Business Continuity Planning - Appendix B: Glossary
A

Access - The ability to physically or logically enter or make use of an IT system or area (secured or unsecured). The process of interacting with a system.

Agency - A legal relationship between two parties who agree that one (the agent) is to act on behalf of another (the principal), subject to the latter’s general control. The principal generally is held liable for the agent’s actions.

Air-gapped environment - Security measure that isolates a secure network from unsecure networks physically, electrically, and electromagnetically.

Availability - Whether or how often a system is available for use by its intended users. Because downtime is usually costly, availability is an integral component of security.

B

Business continuity - The ability to maintain operations and services - both technology and business - in the event of a disruption to normal operations and services. Ensures that any impact or disruption of services is within a documented and acceptable recovery time period and that the system or operations is/are resumed at a documented and acceptable point in the processing cycle.

Business resilience - The capacity to maintain functions and organizational structure in the face of an internal or external change or threat, recover from a significant disruption, and continue critical operations with minimal impact.

C

Capacity planning - The process used to determine whether a service, application, or process is sufficient to handle volumes at peak times and meet growth projections for a specific period of time. Analysis should consider hardware (networks, servers, routers, etc.), software (operating system and application software), and personnel.

Classification - Categorization (e.g., “confidential,” “sensitive,” or “public”) of the information processed by the service provider on behalf of the receiver company.

Cloud computing - Generally a migration from owned resources to shared resources in which client users receive information technology services on demand from third-party service providers via the Internet “cloud.” In cloud environments, a client or customer relocates its resources — such as data, applications, and services — to computing facilities outside the corporate firewall, which the end user then accesses via the Internet.

Computer security - Technological and managerial procedures applied to computer systems to ensure the availability, integrity, and confidentiality of information managed by the computer system.

Confidentiality - Assuring information will be kept secret, with access limited to appropriate persons.

Configuration management - The management of security features and assurances through control of changes made to a system’s hardware, software, firmware, documentation, testing, test fixtures, and test documentation throughout the development and operational life of the system.

Contingency plan - A plan for emergency response, backup operations, and post-disaster recovery maintained by an institution as a part of its security program. The plan ensures the availability of critical resources and facilitates the continuity of operations in an emergency situation.

Control requirements - Process used to document and/or track internal processes to determine that those established procedures and/or physical security policies are being followed.

Conversion plan - A plan that details transition planning and implementation issues in the period between the execution of an outsourcing agreement and the full production use of the outsourced services.

Crisis management - The process of managing an institution’s operations in response to an emergency or event that threatens business continuity. An institution’s ability to communicate with employees, customers, and the media, using various communications devices and methods, is a key component of crisis management.

Cyber attack - An attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network. An attack, via cyberspace, targeting an institution for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.

Cyber event - A cybersecurity change or occurrence that may have an impact on organizational operations (including mission, capabilities, or reputation).

Cyber incident - Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.

Cyber resilience - The ability of a system or domain to withstand cyber attacks or failures and, in such events, to reestablish itself quickly.

Cyber threat - An internal or external circumstance, event, action, occurrence, or person with the potential to exploit technology-based vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.

Cybersecurity - The process of protecting consumer and bank information by preventing, detecting, and responding to attacks.

D

Data corruption - Errors in computer data that occur during writing, reading, storage, transmission, or processing, which introduce unintended changes to the original data.

Data integrity - The property that data has not been destroyed or corrupted in an unauthorized manner; maintaining and assuring the accuracy and consistency of data over its entire life cycle.

Data synchronization - The comparison and reconciliation of interdependent data files at the same time so that they contain the same information.

Database - A collection of data that is stored on any type of computer storage medium and may be used for more than one purpose.

Dedicated Synchronous Optical NETwork (SONET) - SONET is a standard for telecommunications transmissions over fiber optic cables. SONET is self-healing so that if a break occurs in the lines, it can use a back-up redundant ring to ensure that the transmission continues. SONET networks can transmit voice and data over optical networks.

Digital subscriber line (DSL) - DSL provides the ability to transmit high-speed digital signals over existing telephone lines.

Disaster recovery - The process of recovering from major processing interruptions.

Disaster recovery exercise - A test of an institution’s disaster recovery or BCP.

Disaster recovery plan - A plan that describes the process to recover from major processing interruptions.

Disk shadowing - A back-up process that involves writing images to two physical disks or servers simultaneously.

