CRISC Glossary (S - V) Flashcards

1
Q

Scope creep

A

Also called requirement creep, this refers to uncontrolled changes in a project’s scope

Scope notes: Scope creep can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose. Because of one’s tendency to focus on only one dimension of a project, scope creep can also result in a project team overrunning its original budget and schedule. For example, scope creep can be a result of poor change control, lack of proper identification of what products and features are required to bring about the achievement of project objectives in the first place, or a weak project manager or executive sponsor

2
Q

Segregation/separation of duties (SoD)

A

A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets

Scope notes: Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection

3
Q

Service level agreement (SLA)

A

An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured

4
Q

Slack time (float)

A

Time in the project schedule, the use of which does not affect the project’s critical path; the minimum time to complete the project based on the estimated time for each project segment and their relationships

Scope note: Slack time is commonly referred to as “float” and generally is not “owned” by either party to the transaction

5
Q

Software as a Service (SaaS)

A

Offers the capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g. web-based email)

6
Q

Standard

A

A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as the International Organization for Standardization (ISO)

7
Q

Statement of work (SOW)

A

A formal document that captures and defines the work activities, deliverables and timeline a vendor must execute in performance of specified work for a client

The SOW usually includes detailed requirements and pricing, with standard regulatory and governance terms and conditions

8
Q

Strategic planning

A

The process of deciding on the enterprise’s objectives, on changes in these objectives, and on the policies to govern their acquisition and use

9
Q

System development life cycle (SDLC)

A

The phases deployed in the development or acquisition of a software system

Scope notes: SDLC is an approach used to plan, design, develop, test and implement an application system or a major modification to an application system. Typical phases of SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post-implementation review, but not the service delivery or benefits realization activities.

10
Q

Threat

A

Anything (e.g. object, substance, human) that is capable of acting against an asset in a manner that can result in harm

Scope note: A potential cause of an unwanted incident (ISO/IEC 13335)

11
Q

Threat agent

A

Methods and things used to exploit a vulnerability

Scope notes: Examples include determination, capability, motive and resources

12
Q

Threat analysis

A

An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against enterprise assets

Scope notes: The threat analysis usually defines the level of threat and the likelihood of it materializing

13
Q

Threat event

A

Any event where a threat element/actor acts against an asset in a manner that has the potential to directly result in harm

14
Q

Threat vector

A

The path or route used by the adversary to gain access to the target

15
Q

Trademark

A

A sound, color, logo, saying or other distinctive symbol that is closely associated with a certain product or company

16
Q

Vulnerability

A

A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

17
Q

Vulnerability analysis

A

A process of identifying and classifying vulnerabilities

18
Q

Vulnerability event

A

Any event where a material increase in vulnerability results. Note that this increase in vulnerability can result from changes in control conditions or from changes in threat capability/force

19
Q

Vulnerability scanning

A

An automated process to proactively identify security weaknesses in a network or individual system