
CGRC - Domain1 & Glossary


Certified in Governance

Risk and Compliance


CGRC TM

Domain 1: Information Security Risk Management


Program
1.1 Understand the foundation of an organization's information security risk management program
» Principles of information security: Information security, also known as Information Assurance (IA), is the
practice of protecting against and managing risks related to the use, processing, storage, and transmission of
data and information systems. The U.S. Department of Defense has promulgated the Five Pillars of Information
Assurance model, which covers the protection of confidentiality, integrity, availability, authenticity, and
non‐repudiation of user data.
 - Confidentiality: Preserving authorized restrictions on information access and disclosure, including means
   for protecting personal privacy and proprietary information.
 - Integrity: Guarding against improper information modification or destruction, and includes ensuring
   information non‐repudiation and authenticity.
 - Availability: Ensuring timely and reliable access to and use of information.
 - Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the
   validity of a transmission, a message, or message originator.
 - Non‐Repudiation of User Data: A service that is used to provide assurance of the integrity and origin of
   data in such a way that the integrity and origin can be verified and validated by a third party as having
   originated from a specific entity in possession of the private key (i.e., the signatory).
» Risk Management Frameworks (e.g., National Institute of Standards and Technology (NIST), Cybersecurity
Framework, Control Objectives for Information and Related Technology (COBIT), International Organization for
Standardization (ISO) 27001, International Organization for Standardization (ISO) 31000)
» System Development Life Cycle (SDLC) ‐ The scope of activities associated with a system, encompassing the
system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its
disposal that instigates another system initiation.
 - Initiation
 - Development
 - Operations / Maintenance
 - Disposal
» Information system boundary requirements refer to the physical and logical boundaries of an information
system, which define the extent of the system's operation, control, and protection. Boundary requirements specify
the technical and non‐technical controls that are necessary to protect the information system boundary. These
controls are based on an assessment of the system's security and privacy risks, as well as an understanding of the
system's mission and business requirements.
» Security controls and practices Understanding the foundation of an organization's information security risk
management program involves understanding the security controls and practices that are in place to protect the
organization's information assets. The following are some key security controls and practices that are typically
included in a comprehensive information security risk management program:
1. Access Controls: Access controls are used to restrict access to sensitive information and systems to only
those individuals who have a legitimate need to access them. This may involve implementing strong
authentication mechanisms, such as multi‐factor authentication, and limiting access to systems and data
based on the principle of least privilege.
2. Encryption: Encryption is used to protect data both in transit and at rest. This may involve using encryption
to protect data as it is transmitted across networks, as well as encrypting data that is stored on servers or
other storage media.

CGRC Certification Exam Outline 4


3. Patch Management: Patch management involves ensuring that all software and systems are kept up‐to‐
date with the latest security patches and updates. This helps to prevent known vulnerabilities from being
exploited by attackers.
4. Incident Response: Incident response is the process of responding to security incidents and breaches when
they occur. This may involve implementing incident response plans and procedures, conducting regular
drills and exercises to test those plans, and ensuring that incident response teams are properly trained and
equipped to respond to security incidents.
5. Training and Awareness: Training and awareness programs are used to educate employees and other
stakeholders about the importance of information security and the specific risks and threats facing the
organization. This may involve conducting regular training sessions, distributing security awareness
materials, and promoting a culture of security throughout the organization.
6. Risk Assessment and Management: Risk assessment and management involves identifying and assessing
the risks facing the organization's information assets, and implementing appropriate controls and
safeguards to mitigate those risks. This may involve conducting regular risk assessments, developing risk
management plans, and monitoring the effectiveness of those plans over time.
» Roles and responsibilities in the authorization/approval process: The Risk Management Framework (RMF) is a
structured process used by federal agencies and other organizations to manage security and privacy risks associated
with their information systems. The authorization/approval process is a key step in the RMF, in which the
authorizing official approves the system to operate, based on a comprehensive assessment of the system's security
and privacy risks. The following are common roles and responsibilities in the authorization/approval process within
the RMF:
1. Information System Owner: The information system owner is responsible for identifying and managing the
information system's security and privacy risks. The information system owner provides information and
documentation to support the authorization/approval process and ensures that the system meets the
organization's security requirements.
2. Authorizing Official: The authorizing official is responsible for reviewing and approving the information
system's authorization package. The authorizing official has the authority to make final decisions regarding
the system's authorization to operate and is accountable for the outcomes of those decisions.
3. Security Control Assessor: The security control assessor is responsible for assessing the effectiveness of the
security controls implemented in the information system. The security control assessor provides the results
of the security control assessment to the authorizing official to support the authorization decision.
4. Risk Executive Function: The risk executive function is responsible for overseeing and managing the
organization's risk management activities. The risk executive function provides guidance and support to the
information system owner and authorizing official throughout the authorization/approval process.
5. Information System Security Officer: The information system security officer is responsible for
implementing and maintaining the security controls in the information system. The information system
security officer provides documentation and evidence of the effectiveness of the security controls to
support the authorization decision.

