Certification Education About


Use this glossary to study for the CISO-FS certification or as a quick reference for new vocabulary. Unless otherwise stated, definitions are taken from the FFIEC handbooks.



Acceptable use policy: A document that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before users can gain access to a network or the Internet.
Access: The ability to physically or logically enter or make use of an IT system or area (secured or unsecured). The process of interacting with a system.
Administrator privileges: Computer system access to resources that are unavailable to most users. Administrator privileges permit execution of actions that would otherwise be restricted.
Agility: In IT systems, the ability to rapidly incorporate new technologies or changes to technologies allowing an organization to adapt to changing business needs.
Air-gapped environment: Security measure that isolates a secure network from unsecure networks physically, electrically, and electromagnetically. Source: FFIEC Joint Statement - Destructive Malware
Alternate Site Test / Exercise: A business continuity testing activity that tests the capability of staff, systems, and facilities, located at sites other than those generally designated for primary processing and business functions, to effectively support production processing and workloads. During the exercise, business line staff located at recovery site(s) participate in testing business functions and the supporting systems by performing typical production activities, including accessing applications and completing pending transactions. Staff members participate in testing alternate site facilities through the use of PCs, phones, and other equipment needed to perform testing of business activities.
Anomalous activity: Activity that deviates from normal. The result of the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations.
Antivirus/anti-malware software: A program that monitors a computer or network to identify all types of malware and prevent or contain malware incidents.
Application: Software that performs automated functions for a user. Examples include home banking, word processing and payroll. Distinguished from operating system or utility software.
Application controls: Controls related to transactions and data within application systems. Application controls ensure the completeness and accuracy of the records and the validity of the entries made resulting from both programmed processing and manual data entry. Examples of application controls include data input validation, agreement of batch totals and encryption of data transmitted.
Application development: The process of designing and building code to create a computer program (software) used for a particular type of job.
Application system: An integrated set of computer programs designed to serve a well defined function and having specific input, processing, and output activities (e.g., general ledger, manufacturing resource planning, human resource management).
Asset: In computer security, a major application, a general-support system, a high-impact program, a physical plant, a mission-critical system, personnel, equipment, or a logically related group of systems.
Asynchronous data replication: A process for copying data from one source to another while the application processing continues; an acknowledgement of the receipt of data at the copy location is not required for processing to continue. Consequently, the content of databases stored in alternate facilities may differ from those at the original storage site, and copies of data may not contain current information at the time of a disruption in processing as a result of the time (in fractions of a second) required to transmit the data over a communications network to the alternate facility. This technology is typically used to transfer data over greater distances than that allowed with synchronous data replication.
Asynchronous transfer mode: The method of transmitting bits of data one after another with a start bit and a stop bit to mark the beginning and end of each data unit. Can also mean automated teller machine.
Attack signature: A specific sequence of events indicative of an unauthorized access attempt. Source: NIST: SP 800-12
Attack signature: A specific sequence of events indicative of an unauthorized access attempt.
Audit charter: A document approved by the board of directors that defines the IT audit function's responsibility, authority to review records, and accountability.
Audit plan: A description and schedule of audits to be performed in a certain period of time (ordinarily a year). It includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work and includes other items such as budget, resource allocation, schedule dates, and type of report issued.
Audit program: The audit policies, procedures, and strategies that govern the audit function, including IT audit.
Authentication: The process of verifying the identity of an individual user, machine, software component, or any other entity.
Availability: Whether or how often a system is available for use by its intended users. Because downtime is usually costly, availability is an integral component of security.


Back-up Generations: A tape rotation methodology that creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers." This back-up methodology is frequently used to refer to master files for financial applications.
Bandwidth: Terminology used to indicate the transmission or processing capacity of a system or of a specific location in a system (usually a network system) for information (text, images, video, sound). Bandwidth is usually defined in bits per second (bps) but also is usually described as either large or small. Where a full page of English text is about 16,000 bits, a fast modem can move approx. 15,000 bps. Full-motion, full-screen video requires about 10,000,000 bps, depending on compression.
Baseline configuration: A set of specifications for a system, or configuration item within a system, that has been formally reviewed and agreed on at a given point in time and that can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, or changes.
Benchmark: A standard, or point of reference, against which things may be compared or assessed.
Bits per second (BPS): A measurement of how fast data moves from one place to another. A 28.8 modem can move 28,800 bits per second.
Black holing: A method typically used by ISPs to stop a distributed denial-of-service (DDoS) attack on one of its customers. This approach to blocking DDoS attacks makes the site in question completely inaccessible to all traffic, both malicious attack traffic and legitimate user traffic.
Border router: A device located at the organization’s boundary to an external network. Source: NIST: SP 800-41
Border router: A device located at the organization’s boundary to an external network.
Buffer overflow: A condition at an interface under which more input can be placed into a buffer or data-holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of a system. Source: NISTIR 7298 Revision 2
Business continuity: The ability to maintain operations and services—both technology and business—in the event of a disruption to normal operations and services. Ensures that any impact or disruption of services is within a documented and acceptable recovery time period and that system or operations are resumed at a documented and acceptable point in the processing cycle. Source: FFIEC IT Examination Handbook Glossary
Business Continuity Plan (BCP): A comprehensive written plan to maintain or resume business in the event of a disruption. BCP includes both the technology recovery capability (often referred to as disaster recovery) and the business unit(s) recovery capability.
Business Continuity Strategy: Comprehensive strategies to recover, resume, and maintain all critical business functions.
Business Continuity Test: A test of an institution's disaster recovery plan or BCP.
Business Impact Analysis (BIA): The process of identifying the potential impact of uncontrolled, non-specific events on an institution's business processes.
Business Recovery Test/Exercise: An activity that tests an institution's BCP.


