CRISC - Certified in Risk and Information Systems Control term definition - Part 47



IT Governance Basic

20 Terms

1
Risk assessment
A process used to identify and evaluate risk and its potential effects. Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan. Risk assessments are also used to manage the project delivery and project benefit risk.
2
Risk avoidance
The process for systematically avoiding risk, constituting one approach to managing risk
3
Risk culture
The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed.
4
Risk evaluation
The process of comparing the estimated risk against given risk criteria to determine the significance of the risk. [ISO/IEC Guide 73:2002].
5
Risk factor
A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events/scenarios
6
Risk indicator
A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite
7
Risk management 1
The coordinated activities to direct and control an enterprise with regard to risk. In the International Standard, the term "control" is used as a synonym for "measure." (ISO/IEC Guide 73:2002)
8
Risk management 2
One of the governance objectives. Entails recognizing risk; assessing the impact and likelihood of that risk; and developing strategies, such as avoiding the risk, reducing the negative effect of the risk and/or transferring the risk, to manage it within the context of the enterprise's risk appetite. (COBIT 5 perspective)
9
Risk map
A (graphic) tool for ranking and displaying risk by defined ranges for frequency and magnitude.
10
Risk mitigation
The management of risk through the use of countermeasures and controls
11
Risk portfolio view 1
A method to identify interdependencies and interconnections among risk, as well as the effect of risk responses on multiple types of risk.
12
Risk portfolio view 2
A method to estimate the aggregate impact of multiple types of risk (e.g., cascading and coincidental threat types/scenarios, risk concentration/correlation across silos) and the potential effect of risk response across multiple types of risk.
13
Risk tolerance
The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives.
14
Risk transfer
The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service. Also known as risk sharing
15
Risk treatment
The process of selection and implementation of measures to modify risk (ISO/IEC Guide 73:2002).
16
Root cause analysis
A process of diagnosis to establish the origins of events, which can be used for learning from consequences, typically from errors and problems.
17
Rootkit
A software suite designed to aid an intruder in gaining unauthorized administrative access to a computer system.
18
Rotating standby
A fail-over process in which there are two nodes (as in idle standby, but without priority). The node that enters the cluster first owns the resource group, and the second will join as a standby node.
19
Rounding down
A method of computer fraud involving a computer code that instructs the computer to remove small amounts of money from an authorized computer transaction by rounding down to the nearest whole value denomination and rerouting the rounded off amount to the perpetrator’s account.
20
Router
A networking device that can send (route) data packets from one local area network (LAN) or wide area network (WAN) to another, based on addressing at the network layer (Layer 3) in the open systems interconnection (OSI) model. Networks connected by routers can use different or similar networking protocols. Routers usually are capable of filtering packets based on parameters, such as source addresses, destination addresses, protocol and network applications (ports).