1.2 Understand risk management program processes


» Select program management controls The selection of program management controls is a critical component of
an effective risk management program. Program management controls refer to the policies, procedures, and
mechanisms that are put in place to ensure that the program's objectives are achieved in a manner that is consistent
with the organization's risk management strategy.
In the context of a risk management program, the selection of program management controls involves the following
key steps:


1. Identify Program Management Control Requirements: The first step in selecting program management
controls is to identify the requirements of the program. This involves defining the scope of the program,
identifying the goals and objectives, and establishing the parameters for risk management.
2. Determine the Appropriate Controls: Once the program requirements have been identified, the next step is
to determine the appropriate controls to implement. This involves selecting controls that align with the
program's goals and objectives, and that are appropriate for the level of risk the program is intended to
address.
3. Develop Control Implementation Plan: After determining the appropriate controls, the next step is to
develop a control implementation plan. This plan outlines the steps required to implement the controls,
including assigning responsibilities, setting timelines, and determining the necessary resources.
4. Implement and Monitor Controls: The final step is to implement the program management controls and
monitor their effectiveness. This involves ensuring that the controls are being implemented as planned, and
that they are achieving the desired results.
» Privacy requirements Privacy requirements are an important aspect of a risk management program, particularly in
organizations that collect, store, or process sensitive information. The following are some key steps in addressing
privacy requirements within a risk management program:
1. Identify Privacy Risks: The first step in addressing privacy requirements is to identify the potential privacy
risks associated with the organization's information systems and processes. This involves identifying the
types of personal information that are collected, stored, or processed by the organization, and determining
how that information is used and shared.
2. Define Privacy Requirements: Once the privacy risks have been identified, the next step is to define the
privacy requirements for the organization. This involves determining the privacy controls and safeguards
that are necessary to protect personal information and ensure compliance with applicable privacy laws and
regulations.
3. Implement Privacy Controls: The next step is to implement the privacy controls that have been defined. This
may involve implementing technical safeguards, such as encryption and access controls, as well as
administrative and procedural safeguards, such as policies and training programs.
4. Monitor and Maintain Privacy Controls: Once the privacy controls have been implemented, it is important
to monitor and maintain them to ensure their continued effectiveness. This may involve conducting
periodic privacy risk assessments, reviewing and updating privacy policies and procedures, and conducting
privacy training for employees.
5. Respond to Privacy Incidents: Finally, it is important to have a plan in place to respond to privacy incidents,
such as data breaches or unauthorized access to personal information. This may involve notifying affected
individuals and regulatory authorities, as well as taking steps to mitigate the harm caused by the incident.
» Determine third‐party hosted information systems Determining third‐party hosted information systems is an
important aspect of a risk management program, particularly in organizations that use cloud services or outsource
their IT operations to third‐party providers. The following are some key steps in addressing third‐party hosted
information systems within a risk management program:
1. Identify Third‐Party Hosted Information Systems: The first step in addressing third‐party hosted information
systems is to identify all systems and applications that are hosted by third‐party providers. This may involve
conducting an inventory of all IT assets and systems used by the organization, including those that are
hosted in the cloud.
2. Assess Third‐Party Providers: Once the third‐party hosted information systems have been identified, the
next step is to assess the third‐party providers that are hosting those systems. This may involve conducting
due diligence on the provider, reviewing their security and privacy policies and procedures, and assessing
their compliance with applicable laws and regulations.


3. Define Contractual Requirements: After assessing the third‐party providers, the next step is to define the
contractual requirements for the services they provide. This may involve negotiating specific provisions
related to security, privacy, and compliance with applicable laws and regulations.
4. Implement Monitoring and Oversight Mechanisms: Once the contractual requirements have been defined,
it is important to implement monitoring and oversight mechanisms to ensure that the third‐party providers
are meeting those requirements. This may involve conducting periodic audits or assessments of the
provider's security and privacy controls, as well as monitoring their performance against established service
level agreements.
5. Plan for Continuity and Recovery: Finally, it is important to plan for continuity and recovery in the event of a
disruption or termination of the third‐party hosted information systems. This may involve defining backup
and recovery procedures, as well as establishing contingency plans for transitioning to a new provider if
necessary.

