OITPP Glossary

Resource type: template
Last changed: 2013-03-21 02:30:59
A| B| C| D| E| F| G| I| L| O| P| R| S| T| V| W


Abstraction is generally thought of as a physical or process layer that enables disparate components or objects to interact in ways that they could not do directly.

While there are many forms of abstraction, they all generally offer a benefit of simplifying business solutions by removing obstacles that are significant, but generally irrelevant to the problem being addressed.

Types of Abstraction
  • Data Abstraction: Data abstraction hides the implementation details of data representation. Objects and abstract data types are two forms of data abstraction.
  • Virtualization: Virtualization is a form of abstraction that removes or minimizes dependencies on physical resources or implementation details.
  • Hardware Abstraction: Hardware abstraction is generally implemented as a software layer that allows programs to be run on different types of hardware.
Information Governance Implications

Abstraction can simplify GRC solutions by simplifying the implementation and utilization of services, particularly data services because compliance is generally centered on the access and utilization of data. Data abstraction and data persistence services are often ignored in Service Oriented Architecture (SOA) initiatives, which creates GRC challenges. Data abstraction provides a unified solution for accessing and updating:

  • Data using different access methods and Application Programming Interfaces (APIs)
  • Different types of data
  • Data structured in different ways
  • Data with different semantics
  • Data in different locations
  • Data that spans different administrative regions
  • Data that spans different technology infrastructures

accelerated filer

Accelerated filer and large accelerated filer are terms defined by the Securities and Exchange Act of 1934, 17 CFR 240, Rule 12b-2, and referenced in regard to reporting requirements and deadlines for the Sarbanes-Oxley Act of 2002.

To be an accelerated filer, a company must:

  1. Have an aggregate market value of more than $75 million but less than $700 million
  2. 2. Have been subject to SEC reporting requirements for at least 12 prior months
  3. 3. Have published at least one prior annual report

In September 2005, the SEC voted to amend the definition of accelerated filer to include a new category of "large accelerated filers," for companies with a public float of $700 million. The amendments also:

  • Redefine "accelerated filers" as companies that have at least $75 million but less than $700 million in public float
  • Permit an accelerated filer whose public float has dropped below $25 million to file an annual report on a non-accelerated basis for the same fiscal year that the determination of public float is made
  • Permit a large accelerated filer to exit large accelerated filer status once its public float has dropped below $75 million
Related Authorities
  • Securities and Exchange Act of 1934 (17 CFR , Rule 12b-2—Definitions
  • SEC amendment to accelerated filer definition (PDF)
  • Text of 17 CFR 240 Rule 12b-2
  • SEC press release on revision to definitions and extension of Sarbanes-Oxley filing deadline for non-accelerated filers


(Also spelled "anti-virus.") A computer program that attempts to identify and neutralize computer viruses and other types of malicious software ("malware"). Antivirus software typically uses two different techniques to accomplish this:

  • Examining (scanning) files to look for known viruses matching definitions in a virus dictionary
  • Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach.

Requirements and Related Standards

Antivirus protection is indicated or required by several authorities, including:

  • The Payment Card Industry Data Security Standard (PCI DSS), Section 5
  • Health Insurance Portability and Accountability Act (HIPAA), §164.308(a) (5) (i)
  • NERC Cybersecurity Standard (CIP-007-1), §R4 (PDF)
  • FISMA/FISCAM/NIST 800-53 (PDF), "Recommended Security Controls for Federal Information Systems"
  • [AV-Comparatives, AV-Test, VirusBulletin: independent comparatives of several antivirus software](http://www.av-comparatives.org/)
  • [NIST National Vulnerability Database](http://nvd.nist.gov/)
  • [AntivirusWorld](http://www.antivirusworld.com/)

asset management

A strategic discipline that includes:

  • Asset lifecycle management (procurement, deployment, use, change, retirement)
  • Asset tracking and auditing
  • Asset investment and financial management

Although asset management has traditionally encompassed only on tangible assets, such as hardware and equipment, it is increasingly used in reference to software, systems, data, and digital rights.

Information Governance Implications

As a core component of operational governance, companies should define policies, procedures, and enforcement mechanisms for the effective use, control, and tracking of IT assets.


