A  B  C  D  E  F  G  H  I  K  L  M  N  O  P  R  S  T  U  V  W  Z  


Acceptable use policy - A document that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before users can gain access to a network or the Internet.

Acceptance Criteria - Pre-established standards or requirements a product or project must meet.

Access - The ability to physically or logically enter or make use of an IT system or area (secured or unsecured). The process of interacting with a system.

Account Balancing Monitoring System (ABMS) - The Federal Reserve's computing system providing reserve account information to the Federal Reserve Banks and depository institutions on an intraday basis. ABMS serves both as an informational source and a monitoring tool. This information includes opening balances, funds and securities transfers, accounting activity, and depository institutions cap and collateral limits.

Account-To-Account Payment (A2A) - Payment system that allows the consumer to direct transfer of funds from one account to another account at a different financial institution.

Acquirer Fee - Fee paid to the acquirer of the merchant sales draft. The acquirer of the sales draft collects a merchant discount fee (or processing fee) from the merchant for the costs associated with processing the transaction.

Acquiring Bank and Acquirer - See Merchant acquirer.

Address Verification Service (AVS) - Bankcard company service that verifies the customer-provided billing address matches the billing address on their credit card account. The bankcard companies will not support merchants that opt for not using AVS if those transactions are disputed and will charge the merchant an additional 1.25% on those sales.

Administrator privileges - Computer system access to resources that are unavailable to most users. Administrator privileges permit execution of actions that would otherwise be restricted.

Agent Bank - A member of a bankcard company that agrees to participate in an acquirer's merchant processing program. The agent may be liable for losses incurred on its merchant accounts. An agent is usually a small financial institution that wants to offer merchant processing services as a customer service. Agent banks that only refer merchants to an acquiring financial institution's program are known as referral banks.

Aggregate Short Position - The sum of a Settlement Member's short positions, each such short position expressed in its base currency equivalent and adjusted by the applicable haircut.

Aggregate Short Position Limit - In respect of a Settlement Member, the maximum aggregate short position that such Settlement Member is permitted to incur at any time.

Agility - In IT systems, the ability to rapidly incorporate new technologies or changes to technologies allowing an organization to adapt to changing business needs.

Air-gapped environment - Security measure that isolates a secure network from unsecure networks physically, electrically, and electromagnetically.

Alternate Site Test / Exercise - A business continuity testing activity that tests the capability of staff, systems, and facilities, located at sites other than those generally designated for primary processing and business functions, to effectively support production processing and workloads. During the exercise, business line staff located at recovery site(s) participate in testing business functions and the supporting systems by performing typical production activities, including accessing applications and completing pending transactions. Staff members participate in testing alternate site facilities through the use of PCs, phones, and other equipment needed to perform testing of business activities.

Anomalous activity - Activity that deviates from normal. The result of the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.

Antivirus/anti-malware software - A program that monitors a computer or network to identify all types of malware and prevent or contain malware incidents.

Application - Software that performs automated functions for a user. Examples include home banking, word processing and payroll. Distinguished from operating system or utility software.

Application controls - Controls related to transactions and data within application systems. Application controls ensure the completeness and accuracy of the records and the validity of the entries made resulting from both programmed processing and manual data entry. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted.

Application development - The process of designing and building code to create a computer program (software) used for a particular type of job.

Application system - An integrated set of computer programs designed to serve a well- defined function and having specific input, processing, and output activities (e.g., general ledger, manufacturing resource planning, human resource management).

Asset - In computer security, a major application, general-support system, high-impact program, physical plant, mission-critical system, personnel, equipment, or a logically-related group of systems.

Asynchronous data replication - A process for copying data from one source to another while the application processing continues; an acknowledgement of the receipt of data at the copy location is not required for processing to continue. Consequently, the content of databases stored in alternate facilities may differ from those at the original storage site, and copies of data may not contain current information at the time of a disruption in processing as a result of the time (in fractions of a second) required to transmit the data over a communications network to the alternate facility. This technology is typically used to transfer data over greater distances than that allowed with synchronous data replication.

Asynchronous transfer mode - The method of transmitting bits of data one after another with a start bit and a stop bit to mark the beginning and end of each data unit. Can also mean automated teller machine.

Attack signature - A specific sequence of events indicative of an unauthorized access attempt.

Audit charter - A document approved by the board of directors that defines the IT audit function's responsibility, authority to review records, and accountability.

Audit plan - A description and schedule of audits to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work and includes other items such as budget, resource allocation, schedule dates, and type of report issued.

Audit program - The audit policies, procedures, and strategies that govern the audit function, including IT audit.

Authentication - The process of verifying the identity of an individual user, machine, software component, or any other entity.

Authorization (ACH) - A written or oral agreement between the originator and a receiver that allows payments processed through the ACH network to be deposited in, or withdrawn from, the receiver's account at a financial institution.

Automated Clearing House (ACH) - An electronic clearing system in which a data processing center handles payment orders that are exchanged among financial institutions, primarily via telecommunications networks. ACH systems process large volumes of individual payments electronically. Typical ACH payments include salaries, consumer and corporate bill payments, interest and dividend payments, and Social Security payments.

Automated Clearing House (ACH) Operator - A central clearing facility that depository financial institutions use to transmit and receive ACH entries. ACH operators are typically a Federal Reserve Bank or a private-sector organization that operates on behalf of a depository financial institution.

Automated Controls - Software routines designed into programs to ensure the validity, accuracy, completeness, and availability of input, processed, and stored data.

Automated Teller Machine (ATM) - An electronic funds transfer (EFT) terminal that allows customers using a PIN-based debit (ATM) card to initiate transactions (e.g., deposits, withdrawals, account balance inquiries).

Availability - Whether or how often a system is available for use by its intended users. Because downtime is usually costly, availability is an integral component of security.


Back Office Conversion (BOC) - Under NACHA rules, BOC allows retailers and billers that accept checks at the point-of-sale or at manned bill payment locations to convert eligible checks to ACH debits in the back-office.

Back-up Generations - A tape rotation methodology that creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers." This back-up methodology is frequently used to refer to master files for financial applications.

Bandwidth - Terminology used to indicate the transmission or processing capacity of a system or of a specific location in a system (usually a network system) for information (text, images, video, sound). Bandwidth is usually defined in bits per second (bps) but also is usually described as either large or small. Where a full page of English text is about 16,000 bits, a fast modem can move approx. 15,000 bps. Full-motion, full-screen video requires about 10,000,000 bps, depending on compression.

Bank Identification Number/Interbank Card Company (BIN/ICA) - A series of assigned numbers used to identify the settling financial institution for both acquiring and issuing bankcard transactions.

Bank Secrecy Act - The Currency and Foreign Transactions Reporting Act, also known as the Bank Secrecy Act (BSA), and its implementing regulation, 31 CFR 103, is a tool the U.S. government uses to fight drug trafficking, money laundering, and other crimes. Congress enacted the BSA to prevent banks and other financial service providers from being used as intermediaries for, or to hide the transfer or deposit of money derived from, criminal activity.

Bankcard - A general-purpose credit card, issued by a financial institution under agreement with the bankcard associations (Visa and MasterCard), which customers can use to purchase goods and services and to obtain cash against a line of credit established by the bankcard issuer.

Bankcard Companies - Visa and MasterCard International, Inc. are bankcard companies established as bank service companies. Financial institutions must be members of a bankcard company in order to offer their credit card services. The companies have established membership rights and obligations, and membership is limited to financial institutions.

Baseline - A documented version of a hardware component, software program, configuration, standard, procedure, or project management plan. Baseline versions are placed under formal change controls and should not be modified unless the changes are approved and documented.

Baseline configuration - A set of specifications for a system, or configuration item (CI) within a system, that has been formally reviewed and agreed on at a given point in time and that can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, or changes.

Batch Processing - The transmission or processing of a group of related payment instructions.

Benchmark - A standard, or point of reference, against which things may be compared or assessed.

Bilateral Key Security - A multi-level data encryption system, based on the exchange of Bilateral Keys, allowing users of SWIFT to create, send, and receive SWIFT messages. Bilateral Keys are unique authenticator keys possessed by only the two parties (either the provider or recipient of a message) involved and provide confirmation in both directions of the legitimacy of a message sent via SWIFT.

Bits per second (BPS) - A measurement of how fast data moves from one place to another. A 28.8 modem can move 28,800 bits per second.

Black holing - A method typically used by ISPs to stop a DDoS attack on one of its customers. This approach to block DDoS attacks makes the site in question completely inaccessible to all traffic, both malicious attack traffic and legitimate user traffic.

Border router - A device located at the organization's boundary to an external network.

Buffer overflow - A condition at an interface under which more input can be placed into a buffer or data-holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially-crafted code that allows them to gain control of a system.

Business Continuity Plan (BCP) - A comprehensive written plan to maintain or resume business in the event of a disruption. BCP includes both the technology recovery capability (often referred to as disaster recovery) and the business unit(s) recovery capability.

Business Continuity Strategy - Comprehensive strategies to recover, resume, and maintain all critical business functions.

Business Continuity Test - A test of an institution's disaster recovery plan or BCP.

Business Impact Analysis (BIA) - The process of identifying the potential impact of uncontrolled, non-specific events on an institution's business processes.

Business Recovery Test/Exercise - An activity that tests an institution's BCP.


Call Tree - A documented list of employees and external entities that should be contacted in the event of an emergency declaration.

Capacity Testing - Activities structured to determine whether resources (human and IT) can support required processing volumes in recovery environments.

Card Issuer - A financial institution that issues general-purpose credit cards carrying one of the two bankcard company logos. The issuing financial institution establishes the credit relationship with the consumer.

Card Verification Code (CVC2) - Numeric security code printed on the back of MasterCard credit cards. CVC2 reduces credit card fraud and chargeback instances significantly when used in conjunction with AVS. (See Address verification service).

Card Verification Value (CVV2) - Three-digit security number that is printed on the back of most Visa credit cards. CVV2 reduces credit card fraud and chargeback instances significantly when used in conjunction with AVS.

Cash Letter - A group of checks accompanied by a paper listing sent to a clearinghouse, a Federal Reserve Bank, or another institution. A cash letter contains a number of negotiable items, mostly checks, accompanied by a letter that lists the amounts and instructions for transmittal to another bank. May also be called a transmittal letter. An incoming cash letter is one that is received by an institution from a clearinghouse, a Federal Reserve Bank, or another institution and contains checks written on accounts at the institution that were cashed elsewhere. An outgoing cash letter is one that is being sent to a clearinghouse, a Federal Reserve Bank, or another institution and contains checks deposited at the institution, which are written on accounts at other institutions.