Call Tree: A documented list of employees and external entities that should be contacted in the event of an emergency declaration.
Capacity Testing: Activities structured to determine whether resources (human and IT) can support required processing volumes in recovery environments.
Cash Letter: A group of checks accompanied by a paper listing sent to a clearinghouse, a Federal Reserve Bank, or another institution. A cash letter contains a number of negotiable items, mostly checks, accompanied by a letter that lists the amounts and instructions for transmittal to another bank. May also be called a transmittal letter. An incoming cash letter is one that is received by an institution from a clearinghouse, a Federal Reserve Bank, or another institution and contains checks written on accounts at the institution that were cashed elsewhere. An outgoing cash letter is one that is being sent to a clearinghouse, a Federal Reserve Bank, or another institution and contains checks deposited at the institution, which are written on accounts at other institutions.
Change management: The broad processes for managing organizational change. Change management encompasses planning, oversight or governance, project management, testing, and implementation.
Check 21 Act: Formally known as the Check Clearing for the 21st Century Act. Creates a new document, the IRD (image replacement document or substitute check) that is the legal equivalent of the original check and should be accepted as such. The act does not require institutions to accept electronic images instead of checks or IRDs, but does require the acceptance of IRDs instead of paper checks. The exchange of electronic images is optional and will be done by agreements between individual institutions, groups of institutions, or clearinghouses.
Checklist Review: A preliminary procedure to testing that employs information checklists to guide staff activities. For example, checklists can be used to verify staff procedures, hardware and software configurations, or alternate communication mechanisms.
Checksum: A mathematical value that is assigned to a file and used to “test” the file at a later date to verify that the data contained in the file has not been maliciously or erroneously changed.
CHIPS: A private-sector U.S.-dollar funds-transfer system, clearing and settling cross-border and domestic payments. Source: CHIPS
Classification: Categorization (e.g., “confidential,” “sensitive,” or “public”) of the information processed by the service provider on behalf of the receiver company.
Cloud computing: Generally a migration from owned resources to shared resources in which client users receive information technology services on demand from third-party service providers via the Internet “cloud.” In cloud environments, a client or customer relocates its resources—such as data, applications, and services—to computing facilities outside the corporate firewall, which the end user then accesses via the Internet. Source: FFIEC Statement on Outsourced Cloud Computing
Cloud storage: A model of data storage in which the digital data is stored in logical pools, the physical storage spans multiple servers (and often locations), and the physical environment is typically owned and managed by a hosting company.
Clustering: Connecting two or more computers together in such a way that enables them to act as a single computer. Clustering is used for parallel processing, load balancing, and fault tolerance.
Commercial off-the-shelf (COTS): COTS products include software and hardware products that are ready-made and available for sale to the general public. COTS products are typically installed in existing systems and do not require customization. Also known as "shrink-wrap" applications.
Compensating control: A management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.
Component: An element or part of a business process.
Component Test/Exercise: A testing activity designed to validate the continuity of individual systems, processes, or functions, in isolation. For example, component tests may focus on recovering specific network devices, application restoration procedures, off-site tape storage, or proving the validity of data for a particular business line.
Computer security: Technological and managerial procedures applied to computer systems to ensure the availability, integrity, and confidentiality of information managed by the computer system.
Concentrator: In data transmission, a concentrator is a functional unit that permits a common path to handle more data sources than there are channels currently available within the path. A device that connects a number of circuits, which are not all used at once, to a smaller group of circuits for economy.
Confidentiality: Assuring information will be kept secret, with access limited to appropriate persons.
Configuration management: The management of security features and assurances through control of changes made to a system’s hardware, software, firmware, documentation, testing, test fixtures, and test documentation throughout the development and operational life of the system.
Connectivity Testing: A testing activity designed to validate the continuity of network communications.
Consumer information: For purposes of the Information Security Standards, “consumer information” means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report that is maintained by or on behalf of a financial institution for a business purpose, such as information that an institution obtains about a loan applicant or a prospective employee from a consumer report.
Control: The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature.
Control requirements: Process used to document and/or track internal processes to determine that those established procedures and/or physical security policies are being followed.
Control self-assessment: A technique used to internally assess the effectiveness of risk management and control processes.
Core firm: Core clearing and settlement organization that serves critical financial markets.
Corrective control: A mitigating technique designed to lessen the impact to the institution when adverse events occur.
Courtesy amount recognition (CAR): The numeric amount of a check.
Crisis management: The process of managing an institution's operations in response to an emergency or event that threatens business continuity. An institution's ability to communicate with employees, customers, and the media, using various communications devices and methods, is a key component of crisis management.
Crisis Management Test/Exercise: A testing exercise that validates the capabilities of crisis management teams to respond to specific events. Crisis management exercises typically test the call tree notification process with employees, vendors, and key clients. Escalation procedures and disaster declaration criteria may also be validated.
Critical Financial Markets: Financial markets whose operations are critical to the economy. Critical financial markets provide the means for financial institutions to adjust their cash and securities positions and those of their customers in order to manage liquidity, market, and other risks to their organizations. Critical financial markets also provide support for the provision of a wide range of financial services to businesses and consumers in the United States and support the implementation of monetary policy. Examples of "critical financial markets" include: • Federal funds, foreign exchange, and commercial paper; • U.S. Government and agency securities; and • Corporate debt and equity securities.
Critical Market Participants: Participants in the financial markets that perform critical operations or provide critical services. Their inability to perform these operations or services could result in major disruptions in the financial system.
Critical Path: The critical path represents the business processes or systems that must receive the highest priority during the recovery phase.
Critical system (infrastructure): The systems and assets, whether physical or virtual, that are so vital that the incapacity or destruction of them may have a debilitating impact.
Cross-Market Tests: Cross-market tests are also called market-wide tests or "street tests" that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.
Custom redirect service: This service enables control over the location of incoming calls or the redirection of calls to various locations or pre-established phone numbers to ensure customer service continuity.
Customer: For purposes of the Information Security Standards, “customer” means a consumer with whom a financial institution has a continuing relationship under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. In the case of a credit union, a customer relationship will exist between a credit union and certain consumers that are not the credit union’s members.
Customer information: A term used in the Information Security Standards to mean any record containing non-public personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of a financial institution.
Customer information systems: For purposes of the Information Security Standards, “customer information systems” means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.
Cyber attack: An attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network. An attack, via cyberspace, targeting an institution for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; destroying the integrity of the data; or stealing controlled information.
Cyber event: A cybersecurity change or occurrence that may have an impact on organizational operations (including mission, capabilities, or reputation).
Cyber incident: Actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system or the information residing therein.
Cyber resilience: The ability of a system or domain to withstand cyber attacks or failures and, in such events, to reestablish itself quickly.
Cyber threat: An internal or external circumstance, event, action, occurrence, or person with the potential to exploit technology-based vulnerabilities and to adversely affect (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.
Cybersecurity: The process of protecting consumer and bank information by preventing, detecting, and responding to attacks.