Any unauthorized attempt to bypass the physical or logical security controls established to protect a computer, network, or information system. Most attacks are developed to alter, access, transmit, or deny access to data or systems.


A copy of digital assetsincluding files, software, and datamade to avoid loss of data and facilitate operational recovery in the event of a system disruption.

Basel II

A set of guidelines for the calculating of minimum solvency requirements for banks. Issued by the Basel Committee on Banking Supervision, Basel II compliance focuses on three primary risk categories:

  • Credit risk: The risk of a counterparty default. Credit risk measurement techniques have historically measured credit risk on a relative scale. The Basel II Accord attempts to transform relative risk measures into absolute risk measures based on four drivers of credit risk: exposure, probability of default, loss given default, and maturity.
  • Market risk: The risk of a market disruption.
  • Operational risk: The risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems or from external events.
Information Governance Implications

In general, Basel II compliance is a calculations exercise that IT systems to provide reliable enterprise-level information and analysis. Effective information governance is required to ensure availability and reliability of financial data, including customer and portfolio data, for use in credit and risk calculations.

Business Activity Monitoring (BAM)

The discovery, aggregation, analysis, delivery and presentation of information concerning business operations. Architectural components of Business Activity Monitoring (BAM) solutions typically include:

  • A message bus or service bus for aggregating, integrating and delivering events and relevant historical data
  • One or more databases
  • An interface for presenting the data contextually

Business Activity Monitoring (BAM) is related to Business Process Management (BPM), Event-Driven Architecture (EDA), Event Stream Processing (ESP), Complex Event Processing (CEP), Corporate Performance Management (CPM), and Governance Dashboarding.

Information Governance Implications

BAM provies real-time information on business processes, operational process, and system events that supports effective managerial decisions.

business process

A sequence of activities necessary to manipulate economically relevant objects (i.e. inputs) towards specific goals (i.e. customer deliverables) to satisfy customers (i.e. customer requirements).

Business Process Execution Language (BPEL)

A standard for defining business process flows using an eXtensible Markup Language (XML)-based language for Web services orchestration. BPEL is based on the Web services model and the concept of orchestration. BPEL executes processes and only interfaces to Web services. Business Process Modeling Notation (BPMN) expresses and abstracts processes and provides the ability to generate BPEL code as well as other code.

The medium- to long-range objective for Business Process Management (BPM) is interoperability at the model level (i.e. BPMN) vs. the code level (i.e. BPEL), and to transcend key limitations in BPEL such as no/poor support for human workflow and sub-processes. Sub-processes are process fragments that share context data and state management with the calling parent. With BPEL a sub-process is just another process, which requires data sharing and state management to be explicitly defined in the process logic.

Information Governance Implications

GRC objectives are facilitated by business processes with well-defined inputs and outputs that are focused on customer requirements. BPEL is one element of a business process technology stack useful for implementing business solutions more amenable to GRC constraints.

Business Process Management (BPM)

An operational discipline and technology for the provision of end-to-end visibility and control over long-lived, multistep information requests, workflows, or transactions that span multiple applications and people within and between one or more organizations.

As a discipline, BPM supports the definition and execution of business processes. Business processes are customer-centric because all processes start (customer requirements) and end (customer deliverables) with customers.

As a technology, BPM adds a layer of design time and runtime control to application, data management, document management and content management environments. BPM supports business strategy by encapsulating business strategy inside executable business process models.

BPM vs. Workflow Management

Workflows are often a component of BPM, but are not synonymous with it. Unlike workflow management, BPM:

  • Does not assume human interaction
  • Supports collaboration between processes
  • Views tasks and documents as implementation details rather than core elements of the model
BPM vs. Service Oriented Architecture (SOA)

BPM and SOA are converging as organizations recognize their mutual benefits:

  • BPM - Processes are composed of services, which are composed and then called to produce outputs for customers. Processes support the orchestration and late binding of services.
  • SOA - Services provide the granularity processes need, and without BPM to provide a business focus, it's hard to know what services to implement or how they should be designed.

business rule

A unit of executable, reusable business logic specified declaratively, and which can be called from a conventional application, a composite application or business process.

