CRISC Glossary (A - F)

Question 1

Access Control

Answer 1

The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

Question 2

Access Rights

Answer 2

The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

Question 3

Accountability

Answer 3

The ability to map a given activity or event back to the responsible party

Question 4

Advanced persistent threat

Answer 4

An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP800-61)

Scope Notes: The APT:

1. Pursues its objectives repeatedly over an extended period of time
2. Adapts to defenders’ efforts to resist it
3. Is determined to maintain the level of interaction needed to execute its objectives

Question 5

Application controls

Answer 5

The policies, procedures and activities designed to provided reasonable assurance that objectives relevant to a given automated solution (application) are achieved

Question 6

Architecture

Answer 6

Description of the fundamental underlying design of the components of the business system, (e.g. technology), the relationships among them, and the manner in which they support enterprise objectives

Question 7

Asset

Answer 7

Something of either tangible or intangible value worth protecting, including people, information, infrastructure, finances and reputation

Question 8

Asset value

Answer 8

The value of an asset is subject many factors including the value to both the business and to competitors. An asset may be valued according to what another person would pay for it, or by its measure of value to the company. Asset value is usually done using quantitative (monetary) value.

Question 9

Authentication

Answer 9

1. The act of verifying identity, i.e. user, system

Scope notes: Risk: Can also refer to the verification of the correctness of a piece of data.

2. The act of verifying the identity of a user, the user’s eligibility to access computerized information

Scope notes: Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.

Question 10

Authenticity

Answer 10

Undisputed authorship

Question 11

Availability

Answer 11

Ensuring timely and reliable access to and use of information

Question 12

Awareness

Answer 12

Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly

Question 13

Balanced scorecard (BSC)

Answer 13

Developed by Robert S Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives

Question 14

Business case

Answer 14

Documentaiton of the raitonale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle

Question 15

Business continuity

Answer 15

Preventing, mitigating and recovering from disruption

Scope notes: The terms “business resumption planning”, “disaster recovery planning” and “contingency planning” also may be used in this context; they focus on recovery aspects of continuity, and for that reason the ‘resilience’ aspect should also be taken into account.

Question 16

Business continuity plan (BCP)

Answer 16

A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems

Question 17

Business goal

Answer 17

The translation of the enterprise’s mission from a statement of intention into performance targets and results

Question 18

Business impact

Answer 18

The net effect, positive or negative, on the achievement of business objectives

Question 19

Business impact analysis/assessment

Answer 19

Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system.

Scope notes: This process also includes addressing:

• Income loss
• Unexpected expense
• Legal issues (regulatory compliance or contractual)
• Interdependent processes
• Loss of public reputation or public confidence

Question 20

Business objective

Answer 20

A further development of the business goals into tactical targets and desired results and outcomes

Question 21

Business process owner

Answer 21

The individual responsible for identifying process requirements, approving process design and managing process performance

Scope notes: Must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities

Question 22

Business risk

Answer 22

A probable situation with uncertain frequency and magnitude of loss (or gain)

Question 23

Capability

Answer 23

An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential, or is required, to contribute to a business outcome and to create value

Question 24

Capability Maturity Model (CMM)

Answer 24

1. Contains the essential elements of effective processes for one or more disciplines. It also describes an evolutionary improvement path from ad hoc, immature processes to disciplined, mature processes with improved quality and effectiveness.
2. CMM for software, from the Software Engineering Institute (SEI), is a model used by many enterprises to identify best practices useful in helping them assess and increae the maturity of their software development processes

Scope notes: CMM ranks software development enterprises according to a hierarchy of five process maturity levels. Each level ranks the development environment according to its capability of producing quality software. A set of standards is associated with each of the five levels. The standards for level one describe the most immature or chaotic processes and the standards for level five describe the most mature or quality processes. A maturity model that indicates the degree of reliability or dependency the business can place on a process achieving the desired goals or objectives. A collection of instructions that an enterprise can follow to gain better control over its software development process

Question 25

Change management

Answer 25

A holistic and proactive approach to managing the transition from a current to a desired organizational state, focusing specifically on the critical human or “soft” elements of change

