CRISC Glossary (O - R) Flashcards
Objectivity
The ability to exercise judgement, express opinions and present recommendations with impartiality
Operational level agreement (OLA)
An internal agreement covering the delivery of services that support the IT organization in its delivery of services
Owner
Individual or group that holds or possesses the rights of and the responsibilities for an enterprise, entity or asset
Scope notes: Examples: process owner, system owner
Patent
Protection of research and ideas that lead to the development of a new, unique and useful product to prevent the unauthorized duplication of the patented item
Penetration testing
A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers
Performance indicators
A set of metrics designed to measure the extent to which performance objectives are being achieved on an ongoing basis
Scope note: Performance indicators can include service level agreements (SLA), critical success factors (CSF), customer satisfaction ratings, internal or external benchmarks, industry best practices and international standards
Platform as a Service (PaaS)
Offers the capability to deploy onto the cloud infrastructure customer-created or customer-acquired applications that are created using programming languages and tools supported by the provider
Policy
- Generally, a document that records a high-level principle or course of action that has been decided on
The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams.
Scope notes: In addition to policy content, policies need to describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured.
- Overall intention and direction as formally expressed by management
Scope notes: COBIT 5 and 2019 perspectives
Portfolio
A grouping of “objects of interest” (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. (The investment portfolio is of primary interest to Val IT. The IT service, project, asset and other resource portfolios are of primary interest to COBIT.)
Preventive control
An internal control that is used to avoid undesirable events, errors, and other occurrences that an enterprise has determined could have a negative material effect on a process or end product
Privilege
The level of trust with which a system object is imbued
Problem
In IT, the unknown underlying cause of one or more incidents
Problem escalation procedure
The process of escalating a problem up from junior to senior support staff, and ultimately to higher levels of management
Scope notes: A problem escalation procedure is often used in help desk management, when an unresolved problem is escalated up the chain of command until it is solved.
Program
A structured grouping of interdependent projects that is both necessary and sufficient to achieve a desired business outcome and create value. These projects could include, but are not limited to, changes in the nature of the business processes and work performed by people as well as the competencies required to carry out the work, the enabling technology and the organizational structure.
Project
A structured set of activities concerned with delivering a defined capability (that is necessary, but not sufficient, to achieve a required business outcome) to the enterprise, based on an agreed-on schedule and budget
Project portfolio
The set of projects owned by a company
Scope note: It usually includes the main guidelines relative to each project, including objectives, costs, time lines and other information specific to the project
Qualitative risk analysis
Defines risk using a scale or comparative values (e.g., defining risk factors in terms of high/medium/low or on a numeric scale from 1 to 10). It is based on judgment, intuition and experience rather than on financial values
Quantitative risk analysis
The use of numerical and statistical techniques to calculate the likelihood and impact of risk. It uses financial data, percentages and ratios to provide an approximate measure of the magnitude of impact in financial terms
RACI chart
Illustrates who is Responsible, Accountable, Consulted and Informed within an organizational framework
Recovery point objective (RPO)
Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time to which it is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
Recovery strategy
An approach by an enterprise that will ensure its recovery and continuity in the face of a disaster or other major outage
Scope notes: Plans and methodologies are determined by the enterprise’s strategy. There may be more than one methodology or solution for an enterprise’s strategy. Examples of methodologies and solutions include contracting for hot site or cold site, building an internal hot site or cold site, identifying an alternative work area, a consortium or reciprocal agreement, contracting for mobile recovery or crate and ship, and many others.
Recovery testing
A test to check the system’s ability to recover after a software or hardware failure
Recovery time objective (RTO)
The amount of time allowed for the recovery of a business function or resource after a disaster occurs
Residual risk
The remaining risk after management has implemented risk response
Resilience
The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect
Return on investment (ROI)
A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered
Risk
The combination of the probability of an event and its consequence (ISO/IEC Guide 73)
Risk acceptance
If the risk is within the enterprise’s risk tolerance, or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses.
Risk aggregation
The process of integrating risk assessments at a corporate level to obtain a complete view on the overall risk for the enterprise
Risk analysis
- A process by which frequency and magnitude of IT risk scenarios are estimated.
- The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats
Scope notes: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of the event
Risk appetite
The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission
Risk assessment
A process used to identify and evaluate risk and its potential effects
Scope note: Includes assessing the critical functions necessary for an enterprise to continue business operations, defining the controls in place to reduce organizational exposure and evaluating the cost of such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.
Risk avoidance
The process for systematically avoiding risk, constituting one approach to managing risk
Risk culture
The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed
Risk evaluation
The process of comparing the estimated risk against given risk criteria to determine the significance of the risk (ISO/IEC Guide 73:2009)
Risk factor
A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events/scenarios
Risk identification
The process of determining and documenting the risk that an enterprise faces. The identification of risk is based on the recognition of threats, vulnerabilities, assets and controls in the enterprise’s operational environment
Risk impact
The calculation of the amount of loss or damage that an organization may incur due to a risk event
Risk indicator
A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite
Risk management
- The coordinated activities to direct and control an enterprise with regard to risk
Scope notes: In the International Standard, the term “control” is used as a synonym for “measure” (ISO/IEC Guide 73:2008)
- One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise’s risk appetite
Risk map
A (graphic) tool for ranking and displaying risk by defined ranges for frequency and magnitude
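The entries above for risk analysis (frequency and magnitude of scenarios), quantitative risk analysis, residual risk, risk appetite and the risk map all describe one workflow; the following Python block, added as an illustration and not part of the CRISC glossary, shows it end to end. Annualized expected loss is taken as frequency × magnitude, the band edges (rare/occasional/frequent, low/medium/high) and the sample scenarios are constructed for the example, and the `residual` helper's fractional reductions are an assumed way of modelling the effect of a risk response.

```python
"""Added example (not from the CRISC glossary): a quantitative risk map.

Each scenario carries an estimated frequency (events per year) and
magnitude (loss per event, in currency units).  Annualized expected
loss is frequency * magnitude.  Scenarios are placed on a risk map by
defined frequency and magnitude ranges, ranked, and the residual risk
after a response is compared with a stated risk appetite.  All band
edges, figures and scenario names below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

# Defined ranges for the map axes (constructed; an enterprise sets its own).
# Each tuple is (inclusive lower bound, exclusive upper bound, label).
FREQ_BANDS = [(0.0, 0.1, "rare"), (0.1, 1.0, "occasional"), (1.0, float("inf"), "frequent")]
MAG_BANDS = [(0, 10_000, "low"), (10_000, 100_000, "medium"), (100_000, float("inf"), "high")]


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: float   # estimated events per year
    magnitude: float   # estimated loss per event (currency units)

    def expected_loss(self) -> float:
        """Annualized expected loss: frequency x magnitude."""
        return self.frequency * self.magnitude


def band(value: float, bands) -> str:
    """Label of the defined range that contains value."""
    for lo, hi, label in bands:
        if lo <= value < hi:
            return label
    raise ValueError(f"value {value} outside defined ranges")


def place(s: Scenario) -> tuple[str, str]:
    """Risk-map coordinates: (frequency band, magnitude band)."""
    return band(s.frequency, FREQ_BANDS), band(s.magnitude, MAG_BANDS)


def rank(scenarios) -> list[Scenario]:
    """Scenarios ordered by annualized expected loss, highest first."""
    return sorted(scenarios, key=lambda s: s.expected_loss(), reverse=True)


def build_map(scenarios) -> dict[tuple[str, str], list[str]]:
    """Group scenario names by map cell so they can be displayed as a grid."""
    cells = defaultdict(list)
    for s in rank(scenarios):
        cells[place(s)].append(s.name)
    return dict(cells)


def residual(s: Scenario, freq_reduction: float = 0.0, mag_reduction: float = 0.0) -> Scenario:
    """Residual risk after a response that cuts frequency and/or magnitude
    by the given fractions (0.5 = a 50% reduction).  Assumed model."""
    return replace(s, frequency=s.frequency * (1 - freq_reduction),
                   magnitude=s.magnitude * (1 - mag_reduction))


def exceeds_appetite(s: Scenario, appetite: float) -> bool:
    """True if the scenario's expected loss is above the stated appetite."""
    return s.expected_loss() > appetite


# Constructed sample scenarios (inherent risk, before any response).
SCENARIOS = [
    Scenario("ransomware", frequency=0.2, magnitude=500_000),      # ALE 100,000
    Scenario("laptop theft", frequency=4.0, magnitude=5_000),      # ALE 20,000
    Scenario("data centre fire", frequency=0.02, magnitude=2_000_000),  # ALE 40,000
]
APPETITE = 50_000  # constructed annualized-loss appetite per scenario


if __name__ == "__main__":
    for s in rank(SCENARIOS):
        flag = "EXCEEDS APPETITE" if exceeds_appetite(s, APPETITE) else "within appetite"
        print(f"{s.name:18} {place(s)!s:26} ALE={s.expected_loss():>10,.0f}  {flag}")
    print("map cells:", build_map(SCENARIOS))
    # Response: offline backups plus endpoint detection (assumed effect sizes).
    r = residual(SCENARIOS[0], freq_reduction=0.5, mag_reduction=0.9)
    print(f"residual {r.name}: {place(r)} ALE={r.expected_loss():,.0f}")
```

Ranking by expected loss alone hides the difference between a rare catastrophic scenario and a frequent nuisance with the same product, which is why the map keeps both axes; a practitioner would also keep the inherent and residual placements side by side so the effect of each response is visible.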
Risk mitigation
The management of risk through the use of countermeasures and controls
Risk portfolio view
- A method to identify inter-dependencies and interconnections among risk, as well as the effect of risk responses on multiple types of risk
- A method to estimate the aggregate impact of multiple types of risk (e.g., cascading and coincidental threat types/scenarios, risk concentration/correlation across silos) and the potential effect of risk response across multiple types of risk
Risk owner
The person in whom the organization has invested the authority and accountability for making risk-based decisions and who owns the loss associated with a realized risk scenario
Scope notes: The risk owner may not be responsible for the implementation of risk treatment.
Risk scenario
The tangible and assessable representation of risk
Scope notes: One of the key information items needed to identify, analyze and respond to risk (COBIT 2019 Process APO12)
Risk statement
A description of the current conditions that may lead to the loss, and a description of the loss (Source: Software Engineering Institute (SEI))
Scope notes: For a risk to be understandable, it must be expressed clearly. Such a treatment must include a description of the current conditions that may lead to the loss; and a description of the loss.
Risk tolerance
The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives
Risk transfer
The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service
Scope notes: Also known as risk sharing
Root cause analysis
A process of diagnosis to establish the origins of events, which can be used for learning from consequences, typically from errors and problems