Distributed denial of service (DDoS) - A type of attack that makes a computer resource or resources unavailable to its intended users. Although the means to carry out, motives for, and targets of a DDoS attack may vary, it generally consists of the concerted efforts of a group that intends to affect an institution’s reputation by preventing an Internet site, service, or application from functioning efficiently.

Diversity - A description of financial services sectors in which primary and back-up telecommunications capabilities do not share a single point of failure.

Dual control - Dividing the responsibility of a task into separate, accountable actions to ensure the integrity of the process.

Due diligence - Technical, functional, and financial review to verify a third-party service provider’s ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients.

E

Electronic vaulting - A back-up procedure that copies changed files and transmits them to an off-site location using a batch process.

Emergency plan - The steps to be followed during and immediately after an emergency such as a fire, tornado, bomb threat, etc.

Encryption - A data security technique used to protect information from unauthorized inspection or alteration. Information is encoded so that data appears as a meaningless string of letters and symbols during delivery or transmission. Upon receipt, the information is decoded using an encryption key.

End-to-end process flow - Document that details the flow of the processes, considering automated and manual control points, hardware, databases, network protocols, and real-time versus periodic processing characteristics.

End-to-end recoverability - The ability of an institution to recover a business process from initiation, such as customer contact, through process finalization, such as transaction closure.
Enterprise-wide - Across an entire organization, rather than a single business department or function.

External Connections - An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.

F

FEMA - FEMA is an acronym for Federal Emergency Management Agency.

Financial industry participants - Financial institutions and other companies that are involved in the banking, securities, and/or insurance industry and are regulated by supervisory authorities.

Frame relay - A high-performance WAN protocol that operates at the physical and data link layers of the Open Systems Interconnect (OSI) reference model. Frame relay is an example of a packet-switched technology. Packet-switched networks enable end stations to dynamically share the network medium and the available bandwidth. Frame relay uses existing T-1 and T-3 lines and provides connection speeds from 56 Kbps to T-1.

Functional drill/parallel test - This test involves the actual mobilization of personnel at other sites in an attempt to establish communications and coordination as set forth in the BCP.

Functionality testing - A test designed to validate that a business process or activity accomplishes expected results.

G

Gap analysis - A comparison that identifies the difference between actual and desired outcomes.

GETS - Acronym for the Government Emergency Telecommunications Service card program. GETS cards provide emergency access and priority processing for voice communications services in emergency situations.

Governance - In computer security, governance means setting clear expectations for the conduct (behaviors and actions) of the entity being governed and directing, controlling, and strongly influencing the entity to achieve these expectations. Governance includes specifying a framework for decision making, with assigned decision rights and accountability, intended to consistently produce desired behaviors and actions.

Grandfather-father-son - Retaining multiple versions of the back-up files off-site on a “grandfather-father-son” rotating basis is recommended. This tape methodology creates three sets of back-up tapes: daily incremental sets or “sons,” weekly full sets or “fathers,” and end-of-month tapes or “grandfathers.”

H

Hardware - The physical elements of a computer system; the computer equipment as opposed to the programs or information stored in a machine.

Hierarchical storage management (HSM) - HSM is used to dynamically manage the back-up and retrieval of files based on how often they are accessed, using storage media and devices that vary in speed and cost.

HVAC - Heating, ventilation, and air conditioning.

I

Implementation plan - A plan that details project management requirements and issues to be addressed during the period between the execution of an outsourcing agreement and the full production use of the outsourced services.

Incident response plan - A plan that defines the action steps, involved resources, and communication strategy upon identification of a threat or potential threat event, such as a breach in security protocol, power or telecommunications outage, severe weather, or workplace violence.

Industry testing - A test designed to validate that business processes, integrated across firms and within the financial industry, support the business continuity objectives of the firms, both individually and collectively.

Information security - The process by which an organization protects the creation, collection, storage, use, transmission, and disposal of information.

Information technology - Any services or equipment, or interconnected system(s) or subsystem(s) of equipment that comprise the institution’s IT architecture or infrastructure. It can include computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources.

Infrastructure - Describes what has been implemented by IT architecture and often includes support facilities such as power, cooling, ventilation, server and data redundancy and resilience, and telecommunications lines. Specific architecture types may exist for the following: enterprise, data (information), technology, security, and application.

Integrated services digital network (ISDN) -

Integrated test/exercise - This integrated test/exercise incorporates more than one component or module, as well as external dependencies, to test the effectiveness of the continuity plans for a business line or major function.