Information Governance Implications

Business rules improve governance by helping organizations simplify applications and break down silos using a centralized rules repository that all applications can access. Rules provide a natural mechanism for enforcing compliance requirements, which can be specified using rules.

Business Process Modeling Notation (BPMN)

A standard for graphically defining abstraction layers that specify business processes.


BPMN is designed to bridge the semantic gap between business users and developers, which is a critical requirement for Service Oriented Architecture (SOA) initatives. Some BPMN tools generate Business Process Execution Language (BPEL) code, and efforts are under way to generate executable code in other languages, which some believe will make BPEL obsolete.

Information Governance Implications

BPMN is facilitates Business Process Management (BPM), a critical component of effective business governance and risk management

  • Business processes help organizations focus their efforts on serving their customers, which helps reduce risks and optimize resource utilization consistent with meeting customer requirements.
  • Business processes provide an abstraction layer for managing data, content and behavior, which reduces management challenges.

certificate authority

A trusted third-party service provider that issues digital certificates used to create digital signatures using public and private key pairs. The certificate authority guarantees that certificates are issued to parties whose identity has been confirmed. Confirmation is often achieved by leveraging other relationships the certificate applicant has with financial institutions or government agencies.

Information Governance Implications

Effective governance and risk management require accurate identification of people and resources engaged in information and financial transactions.

change management

Management of cultural, technical, or physical changes and their impact on business resources, people, and processes.

Organizational change management is closely tied to organizational culture and behaviors, as well as human psychology. The field of organizational change management addresses human responses to either perceived or real change and how that response ca affect organizational cultures, employee attitudes and relationships, and business performance.

Within the sphere of information management, change management addresses the implementation and control of changes to technology resources, including hardware, software, documentation, people, and business processes. A common goal of change management control practices is the assurance that Information Resources are protected against improper modification before, during, and after system implementation.

Information Governance Implications

Change management is an integral component of operational risk management. Companies must develop strategic management policies, procedures, and standards in order to ensure continuity and continuous improvement of business process-enabling technologies. Change management, asset management, and business process management are three strategic management disciplines that predate attempts to approach governance, risk management, and compliance as an integrated enterprise discipline.

cloud computing

A sourcing and delivery model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services), often provisioned by a third-party resource. Three common service models of cloud computing include Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).


Collaboration is teh process of using common goals and trust models to mediate access to distributed resources, including people, processes, devices, applications, services, data and content, which are implemented within secure, virtual environments.

Networking requirements

Collaboration requirements are driving the convergence of application services and networking services. Collaborative environments must integrate synchronous and asynchronous networking services across spatial, temporal, operational, organizational, channel, application and technology platform boundaries. This requires support for direct, meeting-based, blackboard-based and space-based interaction models.

Resource types

Collaboration capabilities should be available to both human and machine-centric processes.

Information Governance Implications

Collaboration is a requirement of complex governance, performance, and risk management processes that involve multiple actors, either machine and human.

Complex Event Processing (CEP)

Complex Event Processing (CEP) is the discipline of detecting, filtering, correlating, aggregating and processing events in real-time, which have potentially complex relationships with other events and artifacts of interest.

Key Concepts
  • Events are occurrences of interest
  • Events are technology neutral
  • Events have context
  • Events can carry metadata about themselves
  • Events can be evaluated based on event data, event metadata (carried with the event) or event context (other event metadata)
  • Events form spatial, temporal or other types of patterns
  • Events represent ad hoc processes, i.e. a sequence of occurrences that represent a process and/or result in the execution of a process (e.g. a revenue recognition process might consist of "letter of intent signed," "contract signed," "purchase order received," "product shipped" and "product delivered and accepted" events)
  • Events may be nested (e.g. a "change of address" event followed by an "ATM card lost" event could represent a compound event called "attempted fraud")
  • Events can optionally generate responses or actions
Properties of Complex Event Processing

Unlike traditional process automation solutions, CEP is characterized by:

  • Nonlinear, often unpredictable activity flows
  • Bottom-up process control
  • Dynamic logic
  • Execution via event management rather than rules and workflow
  • Processes defined by "borders" using exception management
  • Closed-loop processes, with outcomes consumed by the next iteration for continuous adjustment
  • Time, sequencing, and affinity as integral components of evaluation
Event Stream Processing (ESP)

Event Stream Processing (ESP) engines process event streams to identify events of interest and derive information from these events in real-time. ESP may therefore be regarded as a subset of CEP to the extent that complex events are involved in these event streams. ESP may also be regarded as distinct from CEP to the extent that simple events are involved. ESP and CEP both involve real-time event processing that results in an Event-Driven Architecture (EDA).