1.3 Understand regulatory and legal requirements


» Familiarize with governmental, organizational and international regulatory security and privacy requirements (e.g.,
International Organization for Standardization (ISO) 27001, Federal Information Security Modernization Act (FISMA),
Federal Risk and Authorization Management Program (FedRAMP), General Data Protection Regulation (GDPR),
Health Insurance Portability and Accountability Act (HIPAA))
» Familiarize with other applicable security‐related mandates


Glossary
Adequate Security Security protections commensurate with the risk resulting from the unauthorized
access, use, disclosure, disruption, modification or destruction of the information. This includes
ensuring that information hosted on behalf of an agency and information systems and applications
used by the agency operate effectively and provide confidentiality, integrity and availability
protection through the application of cost‐effective security controls.

Allocation The process an organization employs to assign security or privacy requirements to a system or
its environment of operation; or to assign controls to specific system elements responsible for providing a
security or privacy capability (e.g., router, server, remote sensor).

Application A software program hosted by an information system.

Assessment See: Control Assessment

Assessor The individual, group or organization responsible for conducting a security or privacy
assessment.

Asset System and subsystem components that must be protected, including but not limited to: all
hardware, software, data, personnel, supporting physical environment and environmental systems,
administrative support and supplies.

Authorization Boundary All components of an information system to be authorized for operation by
an authorizing official. This excludes separately authorized systems to which the information system
is connected.

Authorizing Official (AO) A senior federal official or executive with the authority to authorize (i.e.,
assume responsibility for) the operation of an information system or the use of a designated set of
common controls at an acceptable level of risk to agency operations (including mission, functions,
image or reputation), agency assets, individuals, other organizations and the nation.

Authorizing Official Designated Representative (AO DR) An organizational official acting on behalf of
an authorizing official in carrying out and coordinating the required activities associated with the
authorization process.

Authorization Package The essential information that an authorizing official uses to determine
whether to authorize the operation of an information system or the provision of a designated set of
common controls. At a minimum, the authorization package includes an executive summary, system
security plan, privacy plan, security control assessment, privacy control assessment as well as any
relevant plans of action and milestones.

Authorization to Operate (ATO) The official management decision given by one or more senior
federal officials to authorize operation of an information system and to explicitly accept the risk to
agency operations (including mission, functions, image, or reputation), agency assets, individuals,
other organizations and the nation, based on the implementation of an agreed‐upon set of security
and privacy controls. Authorization also applies to common controls inherited by agency information
systems.


Authorization to Use (ATU) The official management decision given by an authorizing official to
authorize the use of an information system, service or application based on the information in an
existing authorization package generated by another organization, and to explicitly accept the risk to
agency operations (including mission, functions, image, or reputation), agency assets, individuals,
other organizations and the nation, based on the implementation of an agreed‐upon set of controls
in the system, service or application.

Availability Ensuring timely and reliable access to and use of information.

Baseline See: Control Baseline

Baseline Configuration A documented set of specifications for a system, or a configuration item
within a system, that has been formally reviewed and agreed on at a given point in time, and which
can be changed only through change control procedures.

Capability A combination of mutually reinforcing controls implemented by technical means, physical
means and procedural means. Such controls are typically selected to achieve a common information
security or privacy purpose.

Change Control Process for controlling modifications to hardware, firmware, software and
documentation to protect the information system against improper modifications before, during and
after system implementation.

Chief Information Officer (CIO) The senior official that provides advice and other assistance to the
head of the agency and other senior management personnel of the agency to ensure that IT is
acquired and information resources are managed for the agency in a manner that achieves the
agency's strategic goals and is responsible for ensuring agency compliance with, and prompt,
efficient and effective implementation of, the information policies and information resources
management responsibilities, including the reduction of information collection burdens on the
public.

Chief Information Security Officer (CISO) See Senior Agency Information Security Officer

Clear A method of sanitization by applying logical techniques to sanitize data in all user‐addressable
storage locations for protection against simple non‐invasive data recovery techniques using the same
interface available to the user; typically applied through the standard read and write commands to
the storage device, such as by re‐writing with a new value or using a menu option to reset the device
to the factory state (where re‐writing is not supported).

Common Control (CC) A security or privacy control that is inherited by multiple information systems
or programs.