Integrity - Assurance that information is trustworthy and accurate; ensuring that information will not be accidentally or maliciously altered or destroyed (see “Data Integrity”).

Interconnectivity - The state or quality of being connected together. The interaction of a financial institution’s internal and external systems and applications and the entities with which they are linked.

Interdependencies - Where two or more departments, processes, functions, and/or third-party providers support one another in some fashion.

Internet protocol (IP) - IP is a standard format for routing data packets between computers. IP is efficient, flexible, routable, and widely used with many applications, and is gaining acceptance as the preferred communication protocol.
Intrusion detection - Techniques that attempt to detect unauthorized entry or access into a computer or network by observation of actions, security logs, or audit data; detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available on the network.

Intrusion detection system (IDS) - Software/hardware that detects and logs inappropriate, incorrect, or anomalous activity. IDS are typically characterized based on the source of the data they monitor: host or network. A host-based IDS uses system log files and other electronic audit data to identify suspicious activity. A network-based IDS uses a sensor to monitor packets on the network to which it is attached.

M

Magnetic ink character recognition (MICR) - Magnetic codes found on the bottom of checks, deposit slips, and general ledger debit and credit tickets that allow a machine to scan (capture) the information. MICR encoding on a check includes the account number, the routing number, the serial number of the check, and the amount of the check. The amount of the check is encoded when the proof department processes the check.

Malware - Software designed to secretly access a computer system without the owner’s informed consent. The expression is a general term (short for malicious software) used to mean a variety of forms of hostile, intrusive, or annoying software or program code. Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, ransomware, crimeware, most rootkits, and other malicious and unwanted software or programs.

Media - Physical objects that store data, such as paper, hard disk drives, tapes, and compact disks (CDs).

Microwave technology - Narrowband technology that requires a direct line-of-sight to transmit voice and data communications and is used to integrate a broad range of fixed and mobile communication networks.

Mobile device - A portable computing and communications device with information-storage capability. Examples include notebook and laptop computers, cellular telephones and smart phones, tablets, digital cameras, and audio recording devices.

Modeling - The process of abstracting information from tangible processes, systems and/or components to create a paper or computer-based representation of an enterprise-wide or business line activity.

Module - A combination of various components of a business process or supporting system.

Module test/exercise - A test designed to verify the functionality of multiple components of a business line or supporting function at the same time.

Multiplexers - Devices that encode or multiplex information from two or more data sources into a single channel. They are used in situations where the cost of implementing separate channels for each data source exceeds the cost and inconvenience of providing the multiplexing/de-multiplexing functions.

N

National Institute of Standards and Technology (NIST) - An agency of the U.S. Department of Commerce that works to develop and apply technology, measurements, and standards. NIST developed a voluntary cybersecurity framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructures.

Network - Two or more computer systems grouped together to share information, software, and hardware.

Network attached storage (NAS) - NAS systems usually contain one or more hard disks that are arranged into logical, redundant storage containers much like traditional file servers. NAS provides readily available storage resources and helps alleviate the bottlenecks associated with access to storage devices.

Network diagram - A description of any kind of locality in terms of its physical layout. In the context of communication networks, a topology describes pictorially the configuration or arrangement of a network, including its nodes and connecting communication lines.

Network security - The protection of computer networks and their services from unauthorized entry, modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and that there are no harmful side effects. Network security includes providing for data integrity.

O

Object Program - A program that has been translated into machine language and is ready to be run (i.e., executed) by the computer.

Offsite rotation - Used for backup and/or disaster recovery; moving a copy of the most current database, information, file, or tape to an offsite storage facility to be used only in an emergency.

P

Pandemic - An epidemic or infectious disease that can have a worldwide impact.

PBX - Private branch exchange. A telephone system within an enterprise that switches calls between enterprise users on local lines while allowing all users to share a certain number of external phone lines.

Permanent virtual circuit (PVC) - PVC is a pathway through a network that is predefined and maintained by the end systems and nodes along the circuit, but the actual pathway through the network may change due to routing problems. The PVC is a fixed circuit that is defined in advance by the public network carrier. Refer to switched virtual circuit for an additional virtual circuit option.

R

Reciprocal agreement - An agreement whereby two organizations with similar computer systems agree to provide computer processing time for the other in the event one of the systems is rendered inoperable. Processing time may be provided on a “best effort” or “time available” basis; therefore, reciprocal agreements are not usually acceptable as a primary recovery option.