Change management - The broad processes for managing organizational change. Change management encompasses planning, oversight or governance, project management, testing, and implementation.

Chargeback - A transaction generated when a cardholder disputes a transaction or when the merchant does not follow bankcard company procedures. The issuer and acquirer research the facts to determine which party is responsible for the transaction. If the merchant is unable to pay, the acquirer will have to cover the chargeback.

Check - A written order from one party (payer) to another (payee) requiring the payer's financial institution to pay a specified sum on demand to the payee or to a third party specified by the payee

Check 21 Act - Formally known as the Check Clearing for the 21st Century Act. Creates a new document, the IRD (image replacement document or substitute check) that is the legal equivalent of the original check and should be accepted as such. The act does not require institutions to accept electronic images instead of checks or IRDs, but does require the acceptance of IRDs instead of paper checks. The exchange of electronic images is optional and will be done by agreements between individual institutions, groups of institutions, or clearinghouses.

Check Clearing - The movement of a check from the depository institution where it was deposited to the institution on which it was written. The funds move in the opposite direction, with a corresponding credit and debit to the involved accounts.

Check Image - Electronic or digital image of an original check that is created by a depositor, a bank or other participant in the check collection process. Check images can be exchanged electronically by financial institutions, printed for customer statement purposes, displayed on Internet banking websites, and used to create substitute checks.

Check Truncation - The practice of holding a check at the institution where it was deposited (or at an intermediary institution) and electronically forwarding the essential information on the check to the institution on which it was written. A truncated check is not returned to the writer.

Checklist Review - A preliminary procedure to testing that employs information checklists to guide staff activities. For example, checklists can be used to verify staff procedures, hardware and software configurations, or alternate communication mechanisms.

Checksum - A mathematical value that is assigned to a file and used to “test” the file at a later date to verify that the data contained in the file has not been maliciously or erroneously changed.

Classification - Categorization (e.g., "confidential," "sensitive," or "public") of the information processed by the service provider on behalf of the receiver company.

Clearance - The process of transmitting, reconciling, and in some cases, confirming payment orders or financial instrument transfer instructions prior to settlement.

Clearing Corporation - Also known as a clearing house or clearing house association. A central processing mechanism whereby members agree to net, clear, and settle transactions involving financial instruments. Clearing corporations fulfill one or all of the following functions: Net many trades so that the number and the amount of payments that have to be made are minimized, determine money obligations among traders, and guarantee that trades will go through by legally assuming the risk of payments not made or securities not delivered. The latter function is implied when it is stated that the clearing corporation becomes the "counterpart" to all trades entered into its system.

Clearing House Associations - Voluntary associations, formed by financial institutions that establish an exchange for checks drawn on them. Typically, institutions participating in check clearing houses use the Federal Reserve's National Settlement Service for the checks exchanged each business day.

Clearing House Interbank Payment Systems (CHIPS) - A "real time," multilateral, final payments system for large dollar value, business-to-business payment transactions between domestic or foreign institutions that have offices located in the United States. CHIPS is run by CHIP Co. LLC, a subsidiary of The Clearing House Payments Company, LLC.

Cloud computing - Generally a migration from owned resources to shared resources in which client users receive information technology services on demand from third-party service providers via the Internet "cloud." In cloud environments, a client or customer relocates its resources — such as data, applications, and services — to computing facilities outside the corporate firewall, which the end user then accesses via the Internet.

Cloud storage - A model of data storage in which the digital data is stored in logical pools, the physical storage spans multiple servers (and often locations), and the physical environment is typically owned and managed by a hosting company.

Clustering - Connecting two or more computers together in such a way that enables them to act as a single computer. Clustering is used for parallel processing, load balancing, and fault tolerance.

Code - Software program instructions.

Commercial off-the-shelf (COTS) - COTS products include software and hardware products that are ready-made and available for sale to the general public. COTS products are typically installed in existing systems and do not require customization. Also known as "shrink-wrap" applications.

Commercially Reasonable - Practices and procedures in widespread use in the business community generally considered to represent prudent and reasonable business methods.

Compensating control - A management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.

Component - An element or part of a business process.

Component Test/Exercise - A testing activity designed to validate the continuity of individual systems, processes, or functions, in isolation. For example, component tests may focus on recovering specific network devices, application restoration procedures, off-site tape storage, or proving the validity of data for a particular business line.

Computer security - Technological and managerial procedures applied to computer systems to ensure the availability, integrity, and confidentiality of information managed by the computer system.

Concentrator - In data transmission, a concentrator is a functional unit that permits a common path to handle more data sources than there are channels currently available within the path. A device that connects a number of circuits, which are not all used at once, to a smaller group of circuits for economy.

Confidentiality - Assuring information will be kept secret, with access limited to appropriate persons.

Configuration management - The management of security features and assurances through control of changes made to a system's hardware, software, firmware, documentation, testing, test fixtures, and test documentation throughout the development and operational life of the system.

Connectivity Testing - A testing activity designed to validate the continuity of network communications.

Consumer - Usually refers to an individual engaged in non-commercial transactions.

Consumer Account - A deposit account held by a participating depository financial institution and established by a natural person primarily for personal, family, or household use and not for commercial purposes.

Consumer information - For purposes of the Information Security Standards, “consumer information” means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report that is maintained by or on behalf of a financial institution for a business purpose, such as information that an institution obtains about a loan applicant or a prospective employee from a consumer report.

Control - The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature.

Control requirements - Process used to document and/or track internal processes to determine that those established procedures and/or physical security policies are being followed.

Control self-assessment - A technique used to internally assess the effectiveness of risk management and control processes.

Conversion plan - A plan that details transition planning and implementation issues in the period between the execution of an outsourcing agreement and the full production use of the outsourced services.

Core firm - Core clearing and settlement organization that serves critical financial markets.

Corrective control - A mitigating technique designed to lessen the impact to the institution when adverse events occur.

Correspondent Bank - An institution, acting on behalf of other institutions, that can settle the checks they collect for other institutions (respondents) by using accounts on their books or by sending a wire funds transfers. Generally, a provider of banking and payment services to other financial institutions.

Courtesy amount recognition (CAR) - The numeric amount of a check.

Credit Card - A card indicating the holder has been granted a line of credit. It enables the holder to make purchases or withdraw cash up to a prearranged ceiling. The credit granted can be settled in full by the end of a specified period or can be settled in part, with the balance taken as extended credit. Interest is charged based on the terms of the credit card agreement and the holder is sometimes charged an annual fee.

Credit Entry - An entry to the record of an account that represents the transfer or placement of funds into the account.

Crisis management - The process of managing an institution's operations in response to an emergency or event that threatens business continuity. An institution's ability to communicate with employees, customers, and the media, using various communications devices and methods, is a key component of crisis management.

Crisis Management Test/Exercise - A testing exercise that validates the capabilities of crisis management teams to respond to specific events. Crisis management exercises typically test the call tree notification process with employees, vendors, and key clients. Escalation procedures and disaster declaration criteria may also be validated.

Critical Financial Markets - Financial markets whose operations are critical to the economy. Critical financial markets provide the means for financial institutions to adjust their cash and securities positions and those of their customers in order to manage liquidity, market, and other risks to their organizations. Critical financial markets also provide support for the provision of a wide range of financial services to businesses and consumers in the United States and support the implementation of monetary policy. Examples of "critical financial markets" include: • Federal funds, foreign exchange, and commercial paper; • U.S. Government and agency securities; and • Corporate debt and equity securities.

Critical Market Participants - Participants in the financial markets that perform critical operations or provide critical services. Their inability to perform these operations or services could result in major disruptions in the financial system.

Critical Path - The critical path represents the business processes or systems that must receive the highest priority during the recovery phase.

Critical system (infrastructure) - The systems and assets, whether physical or virtual, that are so vital that the incapacity or destruction of such may have a debilitating impact.

Cross-Market Tests - Cross-market tests are also called market-wide tests or "street tests" that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.

Currency Balance - As at the time calculated, the current amount (positive or negative) of a particular eligible currency included in an account, as indicated on the books and records of CLS Bank. A currency balance is not a separate account.

Custom redirect service - This service enables control over the location of incoming calls or the redirection of calls to various locations or pre-established phone numbers to ensure customer service continuity.

Customer - For purposes of the Information Security Standards, “customer” means a consumer with whom a financial institution has a continuing relationship under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. In the case of a credit union, a customer relationship will exist between a credit union and certain consumers that are not the credit union’s members.

Customer information - A term used in the Information Security Standards to mean any record containing non-public personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of a financial institution.

Customer information systems - For purposes of the Information Security Standards, “customer information systems” means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.

Cyber attack - An attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network. An attack, via cyberspace, targeting an institution for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.

Cyber event - A cybersecurity change or occurrence that may have an impact on organizational operations (including mission, capabilities, or reputation).

Cyber incident - Actions taken through the use of computer networks that result in an actual or potentially-adverse effect on an information system or the information residing therein.

Cyber resilience - The ability of a system or domain to withstand cyber attacks or failures and, in such events, to reestablish itself quickly.

Cyber threat - An internal or external circumstance, event, action, occurrence, or person with the potential to exploit technology-based vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.

Cybersecurity - The process of protecting consumer and bank information by preventing, detecting, and responding to attacks.


Data center - A facility that houses an institution's most important information systems components, including computer systems, telecommunications components, and storage systems.

Data classification program - A program that categorizes data to convey required safeguards for information confidentiality, integrity, and availability; establishes controls required based on value and level of sensitivity.

Data corruption - Errors in computer data that occur during writing, reading, storage, transmission, or processing, which introduce unintended changes to the original data.

Data integrity - The property that data has not been destroyed or corrupted in an unauthorized manner; Maintaining and assuring the accuracy and consistency of data over its entire life-cycle.

Data loss prevention (DLP) program - A comprehensive approach (covering people, processes, and systems) of implementing policies and controls designed specifically to discover, monitor, and protect confidential data wherever it is stored, used, or in transit over the network and at the perimeter.

Data mining - The process or techniques used to analyze large sets of existing information to discover previously unrevealed patterns or correlations.

Data mirroring - A back-up process that involves writing the same data to two physical disks or servers simultaneously.

Data replication - The process of copying data, usually with the objective of maintaining identical sets of data in separate locations. Two common data replication processes used for information systems are synchronous and asynchronous mirroring.

Data synchronization - The comparison and reconciliation of interdependent data files at the same time so that they contain the same information.

Database - A collection of information organized to be easily accessed, managed, and updated.

