As I've mentioned before, I have a set of questions on information security. The context is the ISO standard on information security management. I just cannot comprehend the meaning of some phrases, e.g.:

1) Contacts should be developed to keep up with industrial trends, monitor standards and assessment methods and provide *** liaison *** when dealing with security incidents.

What is *** liaison *** in this context? There are many meanings, and I cannot choose because I'm not quite aware of the English IT terminology.

2) Access is provided to... hardware and software support staff, who need access to system level or *** level application *** - could you please explain what's that? Is it applications with a low level of functionality or is it functions of low-level applications [:^)] ?

3) What is "retention of evidence" in the context of security violation by employees? Is it the same as "collection of evidence"?

4) Care should be taken that no single person can perpetrate fraud in areas of single responsibility without being detected. *** initiation of an *** should be separated from its authorization.

I clearly understand the first sentence, but the second one is totally vague. What is meant by "initiation of event"?

5) Development and test environments should be separated - in this case there's a need to maintain a stable and known environment in which to perform meaningful testing and to prevent *** developer *** - what's that? Does this mean that access of the developer is inappropriate or what?

The questions are isolated, because they are from different paragraphs, but I hope they make sense... Hope they are not very bulky. I'd really appreciate your help.

So, no volunteers to help a lady? How sad... :/
I can answer a few of those:

2. Low-level applications are generic here and describe any direct access to the operating system or the kernel.

4. Functionality 1 could be the entry of the data. Functionality 2 would be the validation of the data entered in Func. 1 and would be done by a different person. Here Func. 1 is the initiation process. (Data entry is just an example here, as it could be anything.)

5. This means the developers should not be able to tamper with the data in the test systems. It is reserved entirely for the test team. All the bug fixes would be done in the development system and later migrated to the test system through some pre-defined process.

For questions 1 and 3, I need more info regarding the context. Retention of evidence looks more to me like keeping some sort of log on the employee's usage of the system.
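As an added illustration of the answer to question 4 (initiation separated from authorization) and the log idea in the answer to question 3, not part of this thread: a small Python workflow in which the person who initiates a transaction can never be the one who authorizes it, and every attempt, accepted or rejected, is appended to an audit log. The class and user names (PaymentWorkflow, alice, bob) are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class SeparationOfDutiesError(Exception):
    """Raised when one person tries to both initiate and authorize a transaction."""


@dataclass
class Transaction:
    tx_id: str
    amount: int
    initiated_by: str
    authorized_by: Optional[str] = None


@dataclass
class PaymentWorkflow:
    """Two-step workflow: initiate, then authorize by a *different* person."""
    transactions: Dict[str, Transaction] = field(default_factory=dict)
    # Append-only record of every action: the "retained evidence".
    audit_log: List[Tuple[str, str, str]] = field(default_factory=list)

    def initiate(self, tx_id: str, amount: int, user: str) -> Transaction:
        tx = Transaction(tx_id, amount, initiated_by=user)
        self.transactions[tx_id] = tx
        self.audit_log.append(("initiate", tx_id, user))
        return tx

    def authorize(self, tx_id: str, user: str) -> Transaction:
        tx = self.transactions[tx_id]
        # Segregation-of-duties check: the initiator may never authorize.
        if user == tx.initiated_by:
            self.audit_log.append(("rejected", tx_id, user))
            raise SeparationOfDutiesError(
                f"{user} initiated {tx_id} and cannot also authorize it")
        tx.authorized_by = user
        self.audit_log.append(("authorize", tx_id, user))
        return tx


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: alice initiates, tries to self-approve, bob approves."""
    wf = PaymentWorkflow()
    wf.initiate("T1", 500, "alice")
    try:
        wf.authorize("T1", "alice")  # rejected and logged
    except SeparationOfDutiesError:
        pass
    wf.authorize("T1", "bob")        # accepted and logged
    return wf.audit_log
```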
Thanks, Guest!