in-line: network traffic flows through it rather than being copied to it. Unlike an IDS, which can only alert, an IPS can block traffic that matches an intrusion signature or policy; the trade-off is that a false positive blocks legitimate traffic and the device becomes a point of failure on the path. [Network Frontiers, PCI-DSS, NIST 800 Series]
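The difference between the IDS and IPS entries is easiest to see with the same signature in both roles. The following is an added example, not part of the original glossary or of any IDS product: a port-scan signature (more than a threshold of distinct destination ports from one source within a time window) run passively over a constructed traffic sample to produce alerts, and then in-line, where the matching packet and everything after it from that source is dropped. The class and function names, thresholds and the SAMPLE_TRAFFIC records are all constructed for this example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

Packet = Tuple[float, str, str, int]  # (time in seconds, src, dst, dst_port)

# Constructed traffic sample using documentation addresses; not a real capture.
# 203.0.113.7 probes seven ports in under two seconds, then returns later.
SAMPLE_TRAFFIC: List[Packet] = [
    (0.0, "192.0.2.10", "198.51.100.5", 443),
    (0.5, "192.0.2.10", "198.51.100.5", 80),
    (1.0, "203.0.113.7", "198.51.100.5", 22),
    (1.1, "203.0.113.7", "198.51.100.5", 23),
    (1.2, "203.0.113.7", "198.51.100.5", 25),
    (1.3, "203.0.113.7", "198.51.100.5", 80),
    (1.4, "203.0.113.7", "198.51.100.5", 110),
    (1.5, "203.0.113.7", "198.51.100.5", 143),   # sixth distinct port
    (1.6, "203.0.113.7", "198.51.100.5", 443),
    (2.0, "192.0.2.10", "198.51.100.5", 443),
    (70.0, "203.0.113.7", "198.51.100.5", 8080),  # outside the window
]


class PortScanDetector:
    """Signature: more than `threshold` distinct destination ports from one
    source within `window` seconds."""

    def __init__(self, threshold: int = 5, window: float = 10.0) -> None:
        self.threshold = threshold
        self.window = window
        self._seen: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)

    def observe(self, pkt: Packet) -> bool:
        """Record the packet; True if the source now matches the signature."""
        ts, src, _dst, dport = pkt
        hist = self._seen[src]
        hist.append((ts, dport))
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()
        return len({port for _, port in hist}) > self.threshold


def run_ids(traffic: List[Packet]) -> List[Tuple[float, str]]:
    """Passive IDS on a copy of the traffic: every packet is delivered,
    matches only produce (time, source) alerts for the administrator."""
    detector = PortScanDetector()
    return [(pkt[0], pkt[1]) for pkt in traffic if detector.observe(pkt)]


def run_ips(traffic: List[Packet]) -> Tuple[List[Packet], Set[str]]:
    """In-line IPS with the same signature: the matching packet is dropped
    and the source stays blocked, so a false positive is an outage for it."""
    detector = PortScanDetector()
    blocked: Set[str] = set()
    forwarded: List[Packet] = []
    for pkt in traffic:
        src = pkt[1]
        if src in blocked:
            continue
        if detector.observe(pkt):
            blocked.add(src)
            continue
        forwarded.append(pkt)
    return forwarded, blocked
```

In the sample the IDS raises two alerts but delivers all eleven packets, including the scanner's later probe; the IPS forwards eight and silently discards the rest from the flagged source. Tuning the threshold and window is where most of the operational work lies in either mode.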

Inverse cipher

Series of transformations that converts ciphertext to plaintext using the Cipher Key. [NIST 800 series, FIPS Pubs]

Investigation

The review and analysis of system security features (e.g., the investigation of system control programs using flow charts, assembly listings, and related documentation) to determine the security provided by the operating system. [Centers for Medicare & Medicaid Services (CMS)]

Investigation, intelligence related, and security information

Information related to investigations for law enforcement purposes; intelligence-related information that cannot be classified, but is subject to confidentiality and extra security controls. Includes security plans, contingency plans, emergency operations plans, incident reports, reports of investigations, risk or vulnerability assessments certification reports; does not include general plans, policies, or requirements. [Centers for Medicare & Medicaid Services (CMS), 14 CFR Part 191.5(D)]

Investment adviser

A person or organization employed by an individual or mutual fund to manage assets or provide investment advice. [17 CFR 240.17a-3 & 4]

Investment appraisals

The activity responsible for carrying out a cost benefit analysis to justify capital expenditure for new or changed IT services. See also business case, cost effectiveness, return on investment, return on capital employed. [ITIL]

Investment company

An investment company, commonly known as a mutual fund, invests the pooled funds of retail investors for a fee. [17 CFR 240.17a-3 & 4]

Invocation

Initiation of the steps defined in a plan. For example, initiating the IT service continuity plan for one or more IT services. [ITIL, BS 25999]

IP Address

An Internet Protocol address is a numeric code that uniquely identifies a particular computer on the Internet. The IP address is analogous to a house number for ordinary postal mail. [PCI-DSS, NIST 800 Series]

IP Spoofing

See spoofing. [PCI-DSS]

Irregularities

Intentional violations of established management policy or regulatory requirements. Deliberate misstatements or omissions of information concerning the area under audit or the organization as a whole; gross negligence or unintentional illegal acts. [ISACA]

Ishikawa Diagram

See cause/effect diagram. [ITIL]

ISIS and TWAIN scanner drivers

Specialized applications used for communication between scanners and computers. [Sedona Conference]

ISO 17799

Code of practice for information security management from the International Organization for Standardization (ISO). [CobiT, ITIL]

ISO 20000

ISO specification and code of practice for IT service management. ISO/IEC 20000 is aligned with ITIL best practice and supersedes BS 15000. See also standard. [ITIL]

ISO 8583

An established standard for communication between financial systems. [PCI-DSS]

ISO 9001:2000

Code of practice for quality management from the International Organization for Standardization (ISO). ISO 9001:2000 specifies requirements for a quality management system for any organization that needs to demonstrate its ability to consistently provide product that meets customer and applicable regulatory requirements and aims to enhance customer satisfaction. [CobiT, ITIL]

ISO 9660 CD format

The International Standards Organization format for creating CD-ROMs that can be read worldwide. [Sedona Conference]

IT accounting

The process responsible for identifying actual costs of delivering IT services, comparing these with budgeted costs, and managing variance from the budget. See also charging. [ITIL]

IT accounting system

The entire set of policy, tools, and process that support IT financial management. [ITIL]

IT architecture

An integrated framework for evolving or maintaining existing IT and acquiring new IT to achieve the enterprise’s strategic and business goals. [CobiT]

IT Availability Metrics Model (ITAMM)

A model that helps to ensure all aspects of availability are considered when defining availability metrics and reports. [ITIL]

IT Compliance Institute (ITCI)

The IT Compliance Institute (ITCi) strives to be a global authority on the role of technology in business governance and regulatory compliance. Through comprehensive education, research, and analysis related to emerging government statutes and affected business and technology practices, they help organizations overcome the challenges posed by today’s regulatory environment and find new ways to turn compliance efforts into capital opportunities. See also http://www.itcinstitute.com for more information. [de facto]

IT Directorate

Senior management within a service provider, charged with developing and delivering IT services. Most commonly used in UK government departments. [ITIL]

IT governance

A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes. See also governance, corporate governance. [ISACA]

IT infrastructure

All of the hardware, software, networks, facilities, etc. that are required to develop, test, deliver, or support IT services. The term IT infrastructure includes all of the information technology but not the associated people, processes, and documentation. [ITIL]

IT Infrastructure Library (ITIL)

The UK Office of Government Commerce (OGC) IT Infrastructure Library. A set of guides on the management and provision of operational IT services. A set of best practice guidance for IT service management. ITIL is owned by the OGC and is developed in conjunction with the ITSMF. ITIL consists of a series of publications giving guidance on the provision of quality IT services, and on the processes and facilities needed to support them. See also http://www.ogc.gov.uk/index.asp?id=2261 for more information. [CobiT, ITIL]

IT investment dashboard

Charting of costs and returns of IT-enabled investment projects in terms of business values for an enterprise. [CobiT]

IT operations

The process responsible for the day-to-day monitoring and management of one or more IT services and the IT infrastructure they depend on. The term IT operations is also used to refer to the group or department within an IT service provider responsible for IT operations. See also operations bridge, event management. [ITIL]

IT policy

The “documentation of IT security decisions” in an organization. There are three basic types: 1) Program Policy—high-level policy used to create an organization’s IT program, define its scope within the organization, assign implementation responsibilities, establish strategic direction, and assign resources for implementation. 2) Issue-Specific Policies—address specific issues of concern to the organization, such as contingency planning, the use of a particular methodology for systems risk management, and implementation of new regulations or law. These policies are likely to require more frequent revision as changes in technology and related factors take place. 3) System-Specific Policies—address individual systems, such as establishing an access control list or training users as to what system actions are permitted. These policies may vary from system to system within the same organization. In addition, policy may refer to entirely different matters, such as the specific managerial decisions setting an organization’s electronic mail (e-mail) policy or fax security policy. [NIST 800 series]

IT security architecture

A description of security principles and an overall approach for complying with the principles that drive the system design; i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments. [NIST 800 series]

IT security awareness

IT Security Awareness [NIST 800 series]

IT security awareness and training program

Explains proper rules of behavior for the use of agency IT systems and information. The program communicates IT security policies and procedures that need to be followed. [NIST 800 series]

IT security education

IT Security Education seeks to integrate all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and pro-active response. [NIST 800 series]

IT security goal

The five security goals are confidentiality, availability, integrity, accountability, and assurance. See also security goal. [NIST 800 series]

IT security investment

An IT application or system that is solely devoted to security. For instance, intrusion detection systems (IDS) and public key infrastructure (PKI) are examples of IT security investments. [NIST 800 series]

IT security metrics

Metrics based on IT security performance goals and objectives. [NIST 800 series]

IT security training

IT Security Training strives to produce relevant and needed security skills and competencies by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing). The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues. The skills acquired during training are built upon the awareness foundation, in particular, upon the security basics and literacy material. [NIST 800 series]

IT service

A service provided to one or more customers by an IT service provider. An IT service is based on the use of information technology and supports the customer’s business processes. An IT service is made up from a combination of people, processes, and technology and should be defined in a service level agreement. [ITIL]

IT Service Continuity Management (ITSCM)

The process responsible for managing risks that could seriously impact IT services. ITSCM ensures that the IT service provider can always provide minimum agreed service levels, by reducing the risk to an acceptable level and planning for the recovery of IT services. ITSCM should be designed to support business continuity management and should be a part of the systems continuity plan. [ITIL, Network Frontiers]

IT service continuity plan

A plan defining the steps required to recover one or more IT services. The plan will also identify the triggers for invocation, people to be involved, communications etc. The IT service continuity plan should be part of a business continuity plan and the systems continuity plan. [ITIL, Network Frontiers]

IT Service Management (ITSM)

The implementation and management of quality IT services that meet the needs of the business. IT service management is performed by IT service providers through an appropriate mix of people, process, and information technology. [ITIL]

IT Service Management Forum (ITSMF)

The IT service management forum is an independent organization dedicated to promoting a professional approach to IT service management. The ITSMF is a not-for-profit membership organization with representation in many countries around the world (ITSMF chapters). The ITSMF and its membership contribute to the development of ITIL and associated IT service management standards. See also http://www.itsmf.com/ for more information. [ITIL]

IT service provider

A service provider that provides IT services to internal customers or external customers. [ITIL]

IT steering group

A formal group that is responsible for ensuring that business and IT service provider strategies and plans are closely aligned. An IT steering group includes senior representatives from the business and the IT service provider. [ITIL]

IT strategic plan

A long-term plan, i.e., three- to five-year horizon, in which business and IT management co-operatively describe how IT resources will contribute to the enterprise’s strategic objectives (goals). [CobiT]

IT strategy committee

Committee at the level of the board of directors to ensure the board is involved in major IT matters/decisions. [CobiT]

IT tactical plan

A medium-term plan, i.e., six- to eighteen-month horizon, that translates the IT strategic plan direction into required initiatives, resource requirements, and ways in which resources and benefits will be monitored and managed. [CobiT]

IT-related risk

The net mission/business impact (probability of occurrence combined with impact) from a particular threat source exploiting or triggering a particular information technology vulnerability. IT-related risks arise from legal liability or mission/business loss due to: 1. Unauthorized (malicious, non-malicious, or accidental) disclosure, modification, or destruction of information. 2. Non-malicious errors and omissions. 3. IT disruptions due to natural or man-made disasters. 4. Failure to exercise due care and diligence in the implementation and operation of the IT. See also risk. [NIST 800 series]

ITIL Certification Management Board (ICMB)

The body responsible for the maintenance and ongoing development of the ITIL qualification scheme. See also http://www.ITIL.co.uk/ICMB.htm for further information. [ITIL]


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.