CRISC Glossary (S - V) Flashcards
Scope creep
Also called requirement creep, this refers to uncontrolled changes in a project’s scope
Scope notes: Scope creep can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products, so the project team drifts away from its original purpose. Because teams tend to focus on only one dimension of a project, scope creep can also result in the project overrunning its original budget and schedule. Scope creep is commonly a result of poor change control, failure to identify at the outset which products and features are required to achieve the project objectives, or a weak project manager or executive sponsor
Segregation/separation of duties (SoD)
A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets
Scope notes: Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection
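The scope note above describes the control informally. As an added example (not part of the CRISC glossary or any ISACA material), the following Python models the same rule for a software change: the person who initiates a change must not also approve or deploy it, and at least one independent approver is required. The conflict matrix, the ChangeRecord fields and the names alice, bob and carol are constructed sample data, not an ISACA artifact.

```python
from dataclasses import dataclass

# Constructed conflict matrix: pairs of duties that one person must not
# hold for the same transaction (hypothetical, for illustration only).
CONFLICTING_DUTIES = {
    frozenset({"initiate", "approve"}),  # author approving their own change
    frozenset({"initiate", "deploy"}),   # author releasing their own change
    frozenset({"approve", "deploy"}),    # approver also performing the release
}


@dataclass(frozen=True)
class ChangeRecord:
    """One change to production code, with who did what (constructed model)."""
    change_id: str
    author: str            # initiates and records the change
    approvers: frozenset   # reviewers who approved it
    deployer: str          # person who pushed it to production


def duties_by_person(change: ChangeRecord) -> dict:
    """Map each person involved in the change to the set of duties they held."""
    duties: dict = {}
    duties.setdefault(change.author, set()).add("initiate")
    for reviewer in change.approvers:
        duties.setdefault(reviewer, set()).add("approve")
    duties.setdefault(change.deployer, set()).add("deploy")
    return duties


def sod_violations(change: ChangeRecord, min_independent_approvers: int = 1) -> list:
    """Return a list of SoD violations for the change; an empty list means compliant.

    Two checks are applied: no single person holds a conflicting pair of duties,
    and enough approvers exist who are not the author (the 'four eyes' rule).
    """
    violations = []
    for person, held in sorted(duties_by_person(change).items()):
        for pair in CONFLICTING_DUTIES:
            if pair <= held:
                violations.append(
                    f"{change.change_id}: {person} holds conflicting duties {sorted(pair)}"
                )
    independent = {a for a in change.approvers if a != change.author}
    if len(independent) < min_independent_approvers:
        violations.append(
            f"{change.change_id}: needs {min_independent_approvers} independent "
            f"approver(s), has {len(independent)}"
        )
    return violations


def is_compliant(change: ChangeRecord, min_independent_approvers: int = 1) -> bool:
    return not sod_violations(change, min_independent_approvers)


# Constructed sample records
CLEAN = ChangeRecord("CHG-1", author="alice", approvers=frozenset({"bob"}), deployer="carol")
SELF_APPROVED = ChangeRecord("CHG-2", author="alice", approvers=frozenset({"alice"}), deployer="carol")
SELF_DEPLOYED = ChangeRecord("CHG-3", author="alice", approvers=frozenset({"bob"}), deployer="alice")

if __name__ == "__main__":
    for record in (CLEAN, SELF_APPROVED, SELF_DEPLOYED):
        problems = sod_violations(record)
        print(record.change_id, "compliant" if not problems else problems)
```

The same check is what a repository's branch protection enforces when it rejects an author's own approval; expressing it as a function makes the conflict matrix auditable and lets a release pipeline fail closed rather than rely on reviewers noticing.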
Service level agreement (SLA)
An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured
Slack time (float)
Time in the project schedule, the use of which does not affect the project’s critical path (the critical path being the sequence of dependent activities that determines the minimum time to complete the project, based on the estimated duration of each project segment and the relationships between them)
Scope note: Slack time is commonly referred to as “float”. It belongs to a path through the schedule rather than to any one activity or party, so once one activity on the path consumes it, later activities on that path have none left
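The definition above is easier to see computed. As an added example (not part of the CRISC glossary), the following Python performs the standard critical path forward and backward passes over a constructed four-task network and reports each task's float; the task names A to D and their durations are made-up sample data.

```python
# Constructed sample network: task -> (duration in days, predecessor tasks)
TASKS = {
    "A": (3, []),
    "B": (2, ["A"]),
    "C": (4, ["A"]),
    "D": (1, ["B", "C"]),
}


def topological_order(tasks: dict) -> list:
    """Order tasks so every task appears after all of its predecessors."""
    remaining = {t: set(preds) for t, (_, preds) in tasks.items()}
    order = []
    while remaining:
        ready = sorted(t for t, preds in remaining.items() if not preds)
        if not ready:
            raise ValueError("dependency cycle in task network")
        for t in ready:
            order.append(t)
            del remaining[t]
        for preds in remaining.values():
            preds.difference_update(ready)
    return order


def schedule(tasks: dict) -> dict:
    """Compute earliest/latest start and finish, float and the critical path.

    Forward pass: earliest start = max earliest finish of predecessors.
    Backward pass: latest finish = min latest start of successors.
    Float = latest start - earliest start; zero float marks the critical path.
    """
    order = topological_order(tasks)
    successors = {t: [] for t in tasks}
    for t, (_, preds) in tasks.items():
        for p in preds:
            successors[p].append(t)

    es, ef = {}, {}
    for t in order:
        dur, preds = tasks[t]
        es[t] = max((ef[p] for p in preds), default=0)
        ef[t] = es[t] + dur
    duration = max(ef.values())

    ls, lf = {}, {}
    for t in reversed(order):
        dur = tasks[t][0]
        lf[t] = min((ls[s] for s in successors[t]), default=duration)
        ls[t] = lf[t] - dur

    return {
        "duration": duration,
        "float": {t: ls[t] - es[t] for t in tasks},
        "critical_path": [t for t in order if ls[t] == es[t]],
    }


if __name__ == "__main__":
    result = schedule(TASKS)
    print("project duration:", result["duration"])
    print("float per task:", result["float"])
    print("critical path:", result["critical_path"])
```

In this network task B can slip by two days without moving the finish date, while A, C and D have zero float and form the critical path; delaying any of them delays the project by the same amount.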
Software as a Service (SaaS)
Offers the capability to use the provider’s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g. web-based email)
Standard
A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as the International Organization for Standardization (ISO)
Statement of work (SOW)
A formal document that captures and defines the work activities, deliverables and timeline a vendor must execute in performance of specified work for a client
The SOW usually includes detailed requirements and pricing, with standard regulatory and governance terms and conditions
Strategic planning
The process of deciding on the enterprise’s objectives, on changes in these objectives, and on the policies to govern the acquisition and use of the resources needed to attain them
System development life cycle (SDLC)
The phases deployed in the development or acquisition of a software system
Scope notes: SDLC is an approach used to plan, design, develop, test and implement an application system or a major modification to an application system. Typical phases of SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post-implementation review, but not the service delivery or benefits realization activities.
Threat
Anything (e.g. object, substance, human) that is capable of acting against an asset in a manner that can result in harm
Scope note: A potential cause of an unwanted incident (ISO/IEC 13335)
Threat agent
The person, group or thing, together with the methods it uses, that is capable of exploiting a vulnerability
Scope notes: A threat agent is characterised by attributes such as its determination, capability, motive and resources
Threat analysis
An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against enterprise assets
Scope notes: The threat analysis usually defines the level of each threat and the likelihood of it materialising
Threat event
Any event where a threat element/actor acts against an asset in a manner that has the potential to directly result in harm
Threat vector
The path or route used by the adversary to gain access to the target
Trademark
A sound, color, logo, saying or other distinctive symbol that is closely associated with a certain product or company