CRISC Glossary (A - F) Flashcards
Access Control
The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises
Access Rights
The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy
Accountability
The ability to map a given activity or event back to the responsible party
Advanced persistent threat
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP800-61)
Scope Notes: The APT:
- Pursues its objectives repeatedly over an extended period of time
- Adapts to defenders’ efforts to resist it
- Is determined to maintain the level of interaction needed to execute its objectives
Application controls
The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved
Architecture
Description of the fundamental underlying design of the components of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectives
Asset
Something of either tangible or intangible value worth protecting, including people, information, infrastructure, finances and reputation
Asset value
The value of an asset is subject to many factors, including its value to both the business and to competitors. An asset may be valued according to what another person would pay for it, or by its measure of value to the company. Asset value is usually expressed as a quantitative (monetary) value.
Authentication
- The act of verifying identity (i.e., of a user or a system)
Scope notes: Risk: Can also refer to the verification of the correctness of a piece of data.
- The act of verifying the identity of a user and the user’s eligibility to access computerized information
Scope notes: Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.
Authenticity
Undisputed authorship
Availability
Ensuring timely and reliable access to and use of information
Awareness
Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly
Balanced scorecard (BSC)
Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives
Business case
Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle
Business continuity
Preventing, mitigating and recovering from disruption
Scope notes: The terms “business resumption planning”, “disaster recovery planning” and “contingency planning” also may be used in this context; they focus on recovery aspects of continuity, and for that reason the ‘resilience’ aspect should also be taken into account.
Business continuity plan (BCP)
A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems
Business goal
The translation of the enterprise’s mission from a statement of intention into performance targets and results
Business impact
The net effect, positive or negative, on the achievement of business objectives
Business impact analysis/assessment
Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system.
Scope notes: This process also includes addressing:
- Income loss
- Unexpected expense
- Legal issues (regulatory compliance or contractual)
- Interdependent processes
- Loss of public reputation or public confidence
Business objective
A further development of the business goals into tactical targets and desired results and outcomes
Business process owner
The individual responsible for identifying process requirements, approving process design and managing process performance
Scope notes: Must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities
Business risk
A probable situation with uncertain frequency and magnitude of loss (or gain)
Capability
An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential, or is required, to contribute to a business outcome and to create value
Capability Maturity Model (CMM)
- Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.
- CMM for software, from the Software Engineering Institute (SEI), is a model used by many enterprises to identify best practices useful in helping them assess and increase the maturity of their software development processes
Scope notes: CMM ranks software development enterprises according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes and the standards for level five describe the most mature or quality processes. A maturity model that indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives. A collection of instructions that an enterprise can follow to gain better control over its software development process
Change management
A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or “soft” elements of change
Scope notes: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources (HR) policies and procedures, executive coaching, change leadership training, team building and communications planning and execution
Cloud computing
Convenient, on-demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction
Compensating control
An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions
Computer emergency response team (CERT)
A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information system emergency
This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems
Confidentiality
Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information
Configuration management
The control of changes to a set of configuration items over a system life cycle
Control
The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management or legal nature
Scope Notes: Also used as a synonym for safeguard or countermeasure.
Control risk
The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls (See Inherent risks).
Control risk self-assessment
A method/process by which management and staff of all levels collectively identify and evaluate risk and controls within their business areas. This may be under the guidance of a facilitator such as an auditor or risk manager.
Copyright
Protection of writing, recordings or other ways of expressing an idea. The idea itself may be common, but the way it is expressed is unique, such as a song or book
Culture
A pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things
Scope Notes: COBIT 5 and COBIT 2019 perspective
Data classification
The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise.
Data classification scheme
An enterprise scheme for classifying data by factors such as criticality, sensitivity and ownership
Data custodian
The individual(s) and department(s) responsible for the storage and safeguarding of computerized data
Data owner
The individual(s), normally manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data
Demilitarized zone (DMZ)
A screened (firewalled) network segment that acts as a buffer zone between a trusted and untrusted network
Scope notes: A DMZ is typically used to house systems such as web servers that must be accessible from both internal networks and the Internet
Detective control
Exists to detect and report when errors, omissions and unauthorized uses or entries occur
Disaster recovery plan (DRP)
A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster
Encryption
The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)
Encryption algorithm
A mathematically based function or calculation that encrypts/decrypts data
Enterprise resource planning (ERP) system
A packaged business software system that allows an enterprise to automate and integrate the majority of its business processes, share common data and practices across the entire enterprise, and produce and access information in a real-time environment
Scope notes: Examples of ERP include SAP, Oracle Financials and J.D. Edwards
Enterprise Risk Management (ERM)
The discipline by which an enterprise in any industry assesses, controls, exploits, finances and monitors risk from all sources for the purpose of increasing the enterprise’s short- and long-term value to its stakeholders
Event
Something that happens at a specific place and/or time
Event type
For the purpose of IT risk management, one of three possible sorts of events: threat event, loss event and vulnerability event
Scope notes: Being able to consistently and effectively differentiate the different types of events that contribute to risk is a critical element in developing good risk-related metrics and well-informed decisions. Unless these categorical differences are recognized and applied, any resulting metrics lose meaning and, as a result, decisions based on those metrics are far more likely to be flawed.
Evidence
- Information that proves or disproves a stated issue
- Information an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support
Scope notes: Audit perspective
Fallback procedures
A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended
Scope note: May involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation
Feasibility study
A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need
Framework
A generally accepted, business-process-oriented structure that establishes a common language and enables repeatable business processes
Scope note: This term may be defined differently in different disciplines. This definition suits the purposes of this manual.
Frequency
A measure of the rate by which events occur over a certain period of time