CRISC Glossary (G - N) Flashcards
Governance
Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives
Scope note: Conditions can include the cost of capital, foreign exchange rates, etc. Options can include shifting manufacturing to other locations, subcontracting portions of the enterprise to third parties, selecting a product mix from many available choices, etc.
Governance enabler
Something (tangible or intangible) that assists in the realization of effective governance
Scope notes: COBIT 5 and 2019 perspective
Governance of enterprise IT
A governance view that ensures that information and related technology support and enable the enterprise strategy and the achievement of enterprise objectives; this also includes the functional governance of IT, i.e., ensuring that IT capabilities are provided efficiently and effectively.
Impact
Magnitude of loss resulting from a threat exploiting a vulnerability
Impact analysis
A study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events.
In an impact analysis, threats to assets are identified and potential business losses determined for different time periods. This assessment is used to justify the extent of safeguards that are required and recovery time frames. This analysis is the basis for establishing the recovery strategy.
Impact assessment
A review of the possible consequences of a risk
Scope notes: See also Impact analysis
Incident
Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service
Information security
Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability)
Information systems (IS)
The combination of strategic, managerial and operational activities involved in the gathering, processing, storing, distributing and use of information, and its related technologies
Scope notes: Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components
Information technology (IT)
The hardware, software, communication and other facilities used to input, store, process, transmit and output data in whatever form
Infrastructure as a Service (IaaS)
Offers the capability to provision processing, storage, networks and other fundamental computing resources, enabling the customer to deploy and run arbitrary software, which can include operating systems (OSs) and applications
Inherent risk
The risk level or exposure without taking into account the actions that management has taken or might take (e.g. implementing controls)
Integrity
The guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity
Intellectual property
Intangible assets that belong to an enterprise for its exclusive use
Internal controls
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that the business objectives will be achieved and undesired events will be prevented or detected and corrected
IT architecture
Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise’s objectives
IT infrastructure
The set of hardware, software and facilities that integrates an enterprise’s IT assets
Scope note: Specifically, the equipment (includes servers, routers, switches, and cabling), software, services and products used in storing, processing, transmitting and displaying all forms of information for the organization’s users
IT-related incident
An IT-related event that causes an operational, development and/or strategic business impact
IT risk
The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise
IT risk issue
1. An instance of an IT risk
2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk
IT risk profile
A description of the overall (identified) IT risk to which the enterprise is exposed
IT risk register
A repository of the key attributes of potential and known IT risk issues. Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact and disposition
IT risk scenario
The description of an IT-related event that can lead to a business impact
IT strategic plan
A long-term plan (i.e. three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise’s strategic objectives (goals)
IT tactical plan
A medium-term plan (i.e. six- to 18-month horizon) that translates the IT strategic plan direction into required initiatives, resource requirements and ways in which resources and benefits will be monitored and managed
Key performance indicator (KPI)
A measure that determines how well the process is performing in enabling the goal to be reached
Scope note: A lead indicator of whether a goal will likely be reached, and a good indicator of capabilities, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance
Key risk indicator (KRI)
A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk
Scope note: See Risk indicator
Lag indicator
Metrics for achievement of goals - An indicator relating to the outcome or result of an enabler
Scope note: This indicator is only available after the facts or events
Lead indicator
Metrics for application of good practice - An indicator relating to the functioning of an enabler
Scope note: This indicator will provide an indication on possible outcome of the enabler
Likelihood
The probability of something happening
Loss event
Any event where a threat event results in loss
Scope note: From Jones, J.; “FAIR Taxonomy”, Risk Management Insight, USA, 2008
Magnitude
A measure of the potential severity of loss or the potential gain from realized events/scenarios
Management
Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives
Nondisclosure agreement (NDA)
A legal contract between at least two parties that outlines confidential materials that the parties wish to share with one another for certain purposes, but wish to restrict from generalized use; a contract through which the parties agree not to disclose information covered by the agreement
Nonrepudiation
The assurance that a party cannot later deny originating data; provision of proof of the integrity and origin of the data, which can be verified by a third party
Scope note: A digital signature can provide nonrepudiation