This is the combination of likelihood and impact used to prioritize audit focus.
What is risk?
Screenshots, system logs, and policy documents are all examples of this.
What is audit evidence?
This document logs who approved, implemented, and reviewed a change.
What is a change ticket?
This access method requires more than one type of credential.
What is Multi-Factor Authentication (MFA)?
A plan that outlines how to restore IT services after a major disruption.
What is a Disaster Recovery Plan (DRP)?
Controls that fix a problem or restore normal operation after it has been detected are known as these.
What are corrective controls?
The term for evidence obtained by watching a control in action.
What is observation?
Before deploying a system update, this plan ensures it won’t break everything.
What is a test plan?
This process confirms a user’s identity before granting access.
What is authentication?
A test where participants simulate a real disaster response without touching systems.
What is a tabletop exercise?
These controls are designed to flag problems as they happen.
What are detective controls?
Auditors use this method to assess the operation of a control over time.
What is sampling?
Before releasing a change, organizations test it in this environment.
What is staging?
This is the process of removing access when an employee leaves.
What is deprovisioning?
An alternative location with full infrastructure to restore operations quickly.
What is a hot site?
Alternative controls that reduce a risk to an acceptable level when the primary control cannot be implemented.
What are compensating controls?
This term describes following a transaction from initiation to reporting.
What is a walkthrough?
The term used for returning to a previous system state after a failed update.
What is rollback?
IAM systems often use this model where access is determined by job role.
What is Role-Based Access Control (RBAC)?
This test actually spins up systems at an alternate site to verify recoverability.
What is a failover test?
This term describes the risk (likelihood and impact) that remains after controls have been applied.
What is residual risk?
The principle that evidence should be obtained from reliable, independent sources.
What is objectivity?
This is the governance body that evaluates and approves significant system changes.
What is the Change Advisory Board (CAB)?
This is the principle of granting a user only the minimum level of access needed to perform their job.
What is least privilege?
This defines the maximum tolerable length of time a system can be down.
What is Recovery Time Objective (RTO)?