Data center: A facility that houses an institution’s most important information systems components, including computer systems, telecommunications components, and storage systems.
Data classification program: A program that categorizes data to convey required safeguards for information confidentiality, integrity, and availability, and establishes required controls based on value and level of sensitivity.
Data corruption: Errors in computer data that occur during writing, reading, storage, transmission, or processing, which introduce unintended changes to the original data.
Data integrity: The property that data have not been destroyed or corrupted in an unauthorized manner; maintaining and assuring the accuracy and consistency of data over their entire life cycle.
Data loss prevention (DLP) program: A comprehensive approach (covering people, processes, and systems) of implementing policies and controls designed specifically to discover, monitor, and protect confidential data while it is stored, used, or in transit over the network and at the perimeter.
Data mining: The process or techniques used to analyze large sets of existing information to discover previously unrevealed patterns or correlations. Source: NICCS Glossary
Data mirroring: A back-up process that involves writing the same data to two physical disks or servers simultaneously.
Data replication: The process of copying data, usually with the objective of maintaining identical sets of data in separate locations. Two common data replication processes used for information systems are synchronous and asynchronous mirroring.
Data synchronization: The comparison and reconciliation of interdependent data files at the same time so that they contain the same information.
Database: A collection of data that is stored on any type of computer storage medium and may be used for more than one purpose.
Deep packet inspection: The capability to analyze network traffic to compare vendor-developed profiles of benign protocol activity against observed events to identify deviations. Source: NIST Guide to Intrusion Detection and Prevention Systems
Defense-in-depth: Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.
Demilitarized zone (DMZ): A computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.
Detection device: A device designed to recognize an event and alert management when events occur.
Detective control: A mitigating technique designed to recognize an event and alert management when events occur.
Device: A generic term for any machine or component that attaches to a computer or connects to a network.
Digital certificate: The electronic equivalent of an ID card that authenticates the originator of a digital signature. Source: FFIEC IT Examination Handbook Glossary
Digital subscriber line (DSL): A technology that uses existing copper telephone lines and advanced modulation schemes to provide high-speed telecommunications to businesses and homes.
Direct access storage device (DASD): A magnetic disk storage device historically used in mainframe environments. DASD may also include hard drives used in personal computers.
Disaster recovery: The process of recovering from major processing interruptions.
Disaster recovery exercise: A test of an institution's disaster recovery or BCP.
Disaster recovery plan: A plan that describes the process to recover from major processing interruptions.
Disk shadowing: A back-up process that involves writing images to two physical disks or servers simultaneously.
Distributed denial of service (DDoS): A type of attack that makes a computer resource or resources unavailable to its intended users. Although the means to carry out, motives for, and targets of a DDoS attack may vary, it generally consists of the concerted efforts of a group that intends to affect an institution’s reputation by preventing an Internet site, service, or application from functioning efficiently.
Diversity: A description of financial services sectors in which primary and back-up telecommunications capabilities do not share a single point of failure.
Domain Name System Security Extensions (DNSSEC): A technology that was developed to, among other things, protect against such attacks by digitally ‘signing’ data so you can be assured it is valid. ICANN Source:
Dual control: Dividing the responsibility of a task into separate, accountable actions to ensure the integrity of the process.
Due diligence: Technical, functional, and financial review to verify a service provider’s ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients.
Due diligence for service provider selection: Technical, functional, and financial review to verify a third-party service provider’s ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients.


Electronic vaulting: A back-up procedure that copies changed files and transmits them to an off-site location using a batch process.
Emergency plan: The steps to be followed during and immediately after an emergency such as a fire, tornado, bomb threat, etc.
Encryption: A data security technique used to protect information from unauthorized inspection or alteration. Information is encoded so that data appears as a meaningless string of letters and symbols during delivery or transmission. Upon receipt, the information is decoded using an encryption key.
End-of-life: All software products have life cycles. End-of-life refers to the date when a software development company no longer provides automatic fixes, updates, or online technical assistance for the product.
End-point security: Refers to a methodology of protecting the corporate network when accessed with remote devices, such as laptops, or other wireless and mobile devices. Each device with a remote connection to the network creates a potential entry (or exit) point for security threats.
End-to-end process flow: Document that details the flow of the processes, considering automated and manual control points, hardware, databases, network protocols, and real-time versus periodic processing characteristics.
End-to-end recoverability: The ability of an institution to recover a business process from initiation, such as customer contact, through process finalization, such as transaction closure.
Enterprise Architecture: The overall design and high-level plan that describes an institution’s operational framework and includes the institution’s mission, stakeholders, business and customers, work flow and processes, data processing, access, security, and availability.
Enterprise network: The configuration of computer systems within an organization. Includes local area networks (LAN), wide area networks (WAN), bridges, and applications. Source: FFIEC IT Examination Handbook Glossary
Enterprise-wide: Across an entire organization, rather than a single business department or function.
Exploit: A technique or code that uses a vulnerability to provide system access to the attacker. An exploit is an intentional attack to affect an operating system or application program.
Exposure: The potential loss to an area due to the occurrence of an adverse event.
External connections: An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.


Fibre channel: A high performance serial link supporting its own, as well as higher-level protocols such as the small computer system interface, high performance parallel interface framing protocol and intelligent peripheral interface. The Fibre Channel standard addresses the need for very fast transfers of large amounts of information. The fast (up to 1 Giga byte per second) technology can be converted for LAN technology by adding a switch specified in the Fibre Channel standard that handles multipoint addressing. Fibre Channel gives users one port that supports both channel and network interfaces, unburdening the computers from large number of input and output (I/O) ports. Fibre Channel provides control and complete error checking over the link.
File transfer protocol (FTP): A standard high-level protocol for transferring files from one computer to another, usually implemented as an application-level program.
Financial Authority: A supervisory organization that is responsible for safeguarding and maintaining consumer confidence in the financial system.
Financial industry participants: Financial institutions and other companies that are involved in the banking, securities, and/or insurance industry and are regulated by supervisory authorities.
Financial Services Information Sharing and Analysis Center (FS-ISAC): A nonprofit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information.
Firewall: A hardware or software link in a network that relays only data packets clearly intended and authorized to reach the other side.
Frame relay: A high-performance wide area network protocol that operates at the physical and data link layers of the Open Systems Interconnection reference model. Frame relay is an example of a packet-switched technology. Packet-switched networks enable end stations to dynamically share the network medium and the available bandwidth.
FTP (file transfer protocol): A standard high-level protocol for transferring files from one computer to another, usually implemented as an application level program. Source: National Telecommunications and Information Administration
Full-interruption/full-scale test (IT and Staff): A business continuity test that activates all the components of the disaster recovery plan at the same time. Hardware, software, staff, communications, utilities, and alternate site processing should be thoroughly tested in this type of testing activity. The exercise should include the business line end users and the IT group to ensure that each business line tests its key applications and is prepared to recover and resume its business operations in the event of an emergency. The full test verifies that systems and staff can recover and resume business within established recovery time objectives. End users should verify the integrity of the data at the alternate site after the IT group has restored systems and applications needed for the staff to perform production activities.
Functional drill/parallel test: This test involves the actual mobilization of personnel at other sites in an attempt to establish communications and coordination as set forth in the BCP.
Functionality testing: A test designed to validate that a business process or activity accomplishes expected results.