Common Control Provider (CCP) An organizational official responsible for the development,
implementation, assessment and monitoring of common controls (i.e., controls inheritable by
organizational systems).

Common Criteria Governing document that provides a comprehensive, rigorous method for
specifying security function and assurance requirements for products and systems.


Compensating Controls The security and privacy controls implemented in lieu of the controls in the
baselines described in NIST Special Publication 800‐53 that provide equivalent or comparable
protection for a system or organization.

Confidentiality Preserving authorized restrictions on information access and disclosure, including
means for protecting personal privacy and proprietary information.

Configuration The possible conditions, parameters and specifications with which an information
system or system component can be described or arranged.

Configuration Control Process for controlling modifications to hardware, firmware, software and
documentation to protect the information system against improper modifications before, during and
after system implementation.

Configuration Control Board A group of qualified people with responsibility for the process of
regulating and approving changes to hardware, firmware, software, and documentation throughout
the development and operational lifecycle of an information system.

Configuration Item An aggregation of system components that is designated for configuration
management and treated as a single entity in the configuration management process.

Configuration Management A collection of activities focused on establishing and maintaining the
integrity of information technology products and systems, through control of processes for
initializing, changing and monitoring the configurations of those products and systems throughout
the system development life cycle.

Configuration Management Plan A comprehensive description of the roles, responsibilities, policies
and procedures that apply when managing the configuration of products and systems.

Configuration Settings The set of parameters that can be changed in hardware, software or firmware
that affect the security posture and/or functionality of the system.

Continuous Monitoring Maintaining ongoing awareness to support organizational risk decisions.

Continuous Monitoring Program A program established to collect information in accordance with
pre‐established metrics, utilizing information readily available in part through implemented security
controls. Note: Privacy and security continuous monitoring strategies and programs can be the same
or different strategies and programs.

Control See security control and privacy control.

Control Assessment The testing or evaluation of the controls in an information system or an
organization to determine the extent to which the controls are implemented correctly, operating as
intended and producing the desired outcome with respect to meeting the security or privacy
requirements for the system or the organization.

Control Assessor The individual, group or organization responsible for conducting a control
assessment. See assessor.


Control Baseline The set of controls that are applicable to information or an information system to
meet legal, regulatory or policy requirements, as well as to address protection needs for the purpose of
managing risk.

Control Enhancement Augmentation of a control to build in additional, but related, functionality to
the control, increase the strength of the control or add assurance to the control.

Control Effectiveness A measure of whether a given control is contributing to the reduction of
information security or privacy risk.

Destroy A method of sanitization that renders target data recovery infeasible using state‐of‐the‐art
laboratory techniques and results in the subsequent inability to use the media for storage of data.

Disposal A release outcome following the decision that media does not contain sensitive data. This
occurs either because the media never contained sensitive data or because sanitization techniques
were applied, and the media no longer contains sensitive data.

Enterprise An organization with a defined mission / goal and a defined boundary, using systems to
execute that mission, and with responsibility for managing its own risks and performance. An
enterprise may consist of all or some of the following business aspects: acquisition, program
management, human resources, financial management, security, as well as systems, information and
mission management. See organization.

Enterprise Architecture A strategic information asset base, which defines the mission; the
information necessary to perform the mission; the technologies necessary to perform the mission;
and the transitional processes for implementing new technologies in response to changing mission
needs; and includes a baseline architecture, a target architecture and a sequencing plan.

Environment of Operation The physical surroundings in which an information system processes,
stores and transmits information.

Federal Enterprise Architecture (FEA) A business‐based framework for government‐wide
improvement developed by the Office of Management and Budget that is intended to facilitate
efforts to transform the federal government to one that is citizen‐centered, results‐oriented and
market‐based.

Federal Information Security Management Act (FISMA) RESEARCH

Federal Information System An information system used or operated by an executive agency, by a
contractor of an executive agency, or by another organization on behalf of an executive agency.

Hardware The material physical components of a system. See software and firmware

High Impact Level The loss of confidentiality, integrity or availability (CIA) that could be expected to
have a severe or catastrophic adverse effect on organizational operations, organizational assets,
individuals, other organizations or the nation.

High‐Impact System A system in which at least one security objective (i.e., confidentiality, integrity
or availability) is assigned a FIPS publication 199 potential impact value of high.


High Value Assets RESEARCH

Hybrid Control A security or privacy control that is implemented for an information system in part as
a common control and in part as a system‐specific control.

