R

RACI chart

Illustrates who is responsible, accountable, consulted, and informed within a standard organizational framework. See also RACI model. [CobiT]

RACI model

The RACI model is a relatively straightforward tool that can be used for identifying roles and responsibilities during an organizational change process. After all, transformation processes do not process themselves; people have to “do” something to make the processes happen. Therefore, it is useful to describe what should be done by whom to make a transformation process happen. R = Responsible - owns the problem/project. A = to whom “R” is Accountable - who must sign off (Approve) on work before it is effective. C = to be Consulted - has information and/or capability necessary to complete the work. I = to be Informed - must be notified of results, but need not be consulted. Typical steps in a RACI process: 1) Identify all of the processes/activities involved and list them down the left-hand side of the chart. 2) Identify all of the roles and list them along the top of the chart. 3) Complete the cells of the chart: identify who has the R, A, C, I for each process. 4) As a general principle, every process should preferably have one and only one “R”. A gap occurs when a process exists with no “R” (no role is responsible); an overlap occurs when multiple roles have an “R” for a given process. 5) Resolve overlaps. Every process in a role responsibility map should contain one and only one “R” to indicate a unique process owner. In the case of multiple “R”s, there is a need to “zoom in” and further detail the sub-processes associated with “obtain resource commitment” to separate the individual responsibilities. 6) Resolve gaps. The simpler case to address is the resolution of a gap. Where no role is identified that is “responsible” for a process, the individual with the authority for role definition must determine which existing role is responsible or which new role is required, update the RACI map, and clarify this with the individual(s) that assume that role. [Network Frontiers]

RACI Model and RACI chart (RACI)

See RACI chart, RACI model. [Network Frontiers]

Random Access Memory (RAM)

Hardware inside a computer that retains memory on a short-term basis and stores information while the computer is in use. It is the “working memory” of the computer into which the operating system, startup applications and drivers are loaded when a computer is turned on, or where a program subsequently started up is loaded, and where thereafter these applications are executed. RAM can be read or written in any section with one instruction sequence. It helps to have more of this “working space” installed when running advanced operating systems and applications. RAM content is erased each time a computer is turned off. See also Dynamic Random Access Memory (DRAM). [ISACA, Sedona Conference]

Random Number Generator (RNG)

A process used to generate an unpredictable series of numbers. Each individual value is called random if each of the values in the total population of values has an equal probability of being selected. Random Number Generators (RNGs) used for cryptographic applications typically produce a sequence of zero and one bits that may be combined into sub-sequences or blocks of random numbers. There are two basic classes: deterministic and nondeterministic. A deterministic RNG consists of an algorithm that produces a sequence of bits from an initial value called a seed. A nondeterministic RNG produces output that is dependent on some unpredictable physical source that is outside human control. [NIST 800 series, FIPS Pubs]

Random sample

A sample selected so that every combination of the same number of items in the population has an equal chance of selection. A random sample should be selected by using computer software or a random number table. A systematic sample with a random start, although not technically meeting the definition, may generally be evaluated as if it were a random sample. [GAO/PCIE Financial Audit Manual]

Randomizer

Analog or digital source of unpredictable, unbiased, and usually independent bits. Randomizers can be used for several different functions, including key generation or to provide a starting state for a key generator. [US National Information Assurance (IA) Glossary]

Range check

Range checks ensure that data fall within a predetermined range. See also limit check. [ISACA]

Rapid Application Development (RAD)

A methodology that enables organizations to develop strategically important systems faster, while reducing development costs and maintaining quality through the use of a series of proven application development techniques within a well-defined methodology. [ISACA]

Raster/Rasterized

A method of representing an image with a grid (or “map”) of dots. Typical raster file formats are GIF, JPEG, TIFF, PCX, BMP, etc. [Sedona Conference]

Re-keying

To change the value of a cryptographic key that is being used in a cryptographic system application; this normally entails issuing a new certificate on the new public key. [PCI-DSS, NIST 800 Series]

Read

Fundamental operation in an information system that results only in the flow of information from an object to a subject. [US National Information Assurance (IA) Glossary]

Read access

This level of access provides the ability to look at and copy data or a software program. [FISCAM, Centers for Medicare & Medicaid Services (CMS), US National Information Assurance (IA) Glossary]

Read Only Memory (ROM)

Random-access memory which can be read but not written or changed. Also, hardware, usually a chip, within a computer containing programming necessary for starting up the computer, and essential system programs that neither the user nor the computer can alter or erase. Information in the computer’s ROM is permanently maintained even when the computer is turned off. [Sedona Conference]

Real charging

A charging policy where actual money is transferred from the customer to the IT service provider in payment for the delivery of IT services. See also notional charging. [ITIL]

Real time reaction

Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access. [US National Information Assurance (IA) Glossary]

Real-time analysis

Analysis that is performed on a continuous basis, with results gained in time to alter the run-time system. [ISACA]

Real-time processing

An interactive online system capability that immediately updates computer files when transactions are initiated through a terminal. [ISACA]

Real-time system

A computer and/or a software system that reacts to events before they become obsolete. This type of system is generally interactive and updates files as transactions are processed. [FISCAM, Centers for Medicare & Medicaid Services (CMS)]

Realm

A community location of which you are a part, usually identified by a server address, which enables you to receive and send secure e-mail. [Workgroup for Electronic Data Interchange]

Reasonable assurance

A level of comfort short of a guarantee but considered adequate given the costs of the control and the likely benefits achieved. [ISACA]

Reasonableness check

Compares data to predefined reasonability limits or occurrence rates established for the data. [ISACA]

Reasonably possible

The chance of the future event or events occurring is more than remote but less than probable. [GAO/PCIE Financial Audit Manual]

Reassessment

The continuity of information systems should be reassessed periodically as information systems and the requirements for their continuity vary over time. [NIST 800 series, ISO/IEC 27001:2005]

Reassessment principle

Participants should review and reassess the security of information systems and networks and make appropriate modifications to security policies, practices, measures, and procedures. [OECD Guidelines for the Security of Information Systems and Networks]

