CRISC Glossary (A - F) Flashcards
Access Control
The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises
Access Rights
The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy
Accountability
The ability to map a given activity or event back to the responsible party
Advanced persistent threat
An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives using multiple attack vectors (NIST SP800-61)
Scope Notes: The APT:
- Pursues its objectives repeatedly over an extended period of time
- Adapts to defenders’ efforts to resist it
- Is determined to maintain the level of interaction needed to execute its objectives
Application controls
The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved
Architecture
Description of the fundamental underlying design of the components of the business system (e.g., technology), the relationships among them, and the manner in which they support enterprise objectives
Asset
Something of either tangible or intangible value worth protecting, including people, information, infrastructure, finances and reputation
Asset value
The value of an asset is subject to many factors, including its value both to the business and to competitors. An asset may be valued according to what another person would pay for it, or by its measure of value to the company. Asset valuation is usually expressed as a quantitative (monetary) value.
Authentication
- The act of verifying identity (e.g., of a user or system)
Scope notes: Risk: Can also refer to the verification of the correctness of a piece of data.
- The act of verifying the identity of a user and the user’s eligibility to access computerized information
Scope notes: Assurance: Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.
Authenticity
Undisputed authorship
Availability
Ensuring timely and reliable access to and use of information
Awareness
Being acquainted with, mindful of, conscious of and well informed on a specific subject, which implies knowing and understanding a subject and acting accordingly
Balanced scorecard (BSC)
Developed by Robert S. Kaplan and David P. Norton as a coherent set of performance measures organized into four categories that include traditional financial measures but add customer, internal business process, and learning and growth perspectives
Business case
Documentation of the rationale for making a business investment, used both to support a business decision on whether to proceed with the investment and as an operational tool to support management of the investment through its full economic life cycle
Business continuity
Preventing, mitigating and recovering from disruption
Scope notes: The terms “business resumption planning”, “disaster recovery planning” and “contingency planning” may also be used in this context; they focus on the recovery aspects of continuity, and for that reason the “resilience” aspect should also be taken into account.
Business continuity plan (BCP)
A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems
Business goal
The translation of the enterprise’s mission from a statement of intention into performance targets and results
Business impact
The net effect, positive or negative, on the achievement of business objectives
Business impact analysis/assessment
Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system.
Scope notes: This process also includes addressing:
- Income loss
- Unexpected expense
- Legal issues (regulatory compliance or contractual)
- Interdependent processes
- Loss of public reputation or public confidence
Business objective
A further development of the business goals into tactical targets and desired results and outcomes
Business process owner
The individual responsible for identifying process requirements, approving process design and managing process performance
Scope notes: Must be at an appropriately high level in the enterprise and have authority to commit resources to process-specific risk management activities