Impact With respect to security, the effect on organizational operations, organizational assets,
individuals, other organizations or the nation (including the national security interests of the United
States) of a loss of confidentiality, integrity or availability of information or a system. With respect
to privacy, the adverse effects that individuals could experience when an information system
processes their PII.

Impact Level See impact value

Impact Value The assessed worst‐case potential impact that could result from a compromise of the
confidentiality, integrity, or availability of information expressed as a value of low, moderate or high.

Independent Verification and Validation A comprehensive review, analysis and testing (software
and/or hardware) performed by an objective third party to confirm (i.e., verify) that the
requirements are correctly defined, and to confirm (i.e., validate) that the system correctly
implements the required functionality and security requirements.

Information Any communication or representation of knowledge such as facts, data or opinions in
any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic or
audiovisual forms.

Information Life Cycle The stages through which information passes, typically characterized as
creation or collection, processing, dissemination, use, storage and disposition, to include destruction
and deletion. "Life cycle" typically appears as two words in NIST publications, but as one word in ISO
standards.

Information Owner (IO) Official with statutory or operational authority for specified information and
responsibility for establishing the controls for its generation, collection, processing, dissemination
and disposal.

Information Owner or Steward See Information Owner and Information Steward

Information Security The protection of information systems from unauthorized access, use,
disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and
availability.

Information Security Architecture An embedded integral part of the enterprise architecture that
describes the structure and behavior of the enterprise security processes, security systems,
personnel and organizational subunits, showing their alignment with the enterprise's mission and
strategic plans. See security architecture.

Information Security Management System (ISMS) Compilation of processes and management
structure that preserves the confidentiality, integrity and availability of information by applying a risk
management process and gives confidence to interested parties that risks are adequately managed.
The ISO 27001 standard defines the components of the ISMS.

Information System Owner (ISO) The organizational official responsible for the development,
implementation, assessment and monitoring of security controls in an information system.

Information Systems Security Officer (ISSO) Responsible for securing an information system,
managing all security aspects of the system and assembling the security accreditation package while
serving as the point of contact for the Security Control Assessor (SCA).

Information Security Risk The risk to organizational operations (including mission, functions, image,
reputation), organizational assets, individuals, other organizations and the nation due to the
potential for unauthorized access, use, disclosure, disruption, modification or destruction of
information and/or systems.

Information Steward An agency official with statutory or operational authority for specified
information and responsibility for establishing the controls for its generation, collection, processing,
dissemination and disposal.

Information System A discrete set of information resources organized for the collection, processing,
maintenance, use, sharing, dissemination or disposition of information.

Information Technology (IT) Any services, equipment, or interconnected system(s) or subsystem(s)
of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation,
management, movement, control, display, switching, interchange, transmission or reception of data
or information by the agency. For purposes of this definition, such services or equipment count as
information technology if used by the agency directly, or if used by a contractor under a contract with
the agency that either requires its use or requires, to a significant extent, its use in the performance
of a service or the furnishing of a product. Information technology includes computers, ancillary
equipment (including imaging peripherals, input, output and storage devices necessary for security
and surveillance), peripheral equipment designed to be controlled by the central processing unit of a
computer, software, firmware and similar procedures, services (including cloud computing and
help‐desk services or other professional services which support any point of the life cycle of the
equipment or service) and related resources. Information technology does not include any equipment
that is acquired by a contractor incidental to a contract which does not require its use.

Information Type A specific category of information (e.g., privacy, medical, proprietary, financial,
investigative, contractor‐sensitive, security management) defined by an organization or in some
instances, by a specific law, executive order, directive, policy or regulation.

Inheritance A situation in which a system or application receives protection from controls (or
portions of controls) that are developed, implemented, assessed, authorized and monitored by
entities other than those responsible for the system or application; entities either internal or external
to the organization where the system or application resides. NIST refers to this term as "Control
Inheritance." See: Common Control

CGRC Certification Exam Outline 21


Certified in Governance
Risk and Compliance
CGRC TM

Integrity Guarding against improper information modification or destruction and includes ensuring
information non‐repudiation and authenticity.

Likelihood RESEARCH

Likelihood Value COPY DEFINITION AND FORMAT TO IMPACT VALUE: The assessed worst‐case
potential impact that could result from a compromise of the confidentiality, integrity, or availability
of information expressed as a value of low, medium or high.

Low‐Impact System A system in which all three security objectives (i.e., confidentiality, integrity and
availability) are assigned a FIPS Publication 199 potential impact value of low.

Moderate‐Impact System A system in which at least one security objective (i.e., confidentiality,
integrity or availability) is assigned a FIPS Publication 199 potential impact value of moderate.

