CRISC Glossary (O - R) Flashcards

1
Q

Objectivity

A

The ability to exercise judgement, express opinions and present recommendations with impartiality

2
Q

Operational level agreement (OLA)

A

An internal agreement covering the delivery of services that support the IT organization in its delivery of services

3
Q

Owner

A

Individual or group that holds or possesses the rights of and the responsibilities for an enterprise, entity or asset

Scope notes: Examples: process owner, system owner

4
Q

Patent

A

Protection of research and ideas that lead to the development of a new, unique and useful product to prevent the unauthorized duplication of the patented item

5
Q

Penetration testing

A

A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers

6
Q

Performance indicators

A

A set of metrics designed to measure the extent to which performance objectives are being achieved on an ongoing basis

Scope note: Performance indicators can include service level agreements (SLA), critical success factors (CSF), customer satisfaction ratings, internal or external benchmarks, industry best practices and international standards

7
Q

Platform as a Service (PaaS)

A

Offers the capability to deploy onto the cloud infrastructure customer-created or -acquired applications that are created using programming languages and tools supported by the provider

8
Q

Policy

A
  1. Generally, a document that records a high-level principle or course of action that has been decided on

The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise’s management teams.

Scope notes: In addition to policy content, policies need to describe the consequences of failing to comply with the policy, the means for handling exceptions, and the manner in which compliance with the policy will be checked and measured.

  2. Overall intention and direction as formally expressed by management

Scope notes: COBIT 5 and 2019 perspectives

9
Q

Portfolio

A

A grouping of “objects of interest” (investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value. (The investment portfolio is of primary interest to VAL IT. The IT service, project, asset and other resource portfolios are of primary interest to COBIT.)

10
Q

Preventive control

A

An internal control that is used to avoid undesirable events, errors, and other occurrences that an enterprise has determined could have a negative material effect on a process or end product

11
Q

Privilege

A

The level of trust with which a system object is imbued

12
Q

Problem

A

In IT, the unknown underlying cause of one or more incidents

13
Q

Problem escalation procedure

A

The process of escalating a problem up from junior to senior support staff, and ultimately to higher levels of management

Scope notes: A problem escalation procedure is often used in help desk management, when an unresolved problem is escalated up the chain of command until it is solved.

14
Q

Program

A

A structured grouping of interdependent projects that is both necessary and sufficient to achieve a desired business outcome and create value. These projects could include, but are not limited to, changes in the nature of the business processes and work performed by people as well as the competencies required to carry out the work, the enabling technology and the organizational structure.

15
Q

Project

A

A structured set of activities concerned with delivering a defined capability (that is necessary, but not sufficient, to achieve a required business outcome) to the enterprise, based on an agreed-on schedule and budget

16
Q

Project portfolio

A

The set of projects owned by a company

Scope note: It usually includes the main guidelines relative to each project, including objectives, costs, time lines and other information specific to the project

17
Q

Qualitative risk analysis

A

Defines risk using a scale or comparative values (i.e. defining risk factors in terms of high/medium/low or on a numeric scale from 1 to 10). It is based on judgment, intuition and experience rather than on financial values

18
Q

Quantitative risk analysis

A

The use of numerical and statistical techniques to calculate the likelihood and impact of risk. It uses financial data, percentages and ratios to provide an approximate measure of the magnitude of impact in financial terms

19
Q

RACI chart

A

Illustrates who is Responsible, Accountable, Consulted and Informed within an organizational framework

20
Q

Recovery point objective (RPO)

A

Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time to which it is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.

21
Q

Recovery strategy

A

An approach by an enterprise that will ensure its recovery and continuity in the face of a disaster or other major outage

Scope notes: Plans and methodologies are determined by the enterprise’s strategy. There may be more than one methodology or solution for an enterprise’s strategy. Examples of methodologies and solutions include contracting for hot site or cold site, building an internal hot site or cold site, identifying an alternative work area, a consortium or reciprocal agreement, contracting for mobile recovery or crate and ship, and many others.