Daylight overdraft - A daylight overdraft occurs at any point in the business day when the balance in an institution's account becomes negative. Daylight overdrafts can occur in accounts at Federal Reserve Banks as well as at private financial institutions. Daylight credit can also arise in the form of net debit positions of participants in private payment systems. A daylight overdraft occurs at a Federal Reserve Bank when there are insufficient funds in an institution's Federal Reserve Bank account to cover outgoing funds transfers or incoming book-entry securities transfers. An overdraft can also be the result of other payment activity processed by the Federal Reserve Bank, such as check or automated clearinghouse transactions.

Debit card - A payment card issued as either a PIN-based debit (ATM) card or as a signature-based debit card from one of the bankcard associations. A payment card issued to a person for purchasing goods and services through an electronic transfer of funds from a demand deposit account rather than using cash, checks, or drafts at the point-of-sale.

Debit entry - An entry to the record of an account to represent the transfer or removal of funds from the account.

Deep packet inspection - The capability to analyze network traffic to compare vendor-developed profiles of benign protocol activity against observed events to identify deviations.

Defense-in-depth - Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.

Deferred net settlement - See "National Settlement Service".

Deliverable - A project goal or expectation. Deliverables include broadly-defined, project or phase requirements and specifically-defined tasks within project phases.

Demilitarized zone (DMZ) - A computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.

Depository - An institution that holds funds or marketable securities for safekeeping. Depositories may be privately or publicly operated and allow securities transfers through book-entry and offer funds accounts permitting funds transfers as a means of payment.

Depository bank - The institution at which a check is first deposited. While this term is often used interchangeably with "depository," "depositary" is a term of art in laws and regulations related to check processing.

Depository bank (Check 21) - Also known as Bank of First Deposit (BOFD). The first bank to which a check is transferred even though it is also the paying bank or the payee. A check deposited in an account is deemed to be transferred to the financial institution holding the account into which the check is deposited, even though the check is physically received and endorsed first by another financial institution.

Detection device - A device designed to recognize an event and alert management when events occur.

Detective control - A mitigating technique designed to recognize an event and alert management when events occur.

Device - A generic term for any machine or component that attaches to a computer or connects to a network.

Dictionary attack - Discovery of authenticators by encrypting likely authenticators and comparing the actual encrypted authenticator with the newly encrypted possible authenticators.

Digital certificate - The electronic equivalent of an ID card that authenticates the originator of a digital signature.

Digital subscriber line (DSL) - A technology that uses existing copper telephone lines and advanced modulation schemes to provide high-speed telecommunications to businesses and homes.

Direct access storage device (DASD) - A magnetic disk storage device historically used in mainframe environments. DASD may also include hard drives used in personal computers.

Direct data feed - A process used by information aggregators to gather information directly from a website operator rather than copying it from a displayed webpage.

Direct debit - Electronic transfer, usually through ACH, out of an individual's checking (or savings) account to pay bills, such as mortgage payments, insurance premiums, and utility payments. Also referred to as "direct payment."

Direct deposit - Electronic deposits or credit, usually through ACH, to an individual's deposit account. Common uses of direct deposit include payroll payments, Social Security benefits, and income from investments such as CDs, annuities, and mutual funds.

Direct presentment - Depositary banks can present checks directly to the paying institution. The paying institution may be the depositary bank (no settlement is needed), or, if not, may settle on the books of the Federal Reserve, using the Federal Reserve's national settlement service.

Disaster recovery - The process of recovering from major processing interruptions.

Disaster recovery exercise - A test of an institution's disaster recovery or BCP.

Disaster recovery plan - A plan that describes the process to recover from major processing interruptions.

Disk shadowing - A back-up process that involves writing images to two physical disks or servers simultaneously.

Distributed denial of service (DDoS) - A type of attack that makes a computer resource or resources unavailable to its intended users. Although the means to carry out, motives for, and targets of a DDoS attack may vary, it generally consists of the concerted efforts of a group that intends to affect an institution's reputation by preventing an Internet site, service, or application from functioning efficiently.

Distributed environment - A computer system with data and program components physically distributed across more than one computer.

Diversity - A description of financial services sectors in which primary and back-up telecommunications capabilities do not share a single point of failure.

Domain Name System security extensions (DNSSEC) - A technology that was developed to, among other things, protect against such attacks by digitally 'signing' data so you can be assured it is valid.

Dual control - Dividing the responsibility of a task into separate, accountable actions to ensure the integrity of the process.

Due diligence for service provider selection - Technical, functional, and financial review to verify a third-party service provider's ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients.


E-Banking - The remote delivery of new and traditional banking products and services through electronic delivery channels.

Electronic Benefits Transfer (EBT) - A type of EFT system involving the transfer of public entitlement payments, such as welfare or food stamps, through direct deposit or point-of-sale technology (see POS). The recipient can be given an identification card, similar to a benefit card, and a PIN allowing access to the benefits through an electronic network.

Electronic bill presentment and payment (EBPP) - An electronic alternative to traditional bill payment, allowing a merchant or utility to present its customers with an electronic bill and the payer to pay the bill electronically. EBPP systems usually fall within two models: direct and consolidation-aggregation. In the direct model, the merchant or utility generates an electronic version of the consumer's billing information, and notifies the consumer of a pending bill, generally via e-mail. The consumer can initiate payment of the electronically presented bill using a variety of payment mechanisms, typically a credit card. In the consolidation-aggregation model, the consumer's bills are consolidated by a consolidator acting on behalf of merchants and utilities (or aggregated on behalf of the consumer), combining data from multiple bills and presenting a single source for the consumer to initiate payment. Some consolidators present bills at their own web sites, typically most support the aggregation of bills by consumer service providers such an Internet portals, financial institutions, and brokerage web sites.

Electronic check conversion - The process by which a check is used as a source of information for the check number, the customer's account number, and the number that identifies the financial institution. The information is used to make a one-time electronic payment from the customer's account -- an electronic fund transfer. The check itself is not the method of payment.

Electronic check presentment (ECP) - Check truncation methodology in which the paper check's MICR line information is captured and stored electronically for presentment. The physical checks may or may not be presented after the electronic files are delivered, depending on the type of ECP service that is used.

Electronic commerce (E-Commerce) - A broad term encompassing the remote procurement and payment by businesses or consumers of goods and services through electronic systems such as the Internet.

Electronic data capture (EDC) - Process used for capturing and transferring the encoded information on the magnetic strip from a bankcard or debit card at the point-of-sale to the processor's database.

Electronic funds transfer (EFT) - A generic term describing any transfer of funds between parties or depository institutions through electronic data systems.

Electronic Funds Transfer Act (EFTA) - The Electronic Funds Transfer Act and Regulation E are designed to ensure adequate disclosure of basic terms, costs, and rights relating to electronic fund transfer (EFT) services provided to consumers. Institutions offering EFT services must disclose to consumers certain information, including: initial and updated EFT terms, transaction information, periodic statements of activity, the consumer's potential liability for unauthorized transfers, and error resolution rights and procedures. EFT services include automated teller machines, telephone bill payment, point-of-sale transfers in retail stores, fund transfers initiated through the Internet, and pre-authorized transfers to or from a consumer's account.

Electronic vaulting - A back-up procedure that copies changed files and transmits them to an off-site location using a batch process.

Electronically-created payment orders - These are payment orders received by merchants from consumers, typically by telephone or the Internet. These payment orders are processed through the check processing system although they were not initiated as paper checks. These payment orders are not subject to check law and are not warranted by the Federal Reserve Banks.

E-mail server - A computer that manages e-mail traffic.

Emergency plan - The steps to be followed during and immediately after an emergency such as a fire, tornado, bomb threat, etc.

Encryption - A data security technique used to protect information from unauthorized inspection or alteration. Information is encoded so that data appears as a meaningless string of letters and symbols during delivery or transmission. Upon receipt, the information is decoded using an encryption key.

End user - An individual who will utilize a product or program.

End-of-life - All software products have life cycles. End-of-life refers to the date when a software development company no longer provides automatic fixes, updates, or online technical assistance for the product.

End-point security - Refers to a methodology of protecting the corporate network when accessed with remote devices, such as laptops, or other wireless and mobile devices. Each device with a remote connection to the network creates a potential entry (or exit) point for security threats.

End-to-end process flow - Document that details the flow of the processes, considering automated and manual control points, hardware, databases, network protocols, and real-time versus periodic processing characteristics.

End-to-end recoverability - The ability of an institution to recover a business process from initiation, such as customer contact, through process finalization, such as transaction closure.

Enterprise architecture - The overall design and high-level plan that describes an institution's operational framework and includes the institution's mission, stakeholders, business and customers, work flow and processes, data processing, access, security, and availability.

Enterprise-wide - Across an entire organization, rather than a single business department or function.

Expedited Funds Availability Act (EFAA) - See Regulation CC.

Exploit - A technique or code that uses a vulnerability to provide system access to the attacker. An exploit is an intentional attack to impact an operating system or application program.

Exposure - The potential loss to an area due to the occurrence of an adverse event.

Exposure limit - In reference to the settlement of operating services, this is the maximum amount an ACH originator is allowed to originate. This amount can be based on the originator's credit rating, historical or predicted funding requirements, and the type of obligation.

Extensible Markup Language (XML) - XML (Extensible Markup Language) is a "metalanguage", a language for describing other languages – which lets you design your own customized markup languages for different types of documents. It is designed to improve the functionality of the Web by providing more flexible and adaptable information identification.

External connections - An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.


Federal Reserve Banks - The Federal Reserve Banks provide a variety of financial services including retail and wholesale payments. The Federal Reserve Bank operates a nationwide system for clearing and settling checks drawn on depository institutions located in all regions of the United States.

Fedwire - The Federal Reserve Bank's nationwide real time gross settlement electronic funds and securities transfer network. Fedwire® is a credit transfer system. Each funds transfer is settled individually against an institution's reserve or clearing account on the books of the Federal Reserve. The transaction is considered an irrevocable payment as it is processed.

Fedwire Funds Service - The Federal Reserve Banks' high-speed electronic funds transfer system. As a real-time gross settlement system, the Fedwire® Funds Service processes and settles individual payments between participants immediately in central bank money. Once processed, these payments are final.

Fedwire Securities Service - The Federal Reserve Banks' high-speed electronic payments system for maintaining securities accounts and for effecting securities transfers. The Fedwire® Securities Service provides a real-time, delivery-versus-payment (DVP), gross settlement system that allows for the immediate, simultaneous transfer of securities against payment. Once processed, securities transfers are final.