Gap analysis: A comparison that identifies the difference between actual and desired outcomes.
General controls: Controls, other than application controls, that relate to the environment within which application systems are developed, maintained, and operated, and that are therefore applicable to all the applications at an institution. The objectives of general controls are to ensure the proper development and implementation of systems, and the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IT strategy and an IT security policy, the organization of IT staff to separate conflicting duties and planning for disaster prevention and recovery.
Governance: In computer security, governance means setting clear expectations for the conduct (behaviors and actions) of the entity being governed and directing, controlling, and strongly influencing the entity to achieve these expectations. Governance includes specifying a framework for decision making, with assigned decision rights and accountability, intended to consistently produce desired behaviors and actions.
Government Emergency Telecommunications Service (GETS): Acronym for the Government Emergency Telecommunications Service card program. GETS cards provide emergency access and priority processing for voice communications services in emergency situations.
Gramm–Leach–Bliley Act: The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999 (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), required the Federal banking agencies to establish information security standards for financial institutions.
Grandfather-father-son: Retaining multiple versions of the back-up files off-site on a "grandfather-father-son" rotating basis is recommended. This tape methodology creates three sets of back-up tapes: daily incremental sets or "sons," weekly full sets or "fathers," and end-of-month tapes or "grandfathers."


Hardening: The process of securing a computer’s administrative functions or inactivating those features not needed for the computer’s intended business purpose.
Hardware: The physical elements of a computer system; the computer equipment as opposed to the programs or information stored in a machine.
Hash: A fixed-length cryptographic output of variables, such as a message, being operated on by a formula or cryptographic algorithm.
Hierarchical storage management (HSM): HSM is used to dynamically manage the back-up and retrieval of files based on how often they are accessed using storage media and devices that vary in speed and cost.
Hijacking: An attacker’s use of an authenticated user’s communication session to communicate with system components.
Homing beacons: Devices that send messages to the institution when they connect to a network and that enable recovery of the device.
Hop: Each step of a trip a data packet takes from its origination to its destination. For example, on the Internet a data packet may go through several routers before reaching its final destination.
Host: A computer that is accessed by a user from a remote location.
Host bus adapter (HBA): A host bus adapter provides I/O processing and physical connectivity between a server and storage. As the only part of a storage area network that resides in a server, HBAs also provide a critical link between the storage area network and the operating system and application software.
Hub: Simple devices that pass all data traffic in both directions between the LAN sections they link. Hubs forward every message they receive to the other sections of the LAN, even those that do not need to go there.
HVAC: Heating, ventilation, and air conditioning.
Hypervisor: A piece of software that provides abstraction of all physical resources (such as central processing units, memory, network, and storage) and thus enables multiple computing stacks (consisting of an operating system, middleware and application programs) called virtual machines to be run on a single physical host. Source: NIST SP 800-125a Draft


I/O (Acronym): Input/output.
Incident management: The process of identifying, analyzing, and correcting disruptions to operations and preventing future recurrences. The goal of incident management is to limit the disruption and restore operations as quickly as possible.
Incident response plan: A plan that defines the action steps, involved resources, and communication strategy upon identification of a threat or potential threat event, such as a breach in security protocol, power or telecommunications outage, severe weather, or workplace violence.
Independence: Self-governance, freedom from conflict of interest and undue influence. The IT auditor should be free to make his or her own decisions, not influenced by the organization being audited, or by its managers and employees.
Industry testing: A test designed to validate that business processes, integrated across firms and within the financial industry, which supports the business continuity objectives of the firms, both individually and collectively.
Information security: The result of any system of policies or procedures for identifying, controlling, and protecting information from unauthorized disclosure. Also, the processes by which an organization protects and secures its systems, media, and facilities that process and maintain information vital to its operations. Source: FFIEC IT Examination Handbook Glossary
Information systems: Electronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information. Information systems can include networks (computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems). Other examples are backup tapes, mobile devices, and other media.
Information technology (IT): Any services or equipment, or interconnected system(s) or subsystem(s) of equipment that compose the institution’s IT architecture or infrastructure. IT can include computers; ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance); peripheral equipment designed to be controlled by the central processing unit of a computer; software; firmware and similar procedures; services (including cloud computing and help-desk services or other professional services that support any point of the life cycle of the equipment or service); and related resources.
Infrastructure: Describes what has been implemented by IT architecture and often includes support facilities such as power, cooling, ventilation, server and data redundancy and resilience, and telecommunications lines. Specific architecture types may exist for the following: enterprise, data (information), technology, security, and application.
Integrated Systems Digital Networking (ISDN): A hierarchy of digital switching and transmission systems that provides voice, data, and image in a unified manner. Integrated Systems Digital Networking (ISDN) is synchronized so that all digital elements communicate in the same protocol at the same speed.
Integrated test/exercise: This integrated test/exercise incorporates more than one component or module, as well as external dependencies, to test the effectiveness of the continuity plans for a business line or major function.
Integrity: Assurance that information is trustworthy and accurate; ensuring that information will not be accidentally or maliciously altered or destroyed (see “Data integrity”).
Interconnectivity: The state or quality of being connected together. The interaction of a financial institution’s internal and external systems and applications and the entities with which they are linked.
Interdependencies: When two or more departments, processes, functions, or third-party providers support one another in some fashion.
Internal “trusted” zone: A channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include SSLIP security and a secure physical connection.
International Organization for Standardization (ISO): An independent, non-governmental, international organization that brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards.
Internet: The global system of interconnected computer networks that use the Internet protocol suite (TCP/IP) to link billions of devices worldwide.
Internet protocol (IP): IP is a standard format for routing data packets between computers. IP is efficient, flexible, routable, and widely used with many applications, and is gaining acceptance as the preferred communication protocol.
Internet service provider (ISP): A company that provides its customers with access to the Internet (e.g., AT&T, Verizon, and CenturyLink).
Internet Small Computer System Interface (iSCSI): An Internet protocol based storage networking standard for linking data storage facilities, used to facilitate. iSCSI is data transfers over intranets and to manage storage over long distances.
Interoperability: The ability of a system to work with or use the parts or equipment of another system.
Intrusion detection: Techniques that attempt to detect unauthorized entry or access into a computer or network by observation of actions, security logs, or audit data; detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available on the network.
Intrusion detection system (IDS): Software or hardware product that detects and logs inappropriate, incorrect, or anomalous activity. It gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organizations) and misuse (attacks from within the organizations). IDS are typically characterized based on the source of the data they monitor: host or network. A host-based IDS uses system log files and other electronic audit data to identify suspicious activity. A network-based IDS uses a sensor to monitor packets on the network to which it is attached.
Intrusion prevention system (IPS): A system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its target.
IT architecture: A subset of enterprise architecture, with detail to support data processing and access, including fundamental requirements for centralized or distributed computing, real or virtual servers, devices and workstations, and networking design. Architecture plans may also exist for data (information), security, and applications.
IT governance: An integral part of governance that consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.
IT strategic plan: A comprehensive blueprint that guides the organization’s technology management and contains high-level goals and plans for all areas of information technology that affect the business, not just the infrastructure. The plan should include areas that impact technology management, including cost management, human capital management, hardware and software management, third-party management, risk management, and all other considerations in the enterprise IT environment.
IT system inventory: A list containing information about the information resources owned or operated by an organization.


