ISACA CRISC Glossary Terms Exam 156
Questions and Answers.
Access Control - > The processes, rules and deployment mechanisms that control
access to information systems,
resources and physical access to premises
Access Rights - > The permission or privileges granted to users, programs or
workstations to create, change, delete or view data and files within a system, as defined
by rules established by data owners and the information security policy.
Accountability - > The ability to map a given activity or event back to the responsible
party.
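The three terms above describe a single mechanism from three angles: the rules a data owner sets (access rights), the enforcement point that applies them (access control), and the record that lets an event be traced back to whoever caused it (accountability). The following is an added example, not part of the ISACA glossary, showing those three pieces together in a small deny-by-default access-control check with an audit trail. The subjects (`alice`, `bob`, `mallory`, `hr_director`), the resource `payroll.xlsx` and all rights granted are constructed for illustration.

```python
"""Added example (not from the glossary): access rights defined by a data
owner, an access-control enforcement point that denies anything not
explicitly granted, and an audit log that supports accountability.
All subjects, resources and grants below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# The four operations named in the glossary's definition of access rights.
OPERATIONS = frozenset({"create", "change", "delete", "view"})


@dataclass
class AuditRecord:
    timestamp: str
    subject: str
    operation: str
    resource: str
    allowed: bool


@dataclass
class AccessController:
    # resource -> data owner; only the owner may define rights on a resource.
    owners: dict[str, str]
    # (subject, resource) -> operations the owner has granted. Absence = denied.
    rules: dict[tuple[str, str], frozenset[str]] = field(default_factory=dict)
    # Every decision, allowed or not, is recorded for accountability.
    audit_log: list[AuditRecord] = field(default_factory=list)

    def grant(self, granted_by: str, subject: str, resource: str,
              operations: set[str]) -> None:
        """Access rights: rules are established by the data owner only."""
        if self.owners.get(resource) != granted_by:
            raise PermissionError(f"{granted_by} is not the data owner of {resource}")
        unknown = set(operations) - OPERATIONS
        if unknown:
            raise ValueError(f"unknown operations: {sorted(unknown)}")
        key = (subject, resource)
        self.rules[key] = self.rules.get(key, frozenset()) | frozenset(operations)

    def check(self, subject: str, operation: str, resource: str) -> bool:
        """Access control: deny by default, and log every decision."""
        allowed = operation in self.rules.get((subject, resource), frozenset())
        self.audit_log.append(AuditRecord(
            timestamp=datetime.now(timezone.utc).isoformat(),
            subject=subject, operation=operation, resource=resource,
            allowed=allowed))
        return allowed

    def who_did(self, operation: str, resource: str) -> list[str]:
        """Accountability: map a given activity back to the responsible parties."""
        return [r.subject for r in self.audit_log
                if r.operation == operation and r.resource == resource and r.allowed]


def build_example() -> AccessController:
    """Constructed scenario: the HR director owns the payroll file, grants a
    read-only right to an analyst and view+change rights to a payroll clerk."""
    ac = AccessController(owners={"payroll.xlsx": "hr_director"})
    ac.grant("hr_director", "alice", "payroll.xlsx", {"view"})
    ac.grant("hr_director", "bob", "payroll.xlsx", {"view", "change"})
    return ac


if __name__ == "__main__":
    ac = build_example()
    for subject, op in [("alice", "view"), ("alice", "delete"),
                        ("bob", "change"), ("mallory", "view")]:
        print(subject, op, "payroll.xlsx ->", "ALLOW" if ac.check(subject, op, "payroll.xlsx") else "DENY")
    print("changed by:", ac.who_did("change", "payroll.xlsx"))
```

Two design points carry the security weight: the rules table is consulted with a default of "no rights" rather than a default of "allow", and the audit log records denied attempts as well as permitted ones, since an unsuccessful probe is often the first sign of misuse.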
Advanced persistent threat (APT) - > An adversary that possesses sophisticated levels of
expertise and significant resources which allow it
to create opportunities to achieve its objectives using multiple attack vectors (NIST
SP800-61).
The APT: (1) pursues its objectives repeatedly over an extended period of time;
(2) adapts to defenders' efforts to resist it; and
(3) is determined to maintain the level of interaction needed to execute its objectives.
Application Controls - > The policies, procedures and activities designed to provide
reasonable assurance that objectives relevant to a given automated solution (application)
are achieved.
Architecture - > Description of the fundamental underlying design of the components of
the business system, or of one element of the business system (e.g., technology), the
relationships among them, and the manner in which they support enterprise objectives.
Asset - > Something of either tangible or intangible value that is worth protecting,
including people, information, infrastructure, finances and reputation.
Asset Value - > The value of an asset is subject to many factors, including its value
both to the business and to competitors. Asset valuation is usually expressed as a
quantitative (monetary) value.
Authentication - > 1. The act of verifying identity (i.e., of a user or a system).
2. The act of verifying the identity of a user and the user's eligibility to access
computerized information.
Scope Notes: Risk perspective: can also refer to the verification of the correctness of
a piece of data.
Assurance perspective: authentication is designed to protect against fraudulent logon
activity. It can also refer to the verification of the correctness of a piece of data.
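The definition covers two distinct senses: verifying an identity (a logon) and verifying the correctness of a piece of data. The following is an added example, not part of the ISACA glossary, showing both in code: a salted PBKDF2 password check using a constant-time comparison for the logon sense, and an HMAC tag for the data sense. The username, password, key and record are constructed for illustration; the iteration count is an assumed value.

```python
"""Added example (not from the glossary): the two senses of 'authentication'.
1. Identity: a password is verified against a stored salted PBKDF2 hash with a
   constant-time comparison, so a fraudulent logon attempt cannot learn the
   stored value byte by byte from timing differences.
2. Data correctness: an HMAC tag over a record proves that a holder of the key
   produced it and that it has not been altered in transit or at rest.
Credentials, keys and records here are constructed for illustration."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256


# --- Sense 1: verifying identity ------------------------------------------

def enroll(password: str) -> tuple[bytes, bytes]:
    """Store a random salt and the derived key, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_identity(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive and compare in constant time; True only for the right password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)


# --- Sense 2: verifying the correctness of a piece of data ----------------

def tag_data(key: bytes, data: bytes) -> bytes:
    """Produce an HMAC-SHA256 tag binding the data to the key holder."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_data(key: bytes, data: bytes, tag: bytes) -> bool:
    """True only if the tag was computed over exactly this data with this key."""
    return hmac.compare_digest(tag_data(key, data), tag)


if __name__ == "__main__":
    # Constructed credential and record.
    salt, digest = enroll("correct horse battery staple")
    print("logon with right password:", verify_identity("correct horse battery staple", salt, digest))
    print("logon with wrong password:", verify_identity("Tr0ub4dor&3", salt, digest))

    key = os.urandom(32)
    record = b"account=4711;balance=100.00"
    tag = tag_data(key, record)
    print("record intact:", verify_data(key, record, tag))
    print("record tampered:", verify_data(key, b"account=4711;balance=999.00", tag))
```

Both checks rely on `hmac.compare_digest` rather than `==`, which is the detail that makes them resist the timing probes a fraudulent logon or forged record would otherwise use.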
Authenticity - > Undisputed authorship
Availability - > Ensuring timely and reliable access to and use of information
Awareness - > Being acquainted with, mindful of, conscious of and well informed on a
specific subject, which implies knowing and understanding a subject and acting
accordingly.
Balanced Scorecard (BSC) - > Developed by Robert S. Kaplan and David P. Norton as a
coherent set of performance measures organized into four categories that includes
traditional financial measures, but adds customer, internal business process, and
learning and growth perspectives.
Business Case - > Documentation of the rationale for making a business investment,
used both to support a business decision on whether to proceed with the investment and
as an operational tool to support management of the investment through its full economic
life cycle
Business Continuity - > Preventing, mitigating and recovering from disruption
Scope Notes: The terms 'business resumption planning', 'disaster recovery planning' and
'contingency planning' also may be used in this context; they focus on the recovery
aspects of continuity, and for that reason the 'resilience' aspect should also be taken
into account. (COBIT 5 perspective)
Business Continuity Plan (BCP) - > A plan used by an enterprise to respond to disruption
of critical business processes. Depends on the contingency plan for restoration of critical
systems.
Business Goal - > The translation of the enterprise's mission from a statement of intention
into performance targets and results.
Business Impact - > The net effect, positive or negative, on the achievement of business
objectives
Business Impact Analysis/Assessment (BIA) - > Evaluating the criticality and sensitivity of
information assets.
An exercise that determines the impact of losing the support of any resource to an
enterprise, establishes the escalation of that loss over time, identifies the minimum
resources needed to recover, and prioritizes the recovery of processes and the
supporting system.
Scope Notes: This process also includes addressing income loss, unexpected expense,
legal issues (regulatory compliance or contractual), interdependent processes, and loss
of public reputation or public confidence.
Business Objective - > A further development of the business goals into tactical targets
and desired results and outcomes.
Business Process Owner - > The individual responsible for identifying process
requirements, approving process design and managing process performance.
Scope Notes: Must be at an appropriately high level in the enterprise and have authority
to commit resources to process-specific risk management activities.
Business Risk - > A probable situation with uncertain frequency and magnitude of loss (or
gain).
Capability - > An aptitude, competency or resource that an enterprise may possess or
require at an enterprise, business function or individual level that has the potential, or is
required, to contribute to a business outcome and to create value.
Capability Maturity Model (CMM) - > 1. Contains the essential elements of effective
processes for one or more disciplines. It also describes