Type I and II reports
The Statement on Auditing Standards 70 (SAS 70) of the American Institute of Certified Public Accountants (AICPA) prescribes Type I and Type II attestation reports for its clients after the auditors’ review of the client’s information systems. The SAS 70 is applicable to service organizations (software companies) that develop, provide, and maintain software used by user organizations (that is, user clients and customers). The Type I report states that information systems at the service organizations for processing user transactions are suitably designed with internal controls to achieve the related control objectives. The Type II report states that internal controls at the service organizations are properly designed and operating effectively. The Type I and the Type II reports are an essential part of the ISO/IEC 27001 dealing with information technology, security techniques, and information security management systems requirements.
Types of evidence
The types of evidence required to be admissible in a court of law to prove the truth or falsity of a given fact include the best evidence rule (primary evidence that is natural and in writing), oral testimony from a witness (secondary and direct evidence), physical evidence (tools and equipment), circumstantial evidence based on logical inference (introduction of a defendant's fingerprint or DNA sample), corroborative evidence (oral evidence consistent with a written document), authentication of records and their contents, demonstrative evidence (charts and models), and documentary evidence such as business records produced in the regular course of business (purchase orders and sales orders).
U
UMTS subscriber identity module (USIM)
A module similar to the SIM in GSM/GPRS networks, but with additional capabilities suited to third-generation networks.
Unauthorized access
A person gains logical or physical access without permission to a network, system, application, data, or other IT resource.
Uncertainty
The probability of experiencing a loss as a consequence of a threat event. A risk event that is an identifiable uncertainty is termed a known unknown.
Unclassified information
Any information that doesn't need to be safeguarded against disclosure but must be safeguarded against tampering, destruction, or loss due to record value, utility, replacement cost, or susceptibility to fraud, waste, or abuse.
Unified modeling language (UML)
Activities related to the industry-standard unified modeling language (UML) for specifying, visualizing, constructing, and documenting the artifacts of software systems. It simplifies the complex process of software design, making a “blueprint” for construction.
Uniform resource locator (URL)
It is the global address of documents and other resources on the World Wide Web. The first part of the address indicates what protocol to use, and the second part specifies the IP address or the domain name where the resource is located.
Unit testing
Focuses on testing individual program modules, and is part of the white-box testing technique. Program modules are collections of program instructions sufficient to accomplish a single, specific logical function.
Universal description, discovery, and integration (UDDI)
An XML-based lookup service for locating Web services in an Internet topology. UDDI provides a platform-independent way of describing and discovering Web services and the Web service providers. The UDDI data structures provide a framework for the description of basic service information, and an extensible mechanism to specify detailed service access information using any standard description language. UDDI is a single point-of-failure.
Universal mobile telecommunications system (UMTS)
A third-generation mobile phone technology standardized by the 3GPP as the successor to GSM.
Universal serial bus (USB)
A hardware interface for low-cost and low-speed peripherals such as the keyboard, mouse, joystick, scanner, printer, and telephony devices.
Unrecoverable bit error rate (UBE)
The rate at which a disk drive is unable to recover data after application of cyclic redundancy check (CRC) codes and multiple retries.
Update (patch)
An update (sometimes called a “patch”) is a “repair” for a piece of software (application or operating system). During a piece of software’s life, problems (called bugs) will almost invariably be found. A patch is the immediate solution that is provided to users; it can sometimes be downloaded from the software vendor’s website. The patch is not necessarily the best solution for the problem, and the product developers often find a better solution to provide when they package the product for its next release. A patch is usually developed and distributed as a replacement for or an insertion in compiled code (that is, in a binary file or object module). In larger operating systems, a special program is provided to manage and keep track of the installation of patches.
Upgrade
A new version of an operating system, application, or other software.
Usability
A set of attributes that bear on the effort needed for use, and on the individual assessment of such use, by a stated or implied set of users.
User
An individual, system, or a process authorized to access an information system by directly interacting with a computer system.
User authentication
User authentication can be achieved with either secret or public key cryptography. Creating a one-time password is an example of achieving user authentication and increasing security.
User-based threats
Examples include attackers using social engineering and phishing attacks, where the attackers try to trick users into accessing a fake website and divulging personal information. In some phishing attacks, users receive a legitimate-looking e-mail asking them to update their information on the company’s website. Instead of legitimate links, however, the URLs in the e-mail actually point to a rogue website.
User datagram protocol (UDP)
A commonly used transport layer protocol of the TCP/IP suite. It is a connectionless service without error correction or retransmission of misordered or lost packets. It is easier to spoof UDP packets than TCP packets, because there is no initial connection setup (handshake) involved between the two connected systems. Thus, there is a higher risk associated with UDP-based services.
User-directed access control
Access control in which users (or subjects generally) may alter the access rights. Such alterations may be restricted to certain individuals approved by the owner of an object.
User entitlement
Occurs when a user can access a system’s resources that they are authorized to access, no more and no less. It assumes that users have certain rights, obligations, and limitations and that they must adhere to the rules of behavior (ROB) at all times in order to keep their entitlement with honesty and integrity. For example, internal users must not misuse or abuse their access rights, because they can modify data and cause damage to computer systems and IT assets just as hackers can.
User entitlement operates based on the principles of access control lists, access profiles, access levels, access types (read, write, execute, append, modify, delete, or create), and access accountability. Users must understand the user entitlement rules, which are as follows:
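As an added illustration of the entitlement model described in this entry (not part of the glossary itself): an in-memory access control list that maps objects to users and access profiles, enforces the listed access types, and records every decision for accountability. The class and function names (`AccessControlList`, `check_access`, `denied_attempts`) and the sample profiles are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class AccessType(Enum):
    """The access types named in the glossary entry."""
    READ = "read"
    WRITE = "write"
    EXECUTE = "execute"
    APPEND = "append"
    MODIFY = "modify"
    DELETE = "delete"
    CREATE = "create"


# Access profiles (constructed sample): each profile is an access level,
# i.e. a named set of access types. "owner" gets every type.
ACCESS_PROFILES: Dict[str, Set[AccessType]] = {
    "viewer": {AccessType.READ},
    "editor": {AccessType.READ, AccessType.WRITE, AccessType.APPEND, AccessType.MODIFY},
    "owner": set(AccessType),
}


@dataclass
class AccessControlList:
    # object name -> (user -> profile name)
    entries: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # accountability: (user, object, access type, allowed?) for every decision
    audit_log: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def grant(self, obj: str, user: str, profile: str) -> None:
        """Assign a profile to a user for one object; unknown profiles are rejected."""
        if profile not in ACCESS_PROFILES:
            raise ValueError(f"unknown access profile: {profile}")
        self.entries.setdefault(obj, {})[user] = profile

    def check_access(self, user: str, obj: str, access: AccessType) -> bool:
        """Allow only what the user's profile on this object includes (no more, no less)."""
        profile = self.entries.get(obj, {}).get(user)
        allowed = profile is not None and access in ACCESS_PROFILES[profile]
        self.audit_log.append((user, obj, access.value, allowed))
        return allowed

    def denied_attempts(self) -> List[Tuple[str, str, str]]:
        """Accountability view: every request that exceeded the user's entitlement."""
        return [(u, o, a) for (u, o, a, ok) in self.audit_log if not ok]
```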