Module 2 Glossary

The document provides definitions and explanations for various terms related to business processes, IT governance, and security. Key concepts include acceptable use policy, balanced scorecard, compliance testing, and risk management strategies. It serves as a reference for understanding essential frameworks and practices in organizational management and IT operations.

Uploaded by SyedZiaHussain

A

Acceptable use policy - A policy that establishes an agreement between users and the organization
and defines for all parties the ranges of use that are approved before gaining access to a network or the
Internet.
B
Balanced scorecard - A coherent set of performance measures organized into four categories. It
includes traditional financial measures, but adds customer, internal business process, and learning
and growth perspectives. It was developed by Robert S. Kaplan and David P. Norton in 1992.
Benchmark - A test that has been designed to evaluate the performance of a system. In a benchmark
test, a system is subjected to a known workload and the performance of the system against this
workload is measured. Typically, the purpose is to compare the measured performance with that of
other systems that have been subject to the same benchmark test.
Benchmarking - A systematic approach to comparing an organization's performance against peers
and competitors in an effort to learn the best ways of conducting business (e.g., benchmarking of
quality, logistical efficiency and various other metrics).
Business case - A document that provides management with sufficient information to enable
them to decide whether to support a proposed project, before significant resources are committed to
its development. A business case includes analysis of current business process performance;
associated assumptions, needs or problems; and proposed solutions and potential constraints, based upon
a risk-adjusted, cost-benefit analysis.
C
COSO - Committee of Sponsoring Organizations of the Treadway Commission. Its 1992 report
"Internal Control--Integrated Framework" is an internationally accepted standard for corporate
governance. See www.coso.org.
Capability Maturity Model (CMM) - Contains the essential elements of effective processes for one or
more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes
to disciplined, mature processes with improved quality and effectiveness.
CobiT - Control Objectives for Information and related Technology, from the IT Governance Institute
(ITGI), is an internationally accepted standard for IT management processes.
Compliance testing - Tests of control designed to obtain audit evidence on both the effectiveness of
the controls and their operation during the audit period.
Continuous improvement - The goals of continuous improvement (Kaizen) include the elimination of
waste, defined as "activities that add cost but do not add value;" just-in-time delivery; production load
leveling of amounts and types; standardized work; paced moving lines; right-sized equipment, and so
on. A closer definition of the Japanese usage of Kaizen is "to take it apart and put back together in a
better way." What is taken apart is usually a process, system, product or service. Kaizen is a daily
activity whose purpose goes beyond improvement. It is also a process that, when done correctly,
humanizes the workplace, eliminates hard work (both mental and physical), and teaches people how
to do rapid experiments using the scientific method and how to learn to see and eliminate waste in
business processes.
Control objectives - A statement of the desired result or purpose to be achieved by implementing
control procedures in a particular process.
Corporate governance - The system by which organizations are directed and controlled. Boards of
directors are responsible for the governance of their organizations. It consists of the leadership and
organizational structures and processes that ensure the organization sustains and extends strategies
and objectives.
Critical success factor (CSF) - The most important issues or actions for management
to achieve control over and within its IT processes.
I
ISO 9001:2000 - Quality Management System - Code of practice for quality management from the
International Organisation for Standardisation (ISO). ISO 9001:2000 specifies requirements for
a quality management system for any organisation that needs to demonstrate its ability to consistently
provide a product or service that meets particular quality targets.
IT governance - IT governance is the responsibility of executives and the board of directors, and
consists of the leadership, organizational structures and processes that ensure that the enterprise's IT
sustains and extends the organization's strategies and objectives.
IT governance framework - A model that integrates a set of guidelines, policies and methods that
represent the organizational approach to the IT governance. Per COBIT 4.0, IT governance is the
responsibility of the board of directors and executive management. It is an integral part of institutional
governance and consists of the leadership and organizational structures and processes that ensure
that the organization's IT sustains and extends the organization's strategy and objectives.
IT strategic plan - A long-term plan, i.e., three- to five-year horizon, in which business and IT
management cooperatively describe how IT resources will contribute to the enterprise's strategic
objectives (goals).
IT strategy committee - Committee at the level of the board of directors to ensure the board is
involved in major IT matters/decisions. The committee is primarily accountable for managing the
portfolios of IT-enabled investments, IT services and other IT resources. The committee is the owner
of the portfolio.
ITIL - The UK Office of Government Commerce (OGC) IT Infrastructure Library. A set of guides on the
management and provision of operational IT services.
Information processing facility (IPF) - The computer room and support areas.
Information security - Ensures that only authorized users (confidentiality) have access to accurate
and complete information (integrity) when required (availability).
Information security governance - The set of responsibilities and practices exercised by the board
and executive management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's
resources are used responsibly.
K
Key goal indicator (KGI) - Measures that tell management, after the fact,
whether an IT process has achieved its business requirements, usually expressed in terms of
information criteria.
Key management practices - Those management practices required to successfully execute
business processes.
Key performance indicator (KPI) - Measures to determine how well the IT process is performing in
enabling the goal to be reached. They are lead indicators of whether a goal will likely be reached or
not, and are good indicators of capabilities, practices, and skills.
M
Maturity - In business, indicates the degree of reliability or dependency the business can place on a
process achieving the desired goals or objectives.
Maturity model - A model that indicates the degree of reliability or dependency the business can
place on a process achieving the desired goals or objectives.
Metrics - Specific descriptions of how a quantitative and periodic assessment of performance is to be
measured. A complete metric defines the unit used, frequency, ideal target value, the procedure to
carry out the measurement and the procedure for the interpretation of the assessment.
N
Nondisclosure statement (NDA) - Also called a confidential disclosure agreement (CDA),
confidentiality agreement or secrecy agreement, it is a legal contract between at least two parties that
outlines confidential materials the parties wish to share with one another for certain purposes, but wish
to restrict from generalized use. In other words, it is a contract through which the parties agree not to
disclose information covered by the agreement. An NDA creates a confidential relationship between
the parties to protect any type of trade secret. As such, an NDA can protect non-public business
information. (Note: In the case of certain governmental entities, the confidentiality of information other
than trade secrets may be subject to applicable statutory requirements, and in some cases may be
required to be revealed to an outside party requesting the information. Generally, the governmental
entity will include a provision in the contract to allow the seller to review a request for information the
seller identifies as confidential and the seller may appeal such a decision requiring disclosure.) NDAs
are commonly signed when two companies or individuals are considering doing business together and
need to understand the processes used in one another's businesses solely for the purpose of
evaluating the potential business relationship. NDAs can be "mutual," meaning both parties are
restricted in their use of the materials provided, or they can only restrict a single party. It is also
possible for an employee to sign an NDA or NDA-like agreement with a company at the time of hiring;
in fact, some employment agreements will include a clause restricting "confidential information" in
general.
O
Offshore - Staff work at a remote location in a different geographic region.
Offsite - Also known as nearshore, staff work at a remote location in the same geographical area.
Onsite - Staff work onsite in the IS department.
Outsourcing - A formal agreement with a third party to perform an IS function for an organization.
P
Performance drivers - Measures that are considered the 'drivers' of lag indicators. They can be
measured before the outcome is clear and, therefore, are called 'lead indicators'. There is an assumed
relationship between the two that suggests that improved performance in a leading indicator will drive
better performance in the lagging indicator. They are also referred to as key performance indicators
(KPIs) and are used to indicate whether goals are likely to be met.
Policy - Generally, a document that records a high-level principle or course of action which has been
decided upon. A policy's intended purpose is to influence and guide both present and future decision
making to be in line with the philosophy, objectives and strategic plans established by the enterprise's
management teams. In addition to policy content, policies need to describe the consequences of
failing to comply with the policy, the means for handling exceptions, and the manner in which
compliance with the policy will be checked and measured.
Portfolio - A grouping of programs, projects, services or assets, selected, managed and monitored to
optimize business return.
Procedure - A document containing steps that specify how to achieve an activity. Procedures are
defined as part of processes.
Process - Generally, a collection of procedures influenced by the organization's policies and
procedures that takes inputs from a number of sources, including other processes, manipulates the
inputs, and produces outputs, including other processes. Processes have clear business reasons for
existing, accountable owners, clear roles and responsibilities around the execution of the process, and
the means to measure performance.
Project - In business, a structured set of activities concerned with delivering to the enterprise a defined
capability (that is necessary but not sufficient to achieve a required business outcome) based on an
agreed-upon schedule and budget.
Q
Quality assurance (QA) - A planned and systematic pattern of all actions necessary to provide
adequate confidence that an item or product conforms to established technical requirements. (ISO/IEC
24765)
R
Residual risk - The amount of risk that remains after countermeasures and controls are in place.
Return on investment (ROI) - A measure of operating performance and efficiency, computed in its
simplest form by dividing net income by average total assets.
Risk analysis - The initial steps of risk management: analyzing the value of assets to the business,
identifying threats to those assets and evaluating how vulnerable each asset is to those threats.
Risk assessment - A process used to identify and evaluate risks and their potential impact on an
organization in quantitative or qualitative terms. Risk assessment includes assessing the critical
functions necessary for an organization to continue business operations, defining the controls in place
to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves
an evaluation of the probabilities of a particular event.
Risk avoidance - The process for systematically avoiding risk, constituting one approach to managing
risk.
Risk mitigation - The management of risk through the use of countermeasures and controls.
Risk transfer - The process of assigning risk to another organization, usually through the purchase of
an insurance policy or outsourcing the service.
S
Security administrator - The person responsible for implementing, monitoring and enforcing security
rules established and authorized by management.
Security awareness - The extent to which every member of an organization and every other
individual who potentially has access to the organization's information understands:
- Security and the levels of security appropriate to the organization
- The importance of security and the consequences of a lack of security
- Their individual responsibilities regarding security (and acts accordingly)

(Based on the definition for IT security awareness as defined in Implementation Guide: How to Make
Your Organisation Aware of IT Security, European SecurityForum (ESF), London, UK, 1993)

Security policy - A high-level document representing an organization's information security
philosophy and commitment.
Security procedures - The formal documentation of specific operational steps and processes that
specify how security goals and objectives set forward in the security policy and standards are to be
achieved.
Segregation of duties - A basic internal control that prevents or detects errors and irregularities by
assigning responsibility for initiating transactions, recording transactions and custody of assets to
separate individuals. Segregation and separation of duties is commonly used in large IT
organizations so that no single person is in a position to introduce fraudulent or malicious code without
detection.
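The definition above names two ways the control can work: preventing a conflict before it happens and detecting one after the fact. The following is an added example (not part of the glossary) that implements both over a constructed duty ledger. The duty names (initiate, record, custody), the user names, the transaction identifiers and the `DutyEvent` record format are all assumptions made for illustration; the same pattern applies to change management, where the person who writes code should not be the one who approves and deploys it.

```python
"""Segregation-of-duties (SoD) checks: a preventive gate and a detective audit.

Added example, not from the glossary. The ledger format, user names, duty
names and transaction identifiers below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# The three duties the glossary says must not rest with one person.
CONFLICTING_DUTIES = frozenset({"initiate", "record", "custody"})


@dataclass(frozen=True)
class DutyEvent:
    txn_id: str   # transaction or change identifier (assumed format)
    duty: str     # one of CONFLICTING_DUTIES
    actor: str    # authenticated user identifier


class SoDViolation(Exception):
    """Raised by the preventive gate when one actor would hold two conflicting duties."""


def duties_by_actor(events):
    """Group the duties held per (txn_id, actor) so both checks reason over one view."""
    held = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e.duty not in CONFLICTING_DUTIES:
            raise ValueError(f"unknown duty {e.duty!r}")
        held[e.txn_id][e.actor].add(e.duty)
    return held


def assert_separation(events, new_event):
    """Preventive control: refuse a duty assignment if the same actor already holds
    a different conflicting duty on the same transaction. Returns the extended ledger."""
    held = duties_by_actor(events)
    already = held[new_event.txn_id][new_event.actor]
    if already and new_event.duty not in already:
        raise SoDViolation(
            f"{new_event.actor} already performs {sorted(already)} on "
            f"{new_event.txn_id}; cannot also {new_event.duty}")
    return list(events) + [new_event]


def audit_separation(events):
    """Detective control: scan a completed ledger and report every
    (txn_id, actor, duties) where one actor held two or more conflicting duties."""
    findings = []
    for txn_id, actors in duties_by_actor(events).items():
        for actor, duties in actors.items():
            if len(duties) > 1:
                findings.append((txn_id, actor, tuple(sorted(duties))))
    return sorted(findings)


# Constructed sample ledger: T-1001 is properly segregated, T-1002 lets one
# person both initiate and record the same transaction.
SAMPLE_LEDGER = [
    DutyEvent("T-1001", "initiate", "alice"),
    DutyEvent("T-1001", "record", "bob"),
    DutyEvent("T-1001", "custody", "carol"),
    DutyEvent("T-1002", "initiate", "dave"),
    DutyEvent("T-1002", "record", "dave"),
    DutyEvent("T-1002", "custody", "erin"),
]

if __name__ == "__main__":
    print(audit_separation(SAMPLE_LEDGER))
    # → [('T-1002', 'dave', ('initiate', 'record'))]
    try:
        assert_separation(SAMPLE_LEDGER, DutyEvent("T-1001", "record", "alice"))
    except SoDViolation as exc:
        print("rejected:", exc)
```

The preventive gate is what a workflow system calls before accepting an approval or disbursement; the detective audit is what an auditor or a scheduled job runs over the historical ledger, which is the only way to catch conflicts introduced by systems that never had the gate. Both consult the same grouping so that the two controls cannot disagree about what counts as a conflict.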
Standard - A mandatory requirement. Examples include ISO/IEC 20000 (an international standard),
an internal security standard for UNIX configuration or a government standard for how financial
records should be maintained. The term 'standard' is also used to refer to a code of practice or
specifications published by a standards organisation, such as ISO or BSI.
System development life cycle - The phases deployed in the development or acquisition of a
software system. Typical phases of SDLC include the feasibility study, requirements study,
requirements definition, detailed design, programming, testing, installation and post-implementation
review, but not the service delivery or benefits realization activities.