Information Governance Implications

Complex Event Processing (CEP) concepts are sometimes applied by governance, risk management, and compliance (GRC) solutions for detection and response of complex event sequences. As real-time processing requirements increasingly impacts GRC solutions spanning organizational and risk management silos, CEP capabilities will become more important.


Compliance is the act or process of adhering to rules, particularly those imposed by external or internal authorities.

Types of Compliance

Compliance requirements come from various sources:

  • Regulatory - Government agencies impose compliance requirements for organizations operating within their jurisdiction (e.g. SOX).
  • Industry - Industry bodies impose compliance requirements on their members (e.g. PCI).
  • Internal - Organizations define policies that apply to their internal operating units (e.g. expenditures exceeding $500,000 require CFO approval).
Relationship to Risk Management

Because most laws, standards, and policies are risk-reactive (e.g, they are enacted in response to or as a protection against negative contingencies) compliance is considered an element of business risk management, which may include:

  • Legal risks - compliance failures could result in litigation
  • Regulatory risks - compliance failures could result in regulatory sanctions, including fines
  • Reputation risks - compliance failures could result in reputation damage
  • Competitive risks - compliance failures could result in competitive disadvantages that extend beyond reputation risk
Compliance Trends

Recent years have seen the following trends in corporate compliance:

  • Risk-sensitive execution - Risk priorities, including nature, likelihood, and severity, guide compliance program definition, management, and execution
  • Integration - Corporate efforts have already largely shifted from checkbox compliance to sustainability and will continue to migrate towards business process integration, in an effort to find better paths to sustainability.
  • Complex identity (lifecycle) management - More organizations will accept the need for identity management of people and ther types of resources.
  • Mobility - Mobile devices and data will challenge all organizations to improve their security and risk management disciplines.
  • Virtualization - As virtual machines gain traction, companies are increasingly facing tricky data protection (particularly PCI) and e-discovery issues
  • E-discovery -Records retention practices are changing based on a growing body rulings and court-issued e-discovery protocols
  • Green policies - More organizations implement green policies to reduce energy consumption and pollution.
  • Cybercrime - Criminals will challenge all organizations to improve their security and risk management disciplines.
  • Service Oriented Architecture (SOA) - SOA will continue to make inroads at organizations seeking more adaptable and cost effective IT infrastructures.
  • Strategic gaps - Most organizations will continue to have serious gaps in their GRC focus areas, mostly revolving around security.
  • SOX - Less stringent and more flexible requirements are leading to less of a single-minded focus on SOX, which requires more knowledge about the internal state and systems environment to properly apply the new rules.
Compliance Technologies

A wide variety of technologies is used to meet compliance challenges. Many of these technologies intersect or offer overlapping capabilities, and some are in the process of converging. The technology categories below are assuming a primary role in the implementation of compliance solutions. These are high-level categories that subsume other technologies sometimes known by different names:

  • Data management - Data management technology manages structured data, which often reflects business transactions. Improvements to data management technology are being applied to strengthen compliance solutions, including data encryption, data archiving, Enterprise Information Integration (EII), and Event Stream Processing (ESP), which are separate technologies in their own right but which are being integrated with database engines.
  • Content management - Content management technology manages semi-structured and unstructured content such as legal documents and Web content, which may be subject to compliance requirements and may require the maintenance of relationships to structured data.
  • Process management - Process management technologies help define and manage end-to-end processes that translate customer requirements into customer deliverables.
  • Identity management - The identity of resources involved in business transactions must be known. Identity management disciplines must increasingly be applied not just to people but also to applications, services, processes and devices to ensure rogue resources do not impersonate legitimate resources.
  • Security information and event management - Host systems, applications, services, processes and devices generate security related information and events that must be managed and reported on consistent with security policies and compliance requirements.
Information Governance Implications

Compliance is increasingly part of an integrated governance- and performance-management disciplines; executed as a subset of risk management, as risk management is executed as a subset of governance. Achieving compliance objectives generally requires improved data and content management capabilities through improved data management and content management disciplines.

component technology

A software artifact that makes a clear distinction between interface and implementation, and conforms to a binary standard.

