CRISC Glossary (O - R)

Question 1

Objectivity

Answer 1

The ability to exercise judgement, express opinions and present recommendations with impartiality

Question 2

Operational level agreement (OLA)

Answer 2

An internal agreement covering the delivery of services that support the IT organization in its delivery of services

Question 3

Owner

Answer 3

Individual or group that holds or possesses the rights of and the responsibilities for an enterprise, entity or asset

Scope notes: Examples: process owner, system owner

Question 4

Patent

Answer 4

Protection of research and ideas that lead to the development of a new, unique and useful product to prevent the unauthorized duplication of the patented item

Question 5

Penetration testing

Answer 5

A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers

Question 6

Performance indicators

Answer 6

A set of metrics designed to measure the extent to which performance objectives are being achieved on an ongoing basis

Scope note: Performance indicators can include service level agreements (SLA), critical success factors (CSF), customer satisfaction ratings, internal or external benchmarks, industry best practices and international standards

Question 7

Platform as a Service (PaaS

Answer 7

Offers the capability to deploy onto the cloud infrastructure customer-created or - acquired applications that are created using programming languages and tools supported by the provider

Question 8

Policy

Answer 8

1. Generally, a document that records a high-level principle or course of action that has been decided on

The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams.

Scope notes: In addition to policy content, policies need to describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured.

2. Overall intention and direction as formally expressed by management

Scope notes: COBIT 5 and 2019 perspectives

Question 9

Portfolio

Answer 9

A grouping of “objects of interest” (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. (The investment portfolio is of primary interest of VAL IT. The IT Service, project, asset and other resource portfolios are of primary interest to COBIT).

Question 10

Preventive control

Answer 10

An internal control that is used to avoid undesirable events, errors, and other occurrences that an enterprise has determined could have a negative material effect on a process or end product

Question 11

Privilege

Answer 11

The level of trust with which a system object is imbued

Question 12

Problem

Answer 12

In IT, the unknown underlying cause of one or more incidents

Question 13

Problem escalation procedure

Answer 13

The process of escalating a problem up from junior to senior support staff, and ultimately to higher levels of management

Scope notes: problem escalation procedure is often used in help desk management, when an unresolved problem is escalated up the chain of command, until it is solved.

Question 14

Program

Answer 14

A structured grouping of interdependent projects that is both necessary and sufficient to achieve a desired business outcome an create value. These projects could include, but are not limited to, changes in the nature of the business processes and work performed by people as well as the competencies required to carry out the work, the enabling technology and the organizational structure.

Question 15

Project

Answer 15

A structured set of activities concerned with delivering a defined capability (that is necessary, but not sufficient, to achieve a required business outcome) to the enterprise, based on a n agreed-on schedule and budget

Question 16

Project portfolio

Answer 16

The set of projects owned by a company

Scope note: It usually includes the main guidelines relative to each project, including objectives, costs, time lines and other information specific to the project

Question 17

Qualitative risk analysis

Answer 17

Defines risk using a scale or comparative values (i.e. defining risk factors in terms of high/medium/low or on a numeric scale from 1 to 10). It is based on judgment, intuition and experience rather than on financial values

Question 18

Quantitative risk analysis

Answer 18

The use of numerical and statistical techniques to calculate likelihood and impact of risk. It uses financial data, percentages and rations to provide an approximate measure of the magnitude of impact in financial terms

Question 19

RACI chart

Answer 19

illustrates who is Responsible, Accountable, Consulted and Informed within an organizational framework

Question 20

Recovery point objective (RPO)

Answer 20

Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time to which it is acceptable to recovery the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.

Question 21

Recovery strategy

Answer 21

An approach by an enterprise that will ensure its recovery and continuity in the face of a disaster or other major outage

Scope notes: Plans and methodologies are determined by the enterprise’s strategy. There may be more than one methodology or solution for an enterprise’s strategy. Examples of methodologies and solutions include contracting for hot site or cold site, building an internal hot site or cold site, identifying an alternative work area, a consortium or reciprocal agreement, contracting for mobile recovery or crate and ship, and many others.