National Security System Any system (including any telecommunications system) used or operated
by an agency or by a contractor of an agency, or other organization on behalf of an agency ‐ (i) the
function, operation or use of which involves intelligence activities related to national security;
involves command and control of military forces; involves equipment that is an integral part of a
weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions
(excluding a system that is to be used for routine administrative and business applications, for
example: payroll, finance, logistics and personnel management applications); or (ii) is protected at all
times by procedures established for information that have been specifically authorized under criteria
established by an Executive Order or an Act of Congress to be kept classified in the interest of
national defense or foreign policy.

Organization An entity of any size, complexity, or positioning within an organizational structure (e.g.,
federal agencies, private enterprises, academic institutions, state, local, or tribal governments or, as
appropriate, any of their operational elements).

Organization Defined Control Parameter The variable part of a control or control enhancement that
can be instantiated by an organization during the tailoring process by either assigning an
organization defined value or selecting a value from a pre‐defined list provided as part of the control
or control enhancement.

Organizationally Tailored Control Baseline A control baseline tailored for a defined notional (type of)
information system using overlays and/or system‐specific control tailoring and intended for use in
selecting controls for multiple systems within one or more organizations. See Also: Tailoring

Overlay A specification of security or privacy controls, control enhancements, supplemental
guidance and other supporting information employed during the tailoring process, that is intended to
complement (and further refine) security control baselines. The overlay specification may be more
stringent or less stringent than the original security control baseline specification and can be applied
to multiple information systems.


Personally Identifiable Information (PII) Information that can be used to distinguish or trace an
individual's identity, either alone or when combined with other information that is linked or linkable
to a specific individual.

Plan of Action and Milestones (POAM) A document that identifies tasks needing to be accomplished.
It details resources required to accomplish the elements of the plan, any milestones in meeting the
tasks and scheduled completion dates for the milestones.

Potential Impact The loss of confidentiality, integrity or availability could be expected to have a
limited adverse effect (FIPS Publication 199 low); a serious adverse effect (FIPS Publication 199
Moderate); or a severe or catastrophic adverse effect (FIPS Publication 199 High) on organizational
operations, organizational assets or individuals.

Privacy Architect Individual, group or organization responsible for ensuring that the system privacy
requirements necessary to protect individuals' privacy are adequately addressed in all aspects of
enterprise architecture including reference models, segment and solution architectures, and
information systems processing PII.

Privacy Architecture An embedded, integral part of the enterprise architecture that describes the
structure and behavior for an enterprise's privacy protection processes, technical measures,
personnel and organizational sub‐units, showing their alignment with the enterprise's mission and
strategic plans.

Privacy Control The administrative, technical, and physical safeguards employed within an agency to
ensure compliance with applicable privacy requirements and manage privacy risks. Note: Controls
can be selected to achieve multiple objectives; those controls that are selected to achieve both
security and privacy objectives require a degree of collaboration between the organization's
information security program and privacy program.

Privacy Control Baseline A collection of controls specifically assembled or brought together by a
group, organization or community of interest to address the privacy protection needs of individuals.

Privacy Control Assessment The assessment of privacy controls to determine whether the controls
are implemented correctly, operating as intended, and sufficient to ensure compliance with
applicable privacy requirements and manage privacy risks. A privacy control assessment is both an
assessment and a formal document detailing the process and the outcome of the assessment.

Privacy Impact Assessment (PIA) RESEARCH

Privacy Information Information that describes the privacy posture of an information system or
organization.

Privacy Plan A formal document that details the privacy controls selected for an information system
or environment of operation that are in place or planned, to meet applicable privacy requirements
and manage privacy risks, details how the controls have been implemented, and describes the
methodologies and metrics that will be used to assess the controls.


Privacy Requirement A requirement that applies to an information system or an organization that is
derived from applicable laws, executive orders, directives, policies, standards, regulations,
procedures and/or mission/business needs with respect to privacy. Note: The term privacy
requirement can be used in a variety of contexts from high‐level policy activities to low‐level
implementation activities in system development and engineering principles.

Program Management Controls RESEARCH

Purge A method of sanitization by applying physical or logical techniques that renders target data
recovery infeasible using state‐of‐the‐art laboratory techniques.

Reciprocity Agreement among participating organizations to accept each other's security
assessments to reuse system resources and/or to accept each other's assessed security posture to
share information.