Information Governance Implications

Business solutions may be delivered as one or more software components that conform to a standard component model. This enables easy extension to or modification of the business solution and facilitates reuse by different applications, services, business processes and business units. Components tend to be reused, which over time makes them more reliable, and business solutions built with components are more adaptable than monolithic applications. Reliability and adaptability help meet governance, risk management, and compliance requirements.

GRC solutions may be delivered as one or more components that conform to a standard component model. This enables easy extension to or modification of the GRC solution and facilitates reuse by different applications, services, business processes and business units. GRC solutions built with components are also easier to integrate with business solutions.

Hybrid solutions, in which GRC capabilities are built into business solutions, integrate risk management with business-process automation.

composite application

Composite applications reflect a new application integration model using code and data from multiple sources, which are accessed and composed using Service Oriented Architecture (SOA) concepts and Web services standards.

The composite application model comes from the enterprise world while the mashup model (a similar concept) comes from the Web 2.0 world. These two models are converging. Composite applications reflect the rising importance of the assembly, composition and orchestration of code vs. the writing of code. This parallels the rising importance of assembly, composition and orchestration in the business process management and document management domains. SOA is a key element in all of these trends.

Computer Incident Response Team (CIRT)

A Computer Incident Response Team (CIRT) is an internal organizational body responsible for coordinating the response to computer security Incidents, including theft, misuse of data, intrusions, hostile probes, and malicious software.

Computer Incident Response Team (CIRT) Director

The CIRT director is a manager or role responsible (and accountable) for:

1. Publishing and maintaining policy guidance on corporate responses to computer security incidents

2. Providing managerial oversight of computer security incident response processes


Content is broadly defined in the business context as unstructured data, semi-structured data, rich media, or combinations of these, often manifested in the form of documents.

Content Addressable Storage (CAS)

Content Addressable Storage (CAS) locates data using array-assigned hashed addresses rather than a physical address or directory.

CAS uses storage nodes for data and content, and access nodes for metadata. Because CAS enhances data management and content management capabilities, it can be viewed as an element of portal technology stacks. CAS is relevant for e-discovery involving large numbers of documents and emails.

Information Governance Implications

CAS is one approach to mitigating the risks of failure to meet e-discovery requirements in legal proceedings. Notable cases of e-discovery failures include:

  • UBS Securities was fined $2.1 million in 2005 for failing to preserve email communications in an "easily accessible place."
  • KPMG was fined $456 million in a case involving 5 to 6 million discoverable documents. The cost of finding these documents was in addition to the fine.
  • [UBS Securities to Pay $2.1 Million in Penalties and Fines for Failure to Preserve Email](http://www.ediscoverylaw.com/2005/07/articles/news-updates/ubs-securities-to-pay-21-million-in-penalties-and-fines-for-failure-to-preserve-email/)
  • [IRS press release about KPMG verdict: \KPMG to Pay $456 Million for Criminal Violations\"](http://www.irs.gov/newsroom/article/0

contract, technology

Techology contracts, in contrast to interfaces, specify only the information exchanged over some type of connection. Contracts can be used to improve the integration, compliance and data management disciplines by more effectively linking business requirements with technical solutions.

  • Compliance example: Contracts are able to delimit specify what must be done to meet compliance requirements.
  • Integration example: Contracts are able to clearly specify what is required to successfully integrate services, applications, processes and devices.
  • Data management example: Contracts are able to precisely specify required data management services, which go beyond the availability and response time orientation of Service Level Agreements (SLAs).

Technology contracts are designed to provide a higher level abstraction than an interface; e.g., an artifact that does not require communicating parties to share a type system or a common understanding of how to access in-memory representations of objects or components. Rather, technical contracts merely specify the information to be exchanged "over the wire" between software artifacts.

