CRISC Glossary (G - N) Flashcards

1
Q

Governance

A

Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives

Scope note: Conditions can include the cost of capital, foreign exchange rates, etc. Options can include shifting manufacturing to other locations, subcontracting portions of the enterprise to third parties, selecting a product mix from many available choices, etc.

2
Q

Governance enabler

A

Something (tangible or intangible) that assists in the realization of effective governance

Scope note: COBIT 5 and 2019 perspective

3
Q

Governance of enterprise IT

A

A governance view that ensures that information and related technology support and enable the enterprise strategy and the achievement of enterprise objectives; this also includes the functional governance of IT, i.e., ensuring that IT capabilities are provided efficiently and effectively.

4
Q

Impact

A

Magnitude of loss resulting from a threat exploiting a vulnerability

5
Q

Impact analysis

A

A study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events.

In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.

6
Q

Impact assessment

A

A review of the possible consequences of a risk

Scope note: See also Impact analysis

7
Q

Incident

A

Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service

8
Q

Information security

A

Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability)

9
Q

Information systems (IS)

A

The combination of strategic, managerial and operational activities involved in the gathering, processing, storing, distributing and use of information, and its related technologies

Scope note: Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components

10
Q

Information technology (IT)

A

The hardware, software, communication and other facilities used to input, store, process, transmit and output data in whatever form

11
Q

Infrastructure as a Service (IaaS)

A

Offers the capability to provision processing, storage, networks and other fundamental computing resources, enabling the customer to deploy and run arbitrary software, which can include operating systems (OSs) and applications

12
Q

Inherent risk

A

The risk level or exposure without taking into account the actions that management has taken or might take (e.g. implementing controls)

13
Q

Integrity

A

Guarding against improper information modification or destruction; includes ensuring information nonrepudiation and authenticity

14
Q

Intellectual property

A

Intangible assets that belong to an enterprise for its exclusive use

15
Q

Internal controls

A

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected and corrected

16
Q

IT architecture

A

Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise’s objectives

17
Q

IT infrastructure

A

The set of hardware, software and facilities that integrates an enterprise’s IT assets

Scope note: Specifically, the equipment (includes servers, routers, switches, and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the organization’s users

18
Q

IT-related incident

A

An IT-related event that causes an operational, development and/or strategic business impact

19
Q

IT risk

A

The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

20
Q

IT risk issue

A
1. An instance of an IT risk
2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk

21
Q

IT risk profile

A

A description of the overall (identified) IT risk to which the enterprise is exposed

22
Q

IT risk register

A

A repository of the key attributes of potential and known IT risk issues. Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact and disposition

23
Q

IT risk scenario

A

The description of an IT-related event that can lead to a business impact

24
Q

IT strategic plan

A

A long-term plan (i.e. three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise’s strategic objectives (goals)

25
Q

IT tactical plan

A

A medium-term plan (i.e. six- to 18-month horizon) that translates the IT strategic plan direction into required initiatives, resource requirements and ways in which resources and benefits will be monitored and managed

26
Q

Key performance indicator (KPI)

A

A measure that determines how well the process is performing in enabling the goal to be reached

Scope note: A lead indicator of whether a goal will likely be reached, and a good indicator of capabilities, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance

27
Q

Key risk indicator (KRI)

A

A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk

Scope note: See Risk indicator

28
Q

Lag indicator

A

Metrics for achievement of goals - An indicator relating to the outcome or result of an enabler

Scope note: This indicator is only available after the facts or events

29
Q

Lead indicator

A

Metrics for application of good practice - An indicator relating to the functioning of an enabler

Scope note: This indicator will provide an indication on possible outcome of the enabler

30
Q

Likelihood

A

The probability of something happening

31
Q

Loss event

A

Any event where a threat event results in loss

Scope note: From Jones, J.; “FAIR Taxonomy”, Risk Management Insight, USA, 2008

32
Q

Magnitude

A

A measure of the potential severity of loss or the potential gain from realized events/scenarios

33
Q

Management

A

Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives

34
Q

Nondisclosure agreement (NDA)

A

A legal contract between at least two parties that outlines confidential materials that the parties wish to share with one another for certain purposes, but wish to restrict from generalized use; a contract through which the parties agree not to disclose information covered by the agreement

35
Q

Nonrepudiation

A

The assurance that a party cannot later deny originating data; provision of proof of the integrity and origin of the data and that can be verified by a third party

Scope note: A digital signature can provide nonrepudiation