IT Governance Glossary
Have you ever come across an IT governance acronym and wondered what it meant? Well, we thought we'd document all the acronyms and terms within our industry with a brief description to help better your understanding.
We'd like to grow our glossary so if there are any terms you think we should add, or you're not sure of, please get in contact with us.
APMG (also known as the APM Group) is a leading examination institute that accredits professional training and consulting organisations. The certification schemes they accredit include ITIL and PRINCE2.
As of summer 2013, AXELOS are the owners of ITIL and PRINCE2. AXELOS are a joint venture between Capita and the UK Cabinet Office.
A Business Continuity Management System (BCMS) is a life cycle of stages and activities that an organisation does to continue normal business operations. It establishes, implements, operates, monitors, reviews and improves the organisation's business continuity and resilience.
BCS is the Chartered Institute for IT which supports practitioners and establishes standards and frameworks to promote good working practices. It also provides a series of respected IT qualifications.
BS are British Standards produced/adopted by the UK's National Standards Body, the BSI Group.
The BSI Group is the UK's National Standards Body which represents the UK’s interests across European and international standards and organisations.
Business continuity is the term used to describe the activities that an organisation performs in order to ensure the continuation of their critical services in the event of a disaster, disruption or similar crisis.
The Cabinet Office is a ministerial department, ensuring the effective running of the UK government. They have responsibility for a number of areas within government and up until summer 2013, owned the ITIL and PRINCE2 methodologies. AXELOS have now taken ownership of these best practice methodologies.
Certification Bodies can externally and independently audit an organisation’s management system and award the appropriate certification. If you are seeking certification, it is highly advisable to choose an accredited certification body. A certification body which has been accredited means that they have been independently assessed against international standards to demonstrate their competence, impartiality and performance capability.
The Communications Electronics Security Group (CESG) is the UK government’s national authority for information assurance (IA). They provide services to protect electronic data and information within the interests of the UK government.
The Certified in the Governance of Enterprise IT (CGEIT) qualification is awarded by ISACA and is designed to provide a premier certificate for professionals responsible for directing, managing or otherwise supporting the governance of IT in a large organisation.
This is the Certified Information Systems Auditor (CISA) qualification, awarded by ISACA. It is accepted worldwide and provides professionals with a stepping stone into information security auditor job roles.
The Certified Information Security Manager qualification (CISM) proves achievement in information security. It is awarded by ISACA and is assessed through exams in both September and December.
CISMP is the Certificate in Information Security Management Principle, awarded by BCS. It is an established and internationally-regarded foundation-level qualification which demonstrates a good knowledge and understanding of the key subject areas associated with information security management, including:
- risk management;
- technical and management controls;
- legal frameworks;
- people and physical security;
- security standards (e.g. ISO27001);
- business continuity.
This is the Certified Information Systems Security Professional (CISSP) qualification, comprising 10 areas of study (the Common Body of Knowledge). The CISSP certification provides information security professionals with an objective measure of competence and a globally recognised standard of achievement.
Sponsored by CESG, the CESG Listed Advisor Scheme (CLAS) is a list of approved and independent consultants. CLAS consultants meet the increasing demand for authoritative information assurance advice for UK Government departments and agencies.
Cloud computing is a variant of utility computing, where managed pool(s) of computing resources are made available on a convenient on-demand basis. It has minimal overheads, due to reduced management requirement and service provider interaction. A key characteristic is elasticity within the provisioning process, allowing rapid deployment and scaling back of the resource usage.
Control Objectives for Information and Related Technology is an IT governance control framework. It helps organisations meet business challenges in the areas of regulatory compliance, risk management and aligning IT strategy with organisational goals. COBIT 5 replaces the guidance found in COBIT 4.1 and now integrates other major frameworks, standards and resources.
This is the analysis of information contained within and created by computer systems, in order to explain its present condition. This needs to be done in line with Rules of Evidence (i.e. the result needs to be in a format acceptable in court).
Awarded by ISACA, the Certified in Risk and Information Systems Control (CRISC) qualification is awarded to IT professionals who identify and manage risks through the development, implementation and maintenance of information systems (IS) controls.
CSME (Certification Subject Matter Experts) is an exam institute that supports all IT Certification schemes, including ITIL. They provide certification experiences for both individuals and organisations.
Cyber security can be defined as the protection of systems, networks and data in cyber space. It is a critical issue for all businesses.
The Data Protection Act 1998 (DPA) applies to all organisations in the UK. All organisations that hold or process personal data MUST comply with the requirements of the DPA. The 8 key principles are to make sure your data:
- is kept fairly and lawfully
- is kept with specific and specified purposes
- is adequate, relevant and not excessive
- is accurate and up to date
- is not retained for longer than necessary
- is processed in accordance with individuals' rights
- is held with appropriate levels of security
- is not transferred abroad without ensuring adequate levels of legal protection.