Fibre channel - A high performance serial link supporting its own, as well as higher-level protocols such as the small computer system interface, high performance parallel interface framing protocol and intelligent peripheral interface. The Fibre Channel standard addresses the need for very fast transfers of large amounts of information. The fast (up to 1 Giga byte per second) technology can be converted for LAN technology by adding a switch specified in the Fibre Channel standard that handles multipoint addressing. Fibre Channel gives users one port that supports both channel and network interfaces, unburdening the computers from large number of input and output (I/O) ports. Fibre Channel provides control and complete error checking over the link.

File transfer protocol (FTP) - A standard high-level protocol for transferring files from one computer to another, usually implemented as an application level program.

FIN (Financial Application) - The SWIFT application within which all SWIFT user-to-user messages are input and output.

Finality - Irrevocable and unconditional transfer of payment during settlement.

Financial Authority - A supervisory organization that is responsible for safeguarding and maintaining consumer confidence in the financial system.

Financial EDI (FEDI) - Financial electronic data interchange. An instrument for settling invoices by initiating payments, processing remittance data and automating reconciliation, through the exchange of electronic messages.

Financial industry participants - Financial institutions and other companies that are involved in the banking, securities, and/or insurance industry and are regulated by supervisory authorities.

Financial Services Information Sharing and Analysis Center (FS-ISAC) - A nonprofit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.

Firewall - A hardware or software link in a network that relays only data packets clearly intended and authorized to reach the other side.

Float - Funds held by an institution during the check-clearing process before being made available to a depositor. Interest may be earned on these funds.

Flowcharts - Traditional flowcharts involve the use of geometric symbols, such as diamonds, ovals, and rectangles to represent the sequencing of program logic. Software packages are available that automatically chart programs or enable a programmer to chart a program without the need to draw it manually.

Frame relay - A high-performance wide area network protocol that operates at the physical and data link layers of the Open Systems Interconnect (OSI) reference model. Frame Relay is an example of a packet-switched technology. Packet-switched networks enable end stations to dynamically share the network medium and the available bandwidth. Frame relay uses existing T-1 and T-3 lines and provides connection speeds from 56 Kbps to T-1.

Framing - A frame is an area of a webpage that scrolls independently of the rest of the webpage. Framing generally refers to the use of a standard frame containing information (like company name and navigation bars) that remains on the screen while the user moves around the text in another frame.

Full duplex - A communications channel that carries data in both directions.

Full-interruption/full-scale test (IT and Staff) - A business continuity test that activates all the components of the disaster recovery plan at the same time. Hardware, software, staff, communications, utilities, and alternate site processing should be thoroughly tested in this type of testing activity. The exercise should include the business line end users and the IT group to ensure that each business line tests its key applications and is prepared to recover and resume its business operations in the event of an emergency. The full test verifies that systems and staff can recover and resume business within established recovery time objectives. End users should verify the integrity of the data at the alternate site after the IT group has restored systems and applications needed for the staff to perform production activities.

Functional drill/parallel test - This test involves the actual mobilization of personnel at other sites in an attempt to establish communications and coordination as set forth in the BCP.

Functional requirements - The business, operational, and security features an organization wants included in a program.

Functionality testing - A test designed to validate that a business process or activity accomplishes expected results.


Gap analysis - A comparison that identifies the difference between actual and desired outcomes.

Gateway server - A computer (server) that connects a private network to the private network of a servicer or other business.

General controls - Controls, other than application controls, that relate to the environment within which application systems are developed, maintained, and operated, and that are therefore applicable to all the applications at an institution. The objectives of general controls are to ensure the proper development and implementation of systems, and the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IT strategy and an IT security policy, the organization of IT staff to separate conflicting duties and planning for disaster prevention and recovery.

Governance - In computer security, governance means setting clear expectations for the conduct (behaviors and actions) of the entity being governed and directing, controlling, and strongly influencing the entity to achieve these expectations. Governance includes specifying a framework for decision making, with assigned decision rights and accountability, intended to consistently produce desired behaviors and actions.

Government Emergency Telecommunications Service (GETS) - Acronym for the Government Emergency Telecommunications Service card program. GETS cards provide emergency access and priority processing for voice communications services in emergency situations.

Gramm-Leach-Bliley Act (GLBA) - The act, also known as the Financial Services Modernization Act of 1999, (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), required the federal banking agencies to establish information security standards for financial institutions.

Grandfather-father-son - Retaining multiple versions of the back-up files off-site on a "grandfather-father-son" rotating basis is recommended. This tape methodology creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers."


Hacker - An individual who attempts to break into a computer without authorization.

Haircut - With respect of an eligible currency, the percentage increase of a negative currency balance or reduction of a positive currency balance and is based on (a) the volatility of the historic foreign exchange movements in the applicable eligible currency determined by CLS Bank and (b) an add-on component.

Hardening - The process of securing a computer's administrative functions or inactivating those features not needed for the computer's intended business purpose.

Hardware - The physical elements of a computer system; the computer equipment as opposed to the programs or information stored in a machine.

Hash - A fixed length cryptographic output of variables, such as a message, being operated on by a formula or cryptographic algorithm.

Hash Totals - A numerical summation of one or more corresponding fields of a file that would not ordinarily be summed. Typically used to detect when changes in electronic information have occurred.

Hierarchical storage management (HSM) - HSM is used to dynamically manage the back-up and retrieval of files based on how often they are accessed using storage media and devices that vary in speed and cost.

Hijacking - The use of an authenticated user's communication session to communicate with system components.

Homing beacons - Devices that send messages to the institution when they connect to a network and that enable recovery of the device.

Hop - Each step of a trip a data packet takes from its origination to its destination. For example, on the Internet a data packet may go through several routers before reaching its final destination.

Host - A computer that is accessed by a user from a remote location.

Host bus adapter (HBA) - A host bus adapter provides I/O processing and physical connectivity between a server and storage. As the only part of a storage area network that resides in a server, HBAs also provide a critical link between the storage area network and the operating system and application software.

Hosting - See "Website Hosting".

Hub - Simple devices that pass all data traffic in both directions between the LAN sections they link. Hubs forward every message they receive to the other sections of the LAN, even those that do not need to go there.

HVAC - Heating, ventilation, and air conditioning.

Hyperlink - An item on a webpage that, when selected, transfers the user directly to another location in a hypertext document or to another webpage, perhaps on a different machine. Also simply called a "link."

Hypertext Markup Language (HTML) - A set of codes that can be inserted into text files to indicate special typefaces, inserted images, and links to other hypertext documents.

Hypervisor - A piece of software that provides abstraction of all physical resources (such as central processing units, memory, network, and storage) and thus enables multiple computing stacks (consisting of an operating system, middleware and application programs) called virtual machines to be run on a single physical host.


I/O (Acronym) - Input/output.

Image archive (Check 21) - Database for storage and easy retrieval of check images.

Image capture (Check 21) - The process of digitizing both sides of physical items and their assorted MICR information as they are processed at the Federal Reserve Bank. Also includes storage of the images for up to 60 days.

Image exchange (Check 21) - Exchange of some or all of the digitized images of a check.

Implementation plan - A plan that details project management requirements and issues to be addressed during the period between the execution of an outsourcing agreement and the full production use of the outsourced services.

Incident management - The process of identifying, analyzing, and correcting disruptions to operations and preventing future recurrences. The goal of incident management is to limit the disruption and restore operations as quickly as possible.

Incident response plan - A plan that defines the action steps, involved resources, and communication strategy upon identification of a threat or potential threat event, such as a breach in security protocol, power or telecommunications outage, severe weather, or workplace violence.

Indemnifying bank (Check 21) - A financial institution that transfers, presents, or returns a substitute check or a paper or electronic representation of a substitute check for which it receives consideration. The financial institution shall indemnify the recipient and any subsequent recipient (including a collecting or returning financial institution, the depository financial institution, the drawer, the drawee, the payee, the depositor, and any endorser) for any loss incurred by any recipient of a substitute check if that loss occurred due to the receipt of a substitute check instead of the original.

Independence - Self-governance, freedom from conflict of interest and undue influence. The IT auditor should be free to make his or her own decisions, not influenced by the organization being audited, or by its managers and employees.

Independent sales organization - A non-financial institution organization that provides a variety of merchant processing functions on behalf of the acquirer. These functions include soliciting new merchant accounts, arranging for terminal purchases or leases, and providing backroom services. An Independent sales organization is also referred to as a member service provider (MSP). The acquirer must register all Independent sales organization/MSPs with the bankcard associations.

Industry testing - A test designed to validate that business processes, integrated across firms and within the financial industry, which supports the business continuity objectives of the firms, both individually and collectively.

Information security - The process by which an organization protects the creation, collection, storage, use, transmission, and disposal of information.

Information systems - Electronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information. Information systems can include networks (computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems). Other examples are backup tapes, mobile devices, and other media.

Information technology - Any services or equipment, or interconnected system(s) or subsystem(s) of equipment that comprise the institution's IT architecture or infrastructure. It can include computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources.

Infrastructure - Describes what has been implemented by IT architecture and often include support facilities such as power, cooling, ventilation, server and data redundancy and resilience, and telecommunications lines. Specific architecture types may exist for the following: enterprise, data (information), technology, security, and application.

Instruction - Means (i) any instruction submitted by a Member through the submission process directing CLS Bank to settle certain payment entitlements and obligations arising pursuant to an FX transaction eligible for settlement in CLS Bank and (ii) any instructions resulting from the split of Settlement Eligible Instructions.

Integrated Systems Digital Networking (ISDN) - A hierarchy of digital switching and transmission systems that provides voice, data, and image in a unified manner. Integrated Systems Digital Networking (ISDN) is synchronized so that all digital elements communicate in the same protocol at the same speed.

Integrated test/exercise - This integrated test/exercise incorporates more than one component or module, as well as external dependencies, to test the effectiveness of the continuity plans for a business line or major function.

Integrity - Assurance that information is trustworthy and accurate; ensuring that information will not be accidentally or maliciously altered or destroyed (see “Data integrity”).

Interbank checks - Checks that are not "on-us." They are cleared and settled either by direct presentment, a clearinghouse association, a correspondent bank, or a Federal Reserve Bank.

Interchange - Exchange of transactions between financial institutions participating in a bank card network, based on a common set of rules. Card interchange allows a financial institution's customers to use a bank credit card at any card honoring merchant and to gain access to multiple ATM systems from a single ATM.