Receiving agency

The agency receiving services, products, goods, transfer funds, purchasing investments, and/or borrowing from Treasury (or other agency). This includes bureaus, departments, and/or programs within agencies. The receiving agency is the purchaser. The receiving agency is the agency receiving transfers of funds (transfers in) when appropriations are transferred without the exchange of goods or services. [GAO/PCIE Financial Audit Manual]

Recipient usage period

The period of time during the cryptoperiod of a symmetric key when protected information is processed. The recipient usage period of the key is usually identical to the cryptoperiod of that key. [NIST 800 series]

Reciprocal accounts

Corresponding SGL accounts that should be used by a providing and receiving agency to record like intragovernmental transactions. For example, the providing entity’s accounts receivable would normally be reconciled to the reciprocal account, accounts payable, on the receiving entity’s records. [GAO/PCIE Financial Audit Manual]

Reciprocal agreement

Emergency processing agreements between two or more organizations with similar equipment or applications. Typically, participants promise to provide processing time to each other when an emergency arises. [ISACA, ITIL, PAS 56]

Reciprocal work area

Work space provided by one organization for use by another in the event of a business continuity incident, by way of a reciprocal agreement. [PAS 56]

Record

With regard to databases, a record is a unit of related data fields: the group of data fields that can be accessed by a program containing the complete set of information on a particular item. A record is also information, regardless of medium, detailing business transactions and maintained as evidence and information in pursuance of legal obligations. In general compliance terms, it is information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business. Records include all books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an organization of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that organization or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the Government or because of the informational value of data in them. See also regulated data. A record is not necessarily the same as a document. All documents are potential records, but not vice versa. A record is essential for the business; documents are containers of “working information.” Records are documents with evidentiary value. [Title 44 Section 3301 of Chapter 33, USC, "Definition of records", ISO 15489, DIRKS, FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, FIPS Pubs, ITIL, Sedona Conference, NIST 800 Series]

Record Custodian

A records custodian is an individual responsible for the physical storage and protection of records throughout their retention period. In the context of electronic records, custodianship may not be a direct part of the records management function in all organizations. For example, some organizations may place this responsibility within their Information Technology Department, or they may assign responsibility for retaining and preserving records to individual employees. [Sedona Conference]

Record lifecycle

The period of time beginning with a record’s creation and ending with appropriate disposition per NARA requirements. [Title 44 Section 2901 of Chapter 29, USC, "Definitions", Sedona Conference]

Record Owner

The records owner is the subject matter expert on the contents of the record and is responsible for the lifecycle management of the record. This may be, but is not necessarily, the author of the record. [Sedona Conference]

Record series

A description of a particular set of records within a file plan. Each category has retention and disposition data associated with it, applied to all record folders and records within the category. [DOD 5015.2-STD: June 2002, Sedona Conference]

Record Submitter

The Record Submitter is the person who enters a record in an application or system. This may be, but is not necessarily, the author or the record owner. [Sedona Conference]

Record Version

A particular form or variation of an earlier or original record. For electronic records the variations may include changes to file format, metadata or content. [Sedona Conference]

Record, screen, and report layouts

Record layouts provide information regarding the type of record, its size and the type of data contained in the record. Screen and report layouts describe what information is provided and necessary for input. [ISACA]

Recorded amount

The financial statement amount being tested by the auditor in the specific application of substantive tests. [GAO/PCIE Financial Audit Manual]

Recordkeeping

Making and maintaining complete, accurate and reliable evidence of business transactions in the form of recorded information. Recordkeeping includes the following: 1) the creation of records in the course of business activity and the means to ensure the creation of adequate records; 2) the design, establishment, and operation of recordkeeping systems; and 3) the management of records used in business (traditionally regarded as the domain of records management) and as archives (traditionally regarded as the domain of archives administration). [DIRKS]

Recordkeeping metadata

Structured or semi-structured information which enables the creation, management, and use of records through time and across domains. Recordkeeping metadata can identify, authenticate, and contextualize records and the people, processes, and systems that create, manage, and use them. [DIRKS]

Recordkeeping requirements

Identified needs for evidence arising from various internal and/or external sources that may be satisfied through appropriate recordkeeping action (such as creation, capture, maintenance, preservation, and access). The sources include legislative and other regulatory sources, industry codes of best practice, broader government interests, external clients or stakeholders, and the general public. An umbrella term that covers identified requirements and prioritized requirements. [DIRKS]

Recordkeeping systems

Recordkeeping systems contain information which is linked to the activities that they document. Their purpose is to capture, maintain and provide access to evidence over time, as required by the jurisdiction in which they are implemented and in accordance with common business practices. Recordkeeping systems include: 1) both records practitioners and records users; 2) a set of authorized policies, assigned responsibilities, delegations of authority, procedures, and practices; policy statements, procedures manuals, user guidelines, and other documents which are used to authorize and promulgate the policies, procedures, and practices; 3) the records themselves; 4) specialized information and records systems used to control the records; and 5) software, hardware and other equipment, and stationery. Recordkeeping systems may be distinguished from other types of information systems by the fact that they are organized to accomplish the specific functions of creating, storing, and accessing records for evidential purposes. [DIRKS]

Records and Information Management (RIM)

[Sedona Conference]

Records continuum

The whole extent of a record’s existence. Refers to a consistent and coherent regime of management processes from the time of the creation of records (and before creation, in the design of recordkeeping systems) through to the preservation and use of records as archives. [DIRKS]

Records hold

See Legal hold. [Sedona Conference]

Records Management (RM)

The field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records. Also, the policies and procedures that are to apply during a record’s lifecycle. Records management enables an organization to assign a specific life cycle to individual pieces of information from creation, receipt, maintenance, and use to the ultimate disposition of records. [AIIM, DOD 5015.2-STD: June 2002, ISO 15489, DIRKS, Sedona Conference]

Records Manager

The records manager is responsible for the implementation of a records management program in keeping with the policies and procedures that govern that program, including the identification, classification, handling and disposition of the organization’s records throughout their retention life. The physical storage and protection of records may be a component of this individual’s functions, but it may also be delegated to someone else. See also Records Custodian. [Sedona Conference]