Legal amount recognition (LAR): The handwritten dollar amount of the check.
Life-cycle process: The multistep process that starts with the initiation, analysis, design, and implementation, and continues through the maintenance and disposal of the system.
Log: A record of information or events in an organized system, usually sequenced in the order in which the events occurred.
Logical access: Ability to interact with computer resources granted using identification, authentication, and authorization.
Logical access controls: The policies, procedures, organizational structure, and electronic access controls designed to restrict access to computer software and data files.


Magnetic ink character recognition (MICR): Magnetic codes found on the bottom of checks, deposit slips, and general ledger debit and credit tickets that allow a machine to scan (capture) the information. MICR encoding on a check includes the account number, the routing number, the serial number of the check, and the amount of the check. The amount of the check is encoded when the proof department processes the check.
Mainframe: An industry term for a large computer, typically used for the commercial applications of businesses and other large-scale computing purposes. Generally, a mainframe is associated with centralized rather than distributed computing.
Malware: Software designed to secretly access a computer system without the owner’s informed consent. The expression is a general term (short for malicious software) used to mean a variety of forms of hostile, intrusive, or annoying software or program code. Malware includes computer viruses, worms, Trojan horses, spyware, dishonest adware, ransomware, crimeware, most rootkits, and other malicious and unwanted software or programs.
Management information systems (MIS): A general term for the computer systems in an enterprise that provide information about its business operations.
Man-in-the-middle attack (MITM): Places the attacker’s computer in the communication line between the server and the client. The attacker’s machine can monitor and change communications. Source: FFIEC IT Examination Handbook Glossary
Market-wide tests: Market-wide tests are also called cross-market tests or "street tests" that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.
Media: Physical objects that store data, such as paper, hard disk drives, tapes, and compact disks (CDs).
Metrics: A quantitative measurement.
Microwave technology: Narrowband technology that requires a direct line-of-sight to transmit voice and data communications and is used to integrate a broad range of fixed and mobile communication networks.
Middleware: Software that connects two or more software components or applications. It is another term for an application programmer interface or API, and it allows programmers to access lower- or higher-level services by providing an intermediary layer that includes function calls to the services.
Midrange: Computers that are more powerful and capable than personal computers but less powerful and capable than mainframe computers.
Milestone: Major project event.
Millions of instructions per second (MIPS): A general measure of computing performance and, by implication, the amount of work a larger computer can do.
Mirroring: A process that copies data to multiple disks over a computer network in real time or close to real time. Mirroring reduces network traffic, ensures better availability of the website or files, or enables the site or downloaded files to arrive more quickly for users close to the mirror site.
Mobile device: A portable computing and communications device with information-storage capability. Examples include notebook and laptop computers, cellular telephones and smart phones, tablets, digital cameras, and audio recording devices.
Mobile financial services: A financial institution’s use of mobile devices to provide products and services to its customers.
Modeling: The process of abstracting information from tangible processes, systems and/ or components to create a paper or computer-based representation of an enterprise-wide or business line activity.
Module: A combination of various components of a business process or supporting system.
Module test/exercise: A test designed to verify the functionality of multiple components of a business line or supporting function at the same time.
Multi-factor authentication: The process of using two or more factors to achieve authentication. Factors include something you know (e.g., password or personal identification number); something you have (e.g., cryptographic identification device or token); and something you are (e.g., biometric).
Multiplexers: A device that encodes or multiplexes information from two or more data sources into a single channel. They are used in situations where the cost of implementing separate channels for each data source is more expensive than the cost and inconvenience of providing the multiplexing/de-multiplexing functions.


National Institute of Standards and Technology (NIST): An agency of the U.S. Department of Commerce that works to develop and apply technology, measurements, and standards. NIST developed a voluntary cybersecurity framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructures.
Network: Two or more computer systems grouped together to share information, software, and hardware. Source: FFIEC IT Examination Handbook Glossary
Network activity baseline: A base for determining typical utilization patterns so that significant deviations can be detected. Source: NIST: SP 800-61
Network administrator: An individual responsible for the installation, management, and control of a network. Source: FFIEC IT Examination Handbook Glossary
Network attached storage (NAS): NAS systems usually contain one or more hard disks that are arranged into logical, redundant storage containers much like traditional file servers. NAS provides readily available storage resources and helps alleviate the bottlenecks associated with access to storage devices.
Network diagram: A description of any kind of locality in terms of its physical layout. In the context of communication networks, a topology describes pictorially the configuration or arrangement of a network, including its nodes and connecting communication lines. Source: FFIEC IT Examination Handbook Glossary
Network security: The protection of computer networks and their services from unauthorized entry, modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and that there are no harmful side effects. Network security includes providing for data integrity.
Non-public personal information: For purposes of the Information Security Standards, non-public personal information means (i) “personally identifiable financial information”; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any “personally identifiable financial information” that is not publicly available.
Non-repudiation: Ensuring that a transferred message has been sent and received by the parties claiming to have sent and received the message. Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.


Object Program: A program that has been translated into machine language and is ready to be run (i.e., executed) by the computer.
Operating system: A system that supports and manages software applications. Operating systems allocate system resources, provide access and security controls, maintain file systems, and manage communications between end users and hardware devices. Source: FFIEC IT Examination Handbook Glossary
Operational IT plan: Typically, the plans that are made by front-line, or low-level, IT managers. Operational IT plans are focused on the specific procedures and processes that implement the larger strategic plan.
Operational risk: The risk of failure or loss resulting from inadequate or failed processes, people, or systems.
Out-of-band: Activity outside of the primary means of interfacing with the customer. For example, if a user is performing activity online, he or she may be authenticated through a one-time password sent via text message.
Outsourcing: The practice of contracting with another entity to perform services that might otherwise be conducted in-house. Contracted relationship with a third party to provide services, systems, or support. Source: FFIEC IT Examination Handbook Glossary