Organisations found to be in breach of the DPA can be fined by the Information Commissioner's Office up to £500K.
Ethical Hacking is also known as Penetration Testing and refers to the process of legitimately testing the security of an IT system using the same tools and methods employed by an illegal hacker. Effective Penetration Testing involves the simulation of a malicious attack against the system under test and should only be conducted by a certificated, ethical hacking professional.
EXIN® is a global Examination Institute that specialises in information management and helps professionals and organisations achieve certification. They set exams for the Best Management Practice Portfolio of Frameworks for professionals as well as their own qualifications.
Green Information Technology, or Green IT, is a catch-all phrase for sustainable, eco-friendly products, services, practices and management systems used in the information and communications technology sector.
It is becoming increasingly important for all businesses to act (and to be seen to act) in an environmentally responsible manner, both to fulfil their legal and moral obligations, but also to enhance their brand and image.
The International Board for IT Governance Qualifications (IBITGQ) is a not-for-profit association dedicated to the provision of training and the continued professional development of information security, business resilience and IT governance professionals.
The Information Commissioner's Office (ICO) upholds information rights of the public interest, giving guidance to organisations and citizens and takes appropriate action when the law is broken. They are a UK independent authority.
ISACA is an international professional association that promotes the adoption of globally accepted knowledge and practices for information systems. It owns and manages a number of certifications and frameworks including CISA, CISM, COBIT and Val IT™.
An Information Security Management System (ISMS) is a systematic approach to managing confidential or sensitive corporate information so that it remains secure (which means available, confidential and with its integrity intact). It encompasses people, processes and IT systems.
ISO, the International Organization for Standardization, develops international standards which specify products, services and good practice to make industry more efficient and effective.
Documents that are prefixed with ISO/IEC are jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO 14001 is the International Organisation for Standardisation standard relating to Environmental Management Systems, which can lead to certification. It provides a framework for an organisation to control the environmental impacts of its activities, products and services, and to continually improve its environmental performance.
ISO 20000 is the International Organisation for Standardisation (ISO) standard which organisations can be externally, independently audited and certified against for their service management system (SMS).
ISO 22301 is the International Organisation for Standardisation (ISO) standard for Business Continuity, replacing BS25999 in 2012. The standard sets out the requirements for a Business Continuity Management System (BCMS) and describes how organisations maintain business processes through difficulties, disasters and other interruptions.
ISO 27001 is the International Organisation for Standardisation standard describing the best practice for an Information Security Management System (ISMS), which maintains the availability, confidentiality and integrity of the assets of an organisation.
This standard provides guidance in the form of a code of practice for the implementation of information security controls in any organisation. Closely aligned with the ISO27001 standard, ISO27002 serves as a practical guideline for all staff who are required to initiate, implement and maintain information security controls.
ISO27005 is the International Organisation for Standardisation (ISO) standard that provides guidelines for effective information security risk management and directly supports the risk management approach as specified in ISO27001.
ISO 31000 provides principles and generic guidelines on risk management that can be applied throughout a wide range of activities within an organisation.
ISO 38500 is the International Organisation for Standardisation (ISO) standard which provides guidance to those advising, informing or assisting directors on the effective and acceptable use of Information Technology (IT) within the organisation. The standard sets out three activities for directors to engage in:
This is the international standard for Energy Management Systems that helps organisations develop an efficient energy management system and can be used to meet legal energy compliance and for winning new contracts.
ISO 9001 is a standard that specifies a Quality Management System designed to demonstrate, manage and improve quality of products and services. It covers:
- Quality Management Systems
- Management Responsibility
- Resource Management
- Realisation (of customer requirements)
- Measurement, analysis and improvement.
A framework for the leadership, organisational structures, business processes, standards and compliance to these standards, which ensures that an organisation’s IT supports and enables the achievement of its strategies and objectives.
IT Governance is a comprehensive provider of information, advice, guidance, books, tools, training and consultancy for organisations that need to meet evolving information security, risk management and compliance requirements.
IT-GRC is an acronym for IT governance, risk management and compliance.
IT health checks identify vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system.
ITIL is a series of best practices for IT service management. It is a methodology on how to manage IT services to meet customer expectations.
The current core ITIL manuals are: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.
ITIL® has a comprehensive qualification scheme that allows IT service management professionals to gain recognition of their level of ITIL and ITSM management competency. There are currently four levels of certification:
- Foundation
- Intermediate
- Expert
- Master
IT Service Management (ITSM) deals with the definition and user-focused delivery of IT infrastructure guidance and support, including hardware, software and communication facilities. ITSM is a set of processes and functions that help align IT with organisational goals and deliver value.