Records retention period

The length of time a given records series must be kept, expressed as either a time period (e.g., four years), an event or action (e.g., audit), or a combination (e.g., six months after audit). [Sedona Conference]

Records Retention Schedule

A plan for the management of records listing types of records and how long they should be kept; the purpose is to provide continuing authority to dispose of or transfer records to historical archives. [Sedona Conference]

Records store

See Repository for electronic records. [Sedona Conference]

Records system

The information system which captures, manages and provides access to records through time. [ISO 15489, DIRKS]

Recovery

Returning a configuration item or an IT service to a working state. Recovery of an IT service often includes recovering data to a known consistent state. After recovery, further steps may be needed before the IT service can be made available to the users (restoration). See also restore. [ITIL, Sedona Conference]

Recovery center

Third-party provision of a shared fixed facility for use in recovery. See also recovery options. [ITIL]

Recovery option

A strategy for responding to an interruption to service. Commonly used strategies are do nothing, manual workaround, reciprocal agreement, gradual recovery, intermediate recovery, immediate recovery. Recovery options may make use of dedicated facilities, or third party facilities shared by multiple businesses. [ITIL]

Recovery Point Objective (RPO)

The point in time to which data is restored, which may include the loss of data. For example, if a backup is performed at midnight, and the data is used to restore the system the next day right before happy hour, any information added, deleted, or changed between midnight and the point of recovery will be lost. Recovery point objectives for each IT service should be negotiated, agreed and documented. See also Business Impact Analysis. [ISACA, ITIL, PAS 56]

Recovery procedure

Actions necessary to restore data files of an IS and computational capability after a system failure. [Centers for Medicare & Medicaid Services (CMS)]

Recovery procedures

Actions necessary to restore data files of an information system and computational capability after a system failure. [US National Information Assurance (IA) Glossary]

Recovery testing

A test to check the system’s ability to recover after a software or hardware failure. [ISACA]

Recovery Time Objective (RTO)

The maximum time it takes to restore a system using backup data after the primary data has been corrupted or lost. The service level to be provided may be less than normal service level targets. Recovery Time Objectives for each IT service should be negotiated, agreed and documented. See also Business Impact Analysis, Recovery Point Objective. [ISACA, ITIL, PAS 56, BS 25999]

RED

Designation applied to an information system, and associated areas, circuits, components, and equipment in which unencrypted national security information is being processed. [US National Information Assurance (IA) Glossary]

RED signal

Any electronic emission (e.g., plain text, key, key stream, subkey stream, initial fill, or control signal) that would divulge national security information if recovered. [US National Information Assurance (IA) Glossary]

Red team

Interdisciplinary group of individuals authorized to conduct an independent and focused threat-based effort as a simulated adversary to expose and exploit system vulnerabilities for the purpose of improving the security posture of information systems. [US National Information Assurance (IA) Glossary]

Red, Green, Blue (RGB)

The three primary colors in the additive color family which create all the computer color video signals for a computer’s color terminal. [Sedona Conference]

RED/BLACK concept

Separation of electrical and electronic circuits, components, equipment, and systems that handle national security information (RED), in electrical form, from those that handle non-national security information (BLACK) in the same form. [US National Information Assurance (IA) Glossary]

Redaction

A portion of an image or document is intentionally concealed to prevent disclosure of specific portions. Often done to avoid production of privileged or irrelevant materials. [Sedona Conference]

Redo logs

Files maintained by a system, primarily a database management system, for the purpose of reapplying changes following an error or outage recovery. [ISACA]

Redundancy

The term redundant also has a generic meaning of obsolete, or no longer needed. See also fault tolerance. [ITIL]

Redundancy check

Detects transmission errors by appending calculated bits onto the end of each segment of data. [ISACA]

Redundant Array of Independent Disks (RAID)

A method of storing data on servers that usually combines multiple hard drives into one logical unit, thereby increasing capacity, reliability and backup capability. RAID systems may vary in levels of redundancy, with no redundancy being a single, non-mirrored disk as level 0, two disks that mirror each other as level 1, on up, with level 5 being one of the most common. RAID systems are more complicated to copy and restore. [Sedona Conference]

Reengineering

A process involving the extraction of components from existing systems and restructuring these components to develop new systems or to enhance the efficiency of existing systems. Existing software systems thus can be modernized to prolong their functionality. An example of this is a software code translator that can take an existing hierarchical database system and transpose it to a relational database system. CASE includes a source code reengineering feature. [ISACA]

Reference monitor

The security engineering term for IT functionality that 1) controls all access, 2) cannot be by-passed, 3) is tamper-resistant, and 4) provides confidence that the other three items are true. [NIST 800 series, US National Information Assurance (IA) Glossary]

Refresh rate

The number of times per second a display (such as on a CRT or TV) is updated. [Sedona Conference]

Region (of an image)

An area of an image file that is selected for specialized processing. Also called a “zone.” [Sedona Conference]

Registered Certification Body (RCB)

An organization that has been accredited to perform certification against a published standard such as ISO/IEC 17799 or ISO/IEC 20000. [ITIL]

Registration

1) The act of giving a record a unique identity in a recordkeeping system. The purpose of registration is to provide evidence that a record has been created or captured in a recordkeeping system. It involves recording brief descriptive information about the record in a register and assigning the record a unique identifier. Registration should link the record to descriptive information about the context of the record and to other related records. In imaging, lining up a forms image to determine which fields are where. 2) Entering pages into a scanner such that they are correctly read. 3) The process through which a party applies to become a subscriber of a Credentials Service Provider (CSP) and a Registration Authority validates the identity of that party on behalf of the CSP. [ISO 15489, DIRKS, Sedona Conference, NIST 800 Series]

Registration Authority (RA)

An organization responsible for identifying individuals and requesting certificates from a certificate authority. An entity that may be given responsibility for performing some of the administrative tasks necessary in the registration of subjects, such as confirming the subject’s identity, validating that the subject is entitled to have the attributes requested in a certificate and verifying that the subject has possession of the private key associated with the public key requested for a certificate. [Centers for Medicare & Medicaid Services (CMS), ISACA, NIST 800 Series, FIPS Pubs]