Packet: The data unit that is routed from source to destination in a packet-switched network.
Pandemic: An epidemic or infectious disease that can have a worldwide impact.
Patch: Software code that replaces or updates other code frequently to correct security flaws. Source: FFIEC IT Examination Handbook Glossary
Penetration test: The process of using approved, qualified personnel to conduct real-world attacks against a system to identify and correct security weaknesses before they are discovered and exploited by others. Source: FFIEC IT Examination Handbook Glossary
Permanent virtual circuit (PVC): PVC is a pathway through a network that is predefined and maintained by the end systems and nodes along the circuit, but the actual pathway through the network may change due to routing problems. The PVC is a fixed circuit that is defined in advance by the public network carrier. Refer to switched virtual circuit for an additional virtual circuit option.
Personally identifiable financial information: For purposes of the Information Security Standards, personally identifiable financial information means information (i) a consumer provides to a financial institution to obtain a financial product or service; (ii) about a consumer resulting from any transaction involving a financial product or service between the financial institution and a consumer; or (iii) that a financial institution otherwise obtains about a consumer in connection with providing a financial product or service, such as account balance information, payment history, overdraft history, and credit or debit card purchase information; or the fact that an individual is one of the financial institution’s customers.
Person-to-Person payments: Online payments using electronic messaging invoke a transfer of value between the parties over existing proprietary networks as “on-us” transactions. Source: FFIEC IT Examination Handbook Glossary
Phishing: A digital form of social engineering that uses authentic-looking—but bogus—e-mail to request information from users or direct them to fake Web sites that request information. Source: NIST: SP 800-83
Phishing: A digital form of social engineering that uses authentic-looking—but bogus—e-mail to request information from users or direct them to fake websites that request information.
Plain old telephone system (POTS): Basic telephone service.
Platform: The underlying computer system on which applications programs run. A platform consists of an operating system, the computer system's coordinating program, which in turn is built on the instruction set for a processor or microprocessor, and the hardware that performs logic operations and manages data movement in the computer.
Policy: A document that records a high-level principle or an agreed-upon course of action; overall intention and direction as formally expressed by management.
Port: Either an end point to a logical connection or a physical connection to a computer.
Positive pay: A technique that can reduce check fraud by requesting businesses to send electronic files of information to the financial institution on all checks the business has issued.
Preventive control: A mitigating technique designed to prevent an event from occurring.
Principles of least privilege: The security objective of granting users only the access needed to perform official duties. Source: NISTIR 7298 Revision 2
Private branch exchange (PBX): A telephone system within an enterprise that switches calls between enterprise users on local lines while allowing all users to share a certain number of external phone lines.
Privilege: The level of trust with which a system object is imbued.
Privileged access: Individuals with the ability to override system or application controls. Source: FFIEC Information Security Booklet
Project: A task involving the acquisition, development, or maintenance of a technology product.
Project management: Planning, monitoring, and controlling an activity.
Proof of deposit (POD): The verification of the dollar amount written on a negotiable instrument being deposited.
Protocol: A format for transmitting data between devices.


Real-time network monitoring: Immediate response to a penetration attempt that is detected and diagnosed in time to prevent access. Source: NISTIR 7298 Revision 2
Reciprocal agreement: An agreement whereby two organizations with similar computer systems agree to provide computer processing time for the other in the event one of the systems is rendered inoperable. Processing time may be provided on a "best effort" or as "time available" basis; therefore, reciprocal agreements are not usually acceptable as a primary recovery option.
Recovery point objective (RPO): The amount of data that can be lost without severely impacting the recovery of operations or the point in time in which systems and data must be recovered (e.g., the date and time of a business disruption).
Recovery site: An alternate location for processing information (and possibly conducting business) in an emergency. Usually distinguished as "hot" sites that are fully configured centers with compatible computer equipment and "cold" sites that are operational computer centers without the computer equipment.
Recovery time objective (RTO): The maximum allowable downtime that can occur without severely impacting the recovery of operations or the time in which systems, applications, or business functions must be recovered after an outage (e.g. the point in time that a process can no longer be inoperable).
Recovery vendors: Organizations that provide recovery sites and support services for a fee.
Red team: A group of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. The red team’s objective is to improve enterprise information assurance by demonstrating the impacts of successful attacks and by demonstrating what works for the defenders in an operational environment. Source: NIST: CNSSI-4009
Redundant array of independent disks (RAID): The use of multiple hard disks to store the same data in different places. By placing data on multiple disks, I/O operations can overlap in a balanced way, improving performance. Since multiple disks increase the mean time between failures (MTBF), storing data redundantly also increases fault tolerance.
Remote access: The ability to obtain access to a computer or network from a remote location. Source: FFIEC IT Examination Handbook Glossary
Remote control software: Software that is used to obtain access to a computer or network from a remote distance.
Remote deletions: Use of a technology to remove data from a portable device without touching the device.
Remote deposit captures (RDC): A service that enables users at remote locations to scan digital images of checks and transmit the captured data to a financial institution or a merchant that is a customer of a financial institution. Source: FFIEC IT Examination Handbook Glossary
Remote journaling: Process used to transmit journal or transaction logs in real time to a back-up location.
Removable media: Portable electronic storage media, such as magnetic, optical, and solid-state devices, which can be inserted into and removed from a computing device and which is used to store text, video, audio, and image information. Such devices have no independent processing capabilities. Examples include hard disks, floppy disks, zip drives, compact disks (CD), thumb drives, pen drives, and similar storage devices. Source: NIST: CNSSI-4009
Residual risk: The amount of risk remaining after the implementation of controls.
Resilience: The ability of an organization to recover from a significant disruption and resume critical operations. Source: FFIEC IT Examination Handbook Glossary
Resilience testing: Testing of an institution’s business continuity and disaster recovery resumption plans. Source: FFIEC IT Examination Handbook Glossary
Resource: Any enterprise asset that can help the organization achieve its objectives.
Retention requirement: Requirement established by a company or by regulation for the length of time and/or for the amount of information that should be retained.
Risk: The potential that events, expected or unanticipated, may have an adverse effect on a financial institution's earnings, capital, or reputation.
Risk analysis: The process of identifying risks, determining their probability and impact, and identifying areas needing safeguards.
Risk assessment: A prioritization of potential business disruptions based on severity and likelihood of occurrence. The risk assessment includes an analysis of threats based on the impact to the institution, its customers, and financial markets, rather than the nature of the threat. Source: FFIEC IT Examination Handbook Glossary
Risk identification: The process of determining risks and existing safeguards. It generally includes inventories of systems and information necessary to operations and defines the potential threats to systems and operations.
Risk management: The total process required to identify, control, and minimize the impact of uncertain events. The objective of a risk management program is to reduce risk and obtain and maintain appropriate management approval. Source: FFIEC IT Examination Handbook Glossary
Risk measurement: A process of determining the likelihood of an adverse event or threat occurring and the potential impact of such an event on the institution. The result of risk measurement is the prioritization of potential risks based on severity and likelihood of occurrence.
Risk mitigation: The process of reducing risks through the introduction of specific controls and risk transfer. It includes the implementation of appropriate controls to reduce the potential for risk and bring the level of risk in line with the board’s risk appetite.
Rlogin: Remote login. A UNIX utility that allows a user to login to a remote host on a network, as if it were directly connected, and make use of various services. Remote login is an information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization’s security controls. Source: NIST Electronic Authentication Guidance
Rogue wireless access: An unauthorized wireless node on a network. Source: NISTIR 7298 Revision 2
Router: A hardware device that connects two or more networks and routes incoming data packets to the appropriate network. Source: FFIEC IT Examination Handbook Glossary
Routing: The process of moving information from its source to the destination.


