CRISC Glossary (S - V)

Question 1

Scope creep

Answer 1

Also called requirement creep, this refers to uncontrolled changes in a project’s scope

Scope notes: Scope creep can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose. Because of one’s tendency to focus on only one dimension of a project, scope creep can also result in a project team overrunning its original budget and schedule. For example, scope creep can be a result of poor change control, lack of proper identification of what products and features are required to bring about the achievement of project objectives in the first place, or a weak project manager or executive sponsor

Question 2

Segregation/separation of duties (SoD)

Answer 2

A basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets

Scope notes: Segregation/separation of duties is commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection

Question 3

Service level agreement (SLA)

Answer 3

An agreement, preferably documented, between a service provider and the customer(s)/user(s) that defines minimum performance targets for a service and how they will be measured

Question 4

Slack time (float)

Answer 4

Time in the project schedule, the use of which does not affect the project’s critical path; the minimum time to complete the project based on the estimated time for each project segment and their relationships

Scope note: Slack time is commonly referred to as “float” and generally is not “owned” by either party to the transaction

Question 5

Software as a Service (SaaS)

Answer 5

Offers the capability to use the provider’s applications running on cloud infrastructure. The applications are accessible form various client devices through a think client interface such as a web browser (e.g. web-based email)

Question 6

Standard

Answer 6

A mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as the International Organization for Standardization (ISO)

Question 7

Statement of work (SOW)

Answer 7

A formal document that captures and defines the work activities, deliverable, and time line a vendor must execute in performance of specified work for a client

The SOW usually includes detailed requirements and pricing, with standard regulatory and governance terms and conditions

Question 8

Strategic planning

Answer 8

The process of deciding on the enterprise’s objectives, on changes in these objectives, and the polices to govern their acquisition and use

Question 9

System development life cycle (SDLC)

Answer 9

The phases deployed in the development or acquisition of a software system

Scope notes: SDLC is an approach used to plan, design, develop, test and implement an application system or a major modification to an application system. Typical phases of SDLC include the feasibility study, requirements study, requirements definition, detailed design, programming, testing, installation and post-implementation review, but not the service delivery or benefits realization activities.

Question 10

Threat

Answer 10

Anything (e.g. object, substance, human) that is capable of acting against an asset in a manner that can result in harm

Scope note: A potential cause of an unwanted incident (ISO/IEC 13335)

Question 11

Threat agent

Answer 11

Methods and things used to exploit a vulnerability

Scope notes: Examples include determination, capability, motive and resources

Question 12

Threat analysis

Answer 12

An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; identification of the threats that exist against enterprise assets

Scope notes: the threat analysis usually defines the level of threat and likelihood of it materializing

Question 13

Threat event

Answer 13

Any event where a threat element/actor acts against an asset in a manner that has the potential to directly result in harm

Question 14

Threat vector

Answer 14

The path or route used by the adversary to gain access to the target

Question 15

Trademark

Answer 15

A sound, color, logo, saying or other distinctive symbol that is closely associated with a certain product or company

Question 16

Vulnerability

Answer 16

A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

Question 17

Vulnerability analysis

Answer 17

A process of identifying and classifying vulnerabilities

Question 18

Vulnerability event

Answer 18

Any event where a material increase in vulnerability results. Note that this increase in vulnerability can result from changes in control conditions or form changes in threat capability/force

Question 19

Vulnerability scanning

Answer 19

An automated process to proactively identify security weaknesses in a network or individual system