IT Security Incident⁹ – An assessed occurrence that actually or potentially jeopardizes the
confidentiality, integrity, or availability of an information system; or the information the
system processes, stores, or transmits; or that constitutes a violation or imminent threat of
violation of security policies, security procedures, or acceptable use policies.
Internal Audit Activity* – A department, division, team of consultants, or other practitioner(s) that
provides independent, objective assurance and consulting services designed to add value
and improve an organization’s operations. The internal audit activity helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of governance, risk management, and control processes.
Risk* – The possibility of an event occurring that will have an impact on the achievement of
objectives. Risk is measured in terms of impact and likelihood.
Risk Appetite* – The level of risk that an organization is willing to accept.
Social Engineering¹⁰ – In the context of information security, the manipulation of people to get
them to unwittingly perform actions that cause harm (or increase the probability of causing
future harm) to the confidentiality, integrity, or availability of the organization’s resources or
assets, including information, information systems, or financial systems.
⁹ Committee on National Security Systems Glossary Working Group, CNSS Instruction No. 4009: National Information
Assurance Glossary (Washington, D.C.: National Security Agency, 2010), 35.
¹⁰ The CERT® Insider Threat Center, “Unintentional Insider Threats: Social Engineering,”
https://resources.sei.cmu.edu/asset_files/TechnicalNote/2014_004_001_77459.pdf, p. xi.
www.theiia.org Auditing Insider Threat Programs 33