Regression testing

Selective retesting to detect faults introduced during modification of a system. Used to retest earlier program abends or logical errors that occurred during the initial testing phase. [FISCAM, ISACA]

Regulated data

This is electronic information, whether in the form of e-mail, an instant message, a database or database record, or individual files, that has been deemed by a law, regulation, or enforceable standard to fall within regulatory classifications. For Sarbanes-Oxley, regulated data is all data dealing with financial reporting. Healthcare and life sciences regulators use the term electronic protected health information. The payment card industry uses the term confidential information or personal information. US state and federal laws and regulations, as well as international laws and regulations, use the terms confidential or personal information. See also electronic Protected Health Information (ePHI), electronic record, confidential information. [Sarbanes-Oxley, Basel II, 21 CFR Part 11, HIPAA, PCI-DSS, US Federal, State, and International laws and regulations]

Regulated organization

These are the organizations that have been targeted for regulatory compliance. See also covered organization, broker-dealer, transfer agent, transfer advisor, investment company, healthcare clearinghouse, healthcare provider, health plan, provider. [17 CFR 240.17a-4, HIPAA]

Regulation

To regulate is to bring under the force of law or a governing authority. Everyone in his or her own country falls within the realm of their national, regional, and local laws. Hence, traditional regulators are those within the levels of government just mentioned. When governmental agencies create their Acts, they are codifying legal documents that resulted from deliberations of their legislative bodies. Those Acts are then documented as regulations, such as the Code of Federal Regulations that we have in the United States. [de facto]

Regulatory value

Regulatory value is the measurement of an asset’s worth from a regulatory perspective. This includes all legal requirements such as record retention, fines, penalties, legal counsel, and other direct costs for noncompliance. [Network Frontiers]

Reimbursement activity

In intragovernmental activity, similar to goods or services except the amounts billed to the receiving entity by the providing entity are based on actual costs incurred instead of on fees. [GAO/PCIE Financial Audit Manual]

Related parties

Affiliates, management of the entity, their immediate families, and other parties the entity deals with if one party controls or can significantly influence the management or operating policies of the other to an extent that one of the parties might be prevented from fully pursuing its own separate interests. [GAO/PCIE Financial Audit Manual]

Relationship

A connection or interaction between two people or things. In business relationship management it is the interaction between the IT service provider and the business. In configuration management it is a link between two configuration items that identifies a dependency or connection between them. For example, applications may be linked to the servers they run on, IT services have many links to all the CIs that contribute to that IT service. [ITIL]

Relationship process

The ISO/IEC 20000 process group that includes business relationship management and supplier management. [ITIL]

Relative path

An implied path. [Sedona Conference]

Release

A collection of hardware, software, documentation, processes or other components required to implement one or more approved changes to IT services. The contents of each release are managed, tested, and deployed as a single entity. See also full release, delta release, package release, release identification. [ITIL]

Release acceptance

The activity responsible for testing a release, and its implementation and back-out plans to ensure they meet the agreed business and IT operations requirements. [ITIL]

Release identification

A naming convention used to uniquely identify a release. The release identification typically includes a reference to the configuration item and a version number. For example, Microsoft Office 2003 SR2. [ITIL]

Release management

The process responsible for planning, scheduling and controlling the movement of releases to test and live environments. The primary objective of release management is to ensure that the integrity of the live environment is protected and that the correct components are released. Release management works closely with configuration management and change management. [ITIL]

Release mechanism

The methodology for deploying a release to its target environment. A release mechanism may include hardware and software tools as well as procedures. [ITIL]

Release prefix

Prefix appended to the short title of U.S.-produced keying material to indicate its foreign releasability. "A" designates material that is releasable to specific allied nations and "U.S." designates material intended exclusively for U.S. use. [US National Information Assurance (IA) Glossary]

Release process

The name used by ISO/IEC 20000 for the process group that includes release management. This group does not include any other processes. [ISO/IEC 27001:2005, ITIL]

Release record

A record in the CMDB that defines the content of a release. A release record has relationships with all configuration items that are affected by the release. [ITIL]

Release type

A category that is used to classify releases. A release type may be one of full, delta, or package release. [ITIL]

Release unit

Components of an IT service that are normally released together. A release unit typically includes sufficient components to perform a useful function. For example, one release unit could be a desktop PC, including hardware, software, licenses, documentation, etc.; a different release unit may be the complete payroll application including IT operations procedures and user training. See also release type. [ITIL]

Relevant audit evidence

Audit evidence is relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support. [ISACA]

Reliability

The capability of hardware or software to perform as the user expects and to do so consistently without failures or erratic behavior. A measure of how long a configuration item or IT service can perform its agreed function without interruption. Usually measured as MTBF or MTBSI. See also availability. [FISCAM, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ITIL]

Reliability of information

This relates to the provision of appropriate information for management to operate the organization and for management to exercise its financial and compliance reporting responsibilities. [CobiT]

Reliable audit evidence

Audit evidence is reliable if, in the IS auditor’s opinion, it is valid, factual, objective and supportable. [ISACA]

Relying party

An entity that relies upon the subscriber’s credentials, typically to process a transaction or grant access to information or a system. [NIST 800 series]

Remanence

Residual information remaining on storage media after clearing. See also magnetic remanence and clearing. [US National Information Assurance (IA) Glossary]

Remediation

The act of correcting a vulnerability or eliminating a threat. Three possible types of remediation are installing a patch, adjusting configuration settings, or uninstalling a software application. [NIST 800 series]

Remediation plan

A plan to perform the remediation of one or more threats or vulnerabilities facing an organization’s systems. The plan typically includes options to remove threats and vulnerabilities and priorities for performing the remediation. [NIST 800 series]

Remote

The chance of the future event or events occurring is slight. [GAO/PCIE Financial Audit Manual]

