Certified in Risk and Information Systems Control (CRISC) Glossary

Created By: Cassandra Brunetto, Teaching Assistant

1. ISACA - is a nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance.
2. Risk management - a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.
3. Risk - the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
4. Asset - a resource that is valuable to an organization and must be protected.
5. Threat - any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset.
6. Vulnerability - a weakness in a system.
7. Impact - the severity of damage, sometimes expressed in dollars (value).
8. Risk Governance - applies the principles of good governance to the identification, assessment, management and communication of risks.
9. Four main objectives of Risk Governance:
   1. Establish and maintain a common risk view.
   2. Integrate risk management into the enterprise.
   3. Make risk-aware business decisions.
   4. Ensure that risk management controls are implemented and operating correctly.
10. Risk assessment - a point-in-time evaluation of potential risks. It looks at the current situation and then attempts to determine what risks exist and how to address them.
11. Inherent risk - is a category of threat that arises from the organization's human activity or physical environment.

Brought to you by: Develop your team with the fastest growing catalog in the cybersecurity industry. Enterprise-grade workforce development management, advanced training features and detailed skill gap and competency analytics.

12. Residual risk - the risk that remains once countermeasures are implemented. Residual risk comprises threats to specific assets against which upper management chooses not to implement a safeguard.
13. Secondary risk - a risk that arises as a direct result of implementing a risk response.
14. Risk appetite - the amount and type of risk that an organization is willing to pursue or retain.
15. Risk tolerance - the levels of risk, types of risk, and degree of risk uncertainty that are acceptable.
16. Risk profile - a chronological record of a risk's current and historical risk state information.
17. Risk threshold - a measure of the level of uncertainty or the level of impact at which a stakeholder may have a specific interest. Below that risk threshold, the organization will accept the risk. Above that risk threshold, the organization will not tolerate the risk.
18. Risk capacity - refers to the maximum amount of risk that an organization is able to tolerate.
19. Threat agent - an entity that intentionally exploits vulnerabilities. Threat agents are usually people, but they could also be programs, hardware, or systems.
20. Exploit - a defined way to breach the security of an information system through a vulnerability.
21. Security control - anything that removes or reduces a vulnerability or protects against one or more specific threats.
22. Systemic risk - is a category of risk that describes threats to a system, market or economic segment.
23. Confidentiality - is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality is to prevent or minimize unauthorized access to data.
24. Integrity - is the concept of protecting the reliability and correctness of data. Integrity protection prevents unauthorized alterations of data.
25. Availability - means authorized subjects are granted timely and uninterrupted access to objects. Availability protection controls support sufficient bandwidth and timeliness of processing as deemed necessary by the organization or situation.
26. User account provisioning - is a business process for creating and managing access to resources in an information technology (IT) system.
27. Identification - is the process by which a subject professes an identity and accountability is initiated.
28. Authentication - the process of verifying or testing that the claimed identity is valid.
29. Authorization - the process that ensures the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity.
30. Accountability - relies on the capability to prove a subject's identity and track their activities.
31. User account deprovisioning - is the part of the employee life cycle in which access rights to software and network services are taken away. Deprovisioning typically occurs when an employee leaves a company or changes roles within the organization.
32. Nonrepudiation - ensures that the subject of an activity or event cannot deny that the event occurred.
33. Data classification - is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality.
34. Project Management Institute (PMI) - advances careers, improves organizational success and further matures the profession of project management through globally recognized standards, certifications, resources, tools, academic research, publications, professional development courses and networking opportunities.
35. Qualitative Analysis - assigns subjective and intangible values to the loss of an asset.
36. Quantitative Analysis - assigns real dollar figures to the loss of an asset.
37. ISACA Risk IT Framework - fills the gap between generic risk management frameworks and detailed (primarily security-related) IT risk management frameworks. It provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.
38. Risk Management Lifecycle:
   1. IT Risk Identification
   2. IT Risk Assessment
   3. Risk Response and Mitigation
   4. Risk and Control Monitoring and Reporting
39. ISO/IEC 27005:2018 - this document provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
40. Risk Analysis Steps:
   1. Risk Identification
   2. Risk Estimation
   3. Risk Evaluation
   4. Risk Response (treat, tolerate, transfer, terminate)
41. NIST Special Publication 800-39 - the purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.
42. Risk framing - the set of assumptions, constraints, risk tolerances, and priorities/trade-offs that shape an organization's approach for managing risk. Risk framing is informed by the organizational governance structure, financial posture, legal/regulatory environment, investment strategy, culture, and trust relationships established within and among organizations.
43. Risk assumptions - assumptions about the threats, vulnerabilities, consequences/impact, and likelihood of occurrence that affect how risk is assessed, responded to, and monitored over time.
44. Risk constraints - constraints on the risk assessment, response, and monitoring alternatives under consideration.
45. Risk factors - threats, vulnerabilities, impact, or likelihood.
46. Threat source - the intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally exploit a vulnerability.
47. Threat event - provides guidance on the level of detail with which the events are described. Organizations also identify conditions for when to consider threat events in risk assessments.
48. Risk assessment - a penetration test in which the tester has no prior knowledge of the network infrastructure that is being tested.
49. NIST Special Publication 800-30 - the purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39.
50. Key risk indicator (KRI) - is a metric for measuring the likelihood that the combined probability of an event and its consequence will exceed the organization's risk appetite and have a profoundly negative impact on an organization's ability to be successful.
51. Key performance indicators (KPI) - are business metrics used by corporate executives and other managers to track and analyze factors deemed crucial to the success of an organization.
52. Tiers of organizational risk assessment:
   Tier 1 - Organization
   Tier 2 - Mission/business processes
   Tier 3 - Information systems

53. Risk model - defines the risk factors to be assessed and the relationships among those factors.
54. Assessment approaches - quantitative, qualitative, or semi-quantitative.
55. Analysis approaches - differ with respect to the orientation or starting point of the risk assessment, the level of detail in the assessment, and how risks due to similar threat scenarios are treated. An analysis approach can be: (i) threat-oriented; (ii) asset/impact-oriented; or (iii) vulnerability-oriented.
56. Risk assessment process:
   1. How to prepare for risk assessments
   2. How to conduct risk assessments
   3. How to communicate risk assessment results to key organizational personnel
   4. How to maintain the risk assessments over time
57. Risk assessment methodology - typically includes: (i) a risk assessment process; (ii) an explicit risk model, defining key terms and assessable risk factors and the relationships among the factors; (iii) an assessment approach (e.g., quantitative, qualitative, or semi-quantitative), specifying the range of values those risk factors can assume during the risk assessment and how combinations of risk factors are identified/analyzed so that values of those factors can be functionally combined to evaluate risk; and (iv) an analysis approach (e.g., threat-oriented, asset/impact-oriented, or vulnerability-oriented), describing how combinations of risk factors are identified/analyzed to ensure adequate coverage of the problem space at a consistent level of detail.
58. RACI Model - clearly lays out roles and responsibilities for any activity or group of activities (R = Responsible; A = Accountable; C = Consulted; I = Informed).
59. Risk culture - a term describing the values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose.
60. Risk prioritization - in the risk prioritization step, the overall set of identified risk events, their impact assessments, and their probabilities of occurrence are "processed" to derive a most-to-least-critical rank order of identified risks. A major purpose of prioritizing risks is to form a basis for allocating resources.
61. Risk register - is used to identify potential risks in a project or an organization, sometimes to fulfill regulatory compliance but mostly to stay on top of potential issues that can derail intended outcomes. The risk register includes all information about each identified risk, such as the nature of that risk, the level of risk, who owns it and what mitigation measures are in place to respond to it.
62. Risk trigger - identifies the risk symptoms or warning signs. It indicates that a risk has occurred or is about to occur.
63. Contingency planning - refers to interim measures to recover information system services after a disruption. Interim measures may include relocation of information systems and operations to an alternate site, recovery of information system functions using alternate equipment, or performance of information system functions using manual methods.
64. Risk scenario - comprises: threat actor, threat type, event, asset affected by the risk event, and time (duration of event, criticality of asset, lag between event and consequence, etc.).
65. Tangible assets - are physical assets such as equipment, plant, hard-copy documents and cash.
66. Intangible assets - elements that you usually can't put your hands around but are still subject to quantification. Types of intangible assets are intellectual property, such as trade secrets, copyright, patents, trademarks.
67. Firewall - software or hardware used to filter traffic into or out of a network. A firewall can be a dedicated physical device or an additional application running on a system such as a desktop computer.
68. Data validation - checking the accuracy and quality of source data before using, importing, or otherwise processing data.
69. Virtual private network (VPN) - created by building a secure communications link between two nodes, emulating the properties of a point-to-point private link. A VPN can be used to facilitate secure remote access into a network, securely connect two networks together, or create a secure data tunnel within a network.
70. Encryption - the process of converting plaintext data into ciphertext data to prevent loss of confidentiality. The process is reversed by decrypting the ciphertext data to recreate the original plaintext data.
71. Demilitarized zone (DMZ) - a perimeter network used to host resources on the Internet (such as web servers, email servers, or FTP servers). The DMZ provides a layer of protection for the resources that would not be available if they were placed directly on the Internet.
72. Service level agreement (SLA) - ensures that organizations providing services to internal and/or external customers maintain an appropriate level of service agreed upon by both the service provider and the vendor.

73. Bow tie analysis method - is a risk evaluation method that can be used to analyse and demonstrate causal relationships in high-risk scenarios. The method takes its name from the shape of the diagram that you create, which looks like a men's bowtie.
74. Decision tree - is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility. It is one way to display an algorithm that only contains conditional control statements.
75. Cause and effect analysis - helps in understanding the 'cause and effect' relationship for solving a problem. It is a very helpful tool as it gives a pictorial representation of what is the cause of a problem or a phenomenon, what factors have a high/low impact on that problem/phenomenon and how the situation can be resolved.
76. Business impact analysis (BIA) - is the formal method for determining how a disruption to the IT system(s) of an organization will impact the organization's requirements, processes, and interdependencies with respect to the business mission.
78. SWOT analysis - SWOT (strengths, weaknesses, opportunities, and threats) analysis is a framework used to evaluate a company's competitive position and to develop strategic planning. SWOT analysis assesses internal and external factors, as well as current and future potential.
79. BCG matrix - is a corporate planning tool, which is used to portray a firm's brand portfolio or SBUs on a quadrant along a relative market share axis (horizontal axis) and a speed of market growth axis (vertical axis).
80. Expected monetary value (EMV) - is a risk management technique to help quantify and compare risks in many aspects of the project. EMV is a quantitative risk analysis technique since it relies on specific numbers and quantities to perform the calculations, rather than high-level approximations like high, medium and low.
81. Root cause analysis - attempts to determine the underlying weakness or vulnerability that allowed the incident to be realized.
82. Maximum tolerable downtime (MTD) - describes the total time a system can be inoperable before an organization is severely impacted.
83. Recovery time objective (RTO) - describes the maximum time allowed to recover business or IT systems.
84. Recovery point objective (RPO) - is the amount of data loss or system inaccessibility (measured in time) that an organization can withstand.
85. Threat modeling - a way of prioritizing threats to an application.

86. STRIDE - is often used in relation to assessing threats against applications or operating systems. STRIDE is an acronym standing for the following: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.
87. Gap analysis - is a method of assessing the differences in performance between a business' information systems or software applications to determine whether business requirements are being met and, if not, what steps should be taken to ensure they are met successfully.
88. Capability Maturity Model Integration (CMMI) - is a proven set of global best practices that drives business performance through building and benchmarking key capabilities.
89. Delphi Technique - is a forecasting process framework based on the results of multiple rounds of questionnaires sent to a panel of experts.
90. Probability-impact matrix - a two-dimensional framework for determining the significance of a risk based on both probability and impact.
91. Cost-benefit analysis - is a process businesses use to analyze decisions. The business or analyst sums the benefits of a situation or action and then subtracts the costs associated with taking that action.
92. Asset value (AV) - is the value of the asset you are trying to protect.
93. Exposure factor (EF) - is the percentage of an asset's value lost due to an incident.
94. Single loss expectancy (SLE) - is the cost of a single loss.
95. Annual rate of occurrence (ARO) - is the number of losses you suffer per year.
96. Annualized loss expectancy (ALE) - is your yearly cost due to a risk.
97. Total cost of ownership (TCO) - is the total cost of a mitigating safeguard.
98. Return on investment (ROI) - is the amount of money saved by implementing a safeguard.
99. Risk acceptance - some risks may be accepted: in some cases, it is cheaper to leave an asset unprotected against a specific risk than to make the effort (and spend the money) required to protect it.
100. Risk mitigation - mitigating the risk means lowering the risk to an acceptable level.
101. Risk transference - is sometimes referred to as the "insurance model."
102. Risk avoidance - if the risk analysis discovers high or extreme risks that cannot be easily mitigated, avoiding the risk (and the project) may be the best option.
103. ISO/IEC 27001 - is the international standard that describes best practice for an ISMS (information security management system).
104. ISO/IEC 27002 - is the international standard that outlines best practices for implementing information security controls.
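The quantitative terms in items 92 to 98 combine into the standard formulas SLE = AV x EF and ALE = SLE x ARO, and a safeguard's ROI is the ALE it removes minus its annual TCO, which is what decides between risk mitigation (item 100) and risk acceptance (item 99). The following Python is an added example, not part of the original glossary; the asset value, exposure factors, occurrence rates and safeguard costs are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEstimate:
    """Inputs for a quantitative (dollar-based) risk estimate."""
    asset_value: float       # AV: value of the asset being protected
    exposure_factor: float   # EF: fraction of AV lost in one incident (0.0 to 1.0)
    annual_rate: float       # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single loss expectancy, the cost of one incident: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy, the yearly cost of the risk: ALE = SLE x ARO."""
        if self.annual_rate < 0:
            raise ValueError("annual rate of occurrence cannot be negative")
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A candidate control, its annual total cost of ownership (TCO), and the
    residual risk that remains once it is in place."""
    name: str
    annual_tco: float
    residual: RiskEstimate


def safeguard_roi(before: RiskEstimate, safeguard: Safeguard) -> float:
    """Return on investment: money saved per year by the safeguard.
    ROI = ALE(before) - ALE(residual) - TCO. A negative value means the
    control costs more each year than the loss it prevents."""
    return before.ale() - safeguard.residual.ale() - safeguard.annual_tco


def recommend(before: RiskEstimate, safeguard: Safeguard) -> str:
    """Risk response implied by the numbers: mitigate when the safeguard pays for
    itself, otherwise accept the risk (the glossary's risk acceptance case)."""
    return "mitigate" if safeguard_roi(before, safeguard) > 0 else "accept"


# Constructed sample: a customer database valued at $200,000. A breach is
# estimated to destroy 25% of that value and to happen once every two years.
DB_BREACH = RiskEstimate(asset_value=200_000, exposure_factor=0.25, annual_rate=0.5)

# Constructed candidate controls. Encryption at rest cuts the exposure factor
# sharply for a modest TCO; a managed SOC lowers the rate but costs far more.
ENCRYPT_AT_REST = Safeguard(
    name="encryption at rest",
    annual_tco=8_000,
    residual=RiskEstimate(asset_value=200_000, exposure_factor=0.05, annual_rate=0.5),
)
MANAGED_SOC = Safeguard(
    name="24x7 managed SOC",
    annual_tco=40_000,
    residual=RiskEstimate(asset_value=200_000, exposure_factor=0.25, annual_rate=0.1),
)

if __name__ == "__main__":
    print(f"SLE = ${DB_BREACH.sle():,.0f}, ALE = ${DB_BREACH.ale():,.0f}")
    for sg in (ENCRYPT_AT_REST, MANAGED_SOC):
        roi = safeguard_roi(DB_BREACH, sg)
        print(f"{sg.name}: ROI = ${roi:,.0f} -> {recommend(DB_BREACH, sg)}")
```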
 
105. COBIT - Control Objectives for Information and related Technology is a control framework for employing information security governance best practices within an organization. COBIT was developed by ISACA.
106. Vulnerability management - management of vulnerability information.
107. Certification - a detailed inspection that verifies whether a system meets the documented security requirements.
108. Accreditation - the data owner's acceptance of the risk represented by a system.
109. Packet filter - each filtering decision must be made on the basis of a single packet. There is no way to refer to past packets to make current decisions.
110. Stateful firewalls - have a state table that allows the firewall to compare current packets to previous ones.
111. Proxy firewalls - act as intermediary servers. Proxies terminate connections.
112. Application-layer proxy firewalls - operate up to layer 7 of the OSI model. Application-layer proxies can make filtering decisions based on application-layer data, such as HTTP traffic, in addition to layers 3 and 4.
113. Wired Equivalent Privacy (WEP) - an early attempt to provide 802.11 wireless security. WEP has been proved to be critically weak: new attacks can break any WEP key in minutes.
114. Wi-Fi Protected Access 2 (WPA2) - a full implementation of 802.11i. By default, WPA2 uses AES encryption to provide confidentiality, and CCMP (Counter Mode CBC-MAC Protocol) to create a Message Integrity Check (MIC).
115. 802.1X - Port-based Network Access Control, layer 2 authentication.
116. RADIUS - Remote Authentication Dial In User Service protocol is a third-party authentication system.
117. DNS - Domain Name System, a distributed global hierarchical database that translates names to IP addresses, and vice versa.
118. DHCP - Dynamic Host Configuration Protocol, assigns temporary IP address leases to systems, as well as DNS and default gateway configuration.
119. LDAP - Lightweight Directory Access Protocol, an open protocol for interfacing with and querying directory service information provided by network operating systems. Uses port 389 via TCP or UDP.
120. Pharming - when an attacker redirects one website's traffic to another bogus and possibly malicious website by modifying a DNS server or hosts file.
121. Cache poisoning - the impact of a maliciously constructed response can be magnified if it is cached either by a web cache used by multiple users or even the browser cache of a single user. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue to receive the malicious content until the cache entry is purged.
122. Network access control (NAC) - is a concept of controlling access to an environment through strict adherence to and implementation of security policy.
123. System hardening - is a collection of tools, techniques, and best practices to reduce vulnerability in technology applications, systems, infrastructure, firmware, and other areas.
124. Non-repudiation - means a user cannot deny (repudiate) having performed a transaction.
125. TLS - Transport Layer Security, the successor to SSL.
126. IPsec - Internet Protocol Security, a suite of protocols that provide a cryptographic layer to both IPv4 and IPv6.
127. Administrative controls - implemented by creating and following organizational policy, procedure, or regulation.
128. Technical controls - are implemented using software, hardware, or firmware that restricts logical access on an information technology system.
129. Physical controls - are implemented with physical devices, such as locks, fences, gates, security guards, etc.
130. Preventive controls - prevent actions from occurring. They apply restrictions to what a potential user, either authorized or unauthorized, can do.
131. Detective controls - are controls that alert during or after a successful attack.
132. Corrective controls - work by "correcting" a damaged system or process.
133. Recovery controls - after a security incident has occurred, recovery controls may need to be taken in order to restore functionality of the system and organization.
134. Deterrent controls - deter users from performing actions on a system.
135. Compensating controls - are additional security controls put in place to compensate for weaknesses in other controls.
136. Request for quote (RFQ) - is a solicitation for goods or services in which a company asks suppliers to submit a price quote and bid on the chance to fulfill certain tasks or projects. An RFQ, also known as an invitation for bid (IFB), is usually the first step in submitting a request for proposal (RFP).
137. Request for proposal (RFP) - is a project funding announcement posted by a business or organization for which companies can place bids to complete the project.
138. Memorandum of agreement (MOA) - also known as a memorandum of understanding, is a formal business document used to outline an agreement made between two separate entities, groups or individuals.

139. Organizational policy - focuses on issues relevant to every aspect of an organization.
140. Issue-specific policy - focuses on a specific network service, department, function, or other aspect that is distinct from the organization as a whole.
141. System-specific policy - focuses on individual systems or types of systems and prescribes approved hardware and software, outlines methods for locking down a system, and even mandates firewall or other specific security controls.
142. Security policy - is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.
143. Standards - define compulsory requirements for the homogeneous use of hardware, software, technology, and security controls.
144. Baseline - defines a minimum level of security that every system throughout the organization must meet.
145. Guideline - offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.
146. Procedures - detailed, step-by-step how-to documents that describe the exact actions necessary to implement a specific security mechanism, control, or solution.
147. TCSEC - Trusted Computer System Evaluation Criteria, created in the 1980s as the Department of Defense (DoD) worked to develop and impose security standards for the systems it purchased and used.
148. ITSEC - Information Technology Security Evaluation Criteria, a European model developed in 1990 and used through 1998.
149. Common Criteria - represents a more or less global effort that involves everybody who worked on TCSEC and ITSEC as well as other global players. The Common Criteria defines various levels of testing and confirmation of systems' security capabilities, and the number of the level indicates what kind of testing and confirmation has been performed.
150. Target of evaluation (TOE) - any system being evaluated.
151. Protection profiles (PPs) - specify for a product that is to be evaluated (the TOE) the security requirements and protections, which are considered the security desires or the "I want" from a customer.
152. Security targets (STs) - specify the claims of security from the vendor that are built into a TOE.
153. Evaluation assurance level (EAL) - provides a more standardized method for comparing vendor systems.

154. Security event and incident management (SEIM) - is the process of identifying, monitoring, recording and analyzing security events or incidents within a real-time IT environment. It provides a comprehensive and centralized view of the security scenario of an IT infrastructure.

References

Trust In, and Value From, Information Systems. (n.d.). Retrieved from
https://www.isaca.org/Pages/default.aspx

Prowse, D. (2015). CompTIA Security SY0-401 Academic Edition. Indianapolis, IN: Pearson.

Conrad, E., Misenar, S., & Feldman, J. (n.d.). CISSP Study Guide Third Edition.

Chapple, M., Stewart, J. M., & D. G. (n.d.). CISSP Official Study Guide Eighth Edition.
Indianapolis, IN: John Wiley & Sons.

What is Risk Governance? (n.d.). Retrieved from


https://irgc.org/risk-governance/what-is-risk-governance/

Joint Task Force Transformation Initiative. (2018). Guide for Applying the Risk Management
Framework to Federal Information Systems: A Security Life Cycle Approach (No. NIST
Special Publication (SP) 800-37 Rev. 2). National Institute of Standards and Technology.

A Guide to the Project Management Body of Knowledge (PMBOK® Guide) — Fifth Edition

ISO/IEC TR 38502:2017 - Information technology — Governance of IT — Framework and


model

ISO/IEC 16085:2006 - Systems and software engineering — Life cycle processes — Risk
management

Bugajenko, O. (n.d.). Risk Capacity vs. Risk Appetite. Retrieved from


https://study.com/academy/lesson/risk-capacity-vs-risk-appetite.html

ISO/IEC 27039:2015 - Information technology — Security techniques — Selection, deployment


and operations of intrusion detection and prevention systems (IDPS)

 
Brought to you by:  Develop your team with the ​fastest growing catalog​ in the 
cybersecurity industry. Enterprise-grade workforce development 
management, advanced training features and detailed skill gap and 
 
competency analytics. 
 
13 
 
 
 

What is systemic risk? - Definition from WhatIs.com. (n.d.). Retrieved from


https://searchcompliance.techtarget.com/definition/systemic-risk
What is user account provisioning? - Definition from WhatIs.com. (n.d.). Retrieved from
https://searchsecurity.techtarget.com/definition/user-account-provisioning

The Risk IT Framework . (n.d.). Retrieved from


http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/The-Risk-IT
-Framework.aspx

Joint Task Force Transformation Initiative. (2011). Managing information security risk:
Organization, mission, and information system view (No. NIST Special Publication (SP)
800-39). National Institute of Standards and Technology.

Gibson, D. (2012). SSCP systems security certified practitioner: Exam guide. New York:
McGraw-Hill Education.

Joint Task Force Transformation Initiative. (2012). Guide for conducting risk assessments (No.
NIST Special Publication (SP) 800-30 Rev. 1). National Institute of Standards and
Technology.

What is key risk indicator (KRI)? - Definition from WhatIs.com. (n.d.). Retrieved from
https://searchcio.techtarget.com/definition/key-risk-indicator-KRI

What is key performance indicators (KPIs)? - Definition from WhatIs.com. (n.d.). Retrieved from
https://searchbusinessanalytics.techtarget.com/definition/key-performance-indicators-KPIs

RACI Charts. (n.d.). Retrieved from https://racichart.org/the-raci-model/

Risk culture. (n.d.). Retrieved from
https://www.theirm.org/knowledge-and-resources/thought-leadership/risk-culture.aspx

Risk Impact Assessment and Prioritization. (2015, April 10). Retrieved from
https://www.mitre.org/publications/systems-engineering-guide/acquisition-systems-engineering/risk-management/risk-impact-assessment-and-prioritization

Ray, S. (2019, June 21). Guide to using a risk register (example included). Retrieved from
https://www.projectmanager.com/blog/guide-using-risk-register

Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010). Contingency planning
guide for federal information systems (No. NIST Special Publication (SP) 800-34 Rev. 1).
National Institute of Standards and Technology.

What is Data Validation: Definition. (n.d.). Retrieved from
https://www.informatica.com/services-and-training/glossary-of-terms/data-validation-definition.html

Krutz, R. L., & Vines, R. D. (2007). The CISSP and CAP prep guide. Indianapolis, IN: Wiley.

The history of bowtie. (n.d.). Retrieved from
https://www.cgerisk.com/knowledgebase/The_history_of_bowtie

Brid, R. (2018, October 26). Decision trees - A simple way to visualize a decision. Retrieved
from https://medium.com/greyatom/decision-trees-a-simple-way-to-visualize-a-decision-dc506a403aeb

What is Ishikawa?: The Fishbone Diagram: Ishikawa Diagram. (2018, November 26). Retrieved
from https://www.6sigma.us/etc/what-is-ishikawa-fishbone-diagram/

Grant, M. (2019, July 11). How SWOT (Strength, Weakness, Opportunity, and Threat) Analysis
Works. Retrieved from https://www.investopedia.com/terms/s/swot.asp

Jurevicius, O. (2013, May 01). How to Focus on the Stars with a Clever BCG Matrix. Retrieved
from https://www.strategicmanagementinsight.com/tools/bcg-matrix-growth-share.html

Use Expected Monetary Value (EMV) to Determine Risk Impact. (n.d.). Retrieved from
https://tenstep.com/use-expected-monetary-value-emv-to-determine-risk-impact/

What is gap analysis? - Definition from WhatIs.com. (n.d.). Retrieved from
https://searchcio.techtarget.com/definition/gap-analysis

CMMI Institute. (n.d.). Retrieved from https://cmmiinstitute.com/cmmi/intro

Twin, A. (2019, June 25). How the Delphi Method Works. Retrieved from
https://www.investopedia.com/terms/d/delphi-method.asp

Assessing Risk Probability: Impact Alternative Approaches. (n.d.). Retrieved from
https://www.pmi.org/learning/library/assessing-risk-probability-impact-alternative-approaches-8444

Kenton, W. (2019, June 23). How cost-benefit analysis process is performed. Retrieved from
https://www.investopedia.com/terms/c/cost-benefitanalysis.asp

ISO 27001, the international information security standard. (n.d.). Retrieved from
https://www.itgovernanceusa.com/iso27001

ISO 27002. (n.d.). Retrieved from https://www.itgovernanceusa.com/iso27002

Cache Poisoning. (n.d.). Retrieved from https://www.owasp.org/index.php/Cache_Poisoning

What is Systems Hardening? (n.d.). Retrieved from
https://www.beyondtrust.com/resources/glossary/systems-hardening

Kenton, W. (2019, May 07). RFQ revealed. Retrieved from
https://www.investopedia.com/terms/r/request-for-quote.asp

Kenton, W. (2019, April 15). How Requests for Proposal (RFP) Work. Retrieved from
https://www.investopedia.com/terms/r/request-for-proposal.asp

US Legal, Inc. (n.d.). Memorandum of Agreement Law and Legal Definition. Retrieved from
https://definitions.uslegal.com/m/memorandum-of-agreement/

What is Security Incident and Event Management (SIEM)? - Definition from Techopedia. (n.d.).
Retrieved from
https://www.techopedia.com/definition/4097/security-incident-and-event-management-siem
