Appendix B: Glossary



A

Term Definition Source
Acceptable use policy A document that establishes an agreement between users and the enterprise and defines for all parties the ranges of use that are approved before users can gain access to a network or the Internet.
Access The ability to physically or logically enter or make use of an IT system or area (secured or unsecured); also, the process of interacting with a system.
Administrator privileges Computer system access to resources that are unavailable to most users. Administrator privileges permit execution of actions that would otherwise be restricted.
Agility In IT systems, the ability to rapidly incorporate new technologies or changes to technologies allowing an organization to adapt to changing business needs.
Application development The process of designing and building code to create a computer program (software) used for a particular type of job.

B

Term Definition Source
Benchmark A standard, or point of reference, against which things may be compared or assessed.

C

Term Definition Source
Confidentiality The property that sensitive information is not disclosed to unauthorized entities. (Source: NIST Glossary)
Control self-assessment A technique used to internally assess the effectiveness of risk management and control processes.
Corrective control A mitigating technique designed to lessen the impact to the institution when adverse events occur.
Cyber attack An attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network. Also defined as an attack, via cyberspace, targeting an institution for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment or infrastructure, or of destroying the integrity of the data or stealing controlled information.
Cybersecurity The process of protecting consumer and bank information by preventing, detecting, and responding to attacks.

D

Term Definition Source
Data center A facility that houses virtual and/or physical information technology infrastructure(s) (e.g., computer, server, and networking systems and components) designed to store, process, and serve large amounts of data in support of an entity's strategic and business objectives. A data center may be a dedicated facility, or an area or room that contains computer, server, and networking systems and components, and may be private or shared (e.g., a co-location facility). (Source: FFIEC Developed for Supervisory Purposes)
Detective control A mitigating technique designed to recognize an event and alert management when events occur.
Disaster recovery The process, policies, and procedures related to preparing for recovery or continuation of technology infrastructure, systems, and applications, which are vital to an organization after a disaster or outage. Disaster recovery focuses on the information or technology systems that support business functions, as opposed to business continuity, which involves planning for keeping all aspects of a business functioning in the midst of disruptive events. Disaster recovery is a subset of business continuity. (Source: Business Continuity Institute / Disaster Recovery Journal Glossary)
Due diligence for service provider selection Technical, functional, and financial review to verify a third-party service provider's ability to deliver the requirements specified in its proposal. The intent is to verify that the service provider has a well-developed plan and adequate resources and experience to ensure acceptable service, controls, systems backup, availability, and continuity of service to its clients.

E

Term Definition Source
Enterprise architecture The description of an enterprise's entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise's boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise's overall security posture. (Source: NIST Glossary)
Enterprise-wide Across an entire organization, rather than a single business department or function.
External connections An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.

F

Term Definition Source
Financial Services Information Sharing and Analysis Center (FS-ISAC) A nonprofit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors' sharing of physical and cybersecurity threat and vulnerability information.

G

Term Definition Source
Gramm-Leach-Bliley Act (GLBA) The act, also known as the Financial Services Modernization Act of 1999, (Pub.L. 106-102, 113 Stat. 1338, enacted November 12, 1999), required the federal banking agencies to establish information security standards for financial institutions.

I

Term Definition Source
Incident management The process of identifying, analyzing, and correcting disruptions to operations and preventing future recurrences. The goal of incident management is to limit the disruption and restore operations as quickly as possible. (Source: FFIEC Developed for Supervisory Purposes)
Information security The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. (Source: NIST Glossary)
Information systems Electronic systems and physical components used to access, store, transmit, protect, and eventually dispose of information. Information systems can include networks (computer systems, connections to business partners and the Internet, and the interconnections between internal and external systems). Other examples are backup tapes, mobile devices, and other media.
Information technology Any services or equipment, or interconnected system(s) or subsystem(s) of equipment that comprise the institution's IT architecture or infrastructure. It can include computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources.
Infrastructure (1) System of facilities, equipment, and services needed for the operation of an organization. (Source: ISO 22300:2018(en)) (2) The physical elements, products, and services necessary to provide and maintain ongoing operations to support business activity, including the maintenance of physical facilities. (Source: FFIEC Adapted for Supervisory Purposes)
Interconnectivity The state or quality of being connected together. The interaction of a financial institution's internal and external systems and applications and the entities with which they are linked.
Interdependencies When two or more departments, processes, functions, or third-party providers interact to successfully complete a task, business function, or process. (Source: FFIEC Developed for Supervisory Purposes)
Internet The global system of interconnected computer networks that use the Internet protocol suite (TCP/IP) to link billions of devices worldwide.
Interoperability The ability of a system to work with or use the parts or equipment of another system.
IT architecture A subset of enterprise architecture, with detail to support data processing and access, including fundamental requirements for centralized or distributed computing, real or virtual servers, devices and workstations, and networking design. Architecture plans may also exist for data (information), security, and applications.
IT governance An integral part of governance that consists of the leadership and organizational structures and processes that ensure that the institution's IT sustains and extends the organization's strategies and objectives.
IT strategic plan A comprehensive blueprint that guides the organization's technology management and contains high-level goals and plans for all areas of information technology that affect the business, not just the infrastructure. The plan should include areas that impact technology management, including cost management, human capital management, hardware and software management, third-party management, risk management, and all other considerations in the enterprise IT environment.
IT system inventory A list containing information about the information resources owned or operated by an organization.

M

Term Definition Source
Malware A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system, or of otherwise annoying or disrupting the victim. (Source: NIST Glossary)
Metric A quantitative measurement.
Milestone A major project event.
Mobile device A portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable data storage; and (iv) is powered on for extended periods of time with a self-contained power source. (Source: NIST Glossary)
Mobile financial services The products and services that a financial institution provides to its customers through mobile devices.

N

Term Definition Source
National Institute of Standards and Technology (NIST) An agency of the U.S. Department of Commerce that works to develop and apply technology, measurements, and standards. NIST developed a voluntary cybersecurity framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructures.
Network A system implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices. (Source: NIST Glossary)

O

Term Definition Source
Operating system (OS) The software "master control application" that runs the computer. It is the first program loaded when the computer is turned on, and its main component, the kernel, resides in memory at all times. The operating system sets the standards for all application programs (such as the Web server) that run in the computer. The applications communicate with the operating system for most user interface and file management operations. (Source: NIST Glossary)
Operational IT plan Typically, the plans that are made by front-line, or low-level, IT managers. Operational IT plans are focused on the specific procedures and processes that implement the larger strategic plan.
Operational risk The risk of failure or loss resulting from inadequate or failed processes, people, or systems.

P

Term Definition Source
Penetration test The process of using approved, qualified personnel to conduct real-world attacks against a system to identify and correct security weaknesses before they are discovered and exploited by others.
Preventive control A mitigating technique designed to prevent an event from occurring.
Principle of least privilege The security objective of granting users only the access needed to perform official duties.
Project A task involving the acquisition, development, or maintenance of a technology product.
Project management Planning, monitoring, and controlling an activity.
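The "Principle of least privilege" entry above describes an objective; in code it is enforced by denying access unless a grant is explicit, and verified by comparing what an account can actually do against what its duties require. The following Python is an added example written for this glossary, not code from the FFIEC booklet or any institution's system. The role names, permission strings, and sample accounts are constructed for illustration.

```python
"""Least-privilege authorization: deny by default, then audit for excess grants.

Added illustration for the glossary; not FFIEC code. All roles, permissions
and accounts below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Permissions each role needs for its official duties (constructed sample).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "teller": frozenset({"account:read", "transaction:post"}),
    "auditor": frozenset({"account:read", "audit_log:read"}),
    "sysadmin": frozenset({"server:configure", "audit_log:read"}),
}


@dataclass(frozen=True)
class Account:
    user: str
    roles: frozenset[str]
    # Permissions granted directly, outside any role: a common source of
    # privilege creep because nobody revisits them when duties change.
    direct_grants: frozenset[str] = frozenset()


def effective_permissions(acct: Account) -> frozenset[str]:
    """Union of role permissions and direct grants. Unknown roles grant nothing."""
    perms = set(acct.direct_grants)
    for role in acct.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_authorized(acct: Account, permission: str) -> bool:
    """Deny by default: a request succeeds only on an explicit grant."""
    return permission in effective_permissions(acct)


def excess_privileges(acct: Account, duties: frozenset[str]) -> frozenset[str]:
    """Permissions the account holds beyond what its duties require."""
    return effective_permissions(acct) - duties


def roles_for_duties(duties: frozenset[str]) -> tuple[set[str], frozenset[str]]:
    """Choose only roles whose every permission is needed for the duties.

    Returns (roles to assign, duties no such role covers). Uncovered duties are
    reported rather than satisfied by assigning a broader role, which would
    violate least privilege.
    """
    chosen = {r for r, p in ROLE_PERMISSIONS.items() if p <= duties}
    covered = frozenset().union(*(ROLE_PERMISSIONS[r] for r in chosen))
    return chosen, duties - covered


def least_privilege_report(
    accounts: list[Account], duties_by_user: dict[str, frozenset[str]]
) -> dict[str, list[str]]:
    """Map each over-privileged user to its sorted excess permissions."""
    report: dict[str, list[str]] = {}
    for acct in accounts:
        excess = excess_privileges(acct, duties_by_user[acct.user])
        if excess:
            report[acct.user] = sorted(excess)
    return report


# Constructed sample accounts: all three hold teller duties only.
TELLER_DUTIES = ROLE_PERMISSIONS["teller"]
ALICE = Account("alice", frozenset({"teller"}))
BOB = Account("bob", frozenset({"teller"}), frozenset({"server:configure"}))
CAROL = Account("carol", frozenset({"teller", "sysadmin"}))
SAMPLE_ACCOUNTS = [ALICE, BOB, CAROL]
SAMPLE_DUTIES = {a.user: TELLER_DUTIES for a in SAMPLE_ACCOUNTS}


if __name__ == "__main__":
    print("alice account:read ->", is_authorized(ALICE, "account:read"))
    print("alice server:configure ->", is_authorized(ALICE, "server:configure"))
    print("excess privileges:", least_privilege_report(SAMPLE_ACCOUNTS, SAMPLE_DUTIES))
    print("roles for auditor duties:", roles_for_duties(frozenset({"account:read", "audit_log:read"})))
    print("roles for read-only duties:", roles_for_duties(frozenset({"account:read"})))
```

The two halves matter equally in practice: `is_authorized` keeps the runtime decision deny-by-default, and `least_privilege_report` is the periodic review (compare granted versus required) that catches the direct grant left on `bob` and the second role on `carol` after their duties narrowed.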

R

Term Definition Source
Residual risk The amount of risk remaining after the implementation of controls.
Resilience The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. (Source: NIST Glossary)
Risk The potential that events, expected or unanticipated, may have an adverse effect on a financial institution's earnings, capital, or reputation.
Risk identification The process of determining risks and existing safeguards. It generally includes inventories of systems and information necessary to operations and defines the potential threats to systems and operations.
Risk management The total process required to identify, control, and minimize the impact of uncertain events. The objective of a risk management program is to reduce risk and obtain and maintain appropriate management approval at predefined stages in the life cycle.
Risk measurement A process to determine the likelihood of an adverse event or threat occurring and the potential impact of such an event on the institution. The result of risk measurement leads to the prioritization of potential risks based on severity and likelihood of occurrence.
Risk mitigation The process of reducing risks through the introduction of specific controls and risk transfer. It includes the implementation of appropriate controls to reduce the potential for risk and bring the level of risk in line with the board's risk appetite.

S

Term Definition Source
Scenario analysis The process of analyzing possible future events by considering alternative possible outcomes.
Scorecard A dashboard of performance measures.
Security breach A security event that results in unauthorized access of data, applications, services, networks, or devices by bypassing underlying security mechanisms.
Security event An event that potentially compromises the confidentiality, integrity, availability, or accountability of an information system.
Security posture The security status of an enterprise's networks, information, and systems based on information security and assurance resources (e.g., people, hardware, software, and policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes.
Sensitive customer information A customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log into or access the customer’s account, such as user name and password or password and account number.
Service level agreement (SLA) (1) Defines the specific responsibilities of the service provider and sets the customer expectations. (Source: NIST Glossary) (2) A formal agreement between two parties that records a common understanding about products or services to be delivered, priorities, responsibilities, guarantees, and warranties between the parties. In addition, the agreement describes the nature, quality, security, availability, scope, and timeliness of delivery and response of the parties, the point(s) of contact for end-user problems, and the metrics by which the effectiveness of the process is monitored and approved, and may include other measurable objectives. The agreement should cover not only expected day-to-day situations but also unexpected or adverse events, as the need for the service may vary. (Source: FFIEC Adapted for Supervisory Purposes)
Social engineering The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust. (Source: NIST Glossary)
System administration The process of maintaining, configuring, and operating computer systems.

T

Term Definition Source
Tactical plan Typically, a short-term plan that establishes the specific steps needed to implement a company's strategic plan. These plans are often created by mid-level managers.
Telecommunications The transmission, between or among points specified by the user, of information of the user's choosing, without change in the form or content of the information as sent and received. (Source: NIST Glossary)
Third-party relationship Any business arrangement between a financial institution and another entity, by contract or otherwise.
Third-party service provider Any independent party to whom an entity outsources activities that the entity itself is authorized to perform, including a technology service provider. (Source: FFIEC Developed for Supervisory Purposes)
Threat intelligence Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes. (Source: NIST Glossary)
Total cost of ownership (TCO) The true cost of ownership of a computer or other technology system that includes original cost of the computer and software, hardware and software upgrades, maintenance, technical support, and training.

V

Term Definition Source
Virus Malicious code that replicates itself within a computer, typically by inserting copies of itself into other programs or files so that it runs when the infected host program is executed.
Vulnerability Weakness in system security procedures, design, implementation, internal controls, etc., that could be accidentally triggered or intentionally exploited and result in a violation of the system's security policy. (Source: NIST Glossary)