The IT Service Management Forum (itSMF) is a not-for-profit, independent and internationally recognised forum for IT service management professionals. With chapters around the world, itSMF allows members to exchange views, best practices and network, which in turn delivers significant value to their businesses.
Loyalist, also known as Loyalist Certification Services (LCS), is an examination institute that provides examinations and certification services for IT professionals and organisations.
Management of Risk (M_o_R) is a route map for risk management, bringing together principles, interrelated processes and pointers to more detailed sources of advice on risk management techniques and specialisms.
Management of Value (MoV) is a value management methodology that can be utilised to get the best financial and non-financial benefits from programmes, projects and portfolios. MoV matches the organisation’s strategic goals with the agenda for the programmes. These programmes in turn deliver these goals through their underlying projects.
Managing Successful Programmes (MSP) is the best practice methodology for programme management.
MSP is designed to be used in conjunction with other AXELOS and PPM methodologies: PRINCE2, M_o_R, MoV and P3O.
N3 is the National network for the NHS, providing reliable IT infrastructure and services.
Portfolio, Programme and Project Offices (P3O) is a methodology from AXELOS which gives guidance on establishing a P3O office within an organisation.
P3O is aligned with PRINCE2, MSP, M_o_R, MoP and MoV. It brings together in one place a set of principles, processes and techniques to facilitate effective portfolio, programme and project management through enablement, challenge and support structures: the P3O.
PAS, a Publicly Available Specification, is a sponsored fast-track standard that is driven by the needs of client organisations and developed according to the BSI guidelines.
PAS 555 is the Publicly Available Specification for Cyber Security Risk Governance and Management and defines what effective cyber security looks like. The approach in this standard allows organisations to choose how they achieve the specified outcomes of cybersecurity, irrespective of their size, type, nature of business or location.
The Payment Card Industry Data Security Standard (PCI DSS) is administered by the PCI Security Standards Council and aims to decrease payment card fraud across the internet and increase credit card data security. Organisations that store, transmit or process card holder data must comply with PCI DSS.
Pen Testing, short for Penetration Testing, examines IT systems, networks and applications to make sure they are secure against cyber-attacks. A pen test can encompass some or all of the following areas:
- Application testing
- Web Application Testing
- Internal Network Testing
- Vulnerability Assessment
- Wireless Network Testing
- Telecom Security Testing
- VOIP Security Testing
- Security Audit
- Database Security Testing
The Project Management Body of Knowledge (PMBOK) documents and standardises generally accepted project management information and practices for professionals. Published by PMI®, the current edition, A Guide to the Project Management Body of Knowledge (PMBOK Guide), Fifth Edition, was released in 2012 and provides a basic reference for project management.
The Project Management Institute (PMI®) provides individuals and organisations with standards and certifications to showcase best practice project management.
PPM, or Project, Programme and Portfolio Management, is the core collection of methods, processes and technologies used to manage a project or programme which is based on numerous key characteristics. The main objective is to achieve the organisation's operational and financial goals by using the best mix of resources.
PRINCE2 (Projects in Controlled Environments), is a project management method that deals with the organisation, management and control of projects. Individuals can get certified against PRINCE2, which demonstrates their expertise in PRINCE2 and project management.
RSA Security LLC is a US network security company that organises the annual RSA conference.
Six Sigma is a disciplined methodology that measures quality in an organisation and eliminates defects. It focuses on process improvement and variation reduction, using six standard deviations to describe how a process is performing.
Service level agreements (SLAs) are commonly used for setting out how two parties have agreed that a specific service (usually, but not necessarily, IT-related) will be delivered by one party to another party. SLAs also define the standards or levels to which the service will be delivered. SLAs are a key part of the ITIL approach to service management.
Service level management (SLM) deals with the monitoring and reporting on service levels. It ensures that the service levels within the SLAs are monitored and, if they are not met, the relevant processes are informed so that they can take the appropriate actions.
TickITplus, which replaced the TickIT scheme, is a software quality certification scheme designed to encourage good software development, auditing and certification practices.
The Stationery Office (TSO) is one of the largest publishers in the UK, predominantly for the public sector. It publishes the official ITIL and PRINCE2 titles, which are now owned by AXELOS.
Val IT consists of a governance framework and supporting publications addressing the governance of IT-enabled business investments. Published by ISACA, it has now been incorporated into the COBIT 5 IT governance best practice.
A ‘zero-day’ (or zero-hour or day-zero) attack or threat is one that exploits a previously unknown vulnerability in a computer application or operating system, which developers have not had time to address and patch. The term ‘zero-day’ refers to the fact that the programmer has had zero days to fix the flaw (in other words, a patch is not available). Once a patch is available, it is no longer a ‘zero-day exploit’. It is common for individuals or companies who discover zero-day attacks to sell them to anybody for a variety of purposes.