Sandbox: A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized. Source: NIST: CNSSI-4009
SAS 70 report: An audit report of a servicing institution prepared in accordance with guidance provided in the American Institute of Certified Public Accountant's Statement of Auditing Standards Number 70. Replaced by SSAE 16.
Satellite technology: These links efficiently extend the reach of typical communication systems to distant areas and provide alternative traffic routing in an emergency.
Scalability: A term that refers to how well a hardware and software system can adapt to increased demands. For example, a scalable network system would be one that can start with just a few nodes but can easily expand to thousands of nodes. Scalability can be a very important feature because it means the entity can invest in a system with confidence they will not quickly outgrow it.
Scenario analysis: The process of analyzing possible future events by considering alternative possible outcomes.
Scorecard: A dashboard of performance measures.
Secure shell: Network protocol that uses cryptography to secure communication, remote command line log-in, and remote command execution between two networked computers.
Secure Sockets Layer (SSL): A protocol that is used to transmit private documents through the Internet.
Security architecture: A detailed description of all aspects of the system that relate to security, along with a set of principles to guide the design. A security architecture describes how the system is put together to satisfy the security requirements.
Security audit: An independent review and examination of system records and activities to test for adequacy of system controls, ensure compliance with established policy and operational procedures, and recommend any indicated changes in control, policy, and procedures.
Security breach: A security event that results in unauthorized access of data, applications, services, networks, or devices by bypassing underlying security mechanisms.
Security event: An event that potentially compromises the confidentiality, integrity, availability, or accountability of an information system.
Security log: A record that contains login and logout activity and other security-related events and that is used to track security-related information on a computer system. Source: NIST: SP 800-92
Security posture: The security status of an enterprise’s networks, information, and systems based on information security and assurance resources (e.g., people, hardware, software, and policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
Security violation: An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information or system resources.
Sensitive customer information: A customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number. Source: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
Server: A computer or other device that manages a network service. An example is a print server, which is a device that manages network printing. Source: FFIEC IT Examination Handbook Glossary
Service provider: For purposes of the Information Security Standards, service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to a financial institution.
Service level agreement (SLA): An agreement that details the responsibilities of an IT service provider, the rights of the service provider’s customers, and the penalties assessed when the service provider violates any element of the SLA. SLAs also identify and define the service, plus the supported products, evaluation criteria, and quality of service customers should expect. SLAs are typically measured in terms of metrics. Examples include processing completion times and systems availability times. Source: FFIEC IT Examination Handbook Glossary
Shadow IT: A term used to describe IT systems or applications used inside institutions without explicit approval.
Significant firms: Firms that process a significant share of transactions in critical financial markets.
Simulated loss of data center site(s) test/exercise: A type of disaster recovery test that involves the simulation of the loss of the primary, alternate, and/or tertiary data processing sites to verify that the institution can continue its data processing activities.
Simulation: The process of operating a model of an enterprise-wide or business line activity in order to test the functionality of the model. Computer systems may support the simulation of business models to aid in evaluating the BCP.
Small Computer Systems Interface (SCSI): Small computer systems interface (pronounced "scuzzy"). A standard way of interfacing a computer to disk drives, tape drives, and other devices that require high-speed data transfer. Also, a secondary SAN protocol that allows computer applications to talk to storage devices.
Sniffing: The passive interception of data transmissions.
Social engineering: A general term for trying to trick people into revealing confidential information or performing certain actions.
Sound practices: Defined in the "Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," which was issued by the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Securities and Exchange Commission.
Source program: A program written in a programming language (such as C, Pascal, or COBOL). A compiler translates the source code into a machine-language object program.
Spear phishing: An attack targeting a specific user or group of users, and attempts to deceive the user into performing an action that launches an attack, such as opening a document or clicking a link. Spear phishers rely on knowing some personal piece of information about their target, such as an event, interest, travel plans, or current issues. Sometimes this information is gathered by hacking into the targeted network. Source: Guidelines for Secure Use of Social Media by Federal Departments and Agencies
Split Processing: The ongoing operational practice of dividing production processing between two or more geographically dispersed facilities.
Spoofing: A form of masquerading in which a trusted IP address is used instead of the true IP address as a means of gaining access to a computer system.
SQL Injection Attack: An exploit of target software that constructs structured query language (SQL) statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as the ability to add or modify data in the database.
Stateful inspection: A firewall inspection technique that examines the claimed purpose of a communication for validity. For example, a communication claiming to respond to a request is compared to a table of outstanding requests.
Storage area network (SAN): A high-speed special-purpose network (or sub-network) that connects different types of data storage devices with associated data servers on behalf of a larger network of users.
Storage virtualization: The process of taking many different physical storage networks and devices, and making them appear as one "virtual" entity for purposes of management and administration.
Stovepipe application: Stand-alone programs that may not easily integrate with other applications or systems.
Street tests: Street tests are also called cross-market tests or market-wide tests that are sponsored by the Securities Industry Association, Bond Market Association, and Futures Industry Association. These tests validate the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical.
Sustainability: The period of time for which operations can continue at an alternate processing facility.
Switch: A device that connects more than two LAN segments that use the same data link and network protocol.
Switched virtual circuit (SVC): SVC is a temporary connection between workstations that is disabled after communication is complete. Refer to Permanent Virtual Circuit (PVC) for an additional communication method using circuits.
Synchronous data replication: A process for copying data from one source to another in which an acknowledgement of the receipt of data at the copy location is required for application processing to continue. Consequently, the content of databases stored in alternate facilities is identical to those at the original storage site, and copies of data contain current information at the time of a disruption in processing.
Synchronous Optical NETwork (SONET): SONET is a standard for telecommunications transmissions over fiber optic cables. SONET is self-healing so that if a break occurs in the lines, it can use a back-up redundant ring to ensure that the transmission continues. SONET networks can transmit voice and data over optical networks.
System administration: The process of maintaining, configuring, and operating computer systems.
System development lifecycle process: The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation. Source: NIST System Development Life Cycle
System resources: Capabilities that can be accessed by a user or program either on the user’s machine or across the network. Capabilities can be services, such as file or print services, or devices, such as routers.
Systems administration: The process of maintaining, configuring, and operating computer systems.
Systems Development Life Cycle (SDLC): An approach used to plan, design, develop, test, and implement an application system or a major modification to an application system.