Technology contract types include:

  • Syntax-based, which separates interfaces from implementation (e.g., contracts based on interface description language, or IDL)
  • Behavior-based
  • Synchronization-based
  • Quality of service (QoS) based
Information Governance Implications

Technical Contracts can be used to directly define and enforce business and operational requirements by bridging the gap between requirements and the implementation of software systems designed to enforce these requirements.

control framework

Integral sets of internal control objectives designed to achieve business objective(s). They provide a systematic approach to addressing complex, and potentially intersecting, compliance requirements.

COBIT (Control Objectives for Information Technology)

COBIT (Control Objectives for Information and related Technology) is a widely adopted framework for information technology (IT) management issued by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

COBIT provides benefits to managers, IT users, and auditors. Managers benefit from COBIT because it provides them with a foundation upon which IT related decisions and investments can be based. Decision making is more effective because COBIT aids management in defining a strategic IT plan, defining the information architecture, acquiring the necessary IT hardware and software to execute an IT strategy, ensuring continuous service, and monitoring the performance of the IT system. IT users benefit from COBIT because of the assurance provided to them by COBIT's defined controls, security, and process governance. COBIT benefits auditors because it helps them identify IT control issues within a company's IT infrastructure. It also helps them corroborate their audit findings.

COBIT in Relation to Other Rules and Standards
ISO/IEC 17799:2005

COBIT was released and used primarily by the IT community, and has become the internationally accepted framework for IT governance and control. ISO/IEC 17799 ISO/IEC 17799:2005 (The Code of Practice for Information Security Management) is also an international standard and is best practice for implementing security management. The two standards do not compete with each other and actually complement one another. COBIT typically covers a broader area of IT management while ISO/IEC 17799 focuses on information security management.


Public companies subject to the US Sarbanes-Oxley Act of 2002 are encouraged to adopt COBIT and/or the Committee of Sponsoring Organizations of the Treadway Commission (COSO) "Internal Control - Integrated Framework." In choosing which of the control frameworks to implement in order to comply with Sarbanes-Oxley, the U.S. Securities and Exchange Commission suggests that companies follow the COSO framework.

COSO Internal Control-Integrated Framework states that internal control is a process established by an entity's board of directors, management, and other personnel and is designed to provide reasonable assurance regarding the achievement of stated objectives. COBIT approaches IT control by looking at information—not just financial information—that is needed to support business requirements and the associated IT resources and processes. COSO control objectives focus on effectiveness, efficiency of operations, reliable financial reporting, and compliance with laws and regulations. The two frameworks have different audiences. COSO is useful for management at large, while COBIT is useful for IT management, users, and auditors. COBIT focuses on IT controls. Because of these differences, auditors should not expect a one-to-one relationship between the five COSO control components and the four COBIT objective domains.

  • [ISACA](http://www.isaca.org/)
  • [COBIT Open Guide](http://it.safemode.org/)
  • [ControlIT User Group](http://www.controlit.org/)

data custodian

An organizational role charged with the implementation of data controls specified by process owners. The data custodian is responsible for the processing and storage of information. For mainframe applications an information services manager is typically the custodian; for micro and mini applications the process owner or data user may retain custodial responsibilities. The custodian is normally a provider of services.


A message, image, form, attachment, data, or other communication sent, received, or stored by an electronic mail system.

email system

A software application that sends and receives messages electronically over a computer network from one computer system to another.


A security and access-control mechanism that separates segments of a computer network or client/server architecture. Firewalls are typically employed to prevent unauthorized access to trusted networks from untrusted networks or less-trusted network segments.

governance, risk management, and compliance (GRC)

The body of business strategies, practices, and policies that 1) support strong, sustainable, and legal business performance; and 2) protection business processes from failure, disruption; and unplanned loss. Because the strategies that effect business governance are defined at the highest levels of a company, GRC has definitive and pervasive impact on business decisions and operations. However, GRC is also defined at more strategically limited and operational levels of a business. And, finally, it is bounded and directed by laws, contractual requirements, best practices, and audit standards that are external to the business.

GRC implies a coordinated, integrated initiative; however, in practice, GRC most often encompasses many disparate and overlapping efforts a various levels of the enterpriseand in particular very disparate types of technological and performance oriented strategies.