Risk A measure of the extent to which an entity is threatened by a potential circumstance or event
and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the
circumstance or event occurs; and (ii) the likelihood of occurrence.

Risk Assessment The process of identifying risks to organizational operations (including mission,
functions, image, reputation), organizational assets, individuals, other organizations and the nation,
resulting from the operation of a system.

Risk Executive (Function) An individual or group within an organization, led by the senior
accountable official for risk management, that helps to ensure that security risk considerations for
individual systems, to include the authorization decisions for those systems, are viewed from an
organization‐wide perspective with regard to the overall strategic goals and objectives of the
organization in carrying out its missions and business functions; and managing risk from individual
systems is consistent across the organization, reflects organizational risk tolerance and is considered
along with other organizational risks affecting mission/business success.

Risk Management The program and supporting processes to manage risk to agency operations
(including mission, functions, image, reputation), agency assets, individuals, other organizations and
the nation, and includes: establishing the context for risk‐related activities; assessing risk; responding
to risk once determined; and monitoring risk over time.

Risk Mitigation Prioritizing, evaluating and implementing the appropriate risk‐reducing
controls/countermeasures recommended from the risk management process.

Risk Response Accepting, avoiding, mitigating, sharing or transferring risk to agency operations,
agency assets, individuals, other organizations or the nation.

Sanitize A process to render access to target data on the media infeasible for a given level of effort.
Clear, purge and destroy are actions that can be taken to sanitize media.

Security Architect Individual, group or organization responsible for ensuring that the information
security requirements necessary to protect the organization's core missions and business processes
are adequately addressed in all aspects of enterprise architecture including reference models,
segment and solution architectures, and the resulting information systems supporting those missions
and business processes.

Security Architecture An embedded, integral part of the enterprise architecture that describes the
structure and behavior for an enterprise's security processes, information security systems,
personnel and organizational sub‐units, showing their alignment with the enterprise's mission and
strategic plans. See information security architecture.

Security Categorization The process of determining the security category for information or a
system. Security categorization methodologies are described in CNSS Instruction 1253 for national
security systems and in FIPS Publication 199 for other than national security systems. See: security
category

Security Category The characterization of information or an information system based on an
assessment of the potential impact that a loss of confidentiality of such information or information
system would have on agency operations, agency assets, individuals, other organizations and the
nation.

Security Control The safeguards or countermeasures prescribed for an information system or an
organization to protect the confidentiality, integrity and availability of the system and its
information.

Security Controls The management, operational and technical controls (i.e., safeguards or
countermeasures) prescribed for an information system to protect the confidentiality, integrity and
availability of the system and its information.

Security Control Baseline The set of minimum security controls defined for a low‐impact, moderate‐
impact or high‐impact information system. See Also: Control Baseline

Security Control Assessment The testing or evaluation of security controls to determine the extent
to which the controls are implemented correctly, operating as intended and producing the desired
outcome with respect to meeting the security requirements for an information system or
organization.

Security Impact Analysis The analysis conducted by an organizational official to determine the extent
to which a change to the information system has affected the security state of the system.

Security Objective Confidentiality, integrity or availability.

Security Plan A formal document that provides an overview of the security requirements for an
information system and describes the security controls in place or planned for meeting those
requirements.

Security Posture The security status of an enterprise's networks, information and systems based on
information security resources (e.g., people, hardware, software, policies) and capabilities in place to
manage the defense of the enterprise and to react as the situation changes. Synonymous with
security status.


Security Requirement A requirement levied on an information system or an organization that is
derived from applicable laws, executive orders, directives, policies, standards, instructions,
regulations, procedures and/or mission/business needs to ensure the confidentiality, integrity and
availability of information that is being processed, stored or transmitted. Note: Security
requirements can be used in a variety of contexts from high‐level policy activities to low‐level
implementation activities in system development and engineering disciplines.

Security Risk Risk that arises through the loss of confidentiality, integrity, or availability of
information or systems, and that considers impacts to the organization (including assets, mission,
functions, image or reputation), individuals, other organizations and the nation. See: Risk.

Senior Accountable Official for Risk Management (SAORM) The senior official, designated by the
head of each agency, who has vision into all areas of the organization, and is responsible for
alignment of information security management processes with strategic, operational and budgetary
planning processes.

Senior Agency Information Security Officer (SAISO) Official responsible for carrying out the Chief
Information Officer responsibilities under FISMA and serving as the Chief Information Officer's
primary liaison to the agency's authorizing officials and information system security officers.

