Welcome » IT Booklets » Audit » Appendix B: Glossary
G I O R S T
GGeneral controls - Controls, other than application controls, that relate to the environment within which application systems are developed, maintained, and operated, and that are therefore applicable to all the applications at an institution. The objectives of general controls are to ensure the proper development and implementation of systems, and the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IT strategy and an IT security policy, the organization of IT staff to separate conflicting duties and planning for disaster prevention and recovery.IIndependence - Self-governance, freedom from conflict of interest and undue influence. The IT auditor should be free to make his or her own decisions, not influenced by the organization being audited, or by its managers and employees. OOutsourcing - The practice of contracting with another entity to perform services that might otherwise be conducted in-house. Contracted relationship with a third party to provide services, systems, or support.RRisk - The potential that events, expected or unanticipated, may have an adverse effect on a financial institution’s earnings, capital, or reputation.Risk assessment - A prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat. SSecurity Audit - An independent review and examination of system records and activities to test for adequacy of system controls, ensure compliance with established policy and operational procedures, and recommend any indicated changes in control, policy, and procedures.Security log - A record that contains login and logout activity and other security-related events and that is used to track security-related information on a computer system. Social engineering - A general term for trying to trick people into revealing confidential information or performing certain actions.SQL Injection Attack - An exploit of target software that constructs structure query language (SQL) statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database. Systems development life cycle - An approach used to plan, design, develop, test, and implement an application system or a major modification to an application system. TThird-party relationship - Any business arrangement between a financial institution and another entity, by contract or otherwise.