Interchange fees - Fees paid by one financial institution to another to cover handling costs and credit risk in a financial institution card transaction. Interchange fees generally flow toward the institution funding the transaction and assuming the risk. In a credit card transaction, the interchange fee is paid by the merchant acquirer accepting the merchant's sales draft to the card-issuing institution, which, in turn, passes the fee to its merchants. In EFT/POS transactions, interchange flows in the opposite direction: the card-issuing institution (or customer) pays the fee to the terminal-owning institution. When a transaction is an off-line debit sale, the card-issuing institution collects an interchange fee from the merchant, rather than from the customer, unlike in an EFT/POS transaction, where the customer pays the interchange fee. Interchange revenue is derived from fees set by the card associations. Depending on the card association, fees can range from 1% to 3% of the value of the transaction. Interchange revenue is recognized as a card issuer's second largest revenue line item.

Interconnectivity - The state or quality of being connected together. The interaction of a financial institution's internal and external systems and applications and the entities with which they are linked.

Interdependencies - When two or more departments, processes, functions, or third-party providers support one another in some fashion.

Interface - Computer programs that translate information from one system or application into a format required for use by another system or application.

Internal "trusted" zone - A channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include SSLIP security and a secure physical connection.

International Organization for Standardization (ISO) - An independent, non-governmental, international organization that brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards.

Internet - The global system of interconnected computer networks that use the Internet protocol suite (TCP/IP) to link billions of devices worldwide.

Internet protocol (IP) - IP is a standard format for routing data packets between computers. IP is efficient, flexible, routable, and widely used with many applications, and is gaining acceptance as the preferred communication protocol.

Internet service provider (ISP) - A company that provides its customers with access to the Internet (e.g., AT&T, Verizon, CenturyLink).

Internet Small Computer System Interface (iSCSI) - An Internet protocol based storage networking standard for linking data storage facilities, used to facilitate. iSCSI is data transfers over intranets and to manage storage over long distances.

Interoperability - The ability of a system to work with or use the parts or equipment of another system.

Interoperability standards/protocols - Commonly agreed on standards that enable different computers or programs to share information. Example: HTTP (Hypertext Transfer Protocol) is a standard method of publishing information as hypertext in HTML format on the Internet.

Intrusion detection - Techniques that attempt to detect unauthorized entry or access into a computer or network by observation of actions, security logs, or audit data; detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available on the network.

Intrusion detection system (IDS) - Software or hardware product that detects and logs inappropriate, incorrect, or anomalous activity. It gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organizations) and misuse (attacks from within the organizations). IDS are typically characterized based on the source of the data they monitor: host or network. A host-based IDS uses system log files and other electronic audit data to identify suspicious activity. A network-based IDS uses a sensor to monitor packets on the network to which it is attached.

Intrusion prevention systems (IPS) - A system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its target.

IPv6 (Acronym) - Version 6 of the Internet Protocol.

ISAC (Acronym) - Information Sharing and Analysis Center.

IT architecture - A subset of enterprise architecture, with detail to support data processing and access, including fundamental requirements for centralized or distributed computing, real or virtual servers, devices and workstations, and networking design. Architecture plans may also exist for data (information), security, and applications.

IT governance - An integral part of governance that consists of the leadership and organizational structures and processes that ensure that the institution's IT sustains and extends the organization's strategies and objectives.

IT strategic plan - A comprehensive blueprint that guides the organization's technology management and contains high-level goals and plans for all areas of information technology that affect the business, not just the infrastructure. The plan should include areas that impact technology management, including cost management, human capital management, hardware and software management, third-party management, risk management, and all other considerations in the enterprise IT environment.

IT system inventory - A list containing information about the information resources owned or operated by an organization.

Iterative - Repetitive or cyclical. Iterative software development involves the completion of project tasks or phases in repetitive cycles. Tasks and phase activities are repeated until a desired result is achieved.


Key fob - A small portable device equipped with chip technology allowing the holder the ability to access network systems, such as those used for payments, and to store personal data.

Kiosk - A publicly accessible computer terminal that permits customers to directly communicate with the financial institution via a network.


LAN (Acronym) - Local Area Network.

Large value funds transfer system - A wholesale payment system used primarily by financial institutions in which large values of funds are transferred between parties. Fedwire® and CHIPS are the two large-value transfer systems in the United States.

Legacy systems - A term commonly used to refer to existing computers systems and applications with which new systems or applications must exchange information.

Legal amount recognition (LAR) - The handwritten dollar amount of the check.

Life-cycle process - The multi-step process that starts with the initiation, analysis, design, and implementation, and continues through the maintenance and disposal of the system.

Lockbox - Deposit mechanism used by commercial firms and businesses to facilitate their deposit transaction volume. Typically, commercial firms and businesses direct customers to send payments directly to a financial institution address or post office box controlled by the institution. Financial institution personnel record payments received and prepare deposit slips, and subsequent processing proceeds as with other deposit taking activities.

Lockout - The action of temporarily revoking network or application access privileges, normally due to repeated unsuccessful logon attempts.

Log - A record of information or events in an organized system, usually sequenced in the order in which the events occurred.

Logical access - Ability to interact with computer resources granted using identification, authentication, and authorization.

Logical access controls - The policies, procedures, organizational structure, and electronic access controls designed to restrict access to computer software and data files.

Long position - In respect of a currency balance that is greater than zero, the amount by which such currency balance is greater than zero. A position that appreciates in value if market prices increase. When one buys a currency, their position is long.


Magnetic ink character recognition (MICR) - Magnetic codes found on the bottom of checks, deposit slips, and general ledger debit and credit tickets that allow a machine to scan (capture) the information. MICR encoding on a check includes the account number, the routing number, the serial number of the check, and the amount of the check. The amount of the check is encoded when the proof department processes the check.

Mainframe - An industry term for a large computer, typically used for the commercial applications of businesses and other large-scale computing purposes. Generally, a mainframe is associated with centralized rather than distributed computing.

Malware - Software designed to secretly access a computer system without the owner’s informed consent. The expression is a general term (short for malicious software) used to mean a variety of forms of hostile, intrusive, or annoying software or program code. Malware includes computer viruses, worms, Trojan horses, spyware, dishonest adware, ransomware, crimeware, most rootkits, and other malicious and unwanted software or programs.

Management information systems (MIS) - A general term for the computer systems in an enterprise that provide information about its business operations.

Man-in-the-middle attack - Places the attacker's computer in the communication line between the server and the client. The attacker's machine can monitor and change communications.

Market-wide tests - Market-wide tests are also called cross-market tests or "street tests" that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.

Matched instructions - Two Instructions in which the information set forth in a specific CLS Bank Rule is matched in accordance with the parameters and procedures set forth in the CLS Bank Rules.

Matching - With respect to compared and non-compared transactions, the process of comparing the trade or settlement details provided by counterparties to ensure they agree with respect to the terms of the transaction. Also called comparison checking.

Media - Physical objects that store data, such as paper, hard disk drives, tapes, and compact disks (CDs).

Merchant acquirer - Bankcard association members that initiate and maintain contractual agreements with merchants for the purpose of accepting and processing bankcard transactions.

Merchant processing - Activity for the acceptance and settlement of bankcard products and transactions from merchants through the payment system.

Metric - A quantitative measurement.

Microwave technology - Narrowband technology that requires a direct line-of-sight to transmit voice and data communications and is used to integrate a broad range of fixed and mobile communication networks.

Middleware - Software that connects two or more software components or applications. It is another term for an application programmer interface or API, and it allows programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.

Midrange - Computers that are more powerful and capable than personal computers but less powerful and capable than mainframe computers.

Milestone - A major project event.

Millions of instructions per second (MIPS) - A general measure of computing performance and, by implication, the amount of work a larger computer can do.

Mirroring - A process that copies data to multiple disks over a computer network in real time or close to real time. Mirroring reduces network traffic, ensures better availability of the website or files, or enables the site or downloaded files to arrive more quickly for users close to the mirror site.

Mnemonic - A symbol or expression that can help someone remember something. For example, the phrase "Hello! My name is Bill. I'm 9 years old." might help an individual remember a secure 10-character password of "H!MniBI9yo."

Mobile device - A portable computing and communications device with information-storage capability. Examples include notebook and laptop computers, cellular telephones and smart phones, tablets, digital cameras, and audio recording devices.

Mobile financial services - The products and services that a financial institution provides to its customers through mobile devices.

Modeling - The process of abstracting information from tangible processes, systems and/or components to create a paper or computer-based representation of an enterprise-wide or business line activity.

Module - A combination of various components of a business process or supporting system.

Module test/exercise - A test designed to verify the functionality of multiple components of a business line or supporting function at the same time.

Multi-factor authentication - The process of using two or more factors to achieve authentication. Factors include something you know (e.g., password or personal identification number); something you have (e.g., cryptographic identification device or token); and something you are (e.g., biometric).

Multilateral netting settlement system - Multilateral netting is an arrangement among three or more parties to net their obligations. In these settlement systems transfers are irrevocable but are only final after the completion of end-of-day-settlement.

Multiplexers - A device that encodes or multiplexes information from two or more data sources into a single channel. They are used in situations where the cost of implementing separate channels for each data source is more expensive than the cost and inconvenience of providing the multiplexing/de-multiplexing functions.


NACHA - The Electronic Payments Association - The national association that establishes the rules and procedures governing the exchange of ACH payments.

National Institute of Standards and Technology (NIST) - An agency of the U.S. Department of Commerce that works to develop and apply technology, measurements, and standards. NIST developed a voluntary cybersecurity framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructures.

National Settlement Service (NSS) - Also referred to as Deferred Net Settlement. The Federal Reserve Banks' multilateral settlement service. NSS is offered to depository institutions that settle for participants in clearinghouses, financial exchanges, and other clearing and settlement groups. Settlement agents acting on behalf of those depository institutions electronically submit settlement files to the Federal Reserve Banks. Files are processed on receipt, and entries are automatically posted to the depository institutions' Reserve Bank accounts. Entries are final when posted.

Net debit cap - The maximum dollar amount of uncollateralized daylight overdrafts that an institution is authorized to incur in its Federal Reserve account. The net debit cap is generally equal to an institution's capital times the cap multiple for its cap category.

Network - Two or more computer systems grouped together to share information, software, and hardware.

Network activity baseline - A base for determining typical utilization patterns so that significant deviations can be detected.

Network administrator - The individual responsible for the installation, management, and control of a network.

Network attached storage (NAS) - NAS systems usually contain one or more hard disks that are arranged into logical, redundant storage containers much like traditional file servers. NAS provides readily available storage resources and helps alleviate the bottlenecks associated with access to storage devices.

Network diagram - A description of any kind of locality in terms of its physical layout. In the context of communication networks, a topology describes pictorially the configuration or arrangement of a network, including its nodes and connecting communication lines.

Network security - The protection of computer networks and their services from unauthorized entry, modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and that there are no harmful side effects. Network security includes providing for data integrity.