Remote access

The process of communicating with a computer located in another place over a communications link. For example, using a computer, a modem, and some remote access software to connect to a network from a distant location. [FISCAM, Centers for Medicare & Medicaid Services (CMS), US National Information Assurance (IA) Glossary, Sedona Conference, NIST 800 Series]

Remote Authentication Dial-In User Service (RADIUS)

A type of service providing an authentication and accounting system often used for dial-up and remote access security. [ISACA, PCI-DSS]

Remote Job Entry (RJE)

With respect to computer systems with locations geographically separate from the main computer center, submitting batch processing jobs via a data communications link. The transmission of Job Control Language (JCL) and batches of transactions from a remote terminal location. [FISCAM, ISACA]

Remote logon

The act of gaining access to a machine across a network from a distant location through normal authentication methods. Generally, this implies a computer, a modem, and some remote access software to connect to the network. [Centers for Medicare & Medicaid Services (CMS)]

Remote maintenance

Maintenance activities conducted by individuals communicating external to an information system security perimeter. [NIST 800 series]

Remote Procedure Calls (RPC)

The traditional Internet service protocol widely used for many years on UNIX-based operating systems and supported by the Internet Engineering Task Force (IETF) that allows a program on one computer to execute a program on another (e.g., server). The primary benefit derived from its use is that a system developer need not develop specific procedures for the targeted computer system. For example, in a client-server arrangement, the client program sends a message to the server with appropriate arguments, and the server returns a message containing the results of the program executed. See also CORBA and DCOM, as two newer object-oriented methods for related RPC functionality. [ISACA]

Remote rekeying

Procedure by which a distant crypto-equipment is rekeyed electrically. See also automatic remote rekeying and manual remote rekeying. [US National Information Assurance (IA) Glossary]

Remote VPN user

A user connecting to your network from another location via a VPN (virtual private network) or private, encrypted channel through the Internet. [Network Frontiers]

Render images

To take a native format electronic file and convert it to an image that appears as the original format file as if printed to paper. [Sedona Conference]

Renew (a certificate)

The act or process of extending the validity of the data binding asserted by a public key certificate by issuing a new certificate. [NIST 800 series]

Repair

The replacement or correction of a failed configuration item. Often measured as Mean Time To Repair (MTTR). See also maintainability, recovery, restoration of service. [ITIL]

Repair action

NSA-approved change to a COMSEC end-item that does not affect the original characteristics of the end-item and is provided for optional application by holders. Repair actions are limited to minor electrical and/or mechanical improvements to enhance operation, maintenance, or reliability. They do not require an identification label, marking, or control but must be fully documented by changes to the maintenance manual. [US National Information Assurance (IA) Glossary]

Report

Formatted output of a system providing specific information. [Sedona Conference]

Report writer software

Software that allows access to data to produce customized reports. [FISCAM]

Reportable condition

Reportable conditions include matters coming to the auditor’s attention that, in the auditor’s judgment, should be communicated because they represent significant deficiencies in the design or operation of internal controls which could adversely affect the entity’s ability to meet its internal control objectives. [FISCAM]

Repository

The central database that stores and organizes data. A database containing information and data relating to certificates as specified in a CP; may also be referred to as a directory. [ISACA, NIST 800 Series]

Repository for Electronic Records

Repository for Electronic Records is a direct access device on which the electronic records and associated metadata are stored. (DoD 5015) Sometimes called a “records store” or “records archive.” [Sedona Conference]

Representment

A chargeback that is rejected and returned to a card issuer by a merchant bank on the merchant's behalf. A chargeback may be re-presented, or redeposited, if the merchant or merchant bank can remedy the problem that led to the chargeback. [VISA Glossary of Terms]

Repudiation

The denial by one of the parties to a transaction of participation in all or part of that transaction, or of the content of communications related to that transaction. [ISACA]

Reputational risk

The current and prospective effect on earnings and capital arising from negative public opinion. This affects the bank’s ability to establish new relationships or services or continue servicing existing relationships. Reputation risk may expose the bank to litigation, financial loss, or a decline in its customer base. A bank’s reputation can be damaged by Internet banking services that are poorly executed or otherwise alienate customers and the public. An Internet bank has a greater reputation risk as compared to a traditional brick-and-mortar bank since it is easier for its customers to leave and go to a different Internet bank and since it cannot discuss any problems with the customer in person. [ISACA]

Request For Change (RFC)

A formal proposal for a change to be made. An RFC includes details of the proposed change and may be recorded on paper or electronically. The term RFC is often misused to mean a change record or the change itself. [ITIL]

Request For Comments (RFC)

A document that has been approved by the IETF becomes an RFC and is assigned a unique number once published. If it gains enough interest, it may evolve into an Internet standard. [ISACA, PCI-DSS]

Request For Proposal (RFP)

A document distributed to software vendors requesting them to submit a proposal to develop or provide a software product. [ISACA]

Required Supplementary Information (RSI)

[GAO/PCIE Financial Audit Manual]

Required Supplementary Stewardship Information (RSSI)

[GAO/PCIE Financial Audit Manual]

Requirement

A formal statement of what is needed. For example, a service level requirement, a project requirement, or the required deliverables for a process. See also statement of requirements. [ITIL]

Requirements definition

A phase of an SDLC methodology where the affected user groups define the requirements of the system for meeting the defined needs. [ISACA]

Reserve keying material

Key held to satisfy unplanned needs. See also contingency key. [US National Information Assurance (IA) Glossary]

Residual data

Residual Data (sometimes referred to as “Ambient Data”) refers to data that is not active on a computer system. Residual data includes (1) data found on media free space; (2) data found in file slack space; and (3) data within files that has functionally been deleted in that it is not visible using the application with which the file was created, without use of undelete or special data recovery techniques. May contain copies of deleted files, Internet files and file fragments. [Sedona Conference]

Residual risk

The risk that remains associated with an event once the controls in place to reduce the effect or likelihood of that event have been taken into account. The remaining qualitative or quantitative substantiation of potential risk or loss after all mitigating controls are applied. There is a residual risk associated with each threat. [NIST 800 series, ISACA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ISO/IEC Guide 73:2002, US National Information Assurance (IA) Glossary, PAS 56]