GRC Software

In technology press, the GRC is often synonymous with software designed to support regulatory compliance. Common types of software promoted under this category include:

  • Integrated financial management and reporting software that supports managerial assurance and reporting requirements for the Sarbanes-Oxley Act and other financial management laws
  • Information security software that supports compliance with data privacy and protection requirements, including privacy laws, the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, and banking privacy laws
  • Enterprise records management software that supports records retention, protection, access, and e-discovery rules and regulations
  • Enterprise resource planning software that supports an integrated view of business processes and performance
  • Business intelligence (BI) and analytical applications that support business decision making and risk recognition
  • Policy management and compliance tracking software, including executive dashboards, that support measurement- and metrics-based approaches to strategy, compliance and audit performance tracking, and risk assessment.
Information Technology (IT) GRC

GRC's increasing conceptual convergence with GRC software, coupled with an growing focus on technology-related risks, have given rise to a subset of GRC known as IT GRC. In practicality, this concept is often synonymous with software-based information protection for the purpose of compliance with data protection and privacy rules and standards.


A recognized attempt by an unauthorized party to access a trusted network, or an attack on an information system. The term encompasses unauthorized probing and browsing; disruption or denial of service; altered or destroyed input, processing, storage, or output of information; loss of accountability or damage to any part of the system; or changes to information system hardware, firmware, or software characteristics with or without users' knowledge, instruction, or intent.

Incidents are generally perceived as malicious attempts to violate or degrade the confidentiality, integrity, and/or availability of information resources.

information resources

Equipment, media, activities, and information assets that comprise the information technology infrastructure, services, and processes of an organization. As a component of internal policies the term encompasses all resources that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information. This includes:

  • Equipment: display devices; any device capable of sending or receiving electronic messages, accessing networked resources sites, or otherwise receiving, storing, managing, or transmitting electronic data; mainframes; servers; personal computers; notebook computers; hand-held and mobile computing devices; pagers; cell phones; distributed processing systems, computer-controlled medical and laboratory equipment, telephones and telecommunications resources, network hardware and appliances, fax machines, printers, and service bureaus.
  • Software and operating systems
  • Data and content
  • Media: Computer printouts, magnetic storage media
  • Activities: All activities related to information technology infrastructure, services, and processes of an organization
  • Facilities: Physical sites dedicated to the storage, protection, and/or housing of information technology equipment and processes
  • Information technology processes and procedures

information resources manager

A person or role responsible for the management of Information Resources. The role is authorized to establish and implement information management policies, procedures, standards, and guidelines necessary to protect the Information Resources of the organization.. The role also helps coordinate information management activities within the organization and promotes visibility of information management efforts.

information security officer (ISO)

A person or role responsible to executive management for the oversight of organizational information security processes and procedures, including administration of information security functions and the development of policy guidelines for establishment and implementation of incident response teams and processes. The ISO typically serves as a central, internal and external, point of contact for all information security matters.

internal control

Methods, procedures, processes, systems, policies, procedures, practices, structures, software, and other means by which an organization enforces and enacts its risk management objectives. Internal controls are typically designed to provide reasonable assurance that 1) business objectives will be achieved, and 2) undesirable events will be prevented, or detected and corrected.

Controls vs. Control Objectives

Controls are processes that define and delimit internal processes; e.g., a password management subroutine in a software application. By contrast, control objectives are operational criteria against which the effectiveness of internal controls are measured.

least privilege access

The principle that employees should be granted access rights:

  1. To only the systems, applications, and data that they needed to effectively perform their jobs
  2. For only as long as job requirements necessitate access

Least privilege access is generally intended to improve the confidentiality, integrity, and availability of information and systems by allowing access based on the "need to know." Since the practice of least privilege principles requires constant access-rights reviews and active account management, however, least privilege can be can be process intensive and error prone.

offsite storage

Retention of stored data or media at a geographically different location than the site of its generation and/or primary use. Decisions to store data offsite are often based on data criticality and reflect the objective of removing data from whatever physical threat profile exists at the originating location.

process owner

A process owner is one or more managers or agents responsible for the function which is supported by an information resource. Process owners are responsible for:

  • The body of information associated with a particular business process
  • The business results of a system or the business use of a set of Information Resources
  • Carrying out the program that uses Information Resources
  • Establishing or contributing to the definition of controls that impact the Information Resources for which they're responsible


Broadly, the combination of internal and external factors and influences that introduce uncertainty into an organization's ability to meet its objectives. Risk is also sometimes defined more strictly as the potential for a negative impact or outcome.

security administrator

A person or role charged with the monitoring and implementation of security controls and procedures for a system. Whereas organizations typically have only one information security officer, there may be multiple security administrators.

separation of duties

Separation of duties (also called segregation of duties) is an organizational practice of allocating roles, responsibilities, and access rights so that a single individual cannot deliberately or unintentionally subvert a critical process.

