CISM Vocabulary

Question 1

Administrative controls

Answer 1

policies, processes, procedures, standards

Question 2

Annualized Loss Expectancy

Answer 2

ALE = SLExARO

Question 3

architecture standard

Answer 3

defines technology architecture at the database, system, or network level

Question 4

assessment

Answer 4

an examination that determines the effectiveness of a system or process

Question 5

asset value

Answer 5

the value of an IT asset - usually but not always the Replacement Value

Question 6

Asynchronous Replication

Answer 6

writing to data in a remote system is not synchronized with the local system.

No guarantee that remote system is identical to local system

Might be a time lag

Question 7

Attestation of compliance

Answer 7

assertion of compliance to a law, standard or requirement

Typically signed by high ranking official

Question 8

authentication

Answer 8

asserting an identity and providing proof of it

typically requires an ID (assertion) and a password (proof)

Question 9

business email compromise

ceo fraud

Answer 9

perpetrator impersonates a CEO and gets company personnel to transfer large amounts of money, typically for a “secret merger” or “acquisition”

Question 10

Business Impact Analysis

Answer 10

Study to identify the impact that different disaster scenarios will have on business operations

Question 11

Business Recovery Plan

Answer 11

activities required to recover and resume critical business processes and activities

Question 12

capability maturity model

Answer 12

measures relative maturity of an organization and its processes

Question 13

capability maturity model for Development

CMMi-DEV

Answer 13

maturity model used to measure software development process maturity

Question 14

certification practicer statement (CPS)

Answer 14

describes practices used by the CA to issue and manage digital certificates

Question 15

Change Control Board
aka
Change Advisory Board

Answer 15

stakeholders from IT and Business who propose, discuss, approve changes to the IT systems

Question 16

CIS Controls

Answer 16

framework maintained by the Center for Internet Security (CIS)

Question 17

COBIT

Answer 17

published by ISACA

control framework for managing information systems and security

Question 18

COSO

Answer 18

Committee of Sponsoring Organizations of the Treadway Commission

Organization providing control frameworks and guidance on enterprise risk management

Question 19

COOP

Answer 19

Continuity of Operations Plan

activities required to continue critical and strategic business functions at alternate site

Question 20

Control

Answer 20

Policy, Process or Procedure created to ensure desired outcomes or to avoid unwanted outcomes

Question 21

Control Framework

Answer 21

Collection of controls organized in logical categories

Question 22

Covered Entity

Answer 22

any organization that stores or processes information covered by HIPAA

Question 23

Critical Path Methodology (CPM)

Answer 23

Technique used to identify the most critical path in a project to understand which tasks are most likely to affect the project schedule

Question 24

Criticality Analysis (CA)

Answer 24

Study of each system and process, a consideration of the impact on the organization if it’s incapacitated, the likelihood of incapacitation and the estimated cost of mitigating the impact (risk)

Question 25

Digital envelope

Answer 25

method of using two layers of encryption symmetric key is used to encrypt a message and a public or private key is used to encrypt the symmetric key

Question 26

Disaster

Answer 26

unexpected and unplanned event that results in the disruption of business operations

Question 27

Dwell Time

Answer 27

amount of time from the start of an incident to the organization's awareness of the incident

Question 28

e-vaulting

Answer 28

backing up information to an off-site location, usually a 3rd-party service provider

Question 29

Exposure Factor

Answer 29

financial loss resulting from realization of a threat. expressed as a percentage of the asset's total value

Question 30

Facilities Classification

Answer 30

methods for assigning risk levels to facilities based based on their operational criticality or other risk factors

Question 31

fiduciary

Answer 31

person who has a legal trust relationship with another party

Question 32

fiduciary duty

Answer 32

highest standard of care that a fiduciary renders to a beneficiary

Question 33

File Activity Monitoring (FAM)

Answer 33

monitoring the use of files on a computer as a way to detect indicators of compromise