Residue

Data left in storage after information processing operations are complete, but before degaussing or overwriting has taken place. [US National Information Assurance (IA) Glossary]

Resilience

The ability of a system or network to recover automatically or at least very quickly from any disruption, usually with minimal recognizable effect. For example, an armored cable will resist failure when put under stress. See also fault tolerance. [CobiT, ITIL, PAS 56, BS 25999]

Resiliency measure

Activity or facility put in place to absorb the impact of an interruption, disruption or loss and to continue to provide a minimum acceptable level of service. [PAS 56]

Resolution

An action taken to repair the root cause of an incident or problem or to implement a workaround. In ISO/IEC 20000, resolution process is the process group that includes incident and problem management. See also workaround. In regards to images and imaging, see DPI. [ISO/IEC 27001:2005, ITIL, Sedona Conference]

Resolution process

The ISO/IEC 20000 process group that includes incident management and problem management. [ISO/IEC 27001:2005, ITIL]

Resource

Any function, device or collection of data in an organization that can be allocated for use by users or programs. Something that is needed to support computer operations including hardware, software, data, telecommunications services, computer supplies such as paper stock and preprinted forms, and other resources such as people, office facilities, and non-computerized records. See also asset. [FISCAM, Centers for Medicare & Medicaid Services (CMS), ITIL]

Resource Access Control Facility (RACF)

An access control software package developed by IBM. [FISCAM]

Resource Capacity Management (RCM)

The process responsible for understanding the capacity, utilization, and performance of configuration items. Data is collected, recorded and analyzed for use in the capacity plan. See also service capacity management. [ITIL]

Resource encapsulation

Method by which the reference monitor mediates accesses to an information system resource. The resource is protected and not directly accessible by a subject. Satisfies the requirement for accurate auditing of resource usage. [US National Information Assurance (IA) Glossary]

Resource Owner

See owner. [FISCAM, Centers for Medicare & Medicaid Services (CMS)]

Resource recovery solution

Plan of action that identifies the specific resource required to carry out recovery actions. [PAS 56]

Responder

The entity that responds to the initiator of the authentication exchange. [NIST 800 series, FIPS Pubs]

Response

Action taken to address an incident in order to assess the level of containment and control activity required. [PAS 56]

Response principle

Participants should act in a timely and cooperative manner to prevent, detect, and respond to security incidents. [OECD Guidelines for the Security of Information Systems and Networks]

Response time

A measure of the time taken to complete an operation or transaction. Used in capacity management as a measure of IT infrastructure performance and in incident management as a measure of the time taken to answer the phone or to start diagnosis. [ITIL]

Responsibility

Responsibility is a broad term that defines obligations and expected behavior. It implies a proactive stance on the part of the responsible party and a causal relationship between the responsible party and a given outcome. [NIST 800 series, CobiT]

Responsibility principle

All participants are responsible for the security of information systems and networks. [OECD Guidelines for the Security of Information Systems and Networks]

Responsibility segment

In cost accounting, a significant organizational, operational, functional, or process component that has the following characteristics: 1) its manager reports to the entity’s top management, 2) it is responsible for carrying out a mission, performing a line of activities or services, or producing one or a group of products, and 3) for financial reporting and cost management purposes, its resources and results of operations can be clearly distinguished, physically and operationally, from those of other segments of the entity. [GAO/PCIE Financial Audit Manual]

Responsible individual

A trustworthy person designated by a sponsoring organization to authenticate individual applicants seeking certificates on the basis of their affiliation with the sponsor. [NIST 800 series]

Responsiveness

A measurement of the time taken to respond to something. This could be response time of a transaction or the speed with which an IT service provider responds to an incident or request for change. [ITIL]

Restoration

The process of planning for and implementing business recovery which enables the organization to return to a normal service level. See also restore, immediate recovery. [Centers for Medicare & Medicaid Services (CMS)]

Restoration of service

See restore. [ITIL]

Restore

Taking action to return an IT service to the users after repair and recovery from an incident. This is the primary objective of incident management. It is the process of transferring data from a backup medium (such as tapes) to an on-line system, often for the purpose of recovery from a problem, failure, or disaster. Restoration of archival media is the transfer of data from an archival store to an on-line system for the purposes of processing (such as query, analysis, extraction, or disposition of that data). Archival restoration of systems may require not only data restoration but also replication of the original hardware and software operating environment. Restoration of systems is often called “recovery”. [ITIL, Sedona Conference]

Retention period

See Records retention period and Records retention schedule. [Sedona Conference]

Retention schedule

See Records retention schedule. [Sedona Conference]

Retire

Withdraw an application, IT service etc. from use in the live environment. Something we’ll never be able to do unless you buy many more books than you are currently buying. [ITIL, Network Frontiers]

Return on Capital Employed (ROCE)

A measurement of the expected benefit of an investment. Calculated by dividing net profit before tax and interest by total assets minus current liabilities. This ratio is used by business analysts to judge the effectiveness of the organization as a whole. Any changes to IT services or products are expected to improve this figure. See also cost effectiveness, investment appraisal, Return On Investment. [ITIL]

Return On Investment (ROI)

A measurement of the expected benefit of an investment. Calculated by dividing the average increase in financial benefit (taken over an agreed number of years) by the investment. See also cost effectiveness, return on capital employed. [ITIL]

Return to normal

The phase of an IT service continuity plan during which full normal operations are resumed. For example, if an alternate data center has been in use, then this phase will bring the primary data center back into operation, and restore the ability to invoke IT service continuity plans again. [ITIL]

Reverse engineering

A software engineering technique whereby existing application system code can be redesigned and coded using computer-aided software engineering (CASE) technology. The process of analyzing a system to identify its intricacies and their interrelationships, and create depictions of the system in another form or at a higher level. Reverse engineering is usually undertaken in order to redesign the system for better maintainability or to produce a copy of a system without utilizing the design from which it was originally produced. For example, one might take the executable code of a computer program, run it to study how it behaved with different input, and then attempt to write a program which behaved the same or better. [ISACA, Sedona Conference]

