CRISC - Certified in Risk and Information Systems Control term definition - Part 49

The implementation of controls or countermeasures to reduce the likelihood or impact of a risk to a level within the organization’s risk tolerance.

Risk avoidance, risk acceptance, risk sharing/transfer, risk mitigation, leading to a situation that as much future residual risk (current risk with the risk response defined and implemented) as possible (usually depending on budgets available) falls within risk appetite limits.

A description of the current conditions that may lead to the loss; and a description of the loss Source: Software Engineering Institute (SEI) randomness. Randomness or entropy is an important concept in many cryptographic implementations. It is used to create keys; generate initialization vectors.

A practice, procedure or mechanism that reduces risk.

A method of computer fraud involving a computer code that instructs the computer to slice off small amounts of money from an authorized computer transaction and reroute this amount to the perpetrator’s account.

The probability that an IS auditor has reached an incorrect conclusion because an audit sample, rather than the entire population, was tested.

A method used in the information processing facility (IPF) to determine and establish the sequence of computer job processing.

Also called requirement creep, this refers to uncontrolled changes in a project’s scope. Scope creep can occur when the scope of a project is not properly defined, documented and controlled. Typically, the scope increase consists of either new products or new features of already approved products. Hence, the project team drifts away from its original purpose.

Identifying the boundary or extent to which a process, procedure, certification, contract, etc., applies.

A router configured to permit or deny traffic based on a set of permission rules installed by the administrator.

A protocol that is used to transmit private documents through the Internet. The SSL protocol uses a private key to encrypt the data that are to be transferred through the SSL connection.

The person responsible for implementing, monitoring and enforcing security rules established and authorized by management.

The extent to which every member of an enterprise and every other individual who potentially has access to the enterprise's information understand: Security and the levels of security appropriate to the enterprise</li> <li>The importance of security and consequences of a lack of security</li> <li>Their individual responsibilities regarding security (and act accordingly).

A predefined, organized number of actions aimed at improving the security awareness of a special target audience about a specific security problem. Each security awareness program consists of a number of security awareness campaigns.

The individual responsible for setting up and maintaining the security awareness program and coordinating the different campaigns and efforts of the various groups involved in the program. He/she is also responsible for making sure that all materials are prepared, advocates/trainers are trained, campaigns are scheduled, events are publicized and the program as a whole moves forward.

A clearly and formally defined plan, structured approach, and set of related activities and procedures with the objective of realizing and maintaining a security-aware culture. This definition clearly states that it is about realizing and maintaining a security-aware culture, meaning attaining and sustaining security awareness at all times. This implies that a security awareness program is not a one-time effort, but a continuous process.

Responsible for information security governance within the enterprise. A security forum can be part of an existing management body. Because information security is a business responsibility shared by all members of the executive management team, the forum needs to involve executives from all significant parts of the enterprise.

A series of unexpected events that involves an attack or series of attacks (compromise and/or breach of security) at one or more sites. A security incident normally includes an estimation of its level of impact. A limited number of impact levels are defined and, for each, the specific actions required and the people who need to be notified are identified.

The process of establishing and maintaining security for a computer or network system. The stages of the process of security management include prevention of security problems, detection of intrusions, and investigation of intrusions and resolution. In network management, the stages are: controlling access to the network and resources, finding intrusions, identifying entry points for intruders and repairing or otherwise closing those avenues of access.