T-1 line: A special type of telephone line for digital communication and transmission. T1 lines provide for digital transmission with signaling speed of 1.544 Mbps (1,544,000 bits per second). This is the standard for digital transmissions in North America. Usually delivered on fiber optic lines. Source:
T-1 line: A special type of telephone line for digital communication and transmission. T-1 lines provide for digital transmission with signaling speed of 1.544Mbps (1,544,000 bits per second). This is the standard for digital transmissions in North America. Usually delivered on fiber optic lines.
Tactical plan: Typically, a short-term plan that establishes the specific steps needed to implement a company’s strategic plan.
Telecommunications: The exchange of information over significant distances by electronic means.
Telnet: An interactive, text-based communications session between a client and a host. It is used mainly for remote login and simple control services to systems with limited resources or to systems with limited needs for security. Source: Guide to Industrial Control Systems (ICS) Security
Terminal services: A component of Microsoft Windows operating systems (both client and server versions) that allows a user to access applications or data stored on a remote computer over a network connection.
Test assumptions: The concepts underlying an institution's test strategies and plans.
Test plan: A document that is based on the institution's test scope and objectives and includes various testing methods.
Test scenario: A potential event, identified as the operating environment for a business continuity or disaster recovery test, which the institution's recovery and resumption plan must address.
Test scripts: Documents that define the specific activities, tasks, and steps that test participants will conduct during the testing process.
Test strategy: Testing strategies establish expectations for individual business lines across the testing life cycle of planning, execution, measurement, reporting, and test process improvement. Testing strategies include the testing scope and objectives, which clearly define what functions, systems, or processes are going to be tested and what will constitute a successful test.
Third-party provider: Any type of company, including affiliated entities, nonaffiliated entities, and alliances of companies providing products and services to a financial institution. Other terms used to describe service providers include subcontractors, external service providers, application service providers, and outsourcers. Also called a third-party service provider.
Third-party relationship: Any business arrangement between a financial institution and another entity, by contract or otherwise.
Third-party service provider: Any type of company, including affiliated entities, non-affiliated entities, and alliances of companies providing products and services to the financial institution. Other terms used to describe service providers include vendors, subcontractors, external service providers, application service providers, and outsourcers. Source: FFIEC IT Examination Handbook Glossary
Threat intelligence: The acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision-making. Source: SEI Emerging Technology Center: Cyber Intelligence Tradecraft Project
Token: A small device with an embedded computer chip that can be used to store and transmit electronic information. Source: FFIEC IT Examination Handbook Glossary
Total cost of ownership (TCO): The true cost of ownership of a computer or other technology system that includes: original cost of the computer and software; hardware and software upgrades; maintenance; technical support; and training.
Transaction testing: A testing activity designed to validate the continuity of business transactions and the replication of associated data.
Transmission control protocol/Internet protocol (TCP/IP): A communication standard for transmitting data packets from one computer to another. TCP/IP is used on the Internet and other networks. The two parts of TCP/IP are TCP, which deals with constructions of data packets, and IP, which routes them from machine to machine.
Trojan horse: Malicious code hidden in software that has an apparently beneficial or harmless use.
Trusted zone: A channel in which the end points are known and data integrity is protected in transit. Depending on the communications protocol used, data privacy may be protected in transit. Examples include secure socket layer, internet protocol security and a secure physical connection. Source: CNSSI Glossary
Tunnel: The path that encapsulated packets follow in an Internet VPN.
Two-way polling: An emergency notification system that allows management to ensure that all employees are contacted and have confirmed delivery of pertinent messages.


U.S. Computer Emergency Readiness Team (US-CERT): US-CERT is part of the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center in the Office of Cybersecurity and Communications. US-CERT is a partnership between the Department of Homeland Security and the public and private sectors, established to protect the nation’s Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks across the nation.
Ultra forward service: This service allows control over the re-routing of incoming phone calls to pre-determined alternate locations in the event of a telecommunications outage.
Uninterruptible power supply (UPS): A device that allows your computer to keep running for at least a short time when the primary power source is lost. A UPS may also provide protection from power surges. A UPS contains a battery that "kicks in" when the device senses a loss of power from the primary source allowing the user time to save any data they are working on and to exit before the secondary power source (the battery) runs out. When power surges occur, a UPS intercepts the surge so that it doesn't damage your computer.
US-CERT: The U.S. Computer Emergency Readiness Team, part of the U.S. Department of Homeland Security's National Cybersecurity and Communications Integration Center. US-CERT is a partnership between the Department of Homeland Security and the public and private sectors, established to protect the nation’s Internet infrastructure. US-CERT coordinates defense against and responses to cyber attacks across the nation. Source: US-CERT
User identification: The process, control, or information by which a user identifies himself or herself to the system as a valid user (as opposed to authentication).
Utility: A program used to configure or maintain systems, or to make changes to stored or transmitted data.


Very early smoke detection alert (VESDA): A system that samples the air on a continuing basis and can detect fire at the pre-combustion stage.
Virtual local area network (VLAN): Logical segmentation of a LAN into different broadcast domains.
Virtual machine: A software emulation of a physical computing environment.
Virtual private network (VPN): A computer network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.
Virus: Malicious code that replicates itself within a computer.
Voice over Internet Protocol (VoIP): The transmission of voice telephone conversations using the Internet or Internet Protocol networks.
VPN (virtual private network): A computer network that uses public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization’s network. Source: FFIEC IT Examination Handbook Glossary
Vulnerability: A hardware, firmware, or software flaw that leaves an information system open to potential exploitation; a weakness in automated system security procedures, administrative controls, physical layout, internal controls, etc., that could be exploited to gain unauthorized access to information or to disrupt critical processing. Source: FFIEC IT Examination Handbook Glossary
Vulnerability assessment: Systematic examination of systems to identify, quantify, and prioritize the security deficiencies of the systems.


Walk-through drill/simulation test: This test represents a preliminary step in the overall testing process that may be used for training employees but not as a preferred testing methodology. During this test, participants choose a specific scenario and apply the BCP to it.
Wallet card: Portable information cards that provide emergency communications information for customers and employees.
Wide-scale disruption: An event that disrupts business operations in a broad geographic area.
Wireless communication: The transfer of signals from place to place without cables, usually using infrared light or radio waves.
Work program: A series of specific, detailed steps to achieve an audit objective.
Work transfer: Work-transfer is a process whereby the staff located at a recovery site accepts the workload of staff located at a primary production site, and a data center located at a recovery site accepts the workload of the primary data processing site.
Workstation: Any computer connected to a local-area network.
Worm: A self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network), possibly without any user intervention. This occurs primarily because of security vulnerabilities on the target computers.
WORM (Acronym): Write once, read many times. A type of optical disk where a computer can save information once, can then read that information, but cannot change it.


Zero-day attack: An attack on a piece of software that has a vulnerability for which there is no known patch. Source: DHS Continuous Diagnostics and Mitigation