A list of controls

What follows is a listing of all of the control types that we've found referenced so far within the Unified Compliance Framework.

Access control

Measures that limit access to information or information processing resources to those authorized persons or applications according to the system or data classification. HIPAA defines this as the ability to implement a mechanism to encrypt and decrypt regulated data. However, NIST defines this as the ability to enable authorized use of a resource while preventing unauthorized use or use in an unauthorized manner. Both share the same underlying principle of ensuring confidentiality and integrity. Access control can be defined by the system (mandatory access control, or MAC) or defined by the user who owns the object (discretionary access control, or DAC).

HIPAA, NIST 800 series, ISACA, FISCAM, Centers for Medicare & Medicaid Services (CMS), CobiT, ISO/IEC 27001:2005, PCI-DSS, Workgroup for Electronic Data Interchange, US National Information Assurance (IA) Glossary, FIPS Pubs

Access control software

Mechanisms that restrict access to computer resources. This type of software, which is external to the operating system, provides a means of specifying who has access to a system, who has access to specific resources, and what capabilities authorized users are granted. Access control software can generally be implemented in different modes that provide varying degrees of protection such as denying access for which the user is not expressly authorized, allowing access which is not expressly authorized but providing a warning, or allowing access to all resources without warning regardless of authority.

Centers for Medicare & Medicaid Services (CMS), FISCAM

Access control table

An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals.

ISACA

Acquisition and Implementation

A high-level control objective that defines how IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

CobiT

Administrative controls

The actions/controls encompassing operational effectiveness, efficiency, and adherence to regulations and management policies.

ISACA

Administrative Safeguards

Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity's workforce in relation to protecting that information.

NIST 800 series

Application acquisition review

An evaluation of an application system being acquired or evaluated, which considers such matters as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is acquired in compliance with the established system acquisition process.

ISACA

Application controls

Application controls are directly related to individual applications. They ensure that transactions are valid, properly authorized, and completely and accurately processed and reported. They are management's control activities (procedures) that are incorporated directly into individual computer applications to provide reasonable assurance of accurate and reliable processing. Application controls address 1) data input, 2) data processing, and 3) data output. FISCAM categories of application controls that more closely tie into the FAM methodology are 1) authorization control, 2) completeness control, 3) accuracy control, and 4) control over integrity of processing and data files. Examples of application controls include data input validation, agreement of batch totals, and encryption of data transmitted.

FISCAM, GAO/PCIE Financial Audit Manual, ISACA, Centers for Medicare & Medicaid Services (CMS), CobiT, ISO/IEC 27001:2005

Application development review

An evaluation of an application system under development which considers matters such as: appropriate controls are designed into the system; the application will process information in a complete, accurate and reliable manner; the application will function as intended; the application will function in compliance with any applicable statutory provisions; the system is developed in compliance with the established systems development life cycle process.

ISACA

Application security controls

The security aspects supported by any application, primarily with regard to the roles or responsibilities and audit trails within the application.

Network Frontiers

Assessing control risk

The process of evaluating the effectiveness of an entity's internal control in preventing or detecting misstatements in financial statement assertions.

GAO/PCIE Financial Audit Manual

Assessment Method

A focused activity or action employed by an assessor for evaluating a particular attribute of a security control.

NIST 800 series

Assessment Procedure

A set of activities or actions employed by an assessor to determine the extent to which a security control is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

NIST 800 series

Audit objective

The specific goal(s) of an audit. These often center on substantiating the existence of internal controls to minimize business risk.

ISACA

Authentication

The act of verifying the identity of a user and the user's eligibility to access computerized information, designed to protect against fraudulent activity. NIST 800-33 defines authentication as verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in a system. All systems that store, process or protect regulated data need to implement access controls in order to manage where this information is allowed to flow and who is allowed to create, view or change it. If the authentication attempt fails, access has to be blocked. For HIPAA, all attempts to gain access to a system containing ePHI have to be logged for later investigation. Authentication can also refer to the verification of the correctness of a piece of data. See also identification, key management, system access control.

HIPAA, NIST 800 series, FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), CobiT, ISO/IEC 27001:2005, PCI-DSS, FIPS Pubs, US National Information Assurance (IA) Glossary

Authorization

This term has two uses, one for information assurance, and another for the Payment Card Industry. 1) In terms of Information Technology security, authorization is the process of determining what types of activities are permitted and the granting of access for those activities. After the authentication process has identified the person, program, or process accessing the system and authenticated the claimed identity, an authorization mechanism needs to determine what data the user is allowed to access and what functions may be performed. The mechanism can be based on a role a person fulfills in the organization and use technologies such as LDAP. Authorization has to be implemented at the lowest level possible to ensure that all access to all regulated data is correctly managed. It must be non-bypassable to ensure that all access attempts are controlled and that no one can circumvent it. At the same time, in the case of a documented crisis, a procedure for emergency override access has to be provided. 2) For the payment card industry, this is the process by which a card issuer approves or declines a Visa card purchase. Authorization occurs automatically when you swipe the magnetic stripe of a payment card through a card reader. See also Voice Authorization Center.

HIPAA, NIST 800 series, ISACA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, PCI-DSS, US National Information Assurance (IA) Glossary, VISA Glossary of Terms

Automated controls

Electronic mechanisms to automate the protection of digital assets, such as log readers, intrusion prevention and detection systems, etc.

Network Frontiers

Baseline

An agreed-upon specification or standard against which changes can be made. A baseline should be changed only through formal change control procedures. It is the recorded state of something at a specific point in time, and can be created for a configuration, a process, or any other set of data. For example, a baseline can be used in 1) continuous service improvement, to establish a starting point for planning improvements; 2) capacity management, to document performance characteristics during normal operations; and 3) configuration management, to enable the IT infrastructure to be restored to a known configuration if a change fails. A baseline is also used to specify a standard configuration for data capture, release or audit purposes.

Centers for Medicare & Medicaid Services (CMS), ITIL

Batch control

Correctness checks built into data processing systems and applied to batches of input data, particularly in the data preparation stage. There are two main forms of batch controls: 1) sequence control, which involves numbering the records in a batch consecutively so that the presence of each record can be confirmed, and 2) control total, which is a total of the values in selected fields within the transactions.

ISACA

Boundary protection

Monitoring and control of communications at the external boundary between information systems completely under the management and control of the organization and information systems not completely under the management and control of the organization, and at key internal boundaries between information systems completely under the management and control of the organization, to prevent and detect malicious and other unauthorized communication, employing controlled interfaces (e.g., proxies, gateways, routers, firewalls, encrypted tunnels).

NIST 800 series

Budget controls

Management's policies and procedures to manage and control the use of appropriated funds and other forms of budget authority. These are considered part of financial reporting and compliance controls.

GAO/PCIE Financial Audit Manual

Build environment

A part of release management, a controlled environment where applications, IT services and other builds are assembled prior to being moved into a test or live environment.

ITIL

Business process integrity

Controls over the business processes that are supported by the ERP.

ISACA

Card swipes

A physical control technique that uses a secured card or ID to gain access to a highly sensitive location. Card swipes, if built correctly, act as a preventative control over physical access to those sensitive locations. After a card has been swiped, the application attached to the physical card swipe device logs all card users that try to access the secured location. The card swipe device prevents unauthorized access and logs all attempts to enter the secured location.

ISACA

Change management

The process responsible for controlling the lifecycle of all changes. The primary objective of change management is to enable beneficial changes to be made with minimum disruption to IT services.

ITIL

Classification

The systematic identification and arrangement of business activities and/or records into categories according to logically structured conventions, methods, and procedural rules represented in a classification system. The process of devising and applying schemes based on the business activities that generate records, whereby they are categorized in systematic and consistent ways to facilitate their capture, retrieval, maintenance, and disposal. Classification includes determining document or file naming conventions, user permissions, and security restrictions on records. A fundamental component of the intellectual control processes in a recordkeeping system is the use of a scheme for classifying records. The classification of a record is an essential element of the metadata that describes that record. This in turn enables the record to be managed, understood, linked to other related records and retrieved by users. Australian Standard AS 4390-1996, Records Management, requires records classification schemes to be based on a rigorous classification of business activities. This means that records are classified on the basis of why they exist (their function or the activity that caused the record to be brought into existence), rather than on the basis of what they are about (their subject). As such, the focus of classification is the context of a record's creation and use, rather than the content of the record itself. In addition to records, CIs, incidents, problems, changes etc. are usually classified.

ISO 15489, DIRKS, Australian Standard AS 4390-1996, ISO/IEC 27001:2005, ITIL

Command, control, and communications

The processes and infrastructure that enable an organization to effectively pass instructions and information. This enables management control of resources. This term is typically used in the management of major incidents, business continuity, and IT service continuity.

ITIL

Common security control

Security control that can be applied to one or more agency information systems and has the following properties: 1) the development, implementation, and assessment of the control can be assigned to a responsible official or organizational element (other than the information system owner); and 2) the results from the assessment of the control can be used to support the security certification and accreditation processes of an agency information system where that control has been applied.

NIST 800 series, FIPS Pubs

Communications security (COMSEC)

These are security controls in place to ensure that data transmission is protected from eavesdropping and message tampering. The information transmitted can be authenticated via strong cryptography and the exchange of strong encryption key information to protect all information from unauthorized users.

Centers for Medicare & Medicaid Services (CMS), US National Information Assurance (IA) Glossary

Compensating control

An internal control that reduces the risk of an existing or potential control weakness that could result in errors or omissions. Compensating controls may be considered when an organization does not wish to meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must 1) meet the intent and rigor of the original stated requirement; 2) repel a compromise attempt with similar force; 3) be "above and beyond" other requirements (not simply in compliance with other requirements); and 4) be commensurate with the additional risk imposed by not adhering to the originally stated requirement.

FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), PCI-DSS

Compensating controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high security control baselines, that provide equivalent or comparable protection for an information system.

NIST 800 series, FIPS Pubs

Compensating security controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) employed by an organization in lieu of the recommended controls in the low, moderate, or high baselines described in NIST Special Publication 800-53, that provide equivalent or comparable protection for an information system.

NIST 800 series

Compliance control

A process, effected by management and other personnel, designed to provide reasonable assurance that transactions are executed in accordance with 1) laws governing the use of budget authority and other laws and regulations that could have a direct and material effect on the financial statements or required supplementary stewardship information and 2) any other laws, regulations, and government-wide policies identified in OMB audit guidance.

GAO/PCIE Financial Audit Manual

Compliance tests/testing

Tests to obtain evidence on the entity's compliance with significant laws and regulations. Tests of control designed to obtain audit evidence on both the effectiveness of the controls and their operation during the audit period.

GAO/PCIE Financial Audit Manual, ISACA

Comprehensive audit

An audit designed to determine the accuracy of financial records as well as evaluate the internal controls of a function or department.

ISACA

Computer related controls

Computer-related controls help ensure the reliability, confidentiality, and availability of automated information. They include both general controls which apply to all or a large segment of an entity's information systems, and application controls which apply to individual applications.

FISCAM

Computer sequence checking

Verifies that the control number follows sequentially and any control numbers out of sequence are rejected or noted on an exception report for further research.

ISACA

Configuration control

The activity responsible for ensuring that adding, modifying or removing a CI is properly managed, for example, by submitting a request for change or service request.

ITIL, US National Information Assurance (IA) Glossary, Microsoft, NIST 800 series

Configuration Item (CI)

Component of an infrastructure (or an item, such as a request for change, associated with an infrastructure) which is (or is to be) under the control of configuration management. CIs may vary widely in complexity, size, and type, from an entire system (including all hardware, software and documentation) to a single module or a minor hardware component. Information about each CI is recorded in a configuration record within the CMDB and is maintained throughout its lifecycle by configuration management. CIs are under the control of change management. CIs typically include hardware, software, buildings, people, and formal documentation such as process documentation and SLAs.

CobiT, ITIL, Microsoft

Configuration management

The control and documentation of changes made to a system's hardware, software, and documentation throughout the development and operational life of the system. Configuration management is the process responsible for maintaining information about configuration items required to deliver an IT service, including their relationships. This information is managed throughout the lifecycle of the CI. The primary objective of configuration management is to underpin the delivery of IT services by providing accurate data to all IT service management processes when and where it is needed. See also configuration and change management.

Centers for Medicare & Medicaid Services (CMS), ITIL, US National Information Assurance (IA) Glossary

Content filtering

Controlling access to a network by analyzing the contents of the incoming and outgoing packets and either letting them pass or denying them based on a list of rules. Differs from packet filtering in that it is the data in the packet that are analyzed instead of the attributes of the packet itself (e.g., source/target IP address, TCP flags).

ISACA

Continuity plan

Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failure, or disaster.

Network Frontiers, NIST 800 series

Control activities

A component of internal control, in addition to the control environment, risk assessment, monitoring, and information and communication. Organizational control activities are the collected policies, procedures, practices, and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be detected and prevented. These control activities help ensure that management directives are carried out by providing a description of what physical, software, procedural or people-related conditions must be met or in existence in order to satisfy a core requirement.

GAO/PCIE Financial Audit Manual, Centers for Medicare & Medicaid Services (CMS)

Control environment

The control environment is an important component of an entity's internal control structure. It sets the "tone at the top" and can influence the effectiveness of specific control techniques. A component of internal control, in addition to risk assessment, monitoring, information and communication, and control activities. The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The control environment represents the collective effect of various factors on establishing, enhancing, or mitigating the effectiveness of specific control activities. Such factors include 1) integrity and ethical values, 2) commitment to competence, 3) management's philosophy and operating style, 4) organizational structure, 5) assignment of authority and responsibility, 6) human resource policies and practices, 7) control methods over budget formulation and execution, 8) control methods over compliance with laws and regulations, and 9) oversight groups.

FISCAM, GAO/PCIE Financial Audit Manual

Control framework

A control framework is a structured way of categorizing controls to ensure the whole spectrum of control is covered adequately. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements for organizations subject to them.

CobiT, Institute of Internal Auditors, ISO/IEC 27001:2005

Control objective

The objectives of management that are used as the framework for developing and implementing controls (control procedures). A statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.

ISACA, CobiT, ISO/IEC 27001:2005

Control Objectives for Enterprise Governance

A discussion document which sets out an "enterprise governance model" focusing strongly on both the enterprise business goals and the information technology enablers which facilitate good enterprise governance, published by the Information Systems Audit and Control Foundation in 1999.

ISACA

Control or controls

The activities surrounding policies, procedures, practices, and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected. Example controls include policies, procedures, roles, software configurations, passwords, fences, door-locks etc. A control is sometimes called a countermeasure or safeguard. For DIRKS, control systems and processes associated with records management include: registration, which provides evidence of the existence of records in a recordkeeping system; classification, which allows for appropriate grouping, naming, security protection, user permissions, and retrieval; indexing, which allocates attributes or codes to particular records to assist in their retrieval; and tracking, which provides evidence of where a record is located, what action is outstanding on a record, who has seen a record, when such access took place and the recordkeeping transactions that have been undertaken on the record. Control is also used as a generic term meaning to manage something. See also procedures.

DIRKS, ITIL, CobiT, ISO/IEC 27001:2005

Control perimeter

The boundary defining the scope of control authority for an entity. For example, if a system is within the control perimeter, the right and ability exists to control it in response to an attack.

ISACA

Control practice

Key control mechanism that supports the achievement of control objectives through responsible use of resources, appropriate management of risk, and alignment of IT with business.

CobiT

Control risk

Risk that a material misstatement that could occur in an assertion will not be prevented, or detected and corrected on a timely basis by the entity's internal control structure. By definition in the regulations and standards, this is an auditor's judgment call.

FISCAM, GAO/PCIE Financial Audit Manual, ISACA

Control risk self assessment

An empowering method/process by which management and staff of all levels collectively identify and evaluate IS-related risks and controls under the guidance of a facilitator, who could be an IS auditor. The IS auditor can utilize CRSA for gathering relevant information about risks and controls and to forge greater collaboration with management and staff. CRSA provides a framework and tools for management and employees to identify and prioritize their business objectives, assess and manage high-risk areas of business processes, self-evaluate the adequacy of controls, and develop risk treatment recommendations.

ISACA

Control section

The area of the central processing unit (CPU) that executes software, allocates internal memory and transfers operations between the arithmetic-logic, internal storage, and output sections of the computer.

ISACA

Control techniques

See control activities, procedures.

GAO/PCIE Financial Audit Manual, Centers for Medicare & Medicaid Services (CMS)

Control tests

Tests of a specific control activity to assess its effectiveness in achieving control objectives.

GAO/PCIE Financial Audit Manual

Control weakness

A deficiency in the design or operation of a control procedure. Control weaknesses can potentially result in risks relevant to the area of activity not being reduced to an acceptable level (relevant risks are those that threaten achievement of the objectives relevant to the area of activity being examined). Control weaknesses can be material when the design or operation of one or more control procedures does not reduce to a relatively low level the risk that misstatements caused by illegal acts or irregularities may occur and not be detected by the related control procedures.

ISACA

Controlled vocabulary

An alphabetical list containing terms or headings which are authorized or controlled so that only one heading or form of heading is allowed to represent a particular concept or name. It contrasts with natural language. A controlled vocabulary is also referred to as a thesaurus.

DIRKS

Corrective controls

These controls are designed to correct errors, omissions, and unauthorized uses and intrusions once they are detected.

ISACA

Countermeasures

Actions and system controls present or undertaken to reduce or moderate the effect of specific vulnerabilities. A synonym for control. The term countermeasure can be used to refer to any type of control, but it is most often used when referring to measures that increase resilience, fault tolerance, or reliability of an IT service.

Centers for Medicare & Medicaid Services (CMS), ITIL, NIST 800 series, FIPS Pubs

Data administration

The function that plans for and administers the data used throughout the organization. This function is concerned with identifying, cataloging, controlling, and coordinating the information needs of the organization.

FISCAM, Centers for Medicare & Medicaid Services (CMS)

Data control

The function responsible for seeing that all data necessary for processing is present and that all output is complete and distributed properly. This function is generally responsible for reconciling record counts and control totals submitted by users with similar counts and totals generated during processing.

FISCAM, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005
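
The batch control, computer sequence checking and data control entries above describe the same reconciliation: confirm every record number is present in order, then agree the record count and control total against what the submitter declared. This is an added example, not code from the Unified Compliance Framework or any of the cited standards; the batch layout (a header carrying the first sequence number, record count and control total, followed by records with an amount field) and the sample batches are constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List


@dataclass
class Record:
    seq: int          # control number assigned consecutively at data preparation
    account: str
    amount: Decimal


@dataclass
class BatchHeader:
    batch_id: str
    first_seq: int        # sequence number of the first record in the batch
    record_count: int     # number of records the submitter says are present
    control_total: Decimal  # submitter's sum of 'amount' over all records


@dataclass
class ExceptionReport:
    """Findings for one batch; an empty findings list means the batch is accepted."""
    batch_id: str
    findings: List[str] = field(default_factory=list)

    @property
    def accepted(self) -> bool:
        return not self.findings


def check_sequence(header: BatchHeader, records: List[Record]) -> List[str]:
    """Sequence control: every control number must be present, in order and unique."""
    findings = []
    expected = header.first_seq
    for r in records:
        if r.seq == expected:
            expected += 1
        elif r.seq > expected:
            # A gap: one or more records between 'expected' and this one are missing.
            findings.append(f"missing record(s) {expected}..{r.seq - 1} before seq {r.seq}")
            expected = r.seq + 1
        else:
            # Lower than expected: a duplicate or a record filed out of order.
            findings.append(f"seq {r.seq} out of sequence or duplicate (expected {expected})")
    return findings


def check_totals(header: BatchHeader, records: List[Record]) -> List[str]:
    """Control totals: reconcile the record count and the sum of amounts with the header."""
    findings = []
    if len(records) != header.record_count:
        findings.append(f"record count {len(records)} != header count {header.record_count}")
    total = sum((r.amount for r in records), Decimal("0"))
    if total != header.control_total:
        findings.append(f"control total {total} != header total {header.control_total}")
    return findings


def validate_batch(header: BatchHeader, records: List[Record]) -> ExceptionReport:
    """Run both batch controls; anything that fails is noted for further research."""
    report = ExceptionReport(header.batch_id)
    report.findings += check_sequence(header, records)
    report.findings += check_totals(header, records)
    return report


# Constructed sample batches (not real data).
GOOD_HEADER = BatchHeader("B-001", 1001, 4, Decimal("610.00"))
GOOD_RECORDS = [
    Record(1001, "ACCT-1", Decimal("100.00")),
    Record(1002, "ACCT-2", Decimal("250.00")),
    Record(1003, "ACCT-3", Decimal("60.00")),
    Record(1004, "ACCT-4", Decimal("200.00")),
]

# Header claims 4 records totalling 500.00; record 2002 is missing, 2003 is duplicated.
BAD_HEADER = BatchHeader("B-002", 2001, 4, Decimal("500.00"))
BAD_RECORDS = [
    Record(2001, "ACCT-5", Decimal("100.00")),
    Record(2003, "ACCT-6", Decimal("200.00")),
    Record(2003, "ACCT-6", Decimal("250.00")),
]

if __name__ == "__main__":
    for hdr, recs in ((GOOD_HEADER, GOOD_RECORDS), (BAD_HEADER, BAD_RECORDS)):
        rep = validate_batch(hdr, recs)
        print(hdr.batch_id, "accepted" if rep.accepted else "rejected")
        for f in rep.findings:
            print("  -", f)
```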

Data dictionary

A repository of information about data, such as its meaning, relationships to other data, origin, usage, and format. The dictionary assists company management, database administrators, systems analysts, and application programmers in effectively planning, controlling, and evaluating the collection, storage, and use of data. It also indicates which application programs use that data so that when a data structure is contemplated, a list of the affected programs can be generated. The data dictionary may be a stand-alone information system used for management or documentation purposes, or it may control the operation of a database. CobiT also references an enterprise data dictionary.

FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), CobiT

Definitive Hardware Store (DHS)

One or more physical locations in which hardware configuration items are securely stored when not in use. All hardware in the DHS is under the control of change and release management and is recorded in the CMDB. The DHS contains spare parts, maintained at suitable revision levels, and may also include hardware that is part of a future release.

ITIL

Definitive Software Library (DSL)

One or more locations in which the definitive and approved versions of all software configuration items are securely stored. The DSL may also contain associated CIs such as licenses and documentation. The DSL is a single logical storage area even if there are multiple locations. All software in the DSL is under the control of change and release management and is recorded in the CMDB. Only software from the DSL is acceptable for use in a release.

ITIL

Delivery and support

This high-level domain is concerned with the actual delivery of required services, ranging from traditional operations, through security and continuity aspects, to training. In order to deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.

CobiT

Detailed Control Objectives (DCO)

DCOs are components of a particular control objective.

CobiT

Detailed IS controls

Controls over the acquisition, implementation, delivery and support of information systems and services. They are made up of application controls plus those general controls not included in pervasive controls.

ISACA

Detective controls

These controls exist to detect and report when errors, omissions, and unauthorized uses or entries occur. A control that is used to identify events (undesirable or desired), errors, and other occurrences that an enterprise has determined to have a material effect on a process or end product.

ISACA, CobiT

Development environment

An environment used to create or modify IT services or applications. Development environments are not typically subjected to the same degree of control as test environments or live environments. See also development.

ITIL

Dial-back

Used as a control over dial-up telecommunications lines. The telecommunications link established through dial-up into the computer from a remote location is interrupted so the computer can dial back to the caller. The link is permitted only if the caller is from a valid phone number or telecommunications channel. See also dial-in access controls.

ISACA

Dial-in access controls

Controls that prevent unauthorized access from remote users that attempt to access a secured environment. These controls range from dial-back controls to remote user authentication.

ISACA

Dial-up access

A means of connecting to another computer (or a network like the Internet) over a telecommunications line using a modem-equipped computer. See also dial-in access controls.

FISCAM, Centers for Medicare & Medicaid Services (CMS)

Dial-up security software

Software that controls access via remote dial-up. One method of preventing unauthorized users from accessing the system through an unapproved telephone line is through dial-back procedures in which the dial-up security software disconnects a call initiated from outside the network via dial-up lines, looks up the user's telephone number, and uses that number to call the user.

FISCAM

Discretionary Access Control (DAC)

Controls that regulate how users delegate access permissions or make files/information accessible to other users. The basis of this kind of security is that an individual user, or a program operating on the user's behalf, is allowed to specify explicitly the types of access other users (or programs executing on their behalf) may have to information under the user's control.

NIST 800 series, US National Information Assurance (IA) Glossary, FIPS Pubs

Document management software

Software that controls and organizes documents throughout an enterprise. Incorporates document and content capture, workflow, document repositories, COLD/ERM and output systems, and information retrieval systems.

AIIM

Dual control

A method of preserving the integrity of a process by requiring that several individuals independently take some action before certain transactions are completed.

PCI-DSS

Due care

Diligence which a person would exercise under a given set of circumstances. Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.

ISACA, NIST 800 series

Edit controls

Controls that detect errors in the input portion of information that is sent to the computer for processing. The controls may be manual or automated and allow the user to correct data errors before processing.

ISACA

Electronic signature

A computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature. A symbol, generated through electronic means, that can be used to 1) identify the sender of information and 2) ensure the integrity of the critical information received from the sender. An electronic signature may represent either an individual or an organization. Adequate electronic signatures are 1) unique to the signer, 2) under the signer's sole control, 3) capable of being verified, and 4) linked to the data in such a manner that if data are changed, the signature is invalidated upon verification. Traditional user identification code/password techniques do not meet these criteria. See also digital signature.

21 CFR Part 11, FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS), Workgroup for Electronic Data Interchange, US National Information Assurance (IA) Glossary

Environmental controls

This subset of physical access controls prevents or mitigates damage to facilities and interruptions in service. Smoke detectors, fire alarms and extinguishers, and uninterruptible power supplies are some examples of environmental controls.

FISCAM, Centers for Medicare & Medicaid Services (CMS)

Error control

The activity responsible for managing known errors until they are resolved by the successful implementation of changes. See also problem control.

ITIL

Exit

A predefined or in-house written routine that receives control at a predefined point in processing. These routines provide an organization with flexibility to customize processing, but also create the opportunity to bypass security controls.

FISCAM

Federal financial management systems requirements

One of the three requirements of FFMIA. They include the requirements of OMB Circulars A-127, A-123, and A-130 and the JFMIP Federal Financial Management Systems Requirements series.

GAO/PCIE Financial Audit Manual

Filtering router

A router that is configured to control network access by comparing the attributes of the incoming or outgoing packets to a set of rules.

ISACA

Financial reporting control

A process, effected by management and other personnel, designed to provide reasonable assurance that transactions are properly recorded, processed, and summarized to permit the preparation of the financial statements and required supplementary stewardship information in accordance with GAAP, and that assets are safeguarded against loss from unauthorized acquisition, use, or disposition.

GAO/PCIE Financial Audit Manual

Framework

A framework is the arrangement of parts that gives a thing its basic form. See also control framework.

CobiT, ISO/IEC 27001:2005

Functions thesaurus

A keyword thesaurus, produced and maintained by an organization (which has implemented the keyword classification system) and which contains keywords, descriptors and forbidden terms. The thesaurus covers terms of a functional nature relating specifically to an organization's specific functions to provide comprehensive controlled vocabulary to describe paper and electronic records and recordkeeping systems. A thesaurus that reflects the unique functions of an organization.

DIRKS

General controls or general computer controls

Controls, other than application controls, which relate to the environment within which computer-based application systems are developed, maintained, and operated, and which are therefore applicable to all applications. General controls are the structure, policies, and procedures that apply to an entity's overall computer operations. They include an organization-wide security program, access controls, application development and change controls, segregation of duties, system software controls, and service continuity controls. The objectives of general controls are to ensure the proper development and implementation of applications, the integrity of program and data files, and the integrity of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IS strategy and an IS security policy, the organization of IS staff to separate conflicting duties, and planning for disaster prevention and recovery.

FISCAM, GAO/PCIE Financial Audit Manual, ISACA, Centers for Medicare & Medicaid Services (CMS), CobiT

Governance

The method by which an organization is directed, administered, or controlled.

CobiT

Hash total

The total of any numeric data field on a document or computer file. This total is checked against a control total of the same field to facilitate accuracy of processing.

ISACA, US National Information Assurance (IA) Glossary

Implementation life cycle review

Refers to the controls that support the process of transformation of the organization's legacy information systems into the ERP applications. This would largely cover all aspects of systems implementation and configuration such as change management.

ISACA

Incident response plan

The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization's IT system(s).

NIST 800 series

Information and communication

A component of internal control in addition to the control environment, risk assessment, monitoring, and control activities. The identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. The accounting system and accounting manuals are examples of this component.

GAO/PCIE Financial Audit Manual

Information Security Management System (ISMS)

An information security management system (ISMS) is a system of management concerned with information security. It is that part of the overall management system, based on a business risk approach, used to establish, implement, operate, monitor, review, maintain and improve information security. The design and implementation of an organization's ISMS is influenced by its needs and objectives, security requirements, the processes employed, and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization, e.g. a simple situation requires a simple ISMS solution.

ISO/IEC 27001:2005

Information systems controls

Controls whose effectiveness depends on computer processing, including general, application, and user controls.

GAO/PCIE Financial Audit Manual

Information systems security

The protection afforded to information systems to preserve the availability, integrity, and confidentiality of the systems and information contained in the systems. Protection results from the application of a combination of security measures, including crypto security, transmission security, emission security, computer security, information security, personnel security, resource security, and physical security.

Centers for Medicare & Medicaid Services (CMS), US National Information Assurance (IA) Glossary

Input controls

Techniques and procedures used to verify, validate, and edit data to ensure that only correct data are entered into the computer.

ISACA

Input/output appendage

A routine designed to provide additional controls for system input/output operations.

FISCAM

Integrity controls

Implement security measures to ensure that electronically transmitted regulated data is not inadvertently modified or deleted without detection, until disposed of. Many information objects contain cyclic redundancy checks or checksums that indicate if the data has been corrupted while in storage or transit. These methods do not, however, protect against accidental or malicious modification of the data by an otherwise authorized user, who can simply recompute the checksum. Integrity proofing allows receivers of the object to verify that the information within it has not been modified and that the information comes from the claimed sender. The integrity proof is a type of checksum that is calculated from the original object and then encrypted using asymmetric (private/public key) encryption technology, producing a digital signature. Any modification after this digital signature is applied will fail the subsequent verification process. Replacing a digital signature is, in practical terms, not possible when the secret key, i.e. the private key of the private/public key pair, is unknown to the modifier.

HIPAA
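The distinction drawn above (a checksum detects corruption but can be recomputed by whoever changes the data, whereas a digital signature bound to the sender's private key cannot) is shown below in an added Go example that is not part of the UCF listing. The record contents, the CRC32/Ed25519 choice and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"hash/crc32"
)

// Constructed sample record standing in for a regulated data object in transit.
var SampleRecord = []byte("patient=0042;procedure=MRI;amount=1200.00")

// NewKeyPair creates the sender's private/public key pair (assumed to be Ed25519).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// ChecksumMatches reports whether a stored CRC32 still matches the data.
// A CRC catches accidental corruption in storage or transit, but anyone who
// can change the data can also recompute the CRC, so it is not an integrity proof.
func ChecksumMatches(data []byte, stored uint32) bool {
	return crc32.ChecksumIEEE(data) == stored
}

// Sign produces the integrity proof: a digest of the object bound to the
// sender's private key (Ed25519 hashes the message internally).
func Sign(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// Verify checks that data is unmodified and originates from the holder of the
// private key matching pub.
func Verify(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

// TamperOutcome records what each control reports after a modification.
type TamperOutcome struct {
	ChecksumStillMatches bool // true: the modifier silently "repaired" the CRC
	SignatureStillValid  bool // false: the original signature no longer verifies
	ForgedSigValid       bool // false: a signature made with another key is rejected
}

// Demonstrate models the scenario from the definition: a modifier changes the
// record and recomputes its checksum, but does not hold the signer's private key.
func Demonstrate(pub ed25519.PublicKey, priv ed25519.PrivateKey, original, modified []byte) TamperOutcome {
	sig := Sign(priv, original)
	// The modifier recomputes the CRC over the changed data; a checksum alone passes.
	newCRC := crc32.ChecksumIEEE(modified)
	// Without the sender's private key, the best the modifier can do is sign with some other key.
	_, otherPriv := NewKeyPair()
	forged := Sign(otherPriv, modified)
	return TamperOutcome{
		ChecksumStillMatches: ChecksumMatches(modified, newCRC),
		SignatureStillValid:  Verify(pub, modified, sig),
		ForgedSigValid:       Verify(pub, modified, forged),
	}
}

func main() {
	pub, priv := NewKeyPair()
	modified := []byte("patient=0042;procedure=MRI;amount=9200.00") // constructed tampering
	fmt.Printf("%+v\n", Demonstrate(pub, priv, SampleRecord, modified))
}
```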

Intellectual control

The control established over the informational content of records and archives resulting from ascertaining and documenting their provenance, and from the processes of arrangement and description.

DIRKS

Internal control

The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. A process, effected by organization management and other personnel, designed to provide reasonable assurance that 1) operations, including the use of organization resources, are effective and efficient; 2) financial reporting, including reports on budget execution, financial statements, and other reports for internal and external use, is reliable; and 3) applicable laws and regulations are followed. Internal control also includes the safeguarding of organization assets against unauthorized acquisition, use, or disposition. Internal control consists of five interrelated components that form an integrated process that can react to changing circumstances and conditions within the organization. These components include the control environment, risk assessment, control activities, information and communication, and monitoring. See also internal control structure.

FISCAM, GAO/PCIE Financial Audit Manual, ISACA, Centers for Medicare & Medicaid Services (CMS), CobiT

Internal control structure

The dynamic, integrated processes, effected by the governing body, management and all other staff, that are designed to provide reasonable assurance regarding the achievement of the following general objectives: effectiveness, efficiency and economy of operations; reliability of management; compliance with applicable laws, regulations and internal policies. Management's strategies for achieving these general objectives are affected by the design and operation of the following components: control environment, information system, and control procedures. See also internal control.

FISCAM, ISACA

Investigation

The review and analysis of system security features (e.g., the investigation of system control programs using flow charts, assembly listings, and related documentation) to determine the security provided by the operating system.

Centers for Medicare & Medicaid Services (CMS)

IT governance

A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes. See also governance, corporate governance.

ISACA

Library control/management

The function responsible for controlling program and data files that are either kept online or are on tapes and discs that are loaded onto the computer as needed.

FISCAM, Centers for Medicare & Medicaid Services (CMS)

Logical access control

A technical means of controlling what information users can utilize, the programs they can run, and the modifications they can make. The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files. The use of computer hardware and software to prevent or detect unauthorized access. For example, users may be required to input user identification numbers, passwords, or other identifiers that are linked to predetermined access privileges.

FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS)

Management controls

Controls put in place to manage computer security systems or applications and the associated risks. The organization, policies, and procedures used to provide reasonable assurance that 1) programs achieve their intended result, 2) resources are used consistent with the organization's mission, 3) programs and resources are protected from waste, fraud, and mismanagement, 4) laws and regulations are followed, and 5) reliable and timely information is obtained, maintained, reported, and used for decision-making.

FISCAM, Centers for Medicare & Medicaid Services (CMS), FIPS Pubs, NIST 800 Series

Management system

The framework of policy and processes that ensures an organization can achieve its objectives.

ITIL

Mandatory Access Control (MAC)

A means of restricting access to system resources based on the sensitivity (as represented by a label) of the information contained in the system resource and the formal authorization (i.e., clearance) of users to access information of such sensitivity.

NIST 800 series, US National Information Assurance (IA) Glossary, PCI-DSS

Operational controls

The day-to-day security procedures and mechanisms to protect operational systems. The operational controls consist of the physical, environmental, and personnel security controls. These controls relate to managing the entity's business and include policies and procedures to carry out organizational objectives such as planning, productivity, programmatic, quality, economy, efficiency, and effectiveness objectives. Management uses these controls to provide reasonable assurance that the organization 1) meets its goals, 2) maintains quality standards, and 3) does what management directs it to do.

FISCAM, GAO/PCIE Financial Audit Manual, ISACA, Centers for Medicare & Medicaid Services (CMS), FIPS Pubs, NIST 800 Series

Plan of Action and Milestones (POA&M)

A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones.

NIST 800 series, OMB Memorandum 02-01

Privacy impact assessment

An analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.

NIST 800 series, OMB Memorandum 03-22

Remediation

The act of correcting a vulnerability or eliminating a threat. Three possible types of remediation are installing a patch, adjusting configuration settings, or uninstalling a software application.

NIST 800 series

Remediation plan

A plan to perform the remediation of one or more threats or vulnerabilities facing an organization's systems. The plan typically includes options to remove threats and vulnerabilities and priorities for performing the remediation.

NIST 800 series

Risk Assessment (RA)

The term risk assessment is used to characterize both the process and the result of analyzing and assessing risk. A part of risk management, risk assessment comprises the initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats. See also CRAMM, risk analysis.

FISCAM, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005, ISO/IEC Guide 73:2002, NIST 800 series, ITIL, US National Information Assurance (IA) Glossary, PAS 56, BS 25999

Safeguards

Protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Synonymous with security controls and countermeasures. See also safeguarding controls.

FIPS Pubs, NIST 800 Series

Security control enhancements

Statements of security capability to: 1) build in additional, but related, functionality to a basic control; and/or 2) increase the strength of a basic control.

NIST 800 series

Security controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

FIPS Pubs, US National Information Assurance (IA) Glossary, NIST 800 Series

System access control

This system manages end user access to computers and the software residing within them in order to manage the need-to-know and need-to-do of users attempting to access, change, or delete regulatory data. See also authentication and access control.

HIPAA, Centers for Medicare & Medicaid Services (CMS), ISO/IEC 27001:2005

System acquisition process

The procedures established to purchase application software, or an upgrade, including evaluation of the supplier's financial stability, track record, resources, and references from existing customers.

ISACA

System event auditing

The process of identifying, detecting, and logging a set of predefined system and user activities.

Centers for Medicare & Medicaid Services (CMS)

System integrity

System integrity is a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. It is the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.

National Computer Security Center Pub. NCSC-TC-004-88, US National Information Assurance (IA) Glossary, NIST 800 Series

System security

Refers to the concepts, techniques, technical measures, and administrative measures used to protect the hardware, software, and data of an information processing system from deliberate or inadvertent unauthorized acquisition, damage, destruction, disclosure, manipulation, modification, use, or loss. See also system security plan.

Centers for Medicare & Medicaid Services (CMS), FIPS Pubs, US National Information Assurance (IA) Glossary

System testing

Testing to determine that the results generated by the enterprise's information systems and their components are accurate and the systems perform to specification. These test procedures typically are performed by the system maintenance staff in their development library.

FISCAM, ISACA, Centers for Medicare & Medicaid Services (CMS)

System-specific security control

A security control for an information system that has not been designated as a common security control.

NIST 800 series

Systems analysis and design

The process used to develop a system. The systems development life cycle is the traditional methodology used by information system professionals to develop a new computer application. It includes three general phases: definition, construction, and implementation. The methodology defines the activities necessary for these three phases, as well as a framework for planning and managing a development project. Operations and maintenance are included in the implementation phase. See also System Development Life Cycle methodology.

DIRKS

Technical controls

The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. Technical controls can also be found in software measures that ensure the confidentiality, availability, and integrity of a system and/or data. See also logical access control.

FISCAM, Centers for Medicare & Medicaid Services (CMS), FIPS Pubs, US National Information Assurance (IA) Glossary, NIST 800 Series

Training effectiveness evaluation

Information collected to assist employees and their supervisors in assessing individual students' subsequent on-the-job performance, to provide trend data to assist trainers in improving both learning and teaching, and to be used in return-on-investment statistics to enable responsible officials to allocate limited resources in a thoughtful, strategic manner among the spectrum of IT security awareness, security literacy, training, and education options for optimal results among the workforce as a whole.

NIST 800 series