Review

An evaluation of a change, problem, process, project, etc. Reviews are typically carried out at predefined points in the lifecycle, and especially after closure. The purpose of a review is to ensure that all deliverables have been provided and to identify opportunities for improvement. See also post implementation review, review and approval. In e-discovery, the culling process produces a dataset of potentially responsive documents which are then examined and evaluated for a final selection of relevant or responsive documents and assertion of privilege exception as appropriate. See also Online Review. [ITIL, Sedona Conference]

Review and approval

The process whereby information pertaining to the security and integrity of an activity or network is collected, analyzed, and submitted to the appropriate organization for accreditation of the activity or network. See also review, post implementation review. [Centers for Medicare & Medicaid Services (CMS)]

Revoke a certificate

To prematurely end the operational period of a certificate effective at a specific date and time. [NIST 800 series]

Rewriteable technology

Storage devices where the data may be written more than once – typically hard drives, floppies and optical discs. [Sedona Conference]

RFC 822

Standard that specifies a syntax for text messages that are sent among computer users, within the framework of e-mail. [Sedona Conference]

Rijndael

Cryptographic algorithm specified in the Advanced Encryption Standard (AES). [NIST 800 series, FIPS Pubs]

Ring topology

A type of LAN architecture in which the cable forms a loop with stations attached at intervals around the loop. Signals transmitted around the ring take the form of messages. Each station receives the messages and each station determines, on the basis of an address, whether to accept or process a given message. However, after receiving a message, each station acts as a repeater, retransmitting the message at its original signal strength. [ISACA]

RIP

The procedures used to unbundle e-mail collections into individual e-mails during the e-discovery process while preserving authenticity and ownership. [Sedona Conference]

Risk

The combination of the probability and severity of impact that results from a threat successfully exploiting a vulnerability. The possibility of an act or event occurring that would have an adverse effect on the organization and its information systems. The possibility of suffering harm or loss. It is the potential for realizing unwanted negative consequences of an event. Risk refers to a situation where a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence. The potential for harm or loss is best expressed as the answers to these four questions: What could happen? (What is the threat?) How bad could it be? (What is the impact or consequence?) How often might it happen? (What is the frequency?) How certain are the answers to the first three questions? (What is the degree of confidence?) The key element among these is the issue of uncertainty captured in the fourth question. If there is no uncertainty, there is no “risk” per se. See also audit risk, inherent risk, control risk, detection risk, IT-related risk. [CERT OCTAVE, DIRKS, GAO/PCIE Financial Audit Manual, ISACA, Centers for Medicare & Medicaid Services (CMS), CobiT, NIST 800 series, FIPS Pubs, ITIL, US National Information Assurance (IA) Glossary, PAS 56, BS 25999]

Risk acceptance

Formal process by which a management official agrees that no additional safeguards will be undertaken to control a specific risk. The decision to accept risk. [Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ISO/IEC Guide 73:2002]

Risk analysis

A component of internal control in addition to the control environment, monitoring, information and communication, and control activities. The process of identifying the risks to the system, determining the probability of occurrence, analyzing the related vulnerabilities of the system, the resulting impact, and the additional safeguards that mitigate this impact. Risk assessment forms the basis for determining how the risks should be managed. Part of risk management. [NIST 800 series, FISCAM, GAO/PCIE Financial Audit Manual, ISACA, Centers for Medicare & Medicaid Services (CMS), FIPS Pubs, ISO/IEC 27001:2005, ISO/IEC Guide 73:2002, PCI-DSS, US National Information Assurance (IA) Glossary]

Risk appetite

Willingness of an organization to accept a defined level of risk. Different organizations at different stages of their existence will have different risk appetites. [PAS 56, BS 25999]

Risk Assessment (RA)

The term risk assessment is used to characterize both the process and the result of analyzing and assessing risk. A part of risk management, risk assessment comprises the initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats. See also CRAMM, risk analysis. [FISCAM, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ISO/IEC Guide 73:2002, NIST 800 series, ITIL, US National Information Assurance (IA) Glossary, PAS 56, BS 25999]

Risk assessment principle

Participants should conduct risk assessments. [OECD Guidelines for the Security of Information Systems and Networks]

Risk concentration

Concentration of MCAs within the same building or on the same site. [PAS 56]

Risk evaluation

The process of comparing the estimated risk against given risk criteria to determine the significance of the risk. See also risk analysis. [Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ISO/IEC 73:2002]

Risk index

Difference between the minimum clearance or authorization of IS users and the maximum sensitivity (e.g., classification and categories) of data processed by the system. [US National Information Assurance (IA) Glossary]

Risk levels

The extent to which vulnerability could be exploited or the amount of damage that could be done. Risk levels are usually measured in a qualitative manner as high, moderate, or low. [Centers for Medicare & Medicaid Services (CMS)]

Risk management

The ongoing process of identifying risks and implementing plans to address them. The total process of identifying, controlling, and mitigating information technology related risks. It includes risk analysis; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission/business and constraints due to policy, regulations, and laws. This term characterizes the overall process. The first, or risk analysis, phase includes identifying risks, risk-reducing measures, and the budgetary impact of implementing decisions related to the acceptance, avoidance, or transfer of risk. The second phase of risk management includes the process of assigning priority to, budgeting, implementing, and maintaining appropriate risk-reducing measures. Risk management is a continuous process of ever-increasing complexity. Risk management can be quantitative (based on numerical data) or qualitative. See also risk assessment, risk treatment, CRAMM. [CERT OCTAVE, NIST 800 series, FISCAM, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ISO/IEC Guide 73:2002, FIPS Pubs, ITIL, US National Information Assurance (IA) Glossary, PAS 56, BS 25999]

Risk management program

The set of controls, processes and structures put in place to support risk management. See also risk mitigation plan. [PAS 56]

Risk mitigation

Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. [NIST 800 series]

Risk mitigation plan

A plan that is intended to reduce the risks to a critical asset. Risk mitigation plans tend to incorporate actions, or countermeasures, designed to counter the threats to the assets. See also risk reduction measure, countermeasure, control. See also risk management program. [CERT OCTAVE]

