CRISC Glossary (O - R) Flashcards
Objectivity
The ability to exercise judgement, express opinions and present recommendations with impartiality
Operational level agreement (OLA)
An internal agreement covering the delivery of services that support the IT organization in its delivery of services
Owner
Individual or group that holds or possesses the rights of and the responsibilities for an enterprise, entity or asset
Scope notes: Examples: process owner, system owner
Patent
Protection of research and ideas that lead to the development of a new, unique and useful product to prevent the unauthorized duplication of the patented item
Penetration testing
A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers
Performance indicators
A set of metrics designed to measure the extent to which performance objectives are being achieved on an ongoing basis
Scope note: Performance indicators can include service level agreements (SLA), critical success factors (CSF), customer satisfaction ratings, internal or external benchmarks, industry best practices and international standards
Platform as a Service (PaaS)
Offers the capability to deploy onto the cloud infrastructure customer-created or -acquired applications that are created using programming languages and tools supported by the provider
Policy
- Generally, a document that records a high-level principle or course of action that has been decided on
The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams.
Scope notes: In addition to policy content, policies need to describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured.
- Overall intention and direction as formally expressed by management
Scope notes: COBIT 5 and 2019 perspectives
Portfolio
A grouping of “objects of interest” (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. (The investment portfolio is of primary interest to VAL IT. The IT service, project, asset and other resource portfolios are of primary interest to COBIT.)
Preventive control
An internal control that is used to avoid undesirable events, errors, and other occurrences that an enterprise has determined could have a negative material effect on a process or end product
Privilege
The level of trust with which a system object is imbued
Problem
In IT, the unknown underlying cause of one or more incidents
Problem escalation procedure
The process of escalating a problem up from junior to senior support staff, and ultimately to higher levels of management
Scope notes: Problem escalation procedure is often used in help desk management, when an unresolved problem is escalated up the chain of command until it is solved.
Program
A structured grouping of interdependent projects that is both necessary and sufficient to achieve a desired business outcome and create value. These projects could include, but are not limited to, changes in the nature of the business processes and work performed by people as well as the competencies required to carry out the work, the enabling technology and the organizational structure.
Project
A structured set of activities concerned with delivering a defined capability (that is necessary, but not sufficient, to achieve a required business outcome) to the enterprise, based on an agreed-on schedule and budget
Project portfolio
The set of projects owned by a company
Scope note: It usually includes the main guidelines relative to each project, including objectives, costs, time lines and other information specific to the project
Qualitative risk analysis
Defines risk using a scale or comparative values (i.e. defining risk factors in terms of high/medium/low or on a numeric scale from 1 to 10). It is based on judgment, intuition and experience rather than on financial values
Quantitative risk analysis
The use of numerical and statistical techniques to calculate likelihood and impact of risk. It uses financial data, percentages and ratios to provide an approximate measure of the magnitude of impact in financial terms
RACI chart
Illustrates who is Responsible, Accountable, Consulted and Informed within an organizational framework