CRISC Information Systems Control MCQs

Our team has conducted extensive research to compile a set of CRISC Information Systems Control MCQs. We encourage you to test your CRISC Information Systems Control knowledge by answering these 30 multiple-choice questions provided below.
Simply scroll down to begin!

1: Risk transfer

A.   The process of assigning risk to another enterprise, usually through the purchase of an insurance policy or by outsourcing the service

B.   1. A method to identify interdependencies and interconnections among risk, as well as the effect of risk responses on multiple types of risk 2. A method to estimate the aggregate impact of multiple types of risk (e.g., cascading and coincidental th

C.   Critical success factor

D.   A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a singl

2: Access rights

A.   The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect

B.   The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

C.   A plan of action or set of procedures to be performed if a system implementation, upgrade or modification does not work as intended. Scope Note: May involve restoring the system to its state prior to the implementation or change. Fallback procedures

D.   International organization for standards

3: Computer emergency response team (CERT)

A.   1. A method to identify interdependencies and interconnections among risk, as well as the effect of risk responses on multiple types of risk 2. A method to estimate the aggregate impact of multiple types of risk (e.g., cascading and coincidental th

B.   The ability to exercise judgment, express opinions and present recommendations with impartiality

C.   Operationally critical threat and vulnerability evaluation

D.   A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a singl

4: RCSA

A.   Description of the fundamental underlying design of the IT components of the business, the relationships among them, and the manner in which they support the enterprise's objectives

B.   Standards published by ISACA

C.   A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite. Risk management: 1. The coordinated activities to direct and control an enterprise with regar

D.   Risk control self assessment

5: Data custodian

A.   A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems

B.   The individual(s) and department(s) responsible for the storage and safeguarding of computerized data

C.   The individual responsible for identifying process requirements, approving process design and managing process performance. Scope Note: Must be at an appropriately high level in the enterprise and have authority to commit resources to process-specif

D.   The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission

6: Residual risk

A.   Any event during which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm

B.   1. An instance of IT risk 2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk

C.   The individual(s), normally a manager or director, who has responsibility for the integrity, accurate reporting and use of computerized data

D.   The remaining risk after management has implemented a risk response

7: Application controls

A.   The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

B.   A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events/scenarios

C.   The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved

D.   Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity

8: Key performance indicator (KPI)

A.   A measure of the rate by which events occur over a certain period of time

B.   A measure that determines how well the process is performing in enabling the goal to be reached. Scope Note: A lead indicator of whether a goal will likely be reached, and a good indicator of capabilities, practices and skills. It measures an activ

C.   A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

D.   1. The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls) 2. The risk that a material error could occur, assuming that there are no related internal controls to preven

9: RMIS

A.   A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need

B.   Risk management information systems

C.   A study to prioritize the criticality of information resources for the enterprise based on costs (or consequences) of adverse events. In an impact analysis, threats to assets are identified and potential business losses determined for different time

D.   Business Process Reengineering

10: MAGERIT

A.   Methodology for Information Systems Risk Analysis and Management

B.   Enterprise risk management

C.   A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

D.   A packaged business software system that allows an enterprise to automate and integrate the majority of its business processes, share common data and practices across the entire enterprise, and produce and access information in a r

11: Business continuity plan (BCP)

A.   The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives

B.   A plan used by an enterprise to respond to disruption of critical business processes. Depends on the contingency plan for restoration of critical systems

C.   A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a singl

D.   A description of the overall (identified) IT risk to which the enterprise is exposed

12: Treadway

A.   The ability of a system or network to resist failure or to recover quickly from any disruption, usually with minimal recognizable effect

B.   Commission

C.   The individual(s) and department(s) responsible for the storage and safeguarding of computerized data

D.   A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events

13: BSI

A.   The discipline by which an enterprise in any industry assesses, controls, exploits, finances and monitors risk from all sources for the purpose of increasing the enterprise's short- and long-term value to its stakeholders

B.   British Standards Institution

C.   Cumulative summary. Each value is added for a cumulative total.

D.   International organization for standards

14: Risk indicator

A.   A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite. Risk management: 1. The coordinated activities to direct and control an enterprise with regar

B.   An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential, or is required, to contribute to a business outcome and to create value

C.   The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

D.   Methodology for Information Systems Risk Analysis and Management

15: RMF

A.   Risk management framework

B.   Enterprise risk management

C.   An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential, or is required, to contribute to a business outcome and to create value

D.   Cumulative summary. Each value is added for a cumulative total.

16: Capability

A.   An aptitude, competency or resource that an enterprise may possess or require at an enterprise, business function or individual level that has the potential, or is required, to contribute to a business outcome and to create value

