Certified Information Systems Auditor Glossary

Definitions and pro-tips for the CISA certification.

A

Acceptable Use Policy

An Acceptable Use Policy (AUP) is a documented set of rules specifying permissible and prohibited uses of an organization’s information assets, including hardware, software, and data. It defines user responsibilities and outlines consequences for policy violations, promoting responsible technology usage.

Access Control List (ACL)

An Access Control List (ACL) is a set of rules specifying which users or system entities are granted access to specific objects or resources. ACLs define permissions – read, write, execute – controlling what actions are allowed on those resources, providing granular control over data access.
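A worked illustration of how ACL entries are evaluated, added here and not taken from any particular product. It assumes a constructed ACL format (an ordered list of entries naming a user or `group:` principal, a permission set, and an allow/deny effect) with the two conventions an auditor most often checks for: an explicit deny overrides any allow, and anything not matched is denied by default.

```python
"""Added example: a minimal ACL evaluator (constructed format, not from the glossary).

Each entry names a principal ("alice" or "group:finance"), a set of
permissions drawn from read/write/execute, and an effect of allow or deny.
Explicit deny wins over allow; unmatched requests fall through to deny.
"""
from dataclasses import dataclass, field

ACTIONS = frozenset({"read", "write", "execute"})


@dataclass(frozen=True)
class AclEntry:
    principal: str            # "alice" or "group:finance"
    permissions: frozenset    # subset of ACTIONS
    effect: str = "allow"     # "allow" or "deny"


@dataclass
class Subject:
    user: str
    groups: frozenset = field(default_factory=frozenset)


def _matches(entry: AclEntry, subject: Subject) -> bool:
    """True when the entry's principal refers to this subject or one of its groups."""
    if entry.principal.startswith("group:"):
        return entry.principal[len("group:"):] in subject.groups
    return entry.principal == subject.user


def is_permitted(acl: list, subject: Subject, action: str) -> bool:
    """Return True only if some entry allows `action` and no entry denies it."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    allowed = False
    for entry in acl:
        if not _matches(entry, subject) or action not in entry.permissions:
            continue
        if entry.effect == "deny":
            return False          # explicit deny short-circuits the evaluation
        allowed = True
    return allowed                # default deny when nothing matched


# Constructed sample ACL for a payroll report (illustrative names only)
PAYROLL_REPORT_ACL = [
    AclEntry("group:finance", frozenset({"read"})),
    AclEntry("payroll-admin", frozenset({"read", "write"})),
    # contractor-bob is in the finance group but is explicitly excluded
    AclEntry("contractor-bob", frozenset({"read"}), effect="deny"),
]

if __name__ == "__main__":
    alice = Subject("alice", frozenset({"finance"}))
    bob = Subject("contractor-bob", frozenset({"finance"}))
    admin = Subject("payroll-admin")
    print("alice read :", is_permitted(PAYROLL_REPORT_ACL, alice, "read"))
    print("alice write:", is_permitted(PAYROLL_REPORT_ACL, alice, "write"))
    print("bob read   :", is_permitted(PAYROLL_REPORT_ACL, bob, "read"))
    print("admin write:", is_permitted(PAYROLL_REPORT_ACL, admin, "write"))
```

When reviewing a real ACL, the two questions this code makes concrete are whether the default is deny and whether group grants can be overridden for individual exceptions; both are common findings when the answer is no.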

Agile Methodology

Agile methodology is an iterative approach to project management and software development emphasizing flexibility, collaboration, and rapid response to change. It breaks down projects into smaller, manageable sprints, delivering incremental value and incorporating feedback throughout the development process, unlike traditional waterfall methods.

Attribute Sampling

Attribute sampling is a statistical sampling approach evaluating the presence or absence of a specified attribute within a population. It determines the rate of occurrences for characteristics like proper authorization or adherence to policy. Results are expressed as a percentage of items possessing the attribute.
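An added worked example of evaluating an attribute sample; it is not part of the glossary. Given a sample of n items with k deviations, it reports the observed deviation rate as a percentage and an upper deviation limit at a chosen confidence level, computed from the exact binomial distribution (the assumption is a large population, so sampling without replacement is approximated by the binomial). The reliance decision compares that upper limit with the tolerable deviation rate the auditor set when planning the test.

```python
"""Added example: evaluating an attribute sample (not from the glossary).

Inputs: sample size n, observed deviations k, tolerable deviation rate, and
confidence level. Output: sample deviation rate, upper deviation limit
(Clopper-Pearson one-sided upper bound), and whether reliance is supported.
Assumes a large population so the binomial model applies.
"""
from math import comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n: int, k: int, confidence: float = 0.95,
                          tol: float = 1e-9) -> float:
    """Smallest population deviation rate p such that observing k or fewer
    deviations in n items has probability <= 1 - confidence (bisection)."""
    if not 0 <= k <= n:
        raise ValueError("k must be between 0 and n")
    if not 0 < confidence < 1:
        raise ValueError("confidence must be in (0, 1)")
    if k == n:
        return 1.0
    lo, hi = k / n, 1.0          # the CDF is decreasing in p, so bisection works
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > 1 - confidence:
            lo = mid              # p too small: k deviations still too likely
        else:
            hi = mid
    return hi


def evaluate_attribute_sample(n: int, k: int, tolerable_rate: float,
                              confidence: float = 0.95) -> dict:
    """Summarise the test of controls result for the auditor's workpapers."""
    udl = upper_deviation_limit(n, k, confidence)
    return {
        "sample_deviation_rate_pct": round(100 * k / n, 2),
        "upper_deviation_limit_pct": round(100 * udl, 2),
        "control_reliance_supported": udl <= tolerable_rate,
    }


if __name__ == "__main__":
    # Constructed scenario: 60 purchase orders sampled for evidence of approval,
    # tolerable deviation rate 5%, 95% confidence.
    for deviations in (0, 2):
        print(deviations, "deviations ->", evaluate_attribute_sample(60, deviations, 0.05))
```

The expected-deviation-rate input of a planned sample is handled the same way in reverse: pick n so that the upper limit at the expected k stays below the tolerable rate. Note that with zero deviations in 60 items the upper limit is already close to 5%, which is why small samples only support reliance when no deviations are found.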

Audit Charter

The Audit Charter is a formal document outlining the internal audit function’s purpose, authority, and responsibility. Approved by the audit committee, it defines the audit’s scope, objectivity, and reporting structure. It establishes the auditor’s position within the organization and ensures alignment with the Institute of Internal Auditors (IIA) standards.

Audit Risk

Audit Risk is the probability that an auditor will fail to detect a material misstatement in the information system being audited. It’s a function of inherent risk, control risk, and detection risk. Effective audit planning and execution aim to reduce audit risk to an acceptable level through appropriate procedures.

Audit Trail

An audit trail is a sequential record of system activities, including user actions, data modifications, and system events. It provides a verifiable history for accountability, security investigations, and compliance auditing, enabling reconstruction of events and identification of anomalies.

B

Business Continuity Plan (BCP)

A Business Continuity Plan (BCP) defines critical business functions and the procedures to maintain them during and after a disruption. It prioritizes operational resilience, encompassing people, processes, and technology. The BCP aims to minimize downtime and financial losses, ensuring continued service delivery.

Business Continuity Planning (BCP)

Business Continuity Planning (BCP) establishes a framework of policies and procedures to ensure an organization can continue essential business functions during and after a disruptive event. It encompasses risk assessment, recovery strategies, and ongoing maintenance to minimize operational and financial impacts.

Business Impact Analysis (BIA)

A Business Impact Analysis (BIA) systematically evaluates the potential consequences of disruptions to critical business functions. It identifies essential resources, estimates downtime tolerance (RTO/RPO), and quantifies financial and operational impacts to prioritize recovery efforts during a disaster.

Business Process

A Business Process is a series of logically related activities designed to achieve a specific organizational objective. These processes define how work is performed, resources are utilized, and value is delivered to stakeholders, forming the foundation for effective governance and risk management.

Business Process Reengineering (BPR)

Business Process Reengineering (BPR) involves a fundamental rethinking and radical redesign of business processes to achieve dramatic improvements in critical contemporary measures of performance, such as cost, quality, service, and speed. It often necessitates significant IT system changes and organizational restructuring.

Business Resiliency

Business Resiliency encompasses an organization’s ability to withstand and recover from disruptions, maintaining critical business functions. It integrates business continuity (sustaining operations during disruption) and disaster recovery (restoring systems after disruption) with proactive resilience planning to minimize impact.

C

Change Management

Change Management is a structured approach to controlling modifications to IT systems and infrastructure. It encompasses request submission, impact assessment, authorization, testing, implementation, and documentation to minimize disruptions and maintain system stability and security.

COBIT

COBIT (Control Objectives for Information and Related Technologies) is a comprehensive IT governance and management framework developed by ISACA. It provides a structured approach to align IT with business goals, manage IT-related risks, and optimize IT investments across an organization’s enterprise.

Cold Site

A cold site is a disaster recovery facility providing basic infrastructure—space, power, and cooling—but lacking pre-installed hardware or data. It requires significant time and effort to become operational, as all equipment and data must be transported and configured after a disaster declaration.

Compensating Controls

Compensating controls are alternative safeguards implemented when a primary control is not feasible due to cost, technical limitations, or operational constraints. They provide a comparable level of protection, reducing risk to an acceptable threshold, and require thorough documentation justifying their use.

Compliance Testing

Compliance Testing involves evaluating whether controls are operating effectively and consistently as designed. Auditors perform procedures to verify that policies and procedures are being followed, providing assurance that controls are functioning as intended. Documentation review and observation are common techniques.

Configuration Management

Configuration Management establishes and maintains information about IT components, their relationships, and their attributes throughout their lifecycle. This process ensures accurate control of IT assets, supports change management, and provides a reliable baseline for security and operational stability.

Control Objectives

Control Objectives are defined statements of desired outcomes for information systems, aligning with organizational goals. They establish criteria for evaluating control effectiveness and provide a basis for audit procedures. These objectives are crucial for ensuring risks are mitigated to acceptable levels and value is delivered.

Control Risk

Control Risk represents the probability that an organization’s internal controls will fail to prevent or detect material misstatements. It is a key component of inherent risk assessment and directly impacts the extent of substantive testing required. Effective controls reduce control risk, minimizing potential errors or fraud.

Control Self-Assessment (CSA)

Control Self-Assessment (CSA) is a peer review process where control owners evaluate the design and operational effectiveness of controls within their areas of responsibility. This collaborative approach promotes ownership and accountability, identifying control gaps and improvement opportunities through facilitated workshops and questionnaires.

Corrective Control

Corrective controls mitigate the impact of security incidents or errors after they occur. These actions restore systems to a normal state, rectify data inaccuracies, or address vulnerabilities exploited during an event. Examples include restoring from backups, applying patches, or re-performing processes.

Corrective Controls

Corrective controls mitigate the impact of security incidents or errors that have already occurred. These actions restore systems to a normal state, rectify data inaccuracies, or address policy violations. Examples include system reboots, data restoration from backups, and applying security patches post-incident.

COSO Framework

The COSO Internal Control—Integrated Framework provides a comprehensive structure for designing, implementing, and evaluating internal controls. Its five interconnected components—Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities—work together to provide reasonable assurance regarding the achievement of organizational objectives.

D

Data Classification

Data classification is the systematic process of categorizing information based on its level of sensitivity, criticality, and legal or regulatory requirements. This categorization determines the appropriate security controls and handling procedures to protect data throughout its lifecycle, ensuring confidentiality, integrity, and availability.

Data Encryption

Data encryption transforms readable data (plaintext) into an unreadable format (ciphertext) using cryptographic algorithms. This process protects data confidentiality by rendering it inaccessible to unauthorized individuals, safeguarding it during storage and transmission. Key management is a critical aspect of effective encryption.

Data Governance

Data Governance establishes the framework for managing data assets throughout their lifecycle. It encompasses policies, standards, and processes ensuring data quality, integrity, compliance, and accessibility. Effective governance supports informed decision-making and minimizes data-related risks within an organization.

Data Integrity

Data integrity ensures the accuracy, completeness, and reliability of data throughout its entire lifecycle. This encompasses protection against unauthorized modification, deletion, or creation, maintaining data consistency and validity for informed decision-making and regulatory compliance.

Data Loss Prevention (DLP)

Data Loss Prevention (DLP) utilizes technologies and processes to identify, monitor, and protect sensitive data in use, in motion, and at rest. It prevents unauthorized disclosure or exfiltration of confidential information through content inspection, contextual analysis, and enforcement of predefined policies.

Data Migration

Data migration is the transfer of data between storage types, formats, or computer systems. It’s a critical process involving extraction, transformation, and loading (ETL) to ensure data integrity and accessibility in the new environment. Proper planning minimizes downtime and data loss during the transition.

Detection Risk

Detection Risk is the risk that the auditor’s procedures will not identify a material misstatement that exists. It is inversely related to the effectiveness of audit procedures and sample size. Auditors manage Detection Risk through careful planning, execution, and evaluation of audit evidence.

Detective Control

Detective controls are measures designed to identify errors, irregularities, or security incidents *after* they have occurred. These controls do not prevent issues but provide timely notification, allowing for investigation and corrective action to mitigate potential damage or loss. Examples include log monitoring and reconciliation.

Detective Controls

Detective controls are security measures implemented to identify and flag errors, omissions, or malicious activities *after* they have occurred. These controls provide evidence of incidents and support investigations, enabling corrective actions and preventing future occurrences through analysis of past events.

Disaster Recovery Plan (DRP)

A Disaster Recovery Plan (DRP) details the technical processes and resources required to restore IT infrastructure, data, and applications following a disruptive event. It focuses on recovery time objectives (RTOs) and recovery point objectives (RPOs) to minimize data loss and system downtime.

Due Care

Due Care represents the level of prudence and caution exercised by a reasonable and competent professional under similar circumstances. It’s a legal standard used to determine negligence, requiring organizations to proactively protect assets and information through appropriate policies and procedures.

Due Diligence

Due Diligence is a thorough investigation and evaluation conducted prior to entering into an agreement or transaction, such as a merger, acquisition, or outsourcing arrangement. It assesses the risks and benefits associated with the target entity, including its IT systems and security posture.

Due Professional Care

Due Professional Care represents the diligence expected of a skilled and prudent auditor during an examination. This encompasses thorough planning, appropriate supervision, obtaining sufficient and reliable audit evidence, and comprehensive documentation of all procedures performed and findings identified during the audit process.

I

Incident Response Plan

An Incident Response Plan (IRP) outlines the organized approach an organization takes to address and manage the aftermath of a security breach or disruptive event. It defines roles, responsibilities, and procedures for identification, containment, eradication, recovery, and post-incident activity.

Independence

Independence in IS audit signifies the objectivity and impartiality of the auditor. It requires freedom from conflicts of interest, undue influence, and organizational pressures that could compromise the audit’s integrity. Both actual and perceived independence are critical for maintaining stakeholder trust and reliable audit results.

Information Systems

Information Systems are integrated components encompassing hardware, software, data, personnel, and defined procedures. These elements collectively collect, process, store, and disseminate information to support organizational operations and decision-making. Understanding their interdependence is critical for effective control.

Inherent Risk (Audit)

Inherent Risk represents the susceptibility of an assertion to material misstatement before considering any related internal controls. It’s influenced by factors like system complexity, transaction volume, and industry regulations. Higher inherent risk necessitates more rigorous audit procedures to obtain sufficient appropriate audit evidence.

Intrusion Detection System (IDS)

An Intrusion Detection System (IDS) is a security tool that monitors network and/or system activities for malicious activities or policy violations. It analyzes data packets and system logs, generating alerts when suspicious events are identified, enabling security personnel to investigate and respond to potential threats.

IS Audit

IS Audit is a systematic evaluation of information systems, governance, and processes. It assesses controls to ensure the confidentiality, integrity, and availability of data, as well as compliance with policies, regulations, and objectives. Audits provide independent assurance to stakeholders regarding risk management and control effectiveness.

IT Audit

An IT Audit is a systematic process of objectively obtaining and evaluating evidence to determine whether systems, processes, and controls are designed and operating effectively. It assesses risks related to data integrity, system availability, regulatory compliance, and the achievement of organizational objectives.

IT Controls

IT Controls are safeguards—policies, procedures, standards, and technologies—implemented to protect the confidentiality, integrity, and availability of information assets. These controls mitigate risks related to unauthorized access, modification, or destruction of data and systems, ensuring compliance and operational efficiency.

IT Governance

IT Governance establishes the organizational structures, processes, and relationships needed to direct and control IT activities. It aligns IT strategy with business objectives, ensures accountability, optimizes resource utilization, and manages IT-related risks to deliver value and achieve strategic goals.

IT Steering Committee

An IT Steering Committee is a cross-functional group of senior leaders responsible for aligning IT strategy with overall business goals. It prioritizes IT investments, oversees major projects, and ensures IT resources are allocated effectively to support organizational objectives and manage associated risks.

IT Strategy Alignment

IT Strategy Alignment is the systematic process of integrating information technology investments and initiatives with an organization’s overarching business strategy. This ensures IT resources directly contribute to achieving strategic objectives, enhancing competitive advantage, and maximizing return on investment for the enterprise.

ITIL

ITIL (Information Technology Infrastructure Library) is a globally recognized framework providing best practices for IT service management. It emphasizes aligning IT services with business needs through a lifecycle approach, encompassing strategy, design, transition, operation, and continual improvement of services.

P

Patch Management

Patch Management is a systematic approach to acquiring, testing, and deploying software updates to correct vulnerabilities and improve system stability. This process includes vulnerability scanning, risk assessment, patch deployment, and verification of successful implementation across the IT environment.

Penetration Testing

Penetration Testing is an authorized simulated cyberattack against an organization’s computer systems to evaluate the effectiveness of security controls. It aims to identify exploitable vulnerabilities by actively attempting to breach security defenses, mimicking real-world attacker tactics and techniques.

Physical Access Controls

Physical Access Controls are security measures implemented to restrict unauthorized physical access to sensitive areas, including facilities, equipment rooms, and data centers. These controls encompass perimeter security, surveillance systems, environmental safeguards, and personnel security procedures to protect assets from physical threats.

Preventive Control

Preventive controls are proactive measures implemented *before* a transaction or event occurs to minimize the risk of errors, fraud, or security breaches. These controls aim to deter undesirable events by establishing policies, procedures, or physical safeguards that prevent issues from arising.

Preventive Controls

Preventive Controls are proactive security measures designed to deter errors, fraud, or security incidents before they occur. These controls aim to minimize risks by establishing policies, procedures, and technologies that restrict unauthorized actions and enforce compliance with established security standards and organizational guidelines.

R

Recovery Point Objective (RPO)

Recovery Point Objective (RPO) defines the maximum tolerable amount of data loss, measured as a period of time, following a disruptive event. It represents the point in time to which data must be restored. RPO directly determines backup frequency and data restoration granularity, influencing business continuity.

Recovery Time Objective (RTO)

Recovery Time Objective (RTO) defines the maximum acceptable length of time that a business function or IT system can be unavailable following a disruptive event. It represents the targeted duration for restoration, influencing the selection of appropriate business continuity and disaster recovery strategies.
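An added example, not part of the glossary, that puts the RPO and RTO definitions above side by side on one constructed disruption. Given the backup timestamps, the time of the incident and the time service was restored, it measures the actual data-loss window against the RPO and the actual downtime against the RTO. It also checks the backup schedule itself: the worst-case data loss equals the largest gap between consecutive backups, so a schedule whose largest gap exceeds the RPO cannot meet it regardless of when the incident strikes. All times and targets are constructed.

```python
"""Added example: measuring a disruption against RPO and RTO (constructed data)."""
from datetime import datetime, timedelta
from typing import Optional


def last_backup_before(backups: list, incident_time: datetime) -> Optional[datetime]:
    """Most recent backup completed at or before the incident, or None."""
    candidates = [b for b in backups if b <= incident_time]
    return max(candidates) if candidates else None


def worst_case_data_loss(backups: list) -> timedelta:
    """Largest interval between consecutive backups: the most data that could
    be lost if an incident occurs just before the next backup."""
    if len(backups) < 2:
        raise ValueError("need at least two backups to measure the schedule")
    ordered = sorted(backups)
    return max(b - a for a, b in zip(ordered, ordered[1:]))


def assess_recovery(backups: list, incident_time: datetime,
                    restored_time: datetime, rpo: timedelta, rto: timedelta) -> dict:
    """Compare what actually happened with the RPO/RTO targets."""
    if restored_time < incident_time:
        raise ValueError("service cannot be restored before the incident")
    last = last_backup_before(backups, incident_time)
    data_loss = (incident_time - last) if last is not None else None
    downtime = restored_time - incident_time
    return {
        "data_loss": data_loss,
        "rpo_met": data_loss is not None and data_loss <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
        "schedule_can_meet_rpo": worst_case_data_loss(backups) <= rpo,
    }


# Constructed scenario: six-hourly backups, a four-hour RPO and a four-hour RTO.
BACKUPS = [datetime(2024, 3, 10, h, 0) for h in (0, 6, 12, 18)]
INCIDENT = datetime(2024, 3, 10, 15, 30)
RESTORED = datetime(2024, 3, 10, 19, 45)
RPO = timedelta(hours=4)
RTO = timedelta(hours=4)

if __name__ == "__main__":
    for key, value in assess_recovery(BACKUPS, INCIDENT, RESTORED, RPO, RTO).items():
        print(f"{key:22}: {value}")
```

In the constructed scenario the incident happens to fall 3.5 hours after a backup, so this particular event meets the RPO, yet the six-hour schedule cannot guarantee a four-hour RPO; that distinction between one lucky outcome and a control that is designed to meet the objective is the point an auditor looks for in a BCP review.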

Remote Access

Remote access enables authorized users to connect to an organization’s network and resources from geographically distant locations. Secure implementations utilize technologies like Virtual Private Networks (VPNs) and require robust authentication mechanisms to protect sensitive data and systems from unauthorized access.

Residual Risk

Residual Risk represents the level of risk remaining after implementing controls to mitigate identified threats. It is the portion of risk that cannot be eliminated through reasonable measures and must be accepted or further addressed through alternative strategies like risk transfer or avoidance.

Risk Management

Risk Management is a systematic process for identifying, analyzing, evaluating, and mitigating potential threats and vulnerabilities to organizational assets. It involves prioritizing risks based on likelihood and impact, and implementing controls to reduce exposure to acceptable levels. Continuous monitoring is essential.

Root Cause Analysis

Root Cause Analysis (RCA) is a structured, systematic problem-solving method used to identify the fundamental reasons an incident occurred. It moves beyond superficial symptoms to uncover underlying issues, preventing recurrence through corrective actions and process improvements, ultimately enhancing system reliability.

S

Sampling

Sampling is the application of audit procedures to less than the entire population of items. It’s used to gather sufficient appropriate audit evidence when testing large volumes of data. Sampling allows auditors to form conclusions about the population without examining every item individually.

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX) is a US federal law enacted in 2002 to protect investors from fraudulent accounting practices. It establishes standards for corporate governance, internal controls, and financial reporting for public companies, holding executives accountable for the accuracy of financial statements.

Segregation of Duties

Segregation of Duties (SoD) is a critical internal control designed to minimize fraud and errors. It prevents any single individual from controlling all phases of a transaction or process by dividing responsibilities among multiple people, ensuring independent checks and balances.
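The following is an added example tying three of the glossary’s entries together: it parses an audit trail, applies a detective control over it, and the control it applies is a Segregation of Duties check (the same person both creating and approving a payment). The log format, the action names and the sample records are all constructed for illustration and are not from any real system.

```python
"""Added example: a detective SoD check run over a constructed audit trail.

Record format (constructed): "<timestamp> user=<name> action=<ACTION> id=<txn>".
A violation is any transaction where one user performed both actions of a
conflicting pair, e.g. CREATE_PAYMENT and APPROVE_PAYMENT.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+id=(?P<id>\S+)$"
)

# Pairs of duties that the same person must not perform on one transaction.
CONFLICTING_PAIRS = (
    ("CREATE_PAYMENT", "APPROVE_PAYMENT"),
    ("CREATE_VENDOR", "CREATE_PAYMENT"),
)


def parse_audit_trail(lines: list) -> list:
    """Turn raw records into dicts; an unparseable record is itself a finding,
    so it raises rather than being silently skipped."""
    events = []
    for number, line in enumerate(lines, start=1):
        match = LINE_RE.match(line.strip())
        if not match:
            raise ValueError(f"line {number}: unrecognised audit record: {line!r}")
        events.append(match.groupdict())
    return events


def find_sod_violations(events: list) -> list:
    """Return one finding per (transaction, user, conflicting pair)."""
    actors_by_txn = defaultdict(lambda: defaultdict(set))
    for event in events:
        actors_by_txn[event["id"]][event["action"]].add(event["user"])

    violations = []
    for txn_id, actors in actors_by_txn.items():
        for first, second in CONFLICTING_PAIRS:
            for user in actors.get(first, set()) & actors.get(second, set()):
                violations.append({"id": txn_id, "user": user, "actions": (first, second)})
    return sorted(violations, key=lambda v: (v["id"], v["user"], v["actions"]))


# Constructed sample audit trail
SAMPLE_TRAIL = [
    "2024-03-10T09:12:03Z user=alice action=CREATE_PAYMENT id=P-1001",
    "2024-03-10T09:40:17Z user=bob action=APPROVE_PAYMENT id=P-1001",
    "2024-03-10T10:02:55Z user=carol action=CREATE_PAYMENT id=P-1002",
    "2024-03-10T10:03:09Z user=carol action=APPROVE_PAYMENT id=P-1002",
    "2024-03-10T11:15:41Z user=dave action=CREATE_VENDOR id=P-1003",
    "2024-03-10T11:20:08Z user=dave action=CREATE_PAYMENT id=P-1003",
    "2024-03-10T11:45:30Z user=erin action=APPROVE_PAYMENT id=P-1003",
]

if __name__ == "__main__":
    for finding in find_sod_violations(parse_audit_trail(SAMPLE_TRAIL)):
        print(f"{finding['id']}: {finding['user']} performed both {finding['actions']}")
```

Two design points matter in practice: the check works only because every record carries a verified user identity (the audit trail’s integrity is the control’s foundation), and because it runs after the fact it is detective, so the finding still has to feed a corrective step such as re-approval by an independent person.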

Service Level Agreement (SLA)

A Service Level Agreement (SLA) is a documented agreement between a service provider and a customer outlining the expected level of service, including performance metrics, responsibilities, and remedies for non-compliance. It defines key performance indicators (KPIs) and establishes accountability.

Social Engineering

Social Engineering exploits human psychology to manipulate individuals into performing actions or divulging confidential information. Attackers leverage trust, fear, or helpfulness to bypass security controls. Common techniques include phishing, pretexting, baiting, and quid pro quo, often targeting weak authentication practices.

Substantive Testing

Substantive Testing consists of audit procedures performed to detect material misstatements at the assertion level. This includes tests of details and analytical procedures, directly examining financial statement balances, transactions, and disclosures to confirm accuracy and validity.

System Development Life Cycle (SDLC)

The System Development Life Cycle (SDLC) is a conceptual model used in project management that defines the stages involved in bringing a system to life. These phases include planning, analysis, design, implementation, testing, deployment, and maintenance, ensuring a structured approach to system development and ongoing support.