Audit
An official examination and verification of accounts and records, especially of financial accounts.
http://dictionary.reference.com/browse/audit
Basel II
An international standard developed by the Basel Committee on Banking Supervision that requires financial institutions to maintain enough cash reserves to cover their operational risks.
Basel III
An international standard developed by the Basel Committee on Banking Supervision that builds on Basel I and II to strengthen the banking sector’s ability to deal with financial stress. Basel III effectively triples the size of the capital reserves that the world’s banks must hold against losses. The new rules will be phased in from January 2013 through January 2019.
Behavioral Analytics
The science of analyzing patterns and transactions activity to provide a unified view of user activity and ultimately a predictive model of user behavior.
Collector
An information or data aggregator that facilitates communication between a SIEM (Security Information and Event Management) engine and another data source.
Compliance
Adherence to a rule, regulation, policy, or guidance.
Continuous Audit (CA)
A constant and consistent evaluation of activities or inputs against a standard for record keeping or information gathering, particularly in financial institutions.
Continuous Monitoring (CM)
An ongoing assessment of the effectiveness of controls and policies, particularly with regard to security or compliance.
Data Loss Prevention (DLP)
A computer security term referring to systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection, contextual security analysis of transactions (attributes of the originator, data object, medium, timing, recipient/destination, and so on), and a centralized management framework.
http://en.wikipedia.org/wiki/Data_loss_prevention_software
Electronic Health Record (EHR)
A longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting. Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data, and radiology reports.
http://www.himss.org/ASP/topics_ehr.asp
Enterprise Fraud Management (EFM)
The process of monitoring, detecting, and preventing a range of abuses in large organizations. These abuses include deceptive activity for financial or material gain, information misuse or abuse, and IT sabotage. Among the EFM software solutions available today, the most effective are those that provide continuous monitoring, 100 percent visibility into user activity, real-time alerts, and zero impact on system performance.
FIPS 140-2 (Federal Information Processing Standard 140-2)
A computer security standard published by the National Institute of Standards and Technology (NIST) that is used to accredit cryptographic modules. FIPS 140-2 defines the U.S. government security requirements that must be satisfied by a cryptographic module used in a security system protecting unclassified information within IT systems. FIPS 140-2 includes specifications for algorithms, hash algorithms, and key negotiation standards.
http://www.nist.gov/itl/fips.cfm
FIPS Validated
Verification that a cryptography module or implementation has been formally validated by NIST laboratories.
FISMA (Federal Information Security Management Act)
A U.S. law enacted in 2002 to protect the integrity, security, and availability of government systems from natural or manmade threats. The National Institute of Standards and Technology (NIST) regularly issues guidance on security best practices, develops information security standards (Federal Information Processing Standards), and provides guidelines (Special Publications in the 800-series) for non-national security federal information systems in support of FISMA. Noncompliance with FISMA is published publicly by Congress in the form of agency scorecards. Poor FISMA compliance may result in a requirement to report before Congress, and significant budget-related penalties may be applied.
http://csrc.nist.gov/groups/SMA/fisma/index.html
Fraud
The definition of fraud has evolved as fraudsters become increasingly sophisticated and new threats and vulnerabilities are discovered in our complex information systems. Today, the word “fraud” covers the following types of activities:
- Intentional action for personal financial gain
In the simplest terms, fraud occurs when an individual knowingly engages in deceptive activity that benefits themselves or others. In the majority of fraud instances, the benefit is expressed in financial or material gain.
- Information misuse or abuse
Information misuse or abuse occurs when an individual knowingly, or unknowingly, commits an act contrary to an implicit or explicit policy around information control. These violations often impact the personal privacy of an individual or individuals, and may involve compliance and regulatory violations.
- IT attack or sabotage
IT attack or sabotage is defined as an underhanded attempt to disrupt normal activities, often related to commerce, production, or other business functions. This type of attack may involve vandalism of confidential information.
Spotting fraud can be difficult for two reasons: Traditional logging captures only about 25 percent of the activity that occurs, and nefarious actors often take pains to obscure their activities.
Gap Analysis/Assessment
A method of benchmarking compliance, audit, and security weaknesses, particularly when determining how to address enterprise risk.
GLBA (Gramm-Leach-Bliley Act)
A U.S. law enacted in 1999 to protect the personal financial information of consumers that is held by financial institutions. Under GLBA, financial institutions are required to implement safeguards that provide information security, privacy, and data integrity.
HIPAA (Health Insurance Portability and Accountability Act)
A U.S. law enacted in 1996 that preserves the privacy and security of personal health records. HIPAA requires that organizations in the healthcare industry adhere to specific physical, administrative, and technical safeguards in order to prevent unauthorized access to and manipulation of electronically stored and transmitted patient health information.
Insider
Any trusted party with credentialed access to a computer or security system and knowledge of how that system operates and the controls that act upon it.
J-SOX (Japanese Sarbanes-Oxley Act)
The Japanese version of SOX, a U.S. law enacted in 2002 that regulates financial practices and corporate governance of public companies. Designed to protect the integrity of a public company’s financial data, J-SOX mandates that Japanese companies use a framework for internal controls over financial reporting systems (including the underlying information technology).
Log File
A computer file in which a program records certain events if logging is turned on. These files may serve as an audit trail, a diagnostic aid, or a security measure.
http://www.businessdictionary.com/definition/log-file.html
Network (or Computer Network)
A collection of hardware components and computers interconnected by communication channels that allow sharing of resources and information.
http://en.wikipedia.org/wiki/Computer_network
Network Traffic
Data, encapsulated in packets, that traverses the network.
Packet
In computer networking, a formatted unit of data carried by a packet mode computer network.
http://en.wikipedia.org/wiki/Network_packet
PCI DSS (Payment Card Industry Data Security Standard)
A U.S. industry standard maintained by the PCI Security Standards Council that dictates rules for handling sensitive cardholder data—both in transit and in storage. Because PCI DSS is an industry standard, there are no government penalties for violations. But businesses (credit card companies, merchants, and service providers) that fail to comply may be restricted in their use of credit card services.
Risk Profile
An understanding of the hazards and potential impacts of a security event in a specific enterprise environment.
Sniffer
A network packet analyzer.
SOX (Sarbanes-Oxley Act)
A U.S. law enacted in 2002 to protect the financial information of public companies. SOX requires that companies ensure the integrity of data used in public financial statements. It holds CEOs and CFOs accountable for the accuracy of financial statements. And it specifies financial reporting responsibilities, including adherence to internal controls and procedures designed to ensure the validity of financial records. The Securities and Exchange Commission oversees SOX compliance.
Acronym Key

| Acronym | Meaning |
| --- | --- |
| CA | Continuous audit |
| CCM | Continuous controls monitoring |
| CCM-SOD | Continuous controls monitoring for segregation of duties |
| DLP | Data loss prevention |
| EFM | Enterprise fraud management |
| ePHI | Electronic patient health information |
| EHR | Electronic health record |
| ERP | Enterprise resource planning |
| FIPS | Federal Information Processing Standard |
| FISMA | Federal Information Security Management Act |
| GLBA | Gramm-Leach-Bliley Act |
| GRC | Governance, risk and compliance |
| HIPAA | Health Insurance Portability and Accountability Act |
| HITECH | Health Information Technology for Economic and Clinical Health Act |
| IC | Internal controls |
| PHI | Patient health information |
| PII | Personally identifiable information |
| SHA | Secure hash algorithm |
| SIEM | Security information and event management |
| SOD | Segregation of duties |
| SOX | Sarbanes-Oxley Act |