Scope notes: Includes activities such as culture change (values, beliefs and attitudes), development of reward systems (measures and appropriate incentives), organizational design, stakeholder management, human resources (HR) policies and procedures, executive coaching, change leadership training, team building and communications planning and execution

Question 26

Cloud computing

Answer 26

Convenient, on-demand network access to a shared pool of resources that can be rapidly provisioned and released with minimal management effort or service provider interaction

Question 27

Compensating control

Answer 27

An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions

Question 28

Computer emergency response team (CERT)

Answer 28

A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information system emergency

This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems

Question 29

Confidentiality

Answer 29

Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information

Question 30

Configuration management

Answer 30

The control of changes to a set of configuration items over a system life cycle

Question 31

Control

Answer 31

The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management or legal nature

Scope Notes: Also used as a synonym for safeguard or countermeasure.

Question 32

Control risk

Answer 32

The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal controls (See Inherent risks).

Question 33

Control risk self-assessment

Answer 33

A method/process by which management and staff of all levels collectively identify and evaluate risk and controls with their business areas. This may be under the guidance of a facilitator such as an auditor or risk manager.

Question 34

Copyright

Answer 34

Protection of writing, recordings or other ways of expressing an idea. The idea itself may be common, but the way it is expressed is unique, such as a song or book

Question 35

Culture

Answer 35

A pattern of behaviors, beliefs, assumptions, attitudes and ways of doing things

Scope Notes: COBIT 5 and COBIT 2019 perspective

Question 36

Data classification

Answer 36

The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise.

Question 37

Data classification scheme

Answer 37

An enterprise scheme for classifying data by factors such as criticality, sensitivity and ownership

Question 38

Data custodian

Answer 38

The individual(s) and department(s) responsible for the storage and safeguarding of computerized data

Question 39

Data owner

Answer 39

The individual(s), normally manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data

Question 40

Demilitarized zone (DMZ)

Answer 40

A screened (firewalled) network segment that acts as a buffer zone between a trusted and untrusted network

Scope notes: A DMZ is typically used to house systems such as web servers that must be accessible from both internal networks and Internet

Question 41

Detective control

Answer 41

Exists to detect and report when errors, omissions and unauthorized uses or entries occur

Question 42

Disaster recovery plan (DRP_

Answer 42

A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster

Question 43

Encryption

Answer 43

The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext)

Question 44

Encryption algorithm

Answer 44

A mathematically based function or calculation that encrypts/decrypts data

Question 45

Enterprise resource planning (ERP) system

Answer 45

A packaged business software system that sllows an enterprise to automate and integrate the majority of its business processess, share common data and practices across the entire enterprise, and produce and access information in a real-time enviroment

Scope notes: Examples of ERP include, SAP, Oracle Financials and J.D. Edwards

Question 46

Enterprise Risk Management (ERM)

Answer 46

The discipline by which an enterprise in any industry assesses, controls, exploits, finances and monitors risk fro mall sources for the purpose of increasing the enterprise’s short - and long-term value to its stakeholders

Question 47

Events

Answer 47

Something that happens at a specific place and/or time

Question 48

Event type

Answer 48

For the purpose of IT risk management, one of three possible sorts of events; threat events, loss event and vulnerability event

Scope notes: Being able to consistently and effectively differentiate the different types of events that contribute to risk is a critical element in developing good risk-related metrics and well-informed decisions. Unless these categorical differences are recognized and applied, any resulting metrics lose meaning and, as a result, decisions based on those metrics are far more likely to be flawed.

Question 49

Evidence

Answer 49

1. Information that process or disproves a stated issue
2. Information an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support

Scope notes: Audit perspective

Question 50

Fallback procedures

Answer 50

A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended

Scope note: May involve restoring the system to its state prior to the implementation or change. Fallback procedures are needed to ensure that normal business processes continue in the event of failure and should always be considered in system migration or implementation

Question 51

Feasibility study

Answer 51

A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need

Question 52

Framework

Answer 52

A generally accepted, business-process-oriented structure that establishes a common language and enables repeatable business processes

Scope note: This term may be defined differently in different disciplines. This definition suits the purposes of this manual.

Question 53

Frequency

Answer 53

A measure of the rate by which events occur over a certain period of time