Senior Agency Official for Privacy (SAOP) The senior official, designated by the head of each agency,
who has agency‐wide responsibility for privacy, including implementation of privacy protections;
compliance with federal laws, regulations and policies relating to privacy; management of privacy
risks at the agency; and a central policymaking role in the agency's development and evaluation of
legislative, regulatory and other policy proposals.

Software Computer programs and associated data that may be dynamically written or modified
during execution.

Supply Chain Linked set of resources and processes between multiple tiers of developers that begins
with the sourcing of products and services and extends through the design, development,
manufacturing, processing, handling and delivery of products and services to the acquirer.

Supply Chain Risk Risks that arise from the loss of confidentiality, integrity or availability of
information or information systems, and reflect the potential adverse impacts to organizational
operations (including mission, functions, image or reputation), organizational assets, individuals,
other organizations and the nation.

Supply Chain Risk Management The process of identifying, assessing and mitigating the risks
associated with the global and distributed nature of information and communications technology
product and service supply chains.

System Any organized assembly of resources and procedures united and regulated by interaction or
interdependence to accomplish a set of specific functions. See information system. Note: Systems
also include specialized systems such as industrial/process controls systems, telephone switching and
private branch exchange (PBX) systems, and environmental control systems. Combination of
interacting elements organized to achieve one or more stated purposes. Note 1: There are many
types of systems. Examples include: general and special‐purpose information systems; command,
control and communication systems; crypto modules; central processing unit and graphics processor
boards; industrial/process control systems; flight control systems; weapons, targeting and fire
control systems; medical devices and treatment systems; financial, banking and merchandising
transaction systems; and social networking systems. Note 2: The interacting elements in the
definition of system include hardware, software, data, humans, processes, facilities, materials and
naturally occurring physical entities. Note 3: System of systems is included in the definition of
system.

System Boundary See authorization boundary

System Component A discrete identifiable information technology asset that represents a building
block of a system and may include hardware, software and firmware.

System Development Life Cycle (SDLC) The scope of activities associated with a system,
encompassing the system's initiation, development and acquisition, implementation, operation and
maintenance and ultimately its disposal that instigates another system initiation.

System Element Member of a set of elements that constitute a system. Note 1: A system element
can be a discrete component, product, service, subsystem, system, infrastructure or enterprise. Note
2: Each element of the system is implemented to fulfill specified requirements. Note 3: The recursive
nature of the term allows the term system to apply equally when referring to a discrete component
or to a large, complex, geographically distributed system‐of‐systems. Note 4: System elements are
implemented by: hardware, software and firmware that perform operations on data/information;
physical structures, devices and components in the environment of operation; and the people,
processes and procedures for operating, sustaining and supporting the system elements. Note 5:
System elements and information resources (as defined at 44 U.S.C. Sec. 3502 and in this document)
are interchangeable terms as used in this document.

System Privacy Officer Individual with assigned responsibility for maintaining the appropriate
operational privacy posture for a system or program.

System Security Officer Individual with assigned responsibility for maintaining the appropriate
operational security posture for an information system or program.

System Security Plan Principally used to verify that Information Systems (ISs) are meeting their stated
security goals and objectives.

System‐Specific Control A security or privacy control for an information system that is implemented
at the system level and is not inherited by any other information system.

System User Individual, or (system) process acting on behalf of an individual, authorized to access a
system.

System Privacy Engineer Individual assigned responsibility for conducting systems privacy
engineering activities.


Systems Security Engineer Individual assigned responsibility for conducting systems security
engineering activities.

Systems Security or Privacy Engineer See Systems Security Engineer and Systems Privacy Engineer

Tailored Control Baseline A set of controls resulting from the application of tailoring guidance to a
control baseline. See: Tailoring

Tailoring The process by which security control baselines are modified by identifying and designating
common controls, applying scoping considerations, selecting compensating controls, assigning
specific values to agency‐defined control parameters, supplementing baselines with additional
controls or control enhancements and providing additional specification information for control
implementation. The tailoring process may also be applied to privacy controls.

Threat Any circumstance or event with the potential to adversely impact organizational operations,
organizational assets, individuals, other organizations or the nation through a system via
unauthorized access, destruction, disclosure, modification of information and/or denial of service.

Threat Source The intent and method targeted at the intentional exploitation of a vulnerability or a
situation and method that may accidentally trigger a vulnerability.

Vulnerability Weakness in an information system, system security procedures, internal controls or
implementation that could be exploited or triggered by a threat source. Note: The term weakness is
synonymous with deficiency. Weakness may result in security and/or privacy risks.