Non-public personal information - For purposes of the Information Security Standards, non-public personal information means (i) “personally identifiable financial information”; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any “personally identifiable financial information” that is not publicly available.

Non-repudiation - Ensuring that a transferred message has been sent and received by the parties claiming to have sent and received the message. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.


Object code - Software program instructions compiled (translated) from source code into machine-readable formats.

Object Program - A program that has been translated into machine language and is ready to be run (i.e., executed) by the computer.

Office of Foreign Asset Control (OFAC) - The Office of Foreign Assets Control, United States Department of the Treasury, administers and enforces economic sanctions programs primarily against countries and groups of individuals such as terrorists and narcotics traffickers. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.

Office of Foreign Assets Control (OFAC) - The Office of Foreign Assets Control, Department of the Treasury, administers and enforces economic sanctions programs primarily against countries and groups of individuals such as terrorists and narcotics traffickers. The sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals.

Offsite rotation - Used for backup and/or disaster recovery; moving a copy of the most current database, information, file, or tape to an offsite storage facility to be used only in an emergency.

On-us checks - Checks that are deposited into the same institution on which they are drawn.

Open market operations - The buying and selling of government securities in the open market in order to expand or contract the amount of money in the banking system.

Operating system - A system that supports and manages software applications. Operating systems allocate system resources, provide access and security controls, maintain file systems, and manage communications between end users and hardware devices.

Operational IT plan - Typically, the plans that are made by front-line, or low-level, IT managers. Operational IT plans are focused on the specific procedures and processes that implement the larger strategic plan.

Operational risk - The risk of failure or loss resulting from inadequate or failed processes, people, or systems.

Originating depository financial institution (ODFI) - A participating financial institution that originates entries at the request of and by agreement with its originators in accordance with the provisions of the NACHA rules.

Originator - A person that has authorized an ODFI to transmit a credit or debit entry to the deposit account of a receiver at an RDFI.

Out-of-band - Activity outside of the primary means of interfacing with the customer. For example, if a user is performing activity online, he or she may be authenticated through a one-time password sent via text message.

Outsourcing - The practice of contracting with another entity to perform services that might otherwise be conducted in-house. Contracted relationship with a third party to provide services, systems, or support.


Packet - The data unit that is routed from source to destination in a packet-switched network.

Pandemic - An epidemic or infectious disease that can have a worldwide impact.

Passwords - A secret sequence of characters that is used as a means of authentication.

Patch - Software code that replaces or updates other code. Frequently patches are used to correct security flaws.

Patching - Software code that replaces or updates other code. Frequently patches are used to correct security flaws.

Paying bank - A paying bank is the institution where a check is payable and to which it is sent for payment.

Payment - A transfer of value.

Payment system - The mechanism, the rules, institutions, people, markets, and agreements that make the exchange of payments possible.

Payments System Risk Policy (PSR) - The Federal Reserve's Payments System Risk (PSR) policy addressing the risks that payment systems present to the Federal Reserve Banks, the banking system, and to other sectors of the economy.

Payroll card account - A bank account that is established directly or indirectly by an employer on behalf of an employee to which an electronic funds transfers the employee's wages or compensation on a recurring basis. The payroll card, often branded by one of the credit/debit card associations, provides the employee access to the funds.

PCI Security Standards Council - The governing body, representing key participants of the payment card industry, which establishes and maintains security standards for payment cards.

Peer-to-peer (P2P) - Peer-to-peer communication, the communications that travel from one user's computer to another user's computer without being stored for later access on a server. E-mail is not a P2P communication since it travels from the sender to a server, and is retrieved by the recipient from the server. On-line chat, however, is a P2P communication since messages travel directly from one user to another.

Penetration test - The process of using approved, qualified personnel to conduct real-world attacks against a system to identify and correct security weaknesses before they are discovered and exploited by others.

Permanent virtual circuit (PVC) - PVC is a pathway through a network that is predefined and maintained by the end systems and nodes along the circuit, but the actual pathway through the network may change due to routing problems. The PVC is a fixed circuit that is defined in advance by the public network carrier. Refer to switched virtual circuit for an additional virtual circuit option.

Personal digital assistant (PDA) - A pocket-sized, special-purpose personal computer that lacks a conventional keyboard.

Personally identifiable financial information - For purposes of the Information Security Standards, personally identifiable financial information means information (i) a consumer provides to a financial institution to obtain a financial product or service; (ii) about a consumer resulting from any transaction involving a financial product or service between the financial institution and a consumer; or (iii) that a financial institution otherwise obtains about a consumer in connection with providing a financial product or service, such as account balance information, payment history, overdraft history, and credit or debit card purchase information; or the fact that an individual is one of the financial institution’s customers.

Person-to-person (P2P) payment - Online payments using electronic mail messages to invoke a transfer of value between the parties over existing proprietary networks as on-us transactions.

Phase - A project segment.

Phishing - A digital form of social engineering that uses authentic-looking—but bogus—e-mail to request information from users or direct them to fake websites that request information.

Plain old telephone system (POTS) - Basic telephone service.

Platform - The underlying computer system on which applications programs run. A platform consists of an operating system, the computer system's coordinating program, which in turn is built on the instruction set for a processor or microprocessor, and the hardware that performs logic operations and manages data movement in the computer.

Point-of-sale (POS) network - A network of institutions, debit cardholders, and merchants that permit consumers to make direct payment electronically at the place of purchase. The funds are withdrawn from the account of the cardholder.

Policy - A document that records a high-level principle or an agreed-upon course of action; overall intention and direction as formally expressed by management.

Pop-up box - A dialog box that automatically appears when a person accesses a webpage.

Port - Either an endpoint to a logical connection or a physical connection to a computer.

Positive pay - A technique that can reduce check fraud by requesting businesses to send electronic files of information to the financial institution on all checks the business has issued.

Presentment fee - A fee that an institution receiving a check may impose on the institution that presents the check for payment. No presentment fee may be charged for checks presented by 8 a.m. local time.

Preventive control - A mitigating technique designed to prevent an event from occurring.

Principle of least privilege - The security objective of granting users only the access needed to perform official duties.

Private branch exchange (PBX) - A telephone system within an enterprise that switches calls between enterprise users on local lines while allowing all users to share a certain number of external phone lines.

Private key infrastructure (PKI) - The use of public key cryptography in which each customer has a key pair (e.g., a unique electronic value called a public key and a mathematically-related private key). The private key is used to encrypt (sign) a message that can only be decrypted by the cor-responding public key or to decrypt a message previously encrypted with the public key. The public key is used to decrypt a message previously encrypted (signed) using an individual's private key or to encrypt a message so that it can only be decrypted (read) using the intended recipient's private key.

Private label card - See "Store Card".

Privilege - The level of trust with which a system object is imbued.

Privileged access - Individuals with the ability to override system or application controls.

Project - A task involving the acquisition, development, or maintenance of a technology product.

Project management - Planning, monitoring, and controlling an activity.

Proof of deposit (POD) - The verification of the dollar amount written on a negotiable instrument being deposited.

Protocol - A format for transmitting data between devices.

Proxy server - An Internet server that controls client computers' access to the Internet. Using a proxy server, a company can stop employees from accessing undesirable websites, improve performance by storing webpages locally, and hide the internal network's identity so monitoring is difficult for external users.

Public key - See "PKI".


Real time gross settlement (RTGS) System - A type of payments system operating in real time rather than batch processing mode. It provides immediate finality of transactions. Gross settlement refers to the settlement of each transfer individually rather than netting. FedwireÒ is an example of a real time gross settlement system.

Real-time network monitoring - Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access.

Receiver - An individual, corporation, or other entity that has authorized a company or an originator to initiate a credit or debit entry to a transaction account belonging to the receiver held at its RDFI.

Receiving depository financial institution (RDFI) - Any financial institution qualified to receive debits or credits through its ACH operator in accordance with the ACH rules.

Reciprocal agreement - An agreement whereby two organizations with similar computer systems agree to provide computer processing time for the other in the event one of the systems is rendered inoperable. Processing time may be provided on a "best effort" or as "time available" basis; therefore, reciprocal agreements are not usually acceptable as a primary recovery option.

Reconverting bank (Check 21) - The financial institution that creates a substitute check. With respect to a substitute check that was created by a person that is not a financial institution, the reconverting bank is the first financial institution that transfers, presents, or returns that substitute check or, in lieu thereof, the first paper or electronic representation of that substitute check. The reconverting bank warrants that (1) the substitute check is the legal equivalent of the original check; and (2) the original check cannot be presented again in any form so the customer pays the check only once.

Recovery point objective (RPO) - The amount of data that can be lost without severely impacting the recovery of operations or the point in time in which systems and data must be recovered (e.g., the date and time of a business disruption).

Recovery service levels - Collectively, terms that define the speed, quality, and quantity of recovery capability in response to a disaster, including recovery time objective, recovery point objective, timely notification, percentage of normal production service level agreements (SLAs) that will be delivered during recovery mode, etc.

Recovery site - An alternate location for processing information (and possibly conducting business) in an emergency. Usually distinguished as "hot" sites that are fully configured centers with compatible computer equipment and "cold" sites that are operational computer centers without the computer equipment.

Recovery time objective (RTO) - The maximum allowable downtime that can occur without severely impacting the recovery of operations or the time in which systems, applications, or business functions must be recovered after an outage (e.g. the point in time that a process can no longer be inoperable).

Recovery vendors - Organizations that provide recovery sites and support services for a fee.

Red team - A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The red team's objective is to improve enterprise information assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders in an operational environment.

Redundant array of independent disks (RAID) - The use of multiple hard disks to store the same data in different places. By placing data on multiple disks, I/O operations can overlap in a balanced way, improving performance. Since multiple disks increase the mean time between failures (MTBF), storing data redundantly also increases fault-tolerance.

Regulation CC - A regulation (12 CFR 229) promulgated by the Board of Governors of the Federal Reserve System regarding the availability of funds and the collection of checks. The regulation governs the availability of funds deposited in checking accounts and the collection and return of checks.

Regulation E - A regulation (12 CFR 205) promulgated by the Board of Governors of the Federal Reserve System to ensure consumers a minimum level of protection in disputes arising from electronic fund transfers.

Regulation Z - Regulation Z, the Truth in Lending Act (TILA) (12 CFR 226) promulgated by the Board of Governors of the Federal Reserve System. The regulation prescribes uniform methods for computing the cost of credit, disclosing credit terms, and resolving errors on certain types of credit accounts.

Remittance cards - Payment cards that are typically used to facilitate cross-border movement of funds by individuals and for person-to-person transactions.