Recovery point objective (RPO) - The amount of data that can be lost without severely impacting the recovery of operations or the point in time in which systems and data must be recovered (e.g., the date and time of a business disruption).

Recovery point objectives (RPOs) - RPOs represent the amount of data that can be lost without severely impacting the recovery of operations or the point in time in which systems and data must be recovered (e.g., the date and time of a business disruption).

Recovery service levels - Collectively, terms that define the speed, quality, and quantity of recovery capability in response to a disaster, including recovery time objective, recovery point objective, timely notification, percentage of normal production service level agreements (SLAs) that will be delivered during recovery mode, etc.

Recovery site - An alternate location for processing information (and possibly conducting business) in an emergency. Usually distinguished as “hot” sites that are fully configured centers with compatible computer equipment and “cold” sites that are operational computer centers without the computer equipment.

Recovery time objective (RTO) - The maximum allowable downtime that can occur without severely impacting the recovery of operations or the time in which systems, applications, or business functions must be recovered after an outage (e.g., the point in time that a process can no longer be inoperable).

Recovery time objectives (RTOs) - RTOs represent the maximum allowable downtime that can occur without severely impacting the recovery of operations or the time in which systems, applications, or business functions must be recovered after an outage (e.g., the point in time that a process can no longer be inoperable).

Recovery vendors - Organizations that provide recovery sites and support services for a fee.

Remote access - The ability to obtain access to a computer or network from a remote location.

Remote capture - Process that is used to scan and transmit check images and data electronically.

Remote control software - Software that is used to obtain access to a computer or network from a remote distance.

Remote journaling - Process used to transmit journal or transaction logs in real time to a back-up location.

Resilience - The ability of an institution to recover from a significant disruption and resume critical operations.

Resilience testing - Testing of an institution’s business continuity and disaster recovery resumption plans.

Retention requirement - Requirement established by a company or by regulation for the length of time and/or for the amount of information that should be retained.

Risk analysis - The process of identifying risks, determining their probability and impact, and identifying areas needing safeguards; risk analysis is an integral part of risk management.

Risk assessment - A prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat.

Rlogin - Remote login. A UNIX utility that allows a user to log in to a remote host on a network, as if it were directly connected, and make use of various services. Remote login is an information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization’s security controls.

S

SAS 70 report - An audit report of a servicing institution prepared in accordance with guidance provided in the American Institute of Certified Public Accountants' Statement on Auditing Standards Number 70.

Satellite technology - These links efficiently extend the reach of typical communication systems to distant areas and provide alternative traffic routing in an emergency.

Scenario analysis - The process of analyzing possible future events by considering alternative possible outcomes.

Security architecture - A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.

Security Audit - An independent review and examination of system records and activities to test for adequacy of system controls, ensure compliance with established policy and operational procedures, and recommend any indicated changes in control, policy, and procedures.

Security Violation - An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information or system resources.

Server - A computer or other device that manages a network service. An example is a print server, which is a device that manages network printing.

Service level agreement (SLA) - Formal documents between an institution and its third-party provider that outline an institution’s predetermined requirements for a service and establish incentives to meet, or penalties for failure to meet, the requirements. SLAs should specify and clarify performance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met.

Service Level Agreement (SLA) - Formal documents that outline the institution's predetermined requirements for the service and establish incentives to meet, or penalties for failure to meet, the requirements. They should specify and clarify performance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met.

Service Provider - Also referred to as a technology service provider (TSP). Any of a broad range of entities, including affiliated entities, non-affiliated entities, and alliances of companies providing products and services. Other terms used to describe service providers include vendors, subcontractors, external service providers, application service providers, and outsourcers.

Significant firms - Firms that process a significant share of transactions in critical financial markets.

Simulated loss of data center site(s) test/exercise - A type of disaster recovery test that involves the simulation of the loss of the primary, alternate, and/or tertiary data processing sites to verify that the institution can continue its data processing activities.

Simulation - The process of operating a model of an enterprise-wide or business line activity in order to test the functionality of the model. Computer systems may support the simulation of business models to aid in evaluating the BCP.

Sound practices - Defined in the “Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System,” which was issued by the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Securities and Exchange Commission.

Source program - A program written in a programming language (such as C, Pascal, or COBOL). A compiler translates the source code into a machine-language object program.

Split Processing - The ongoing operational practice of dividing production processing between two or more geographically dispersed facilities.

Storage area network (SAN) - SAN represents several storage systems that are interconnected to form one back-up network, which allows various systems to be connected to any storage device and prevents dependence on a single line of communication.