  • Within development environments, implementation of separate production, development, and testing environments and provisioning of developer access rights so that any given developer can access only one environment at a time. This practice controls against an individual developer's ability to write, test, and post unauthorized code; it can prevent developers from making potentially problematic changes to live production systems and applications; and it discourages the use of production data in application testing.
  • Policies that prohibit managers from both initiating and approving purchase orders. This practice controls against managerial ability to corruptly complete purchase orders that violate corporate, ethical, or legal standards.
  • Organizational structures that prohibit auditors from also producing or managing the operational functions covered by their audits. This practice controls against the potential that and auditor will incompletely or inaccurately audit functions for which he is also managerially responsible.


1. A computer program that provides services to other computer programs on the same or another computer

2. A computing machine that runs a server program


Both the result and practice of electronically sending, mailing, or posting unsolicited and unauthorized messages. Spam communications are usually commercial in nature; however, the definition also encompasses unsolicited non-commercial communications. Message content needs not be fraudulent to qualify as spam.

The US Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM) is the first US law to document a quantifiable definition of spam. The CAN-SPAM Act defines spam narrowly as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose). Under CAN-SPAM, mass e-mails must adhere to the following rules:

  1. Emails must not contain false or deceptive content
  2. Emails must contain accurate sender ("from") information, relevant subject lines, and a legitimate physical address of the business from which the email originates
  3. Emails must contain accurate header information (source, destination, and routing descriptors). A sender may not mask its identity in headers by relaying messages through a third-party computer with the purpose of disguising the email's origin.
  4. Emails containing sexually explicit content must include the phrase "Sexually Explicit" in the subject line.
  5. Emails must contain a visible and functional unsubscribe mechanism that is operable for at least 30 days after the email is sent. Requests by recipients to unsubscribe from future mailings must be honored by the sender within 10 days.
  6. Companies must not send commercial emails to "harvested" or generically fabricated addresses. Harvested addresses are those have been obtained using an automated means from a third-party Web site or online service that includes a notice stating that the operator of said Web site or service will not give, sell, or otherwise transfer addresses maintained by the Web site. Generically fabricated addresses are the email address obtained by using an automated means that generates possible electronic mail addresses by combining names, letters, or numbers into numerous permutations.

Emails to existing customers of a company and others who have independently contacted the company about its produces and services are not covered by the CAN-SPAM law.

Organizations may also define spam according to their own criteria.

  • [The CAN-SPAM Act: A Compliance Guide for Business.](http://business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business)\" US Federal Trade Commission (FTC) Bureau of Consumer Protection.

system administrator

A person or role responsible for the effective operation and maintenance of information resources, including implementation of standard procedures and controls to enforce organizational security policy.


A destructive program—usually a virus or worm—hidden in another piece of software, such as a game or graphics program. Trojans are typically distributed with malicious intent for the purpose of harvesting data, disrupting computing activities, or enabling unauthorized access to restricted networks or devices.


An individual or company that exchanges goods or services for money.

virtual private network (VPN)

A mechanism that provides a secure connection over unsecured or public networks for the purpose of protected communications and transmissions with protected networks (usually internal corporate networks).


A program that is attached to or embedded in an executable file or vulnerable application. Viruses deliver payloads that can range from annoying to extremely destructive.

There are many types of viruses. A file virus, for example, executes when an infected file is accessed. A macro virus infects the executable code embedded in Microsoft Office programs that allows users to generate macros.


A software program that, once downloaded to a computer system, copies of itself elsewhere on the system. Today the term is usually used to describe software that maliciously propagates itself over a network, often with the intent of overloading network capabilities. Worm is often used synonymously with \"virus\"; however.


Please register (and/or log in) to view comments on this resource.