Essential vocabulary and concepts for IT risk practitioners based on organizational and risk governance, assessment, and technology principles.
Governance
The system by which organizations evaluate, direct, monitor, and ultimately control an enterprise to meet stakeholder needs by providing value.
The Four Are's
Key questions used to align IT and cybersecurity with business objectives: Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we seeing expected benefits?
Risk Management (ISO 31000:2018)
The coordinated activities, practices, and processes used to inform, direct, and influence an enterprise with regard to the effect of uncertainty on objectives.
Risk Taxonomy
A formal definition of how risk is classified within an enterprise to ensure consistent communication.
Risk Ontology
The set of concepts, categories, and their properties, as well as the relations between various risk elements.
IT Benefit/Value Enablement Risk
The risk that delivered projects do not create the expected value for the enterprise.
RACI Model
A tool used to outline roles and responsibilities by categorizing stakeholders as Responsible, Accountable, Consulted, or Informed.
Responsible (RACI)
Individuals tasked with performing the actual work effort to meet stated objectives.
Accountable (RACI)
The single person liable for the completion of a task who oversees those performing the work; accountability cannot be delegated.
Risk Owner
The individual invested with the authority and accountability for making risk-based decisions and who owns the loss associated with a realized risk scenario.
Control Steward
Individuals responsible for the routine management and maintenance of controls on behalf of the control owner.
Risk Culture
The set of shared values and beliefs that governs attitudes toward risk taking, care, and integrity, and determines how openly risk and losses are reported.
Standard
A mandatory requirement, code of practice, or specification approved by a recognized external standards organization or developed internally to ensure consistent practices.
Procedure
A document containing a detailed, step-by-step description of the operations necessary to perform specific tasks in conformance with standards.
Business Impact Analysis (BIA)
A process for establishing continuity requirements, prioritizing critical services, and determining the impact of losing resource support over time.
Recovery Point Objective (RPO)
A metric that defines how much data can be lost in recovery, reflecting dependency on records of prior iterations.
Recovery Time Objective (RTO)
A metric that establishes how quickly a process must be restored following an outage or disruption.
Maximum Tolerable Downtime (MTD)
The total amount of time an enterprise can tolerate the system or process being unavailable before the business is no longer viable.
Operational/Business Line (First Line of Defense)
The line of defense implemented by business units that perform daily activities and are responsible for managing risk as risk owners.
Oversight Line (Second Line of Defense)
The functions, typically risk management and compliance, that establish frameworks and monitor the first line's adherence to policies.
Assurance Line (Third Line of Defense)
The internal and external audit functions that provide independent and objective reviews of risk management effectiveness.
Risk Appetite
The broad amount of risk an entity is willing to accept in pursuit of its mission or strategic objectives.
Risk Tolerance
The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives.
Risk Capacity
The objective amount of loss an enterprise can accept without its continued existence being called into question.
Asset
Something of tangible or intangible value worth protecting, including data, reputation, intellectual property, and people.
Threat Event
Any event during which a threat element or actor acts against an asset in a manner that has the potential to result in harm.
Vulnerability
A weakness in the design, implementation, operation, or internal control of a process that could expose a system to adverse threats.
STRIDE
A mature threat-modeling method identifying Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
CVSS (Common Vulnerability Scoring System)
An open industry standard used to assess the severity of vulnerabilities, with scores ranging from a low of 0 to a high of 10.
Inherent Risk
The risk level or exposure without considering actions that management has taken or might take, such as implementing controls.
Residual Risk
The risk remaining after a risk response, typically mitigation or transfer, has been implemented.
Current Risk
The risk at a specific point in time, given the threat environment to which the asset is presently exposed, considering both pending and implemented actions.
Risk Mitigation
Actions taken to reduce risk, typically through the implementation of controls that affect frequency and/or impact.
Risk Transfer/Sharing
The decision to reduce loss by having another enterprise incur the cost, such as purchasing insurance or outsourcing.
Risk Avoidance
The choice to exit the activities or conditions that give rise to risk when mitigation or transfer is impossible or too costly.
Postimplementation Review
A review conducted after a project to capture lessons learned, verify business objectives were met, and assess if risk was brought within acceptable levels.
Key Performance Indicator (KPI)
A closely correlated performance measure used to set benchmarks for activities and monitor whether goals are being attained.
Key Risk Indicator (KRI)
A highly relevant indicator that measures risk levels against defined thresholds to provide an early warning of emerging high risk.
Key Control Indicator (KCI)
An indicator that quantifies how effectively a specific control tool, approach, or methodology is working.
Zero Trust Architecture (ZTA)
A cybersecurity paradigm that moves defenses from static network perimeters to a focus on users, assets, and resources based on a 'never trust, always verify' approach.
Symmetric Cryptography
An encryption method where both the sender and receiver use the same shared secret key for encryption and decryption.
Asymmetric Cryptography
Also known as public key cryptography; it uses a mathematically related pair of keys (public and private) where one encrypts and the other decrypts.
Digital Signature
A mechanism that combines a hash function with public key encryption to provide message integrity, proof of origin, and nonrepudiation.
Certificate Authority (CA)
A trusted third party that verifies identity and issues digital certificates linking public keys with their specific owners.
Social Engineering
The most effective current attack vector, focusing on human users as the weakest link to bypass security via deception like phishing or vishing.