Risk profile

Defines the range of risks that can affect an asset. Risk profiles contain categories that are grouped according to threat source (human actors using network access, human actors using physical access, system problems, other problems). [CERT OCTAVE, PAS 56]

Risk reduction measure

See control, countermeasure. [ITIL]

Risk tolerance

The level of risk an entity is willing to assume in order to achieve a potential desired result. [NIST 800 series]

Risk treatment

The process of selection and implementation of measures/controls to modify risk. The part of risk management responsible for choosing and implementing an option for managing a risk. Options for risk treatment include: 1) applying cost effective controls to reduce the risk; 2) deciding to accept the risk; 3) avoiding the risk by preventing the situation that could lead to it; 4) transferring the risk to a third party, for example, by taking out insurance. [ISO/IEC 27001:2005, ISO/IEC Guide 73:2002, ITIL]

Roadmap

A central repository intended to provide summary, as well as detailed, information regarding approved CMS policies, processes, procedures, templates, resources and standards established for the successful engineering, implementation, maintenance and management of all CMS Information Technology (IT) projects. As such, the Roadmap provides active contributors on IT projects with an entry point to a wealth of information for successfully accomplishing the IT investment management process and Systems Development Life Cycle at CMS. [Centers for Medicare & Medicaid Services (CMS)]

Role of a system

Once a system’s role has been defined, the continuity requirements that are implicit in that role can be defined and then explicitly stated in terms of supporting the organization’s mission. [NIST 800 series]

Roles

A set of responsibilities defined in a process and assigned to a person or team. One person or team may have multiple roles; for example, the roles of configuration manager and change manager may be carried out by a single person. See also job description. [ITIL]

Rollout

Most often used to refer to complex or phased deployments. See also deployment. [ITIL]

Root cause

The underlying or original cause of an incident or problem. [CobiT, ITIL]

Root Cause Analysis (RCA)

The process of learning from consequences, typically of errors and problems. RCA typically concentrates on IT infrastructure failures. See also service outage analysis. [CobiT, ITIL]

Root Certification Authority

In a hierarchical Public Key Infrastructure, the Certification Authority whose public key serves as the most trusted datum (i.e., the beginning of trust paths) for a security domain. [NIST 800 series]

Root directory

The top level in a hierarchical file system. For example on a PC, the root directory of your hard drive, usually C:, contains all the second-level subdirectories on that drive. [Sedona Conference]

Rootkit

A software suite designed to aid an intruder in gaining unauthorized administrative access to a computer system. A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root-level access to the host through covert means. [ISACA, NIST 800 Series]

Rotary Camera

In microfilming, the papers are read “on the fly” with a camera that’s synchronized to the motion. [Sedona Conference]

Rotating standby

A fail-over process in which there are two nodes (as in idle standby but without priority). The node that enters the cluster first owns the resource group, and the second will join as a standby node. [ISACA]

Round key

Round keys are values derived from the Cipher Key using the Key Expansion routine; they are applied to the State in the Cipher and Inverse Cipher. [NIST 800 series, FIPS Pubs]

Router

A networking device that can send (route) data packets from one Local Area Network (LAN) or Wide Area Network (WAN) to another, based on addressing at the network layer (Layer 3) in the OSI model. Networks connected by routers can use different or similar networking protocols. As part of a LAN, a router receives transmitted messages and forwards them to their destination over the most efficient available route. Routers are usually capable of filtering packets based on parameters such as source addresses, destination addresses, protocol, and network applications (ports). Packet filtering routers, the simplest form of firewall protection, screen incoming and outgoing packets based on IP header information including source and destination addresses, protocol, source and destination port numbers. [Network Frontiers, FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), PCI-DSS, Sedona Conference]

RS-232 interface

Interface between data terminal equipment and data communications equipment employing serial binary data interchange. [ISACA]

RSA

A public key cryptosystem developed by R. Rivest, A. Shamir, and L. Adleman. RSA uses two different keys, the public encryption key and the secret decryption key. The strength of RSA depends on the difficulty of prime number factorization. For applications with high-level security, the number of decryption key bits should be greater than 512 bits. RSA is used for both encryption and digital signatures. [ISACA, PCI-DSS]

Rule-based security policy

A security policy based on global rules imposed for all subjects. These rules usually rely on a comparison of the sensitivity of the objects being accessed and the possession of corresponding attributes by the subjects requesting access. [NIST 800 series]

Rulebase

The list of rules and/or guidance that is used to analyze event data. [ISACA]

Rules Of Behavior (ROB)

Guidelines describing permitted actions by users and their responsibilities when utilizing a computer system. ROB are the rules that have been established and implemented concerning use of, security in, and acceptable level of risk for the system. Rules will clearly delineate responsibilities and expected behavior of all individuals with access to the system. Rules should cover such matters as work at home, dial-in access, connection to the Internet, use of copyrighted works, unofficial use of federal government equipment, the assignment and limitation of system privileges and individual accountability. Rules for individual users of each general support system or application. These rules should clearly delineate responsibilities of and expectations for all individuals with access to the system. They should be consistent with system-specific policy. In addition, they should state the consequences of noncompliance. The rules should be in writing and will form the basis for security awareness and training. [Centers for Medicare & Medicaid Services (CMS)]

Run

A popular, idiomatic expression for program execution. [FISCAM, Centers for Medicare & Medicaid Services (CMS)]

Run instructions or run manual

A manual that provides application-specific operating instructions, such as instructions on job setup, console and error messages, job checkpoints, and restart and recovery steps after system failures. It also identifies how to address problems that occur during processing. [FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS)]

Run Length Encoded (RLE)

Compressed image format; supports only 256 colors; most effective on images with large areas of black or white. [Sedona Conference]

Run to run totals

Provide verification that all transmitted data are read and processed. [ISACA]

Running costs

See operational costs. [ITIL]

Running down

A method of computer fraud involving a computer code that instructs the computer to remove small amounts of money from an authorized computer transaction by rounding down to the nearest whole value denomination and rerouting the rounded off amount to the perpetrator’s account. [ISACA]

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.