Remote access - The ability to obtain access to a computer or network from a remote location.

Remote control software - Software that is used to obtain access to a computer or network from a remote distance.

Remote deletions - Use of a technology to remove data from a portable device without touching the device.

Remote deposit capture (RDC) - A service that enables users at remote locations to scan digital images of checks and transmit the captured data to a financial institution or a merchant that is a customer of a financial institution.

Remote journaling - Process used to transmit journal or transaction logs in real time to a back-up location.

Remotely created check (RCC) - A check that is drawn on a customer account at a financial institution, is created by the payee, and does not bear a signature in the format agreed to by the paying financial institution and customer. RCCs are also known as "demand drafts," "telechecks," "preauthorized drafts," "paper drafts," or "digital checks."

Removable media - Portable electronic storage media, such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device and which is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CD), thumb drives, pen drives, and similar storage devices.

Replay attack - The interception of communications, such as an authentication communication, and subsequently impersonation of the sender by retransmitting the intercepted communication.

Repudiation - The denial by one of the parties to a transaction of participation in all or part of that transaction or of the content of the communication.

Reserve account - A non-interest-earning balance account institutions maintain with the Federal Reserve Bank or with a correspondent bank to satisfy the Federal Reserve's reserve requirements. Reserve account balances play a central role in the exchange of funds between depository institutions.

Reserve requirements - The percentage of deposits that a depository institution may not lend out or invest and must hold either as vault cash or on deposit at a Federal Reserve Bank. Reserve requirements affect the potential of the banking system to create transaction deposits.

Residual risk - The amount of risk remaining after the implementation of controls.

Resilience - The ability of an institution to recover from a significant disruption and resume critical operations.

Resilience testing - Testing of an institution's business continuity and disaster recovery resumption plans.

Resource - Any enterprise asset that can help the organization achieve its objectives.

Retail payments - Payments, typically small, made in the goods and services market.

Retention requirement - Requirement established by a company or by regulation for the length of time and/or for the amount of information that should be retained.

Return (ACH) - Any ACH entry that has been returned to the ODFI by the RDFI or by the ACH operator because it cannot be processed. The reason for each return is included with the return in the form of a "return reason code." (See the NACHA "Operating Rules and Guidelines" for a complete reason code listing.)

Risk - The potential that events, expected or unanticipated, may have an adverse effect on a financial institution's earnings, capital, or reputation.

Risk analysis - The process of identifying risks, determining their probability and impact, and identifying areas needing safeguards.

Risk assessment - A prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat.

Risk identification - The process of determining risks and existing safeguards. It generally includes inventories of systems and information necessary to operations and defines the potential threats to systems and operations.

Risk management - The total process required to identify, control, and minimize the impact of uncertain events. The objective of a risk management program is to reduce risk and obtain and maintain appropriate management approval at predefined stages in the life cycle.

Risk measurement - A process to determine the likelihood of an adverse event or threat occurring and the potential impact of such an event on the institution. The result of risk measurement leads to the prioritization of potential risks based on severity and likelihood of occurrence.

Risk mitigation - The process of reducing risks through the introduction of specific controls and risk transfer. It includes the implementation of appropriate controls to reduce the potential for risk and bring the level of risk in line with the board's risk appetite.

Rlogin - Remote login. A UNIX utility that allows a user to login to a remote host on a network, as if it were directly connected, and make use of various services. Remote login is an information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization's security controls.

Rogue wireless access - An unauthorized wireless node on a network.

Router - A hardware device that connects two or more networks and routes incoming data packets to the appropriate network.

Routing - The process of moving information from its source to the destination.

Routing number - Also referred to as the ABA number. A nine-digit number (eight digits and a check digit) that identifies a specific financial institution.


Sandbox - A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized.

SAS 70 report - An audit report of a servicing institution prepared in accordance with guidance provided in the American Institute of Certified Public Accountant's Statement of Auditing Standards Number 70. Replaced by SSAE 16.

Satellite technology - These links efficiently extend the reach of typical communication systems to distant areas and provide alternative traffic routing in an emergency.

Scalability - A term that refers to how well a hardware and software system can adapt to increased demands. For example, a scalable network system would be one that can start with just a few nodes but can easily expand to thousands of nodes. Scalability can be a very important feature because it means the entity can invest in a system with confidence they will not quickly outgrow it.

Scenario analysis - The process of analyzing possible future events by considering alternative possible outcomes.

Scorecard - A dashboard of performance measures.

Script - A file containing active content; for example, commands or instructions to be executed by the computer.

Secure shell - Network protocol that uses cryptography to secure communication, remote command line log-in, and remote command execution between two networked computers.

Secure Socket Layer (SSL) - A protocol that is used to transmit private documents through the Internet.

Security architecture - A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.

Security audit - An independent review and examination of system records and activities to test for adequacy of system controls, ensure compliance with established policy and operational procedures, and recommend any indicated changes in control, policy, and procedures.

Security breach - A security event that results in unauthorized access of data, applications, services, networks, or devices by bypassing underlying security mechanisms.

Security event - An event that potentially compromises the confidentiality, integrity, availability, or accountability of an information system.

Security log - A record that contains log-in and logout activity and other security-related events and that is used to track security-related information on a computer system.

Security posture - The security status of an enterprise's networks, information, and systems based on information security and assurance resources (e.g., people, hardware, software, and policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.

Security procedure agreement - An agreement between a financial institution and a Federal Reserve Bank whereby the financial institution agrees to certain security procedures if it uses an encrypted communications line with access controls for the transmission or receipt of a payment order to or from a Federal Reserve Bank.

Security violation - An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information or system resources.

Sensitive customer information - A customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log into or access the customer’s account, such as user name and password or password and account number.

Server - A computer or other device that manages a network service. An example is a print server, which is a device that manages network printing.

Service Level Agreement (SLA) - Formal documents between an institution and its third-party service provider that outline an institution’s predetermined requirements for a service and establish incentives to meet, or penalties for failure to meet, the requirements. SLAs should specify and clarify performance expectations, establish accountability, and detail remedies or consequences if performance or service quality standards are not met.

Service provider - For purposes of the Information Security Standards, service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to a financial institution.

Settlement - The final step in the transfer of ownership involving the physical exchange of securities or payment. In a banking transaction, settlement is the process of recording the debit and credit positions of the parties involved in a transfer of funds. In a financial instrument transaction, settlement includes both the transfer of securities by the seller and the payment by the buyer. Settlements can be "gross" or "net." Gross settlement means each transaction is settled individually. Net settlement means parties exchanging payments will offset mutual obligations to deliver identical items (e.g., dollars or EUROS), at a specified time, after which only one net amount of each item is exchanged.

Settlement date (ACH) - The date on which an exchange of funds with respect to an entry is reflected on the books of the Federal Reserve Bank.

Settlement eligible instructions - See "Matched Instructions".

Shadow IT - A term used to describe IT systems or applications used inside institutions without explicit approval.

Short position - In respect of a currency balance that is less than zero, the amount by which such currency balance is less than zero. An investment position that benefits from a decline in market price. When one sells a currency their position is short.

Short position limit - In respect of an eligible currency, the maximum short position a Settlement Member may have at any time in that eligible currency and, unless otherwise reduced pursuant to the CLS Bank Rules, shall equal (i) the total amount of all available committed liquidity facilities in such eligible currency (or such lesser amount that CLS Bank may determine from time to time) minus (ii) the amount of the largest available committed liquidity facility among such liquidity facilities (after taking into account any amounts already drawn.

Significant firms - Firms that process a significant share of transactions in critical financial markets.

Simulated loss of data center site(s) test/exercise - A type of disaster recovery test that involves the simulation of the loss of the primary, alternate, and/or tertiary data processing sites to verify that the institution can continue its data processing activities.

Simulation - The process of operating a model of an enterprise-wide or business line activity in order to test the functionality of the model. Computer systems may support the simulation of business models to aid in evaluating the BCP.

Single-Entry (ACH) - A one-time transfer of funds initiated by an originator in accordance with the receiver's authorization for a single ACH credit or debit to the receiver's consumer account.

Small Computer Systems Interface (SCSI) - Small computer systems interface (pronounced "scuzzy"). A standard way of interfacing a computer to disk drives, tape drives, and other devices that require high-speed data transfer. Also, a secondary SAN protocol that allows computer applications to talk to storage devices.

Smart cards - A card with an embedded computer chip on which information can be stored and processed.

Sniffing - The passive interception of data transmissions.

Social engineering - A general term for trying to trick people into revealing confidential information or performing certain actions.

Sound practices - Defined in the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," which was issued by the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Securities and Exchange Commission.

Source code - Software program instructions written in a format (language) readable by humans.

Source program - A program written in a programming language (such as C, Pascal, or COBOL). A compiler translates the source code into a machine-language object program.

Spear phishing - An attack targeting a specific user or group of users, and attempts to deceive the user into performing an action that launches an attack, such as opening a document or clicking a link. Spear phishers rely on knowing some personal piece of information about their target, such as an event, interest, travel plans, or current issues. Sometimes this information is gathered by hacking into the targeted network.

Spiral development - An iterative project management model that focuses on the identification of project and product risks and the selection of project management techniques that best control the identified risks.

Split Processing - The ongoing operational practice of dividing production processing between two or more geographically dispersed facilities.

Spoofing - A form of masquerading where a trusted IP address is used instead of the true IP address as a means of gaining access to a computer system.

Spot - The most common foreign exchange transaction. Spot or spot date refers to the spot transaction value date that requires settlement within two business days, subject to value date calculation.

SQL injection attack - An exploit of target software that constructs structure query language (SQL) statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as ability to add or modify data in the database.

Sreen scraping - A process used by information aggregators to gather information from a customer's website, whereby the aggregator accesses the target site by logging in as the customer, electronically reads and copies selected information from the displayed webpage(s), then redisplays the information on the aggregator's site. The process is analogous to "scraping" the information off the computer screen.

Standard Entry Class (SEC) code - Three-character code in an ACH company/batch header record used to identify the payment type within an ACH batch.

Stateful inspection - A firewall inspection technique that examines the claimed purpose of a communication for validity. For example, a communication claiming to respond to a request is compared to a table of outstanding requests.

Storage area network (SAN) - A high-speed special-purpose network (or sub-network) that connects different types of data storage devices with associated data servers on behalf of a larger network of users.

Storage virtualization - The process of taking many different physical storage networks and devices, and making them appear as one "virtual" entity for purposes of management and administration.

Store card - A credit card issued by a financial institution for a specific merchant or vendor that does not carry a bankcard association logo. Store cards can only be used at the merchant or vendor whose name appears on the front of the card.