Question 22

Recovery testing

Answer 22

A test to check the system’s ability to recover after a software or hardware failure

Question 23

Recovery time objective (RTO)

Answer 23

The amount of time allowed for the recovery of a business function or resource after a disaster occurs

Question 24

Residual risk

Answer 24

The remaining risk after management has implemented risk response

Question 25

Resilience

Answer 25

The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect

Question 26

Return on investment (ROI)

Answer 26

A measure of operating performance and efficiency, compute in its simplest form by dividing net income by the total investment over the period being considered

Question 27

Risk

Answer 27

The combination of the probability of an event and its consequence. (ISO/IEC73)

Question 28

Risk acceptance

Answer 28

if the risk is within the enterprise’s risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses.

Question 29

Risk aggregation

Answer 29

The process of integrating risk assessments at a corporate level to obtain a complete view on the overall risk for the enterprise

Question 30

Risk analysis

Answer 30

1. A process by which frequency and magnitude of IT risk scenarios are estimated.
2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats

Scope notes: if often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of the event

Question 31

Risk appetite

Answer 31

The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission

Question 32

Risk assessment

Answer 32

A process used to identify and evaluate risk and its potential effects

Scope note: includes assessing the critical functions necessary for an enterprise to continue business operations, defining the controls in place to reduce organization exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

Question 33

Risk avoidance

Answer 33

The process for systematically avoiding risk, constituting one approach to managing risk

Question 34

Risk culture

Answer 34

The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed

Question 35

Risk evaluation

Answer 35

The process of comparing the estimated risk against given risk criteria to determine the significance of the risk (ISO/IEC Guide 73:2009)

Question 36

Risk factor

Answer 36

A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events/scenarios

Question 37

Risk identification

Answer 37

The process of determining and documenting the risk that an enterprise faces. The identification of risk is based on the recognition of threats, vulnerabilities, assets and controls in the enterprise’s operational environment

Question 38

Risk impact

Answer 38

The calculation of the amount of loss or damage that an organization may incur due to a risk event

Question 39

Risk indicator

Answer 39

A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite

Question 40

Risk management

Answer 40

1. The coordinated activities to direct and control an enterprise with regard to risk

Scope notes: in the International Standard, the term “control” is used as a synonym for “measure” (ISO/IEC Guide 73:2008)

2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise’s risk appetite

Question 41

Risk map

Answer 41

A (graphic) tool for ranking and displaying risk by defined ranges for frequency and magnitude

Question 42

Risk mitigation

Answer 42

The management of risk through the use of countermeasures and controls

Question 43

Risk portfolio view

Answer 43

1. A method to identify inter-dependencies and interconnections among risk, as well as the effect of risk responses on multiple types of risk
2. A method to estimate the aggregate impact of multiple types of risk (e.g., cascading and coincidental threat types/scenarios, risk concentration/correlation across silos) and the potential effect of risk response across multiple types of risk

Question 44

Risk owner

Answer 44

The person in whom the organization has invested the authority and accountability for making risk-based decisions and who owns the loss associated with a realized risk scenario

Scope notes: the risk owner may not be responsible for the implementation of risk treatment.

Question 45

Risk scenario

Answer 45

The tangible and assailable representation of risk

Scope notes: One of the key information items needed to identify, analyze and respond to risk (COBIT 2019 Process APO12)

Question 46

Risk statement

Answer 46

A description of the current conditions that may lead to the loss; and a description of the loss Source; Software Engineering Institute (SEI)

Scope notes: For a risk to be understandable, it must be expressed clearly. Such a treatment must include a description of the current conditions that may lead to the loss; and a description of the loss.

Question 47

Risk tolerance

Answer 47

The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives

Question 48

Risk transfer

Answer 48

The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service

Scope notes: Also known as risk sharing

Question 49

Root cause analysis

Answer 49

A process of diagnosis to establish the origins of events, which can be used for learning from consequences, typically from errors and problems