Question 34

File Integrity Monitoring (FIM)

Answer 34

periodically scanning file systems to detect changes to file contents or permissions that may indicate compromise

Question 35

HITRUST

Answer 35

healthcare control framework and certification servers as external attestation of an organization's IT controls

Question 36

Hybrid cryptography

Answer 36

cryptosystem that uses two or more iterations of cryptography

Question 37

Impact

Answer 37

actual or expected result from a threat or disaster

Question 38

incident

Answer 38

any event not part of standard operation of a service and that causes or may cause interruption or reduction in quality of service

Question 39

Information Risk

Answer 39

business risk associated with use, ownership, operation, involvement, influence and adoption of information in an enterprise

Question 40

ISMS | Information Security Management System

Answer 40

ISO/IEC 27001 - activities for managing information security in an organization

Question 41

inherent risk

Answer 41

the risk that there are material weaknesses in existing business processes and no compensating controls to detect or prevent them

Question 42

integrated audit

Answer 42

financial and operational audit

Question 43

intrusion kill chain

Answer 43

intrusion model developed by Lockheed Martin ``` Phases are: reconnaissance weaponization delivery exploitation installation command and control actions on objective ```

Question 44

ISAE 3402 | International Standard on Assurance Engagement

Answer 44

external audit of a service provider performed according to rules from International Auditing and Assurance Standards Board

Question 45

ISO/IEC 20000

Answer 45

standard for IT service management (ITSM)

Question 46

ISO/IEC 27001

Answer 46

standard for IT security management

Question 47

ISO/IEC 27002

Answer 47

standard for IT security controls

Question 48

ITIL

Answer 48

standard for IT service management

Question 49

Key Performance Indicator (KPI)

Answer 49

Measure of business process' performance and quality Used to reveal trends related to efficiency and effectiveness of key processes in the organization

Question 50

Key Risk Indicator (KRI)

Answer 50

measure of information risk used to reveal trends related to levels of risk of security incidents in the organization

Question 51

Maximum Tolerable Downtime (MTD)

Answer 51

Amount of time after a disaster, after which, an organization's survival is at risk

Question 52

Maximum Tolerable Outage (MTO)

Answer 52

Maximum period of time that an organization can tolerate operating in recovery mode

Question 53

North American Reliability Corporation (NERC)

Answer 53

maintains resilience and security controls for use by public utitilities

Question 54

North American Reliability Corporation Infrastructure Protection (NERC CIP)

Answer 54

Standards and Requirements defined by NERC to protect power plants and grids

Question 55

Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE)

Answer 55

Qualitative risk analysis methodology from Carnegie Mellon

Question 56

orchestration

Answer 56

in context of SIEM, it is the scripted automated response when specific events occur

Question 57

PCI-DSS

Answer 57

Security standard to protect credit card numbers in storage, processing and transmission. Developed by consortium of credit card companies

Question 58

Policy

Answer 58

Specifies what must be done or not done in an organization Defines who is responsible for monitoring and enforcing policy

Question 59

Population

Answer 59

Complete set of entities, transactions or events that are the subject of an audit

Question 60

Process

Answer 60

collection of procedures that perform a business function

Question 61

Responsible, Accountable, Consulted, Informed (RACI) Chart

Answer 61

Tool to assign roles to people and groups according to their responsibilities

Question 62

Recovery Capacity Objective (RCapO)

Answer 62

Processing and/or Storage capacity of an alternate system as compared to the normal system. Usually expressed as a percentage compared to the primary processing site

Question 63

Recovery Capacity Objection (RCO)

Answer 63

Measure of the consistency and integrity of processing at a recovery site, compared to the primary site. Calculated as 1 - (number of inconsistent objects) / (number of objects)

Question 64

Recovery Consistency Objective (RCO)

Answer 64

Measure of the consistency and integrity of processing at a recovery site, compared to the primary site. Calculated as 1 - (number of inconsistent objects) / (number of objects)