Stored-value card - A card-based payment system that assigns a value to the card. The card's value can be stored on the card itself (i.e., on the magnetic stripe or in a computer chip) or in a network database. As the card is used for transactions, the transaction amounts are subtracted from the card's balance. As the balance approaches zero, some cards can be "reloaded" through various methods and others are designed to be discarded. These cards are often used in closed systems for specific types of purchases.

Stovepipe application - Stand-alone programs that may not easily integrate with other applications or systems.

Street tests - Street tests are also called cross-market tests or market-wide tests that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.

Substitute check (Check 21) - Also known as the Image Replacement Document (IRD). A paper reproduction of an original check that (1) contains an image of the front and back of the original check; (2) bears a MICR line that, except as provided under ANS X9.100-140, contains all the information appearing on the MICR line of the original check when it was issued and any additional information that was encoded on the original check's MICR line before an image of the original check was captured; (3) conforms in paper stock, dimension, and otherwise with ANS X9.100-140; and (4) is suitable for automated processing in the same manner as the original check. The Federal Reserve Board of Governors can by rule or order determine different standards.

Suspicious activity report (SAR) - Reports required to be filed by the Bank Secrecy Act when a financial institution identifies or suspects fraudulent activity.

Sustainability - The period of time for which operations can continue at an alternate processing facility.

Switch - A device that connects more than two LAN segments that use the same data link and network protocol.

Switched virtual circuit (SVC) - SVC is a temporary connection between workstations that is disabled after communication is complete. Refer to Permanent Virtual Circuit (PVC) for an additional communication method using circuits.

Synchronous data replication - A process for copying data from one source to another in which an acknowledgement of the receipt of data at the copy location is required for application processing to continue. Consequently, the content of databases stored in alternate facilities is identical to those at the original storage site, and copies of data contain current information at the time of a disruption in processing.

Synchronous Optical NETwork (SONET) - SONET is a standard for telecommunications transmissions over fiber optic cables. SONET is self-healing so that if a break occurs in the lines, it can use a back-up redundant ring to ensure that the transmission continues. SONET networks can transmit voice and data over optical networks.

System - institutions in which large values of funds are transferred between parties. Fedwire® and CHIPS are the two large-value transfer systems in the United States.

System administration - The process of maintaining, configuring, and operating computer systems.

System resources - Capabilities that can be accessed by a user or program either on the user's machine or across the network. Capabilities can be services, such as file or print services, or devices, such as routers.

Systems Development Life Cycle (SDLC) - An approach used to plan, design, develop, test, and implement an application system or a major modification to an application system.


T-1 line - A special type of telephone line for digital communication and transmission. T-1 lines provide for digital transmission with signaling speed of 1.544Mbps (1,544,000 bits per second). This is the standard for digital transmissions in North America. Usually delivered on fiber optic lines.

Table top exercise/structured walk-through test -

Tactical plan - Typically, a short-term plan that establishes the specific steps needed to implement a company's strategic plan. These plans are often created by mid-level managers.

Telecommunications - The exchange of information over significant distances by electronic means.

Telnet - An interactive, text-based communications session between a client and a host. It is used mainly for remote login and simple control services to systems with limited resources or to systems with limited needs for security.

Terminal services - A component of Microsoft Windows operating systems (both client and server versions) that allows a user to access applications or data stored on a remote computer over a network connection.

Test assumptions - The concepts underlying an institution's test strategies and plans.

Test key - Internal controls used to verify the authenticity of incoming wire requests involve the use of test keys. A test key is a formula used to develop or interpret test codes or test words. Test codes or words consist of a series of numbers signifying different types of information and usually precede the text of the message. As an example, a test code may contain a bank number, the amount of the transaction, and a number indicating the day and week of the month. As an additional precaution, many test codes contain a variable (sequence number) based on the number of messages received.

Test plan - A document that is based on the institution's test scope and objectives and includes various testing methods.

Test scenario - A potential event, identified as the operating environment for a business continuity or disaster recovery test, which the institution's recovery and resumption plan must address.

Test scripts - Documents that define the specific activities, tasks, and steps that test participants will conduct during the testing process.

Test strategy - Testing strategies establish expectations for individual business lines across the testing life cycle of planning, execution, measurement, reporting, and test process improvement. Testing strategies include the testing scope and objectives, which clearly define what functions, systems, or processes are going to be tested and what will constitute a successful test.

Third-party relationship - Any business arrangement between a financial institution and another entity, by contract or otherwise.

Third-party sender - A special subset of a technology service provider that is authorized to transmit ACH files on behalf of an originator. Typically, the ODFI must rely upon warranties by the third- party sender regarding the originators' identity and credit worthiness, which places additional risks on the ODFI.

Third-party service provider - Any third party to whom a financial institution outsources activities that the institution itself is authorized to perform, including a technology service provider.

Third-party service provider (ACH) - A third party, other than the ODFI or RDFI, that performs any function on behalf of the ODFI or the RDFI related to ACH processing. These functions would include the creation and sending of ACH files or acting as a sending or receiving point on behalf of a participating depository financial institution.

Threat intelligence - The acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision-making.

Token - A small device with an embedded computer chip that can be used to store and transmit electronic information. A soft token is a software-based token.

Topology - See "Network diagram".

Total cost of ownership (TCO) - The true cost of ownership of a computer or other technology system that includes original cost of the computer and software, hardware and software upgrades, maintenance, technical support, and training.

Transaction testing - A testing activity designed to validate the continuity of business transactions and the replication of associated data.

Transmission control protocol/Internet protocol (TCP/IP) - A communication standard for transmitting data packets from one computer to another. TCP/IP is used on the Internet and other networks. The two parts of TCP/IP are TCP, which deals with constructions of data packets, and IP, which routes them from machine to machine.

Trojan horse - Malicious code that is hidden in software that has an apparently beneficial or harmless use.

Truncating bank (Check 21) - The financial institution that truncates the original check. If a person other than a financial institution truncates the original check, the truncating bank is the first financial institution that transfers, presents, or returns, in lieu of such original check, a substitute check or, by agreement with the recipient, information relating to the original check (including data taken from the MICR line of the original check or an electronic image of the original check), whether with or without the subsequent delivery of the original check.

Trusted zone - A channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include secure socket layer, internet protocol security and a secure physical connection.

Tunnel - The path that encapsulated packets follow in an Internet VPN.

Two-way polling - An emergency notification system that allows management to ensure that all employees are contacted and have confirmed delivery of pertinent messages.


U.S. Computer Emergency Readiness Team (US-CERT) - US-CERT is part of the U.S. Department of Homeland Security's National Cybersecurity and Communications Integration Center. US-CERT is a partnership between the Department of Homeland Security and the public and private sectors, established to protect the nation's Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks across the nation.

Ultra forward service - This service allows control over the re-routing of incoming phone calls to pre-determined alternate locations in the event of a telecommunications outage.

Uniform Resource Locator (URL) - Abbreviation for "Uniform (or Universal) Resource Locator." A way of specifying the location of publicly available information on the Internet, in the form: protocol://machine:port number/filename. Often the port number and/or filename are unnecessary.

Uninterruptible power supply (UPS) - A device that allows your computer to keep running for at least a short time when the primary power source is lost. A UPS may also provide protection from power surges. A UPS contains a battery that "kicks in" when the device senses a loss of power from the primary source allowing the user time to save any data they are working on and to exit before the secondary power source (the battery) runs out. When power surges occur, a UPS intercepts the surge so that it doesn't damage your computer.

USA Patriot Act - The USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Public Law Pub.L. 107-56), commonly known as the "Patriot Act", was enacted by Congress to deter and punish terrorist acts in the United States and around the world by enhancing the law enforcement investigatory tools of both domestic law enforcement and foreign intelligence agencies.

User Identification - The process, control, or information by which a user identifies himself or herself to the system as a valid user (as opposed to authentication).

Utility - A program used to configure or maintain systems, or to make changes to stored or transmitted data.


Very early smoke detection alert (VESDA) - A system that samples the air on a continuing basis and can detect fire at the pre-combustion stage.

Virtual local area network (VLAN) - Logical segmentation of a LAN into different broadcast domains.

Virtual machine - A software emulation of a physical computing environment.

Virtual Mall - An Internet website offering products and services from multiple vendors or suppliers.

Virtual private network (VPN) - A computer network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.

Virus - Malicious code that replicates itself within a computer.

Voice over Internet Protocol (VoIP) - The transmission of voice telephone conversations using the Internet or Internet Protocol networks.

Vulnerability - A hardware, firmware, or software flaw that leaves an information system open to potential exploitation; a weakness in automated system security procedures, administrative controls, physical layout, internal controls, etc., that could be exploited to gain unauthorized access to information or to disrupt critical processing.

Vulnerability Analysis - Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

Vulnerability Assessment - Systematic examination of systems to identify, quantify, and prioritize the security deficiencies of the systems.


Walk-through drill/simulation test - This test represents a preliminary step in the overall testing process that may be used for training employees but not as a preferred testing methodology. During this test, participants choose a specific scenario and apply the BCP to it.

Wallet card - Portable information cards that provide emergency communications information for customers and employees.

Warehouse attack - The compromise of systems that store authenticators.

WEB SEC code - An ACH debit entry initiated by an originator resulting from the receiver's authorization through the Internet to make a transfer of funds from a consumer account of the receiver.

Weblinking - The use of hyperlinks to direct users to webpages of other entities.

Website - A webpage or set of webpages designed, presented, and linked together to form a logical information resource and/or transaction initiation function.

Website hosting - The service of providing ongoing support and monitoring of an Internet-addressable computer that stores webpages and processes transactions initiated over the Internet.

Wide-scale disruption - An event that disrupts business operations in a broad geographic area.

Wireless application protocol (WAP) - A data transmission standard to deliver wireless markup language (WML) content.

Wireless communication - The transfer of signals from place to place without cables, usually using infrared light or radio waves.

Wireless gateway server - A computer (server) that transmits messages between a computer network and a cellular telephone or other wireless access device.

Wireless phone - See "Cellular Telephone".

Work program - A series of specific, detailed steps to achieve an audit objective.

Work transfer - Work-transfer is a process whereby the staff located at a recovery site accepts the workload of staff located at a primary production site, and a data center located at a recovery site accepts the workload of the primary data processing site.

Workstation - Any computer connected to a local-area network.

Worm - A self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is primarily because of security vulnerabilities on the target computers.

WORM (Acronym) - Write once, read many times. A type of optical disk where a computer can save information once, can then read that information, but cannot change it.


Zero-day attack - An attack on a piece of software that has a vulnerability for which there is no known patch.