CRISC Glossary (A - F) Flashcards

1
Q

Access Control

A

The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

2
Q

Access Rights

A

The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

3
Q

Accountability

A

The ability to map a given activity or event back to the responsible party

4
Q

Advanced persistent threat

A

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP800-61)

Scope Notes: The APT:

  1. Pursues its objectives repeatedly over an extended period of time
  2. Adapts to defenders’ efforts to resist it
  3. Is determined to maintain the level of interaction needed to execute its objectives
5
Q

Application controls

A

The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved

6
Q

Architecture

A

Description of the fundamental underlying design of the components of the business system (e.g. technology), the relationships among them, and the manner in which they support enterprise objectives

7
Q

Asset

A

Something of either tangible or intangible value worth protecting, including people, information, infrastructure, finances and reputation

8
Q

Asset value

A

The value of an asset is subject to many factors, including its value to both the business and to competitors. An asset may be valued according to what another party would pay for it, or by its measure of value to the company. Asset value is usually expressed as a quantitative (monetary) value.

9
Q

Authentication

A
  1. The act of verifying identity (e.g. of a user or system)

Scope notes: Risk: Can also refer to the verification of the correctness of a piece of data.

  2. The act of verifying the identity of a user and the user’s eligibility to access computerized information

Scope notes: Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.

10
Q

Authenticity

A

Undisputed authorship

11
Q

Availability

A

Ensuring timely and reliable access to and use of information

12
Q

Awareness

A

Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly

13
Q

Balanced scorecard (BSC)

A

Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that include traditional financial measures but add customer, internal business process, and learning and growth perspectives

14
Q

Business case

A

Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle

15
Q

Business continuity

A

Preventing, mitigating and recovering from disruption

Scope notes: The terms “business resumption planning”, “disaster recovery planning” and “contingency planning” also may be used in this context; they focus on recovery aspects of continuity, and for that reason the ‘resilience’ aspect should also be taken into account.

16
Q

Business continuity plan (BCP)

A

A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems

17
Q

Business goal

A

The translation of the enterprise’s mission from a statement of intention into performance targets and results

18
Q

Business impact

A

The net effect, positive or negative, on the achievement of business objectives

19
Q

Business impact analysis/assessment

A

Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system.

Scope notes: This process also includes addressing:

  • Income loss
  • Unexpected expense
  • Legal issues (regulatory compliance or contractual)
  • Interdependent processes
  • Loss of public reputation or public confidence
20
Q

Business objective

A

A further development of the business goals into tactical targets and desired results and outcomes

21
Q

Business process owner

A

The individual responsible for identifying process requirements, approving process design and managing process performance

Scope notes: Must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities

22
Q

Business risk

A

A probable situation with uncertain frequency and magnitude of loss (or gain)

23
Q

Capability

A

An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential, or is required, to contribute to a business outcome and to create value

24
Q

Capability Maturity Model (CMM)

A
  1. Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.
  2. CMM for software, from the Software Engineering Institute (SEI), is a model used by many enterprises to identify best practices useful in helping them assess and increase the maturity of their software development processes

Scope notes: CMM ranks software development enterprises according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes and the standards for level five describe the most mature or quality processes. A maturity model that indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives. A collection of instructions that an enterprise can follow to gain better control over its software development process

25
Q

Change management

A

A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or “soft” elements of change

Scope notes: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources (HR) policies and procedures, executive coaching, change leadership training, team building and communications planning and execution

26
Q

Cloud computing

A

Convenient, on-demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction

27
Q

Compensating control

A

An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions

28
Q

Computer emergency response team (CERT)

A

A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information system emergency

This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems

29
Q

Confidentiality

A

Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information

30
Q

Configuration management

A

The control of changes to a set of configuration items over a system life cycle

31
Q

Control

A

The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management or legal nature

Scope Notes: Also used as a synonym for safeguard or countermeasure.

32
Q

Control risk

A

The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls (See Inherent risks).

33
Q

Control risk self-assessment

A

A method/process by which management and staff at all levels collectively identify and evaluate risk and controls within their business areas. This may be under the guidance of a facilitator such as an auditor or risk manager.

34
Q

Copyright

A

Protection of writing, recordings or other ways of expressing an idea. The idea itself may be common, but the way it is expressed is unique, such as a song or book

35
Q

Culture

A

A pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things

Scope Notes: COBIT 5 and COBIT 2019 perspective

36
Q

Data classification

A

The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise.

37
Q

Data classification scheme

A

An enterprise scheme for classifying data by factors such as criticality, sensitivity and ownership

38
Q

Data custodian

A

The individual(s) and department(s) responsible for the storage and safeguarding of computerized data

39
Q

Data owner

A

The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data

40
Q

Demilitarized zone (DMZ)

A

A screened (firewalled) network segment that acts as a buffer zone between a trusted and untrusted network

Scope notes: A DMZ is typically used to house systems such as web servers that must be accessible from both internal networks and the Internet

41
Q

Detective control

A

Exists to detect and report when errors, omissions and unauthorized uses or entries occur

42
Q

Disaster recovery plan (DRP)

A

A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster

43
Q

Encryption

A

The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)

44
Q

Encryption algorithm

A

A mathematically based function or calculation that encrypts/decrypts data

45
Q

Enterprise resource planning (ERP) system

A

A packaged business software system that allows an enterprise to automate and integrate the majority of its business processes, share common data and practices across the entire enterprise, and produce and access information in a real-time environment

Scope notes: Examples of ERP include SAP, Oracle Financials and J.D. Edwards

46
Q

Enterprise Risk Management (ERM)

A

The discipline by which an enterprise in any industry assesses, controls, exploits, finances and monitors risk from all sources for the purpose of increasing the enterprise’s short- and long-term value to its stakeholders

47
Q

Event

A

Something that happens at a specific place and/or time

48
Q

Event type

A

For the purpose of IT risk management, one of three possible types of event: threat event, loss event and vulnerability event

Scope notes: Being able to consistently and effectively differentiate the different types of events that contribute to risk is a critical element in developing good risk-related metrics and well-informed decisions. Unless these categorical differences are recognized and applied, any resulting metrics lose meaning and, as a result, decisions based on those metrics are far more likely to be flawed.

49
Q

Evidence

A
  1. Information that proves or disproves a stated issue
  2. Information an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support

Scope notes: Audit perspective

50
Q

Fallback procedures

A

A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended

Scope note: May involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation

51
Q

Feasibility study

A

A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need

52
Q

Framework

A

A generally accepted, business-process-oriented structure that establishes a common language and enables repeatable business processes

Scope note: This term may be defined differently in different disciplines. This definition suits the purposes of this manual.

53
Q

Frequency

A

A measure of the rate by which events occur over a certain period of time