Question 65

Recovery Point Objective (RPO)

Answer 65

Period of acceptable data loss from an incident. Usually measured in hours or days

Question 66

Recovery Time Objective (RTO)

Answer 66

Time from the onset of an outage until the resumption of service. Usually measured in hours or days

Question 67

Reperformance

Answer 67

audit technique where an IS auditor repeats actual tasks done by auditees in order to confirm they were performed correctly

Question 68

Replication (aka Synchronous replication)

Answer 68

activity where data written to a storage system is also copied to another storage system. Result is the presence of up-to-date data on two or more storage systems, each of which could be in different locations

Question 69

Residual Risk

Answer 69

risk that remains after being reduced through other risk treatments

Question 70

Response Document

Answer 70

Required action of personnel after a disaster strikes. Includes business recovery plan, occupant emergency plan, emergency communication plan, contact lists, disaster recovery plan, continuity of operations plan, security incident response plan

Question 71

Risk

Answer 71

event scenario that can result in property damage or disruption

Question 72

Risk Appetite (Risk Tolerance)

Answer 72

level of risk an organization is willing to accept to pursue its mission and before action is needed to treat the risk

Question 73

Risk Capacity

Answer 73

Objective amount of loss an organization can tolerate without its existence being called into question

Question 74

Risk Treatments

Answer 74

mitigate avoid transfer accept

Question 75

Roadmap

Answer 75

steps needed to achieve strategic objective

Question 76

Sample

Answer 76

portion of a population that's selected for auditing

Question 77

Sample Mean

Answer 77

sum of all samples divided by number of samples

Question 78

Sample Standard Deviation

Answer 78

measures the spread of values in the sample Computation of the variance of sample values from the sample mean

Question 79

Sarbanes Oxley

Answer 79

law requiring public corporations to enact controls, perform internal and external audits

Question 80

SAS 70 | Statement of Accounting Standards No. 70

Answer 80

external audit of a service provider

Question 81

Security Incident

Answer 81

event where the confidentiality, integrity or availability of information has been compromised

Question 82

Service Delivery Objective (SDO)

Answer 82

level of service needed after an event, compared to normal business operations

Question 83

Single Loss Expectancy (SLE)

Answer 83

financial loss when a threat is realized SLE = AV x EF

Question 84

Snapshot

Answer 84

a continuous auditing technique Uses special audit modules embedded in online applications, that sample specific transactions

Question 85

Standard

Answer 85

defines technologies, protocols, suppliers, methods used by an IT organization

Question 86

Statements on Standards for Attestation Engagements No. 16 (SSAE 16)

Answer 86

Audit standard superseded by SSAE 18

Question 87

Statements on Standards for Attestation Engagements No. 18 (SSAE 18)

Answer 87

Audit standard for financial service provider audits Performed by AICPA (American Institute of CPAs)

Question 88

System and Organization Controls 1 (SOC1)

Answer 88

External audit of a service provider SOC1 audit is performed according to the SSAE 18 standard

Question 89

System and Organization Controls 2 (SOC2)

Answer 89

External audit of a service provider on one or more of the following trust principles: ``` security availability processing integrity confidentiality privacy ``` SOC 2 audits performed according to audit standards from the AICPA

Question 90

System and Organization Controls 3 (SOC3)

Answer 90

external audit of a service provider like SOC 2

Question 91

Stratified Sampling

Answer 91

sampling technique where population is divided into classes (strata) based on the value of one of the attributes Samples selected from each class (strata)

Question 92

The Open Group Architecture Framework (TOGAF)

Answer 92

lifecycle architecture framework used for the design, plan, implementation and governance of a security architecture

Question 93

Threat modeling

Answer 93

activity of looking for potential threats in a business process, information system or application

Question 94

Zachman Framework

Answer 94

architecture framework used to describe IT architecture in increasing levels of details

Question 95

Procedure

Answer 95

Written sequence of instructions to perform a task