22
Q

Recovery testing

A

A test to check the system’s ability to recover after a software or hardware failure

23
Q

Recovery time objective (RTO)

A

The amount of time allowed for the recovery of a business function or resource after a disaster occurs

24
Q

Residual risk

A

The remaining risk after management has implemented risk response

25
Q

Resilience

A

The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect

26
Q

Return on investment (ROI)

A

A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered

27
Q

Risk

A

The combination of the probability of an event and its consequence. (ISO/IEC73)

28
Q

Risk acceptance

A

If the risk is within the enterprise’s risk tolerance or if the cost of otherwise mitigating the risk is higher than the potential loss, the enterprise can assume the risk and absorb any losses.

29
Q

Risk aggregation

A

The process of integrating risk assessments at a corporate level to obtain a complete view on the overall risk for the enterprise

30
Q

Risk analysis

A
  1. A process by which frequency and magnitude of IT risk scenarios are estimated.
  2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats

Scope notes: It often involves an evaluation of the probable frequency of a particular event, as well as the probable impact of the event

31
Q

Risk appetite

A

The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission

32
Q

Risk assessment

A

A process used to identify and evaluate risk and its potential effects

Scope note: Includes assessing the critical functions necessary for an enterprise to continue business operations, defining the controls in place to reduce organizational exposure and evaluating the cost of such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.

33
Q

Risk avoidance

A

The process for systematically avoiding risk, constituting one approach to managing risk

34
Q

Risk culture

A

The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed

35
Q

Risk evaluation

A

The process of comparing the estimated risk against given risk criteria to determine the significance of the risk (ISO/IEC Guide 73:2009)

36
Q

Risk factor

A

A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events/scenarios

37
Q

Risk identification

A

The process of determining and documenting the risk that an enterprise faces. The identification of risk is based on the recognition of threats, vulnerabilities, assets and controls in the enterprise’s operational environment

38
Q

Risk impact

A

The calculation of the amount of loss or damage that an organization may incur due to a risk event

39
Q

Risk indicator

A

A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite

40
Q

Risk management

A
  1. The coordinated activities to direct and control an enterprise with regard to risk

Scope notes: In the International Standard, the term “control” is used as a synonym for “measure” (ISO/IEC Guide 73:2008)

  2. One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise’s risk appetite

41
Q

Risk map

A

A (graphic) tool for ranking and displaying risk by defined ranges for frequency and magnitude

42
Q

Risk mitigation

A

The management of risk through the use of countermeasures and controls

43
Q

Risk portfolio view

A
  1. A method to identify inter-dependencies and interconnections among risk, as well as the effect of risk responses on multiple types of risk
  2. A method to estimate the aggregate impact of multiple types of risk (e.g., cascading and coincidental threat types/scenarios, risk concentration/correlation across silos) and the potential effect of risk response across multiple types of risk

44
Q

Risk owner

A

The person in whom the organization has invested the authority and accountability for making risk-based decisions and who owns the loss associated with a realized risk scenario

Scope notes: The risk owner may not be responsible for the implementation of risk treatment.

45
Q

Risk scenario

A

The tangible and assailable representation of risk

Scope notes: One of the key information items needed to identify, analyze and respond to risk (COBIT 2019 Process APO12)

46
Q

Risk statement

A

A description of the current conditions that may lead to the loss, and a description of the loss. Source: Software Engineering Institute (SEI)

Scope notes: For a risk to be understandable, it must be expressed clearly. Such a treatment must include a description of the current conditions that may lead to the loss; and a description of the loss.

47
Q

Risk tolerance

A

The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives

48
Q

Risk transfer

A

The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service

Scope notes: Also known as risk sharing

49
Q

Root cause analysis

A

A process of diagnosis to establish the origins of events, which can be used for learning from consequences, typically from errors and problems