Stovepipe application - Stand-alone programs that may not easily integrate with other applications or systems.

Street tests - Street tests, also called cross-market tests or market-wide tests, are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.

Sustainability - The period of time for which operations can continue at an alternate processing facility.

Synchronous data replication - A process for copying data from one source to another in which an acknowledgement of the receipt of data at the copy location is required for application processing to continue. Consequently, the content of databases stored in alternate facilities is identical to those at the original storage site, and copies of data contain current information at the time of a disruption in processing.

T

T-1 line - A special type of telephone line for digital communication and transmission. T-1 lines provide for digital transmission with signaling speed of 1.544 Mbps (1,544,000 bits per second). This is the standard for digital transmissions in North America. Usually delivered on fiber optic lines.

Table top exercise/structured walk-through test -

Terminal services - A component of Microsoft Windows operating systems (both client and server versions) that allows a user to access applications or data stored on a remote computer over a network connection.

Test assumptions - The concepts underlying an institution’s test strategies and plans.

Test plan - A document that is based on the institution’s test scope and objectives and includes various testing methods.

Test scenario - A potential event, identified as the operating environment for a business continuity or disaster recovery test, which the institution’s recovery and resumption plan must address.

Test scripts - Documents that define the specific activities, tasks, and steps that test participants will conduct during the testing process.

Test strategy - Testing strategies establish expectations for individual business lines across the testing life cycle of planning, execution, measurement, reporting, and test process improvement. Testing strategies include the testing scope and objectives, which clearly define what functions, systems, or processes are going to be tested and what will constitute a successful test.

Third-party relationship - Any business arrangement between a financial institution and another entity, by contract or otherwise.

Third-party service provider - Any type of company, including affiliated entities, non-affiliated entities, and alliances of companies providing products and services to the financial institution. Other terms used to describe service providers include subcontractors, external service providers, application service providers, and outsourcers.

Threat intelligence - The acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision-making.
Transaction testing - A testing activity designed to validate the continuity of business transactions and the replication of associated data.

Two-way polling - An emergency notification system that allows management to ensure that all employees are contacted and have confirmed delivery of pertinent messages.

U

Ultra forward service - This service allows control over the re-routing of incoming phone calls to pre-determined alternate locations in the event of a telecommunications outage.

UPS - Uninterruptible power supply. A device that allows your computer to keep running for at least a short time when the primary power source is lost. A UPS may also provide protection from power surges. A UPS contains a battery that "kicks in" when the device senses a loss of power from the primary source, allowing the user time to save any data they are working on and to exit before the secondary power source (the battery) runs out. When power surges occur, a UPS intercepts the surge so that it doesn't damage your computer.

US-CERT - The U.S. Computer Emergency Readiness Team, part of the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center. US-CERT is a partnership between the Department of Homeland Security and the public and private sectors, established to protect the nation’s Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks across the nation.

Utility programs - A program used to configure or maintain systems, or to make changes to stored or transmitted data.

V

Virtual machine - A software emulation of a physical computing environment.

Virtual private network (VPN) - A computer network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.
Voice over Internet Protocol (VoIP) - The transmission of voice telephone conversations using the Internet or Internet Protocol networks.

Vulnerability - A hardware, firmware, or software flaw that leaves an information system open to potential exploitation; a weakness in automated system security procedures, administrative controls, physical layout, internal controls, etc., that could be exploited to gain unauthorized access to information or to disrupt critical processing.

Vulnerability Analysis - Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

Vulnerability Scanning - Systematic examination of systems to determine the adequacy of security measures, identify security deficiencies, and provide data from which to predict the effectiveness of proposed security measures.

W

Walk-through drill/simulation test - This test represents a preliminary step in the overall testing process that may be used for training employees but not as a preferred testing methodology. During this test, participants choose a specific scenario and apply the BCP to it.

Wallet card - Portable information cards that provide emergency communications information for customers and employees.

Wide-scale disruption - An event that disrupts business operations in a broad geographic area.

Wireless communication - The transfer of signals from place to place without cables, usually using infrared light or radio waves.

Work transfer - A process whereby the staff located at a recovery site accepts the workload of staff located at a primary production site, and a data center located at a recovery site accepts the workload of the primary data processing site.

Worm - A self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is primarily because of security vulnerabilities on the target computers.

Z

Zero-day attack - An attack on a piece of software that has a vulnerability for which there is no known patch.