B.   The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed

C.   The individual(s) and department(s) responsible for the storage and safeguarding of computerized data

D.   Risk management framework

17: Detective control

A.   International organization for standards

B.   Expected loss

C.   Exists to detect and report when errors, omissions and unauthorized uses or entries occur

D.   The individual responsible for identifying process requirements, approving process design and managing process performance. Scope Note: Must be at an appropriately high level in the enterprise and have authority to commit resources to process-specif

18: Business impact analysis/assessment (BIA)

A.   The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

B.   Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance agai

C.   The current and prospective effect on earnings and capital arising from negative public opinion. Scope Note: Reputation risk affects a bank's ability to establish new relationships or services, or to continue servicing existing relationships. It may

D.   Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources nee

19: BCP

A.   The remaining risk after management has implemented a risk response

B.   The process of integrating risk assessments at a corporate level to obtain a complete view on the overall risk for the enterprise

C.   Risk management information systems

D.   Business continuity planning

20: ERM

A.   Enterprise risk management

B.   Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance agai

C.   The description of an IT-related event that can lead to a business impact. IT-related incident: An IT-related event that causes an operational, developmental and/or strategic business impact

D.   The permission or privileges granted to users, programs or workstations to create, change, delete or view data and files within a system, as defined by rules established by data owners and the information security policy

21: IT risk profile

A.   1. An instance of IT risk 2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk

B.   A description of the overall (identified) IT risk to which the enterprise is exposed

C.   The description of an IT-related event that can lead to a business impact. IT-related incident: An IT-related event that causes an operational, developmental and/or strategic business impact

D.   The set of hardware, software and facilities that integrates an enterprise's IT assets. Scope Note: Specifically, the equipment (including servers, routers, switches and cabling), software, services and products used in storing, processing, t

22: EL

A.   1. The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls) 2. The risk that a material error could occur, assuming that there are no related internal controls to preven

B.   The process of integrating risk assessments at a corporate level to obtain a complete view on the overall risk for the enterprise

C.   Expected loss

D.   A repository of the key attributes of potential and known IT risk issues. Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact, disposition.

23: Evidence

A.   The amount of time allowed for the recovery of a business function or resource after a disaster occurs

B.   1. An instance of IT risk 2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk

C.   1. Information that proves or disproves a stated issue 2. Information that an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it i

D.   British Standards Institution

24: Business objective

A.   Risk management information systems

B.   Carnegie Mellon University

C.   International organization for standards

D.   A further development of the business goals into tactical targets and desired results and outcomes

25: Information systems (IS)

A.   The phases deployed in the development or acquisition of a software system. Scope Note: SDLC is an approach used to plan, design, develop, test and implement an application system or a major modification to an application system. Typical phases of

B.   1. A process by which frequency and magnitude of IT risk scenarios are estimated. 2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is

C.   For the purpose of IT risk management, one of three possible sorts of events: threat event, loss event and vulnerability event. Scope Note: Being able to consistently and effectively differentiate the different types of events that contribute to ri

D.   The combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies. Scope Note: Information systems are distinct from information technolo

26: IT risk scenario

A.   Carnegie Mellon University

B.   1. An instance of IT risk 2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk

C.   The set of projects owned by a company. Scope Note: It usually includes the main guidelines relative to each project, including objectives, costs, time lines and other information specific to the project.

D.   The description of an IT-related event that can lead to a business impact. IT-related incident: An IT-related event that causes an operational, developmental and/or strategic business impact

27: IT risk

A.   The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

B.   Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance agai

C.   A description of the overall (identified) IT risk to which the enterprise is exposed

D.   Critical success factor

28: Internal controls

A.   The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises

B.   The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed

C.   The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

D.   The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business

29: CMU

A.   Software Engineering Institute

B.   Expected loss

C.   Carnegie Mellon University

D.   1. A process by which frequency and magnitude of IT risk scenarios are estimated. 2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is

30: OCTAVE

A.   Operationally critical threat and vulnerability evaluation

B.   1. A process by which frequency and magnitude of IT risk scenarios are estimated. 2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is

C.   Committee of sponsoring organizations

D.   A phase of a system development life cycle (SDLC) methodology that researches the feasibility and adequacy of resources for the development or acquisition of a system solution to a user need

31: ____ is collecting data from web sites, usually for competitive intelligence.

A.   Intelligent agents

B.   Web harvesting

C.   Information Literacy

D.   Cybersquatting

32: ______ is a form of database processing that supports top-down, query-driven data analysis.

A.   Database normalization

B.   Online analytical processing (OLAP)

C.   Data warehousing

D.   Data mining