CRISC Exam with correct answers
What is the difference between a standard and a policy? - correct answer Standard = A mandatory action, explicit rules, controls or configuration settings that are designed to support and conform to a policy. A standard should make a policy more meaningful and effective by including accepted specifications for hardware, software or behavior. Standards should always point to the policy to which they relate.
Policy = IT policies help organizations to properly articulate the organization's desired behavior, mitigate risk and contribute to achieving the organization's goals.
What are the 4 risk elements? - correct answer Threats, Vulnerabilities, Likelihood, and Impact. Threats exploit vulnerabilities, and the level of risk is based on likelihood and the impact to the system.
Describe risk appetite vs. risk tolerance - correct answer Risk appetite is how much risk an organization is willing to endure; risk tolerance is how much variation from that amount is acceptable.
Name the 6 steps of the NIST Risk Management Framework (RMF) - correct answer
1. Categorize Information Systems
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize Information Systems
6. Monitor Security Controls
Which framework is developed by ISACA and integrates other frameworks?
a) Val IT
b) IT Assurance Framework (ITAF)
c) COBIT 5
d) Risk IT - correct answer c. COBIT 5
What are the 3 domains of ISACA's Risk IT Framework? - correct answer Risk Governance (RG), Risk Evaluation (RE), Risk Response (RR)
What are the tenets of risk management? - correct answer Confidentiality, integrity, and availability
Which legal act requires U.S. federal government agencies to establish an information security program? - correct answer Federal Information Security Management Act (FISMA)
What is the Gramm-Leach-Bliley Act (GLBA)? - correct answer GLBA requires periodic risk analysis to be performed on processes that deal with nonpublic financial information and personal financial data.
The Risk Governance (RG) domain of the Risk IT framework is comprised of what 3 processes? - correct answer
RG1: Establish and maintain a common risk view
RG2: Integrate with ERM
RG3: Make risk-aware business decisions
The Risk Evaluation (RE) domain of the Risk IT framework is comprised of what 3 processes? - correct answer
RE1: Collect data
RE2: Analyze risk
RE3: Maintain risk profile
The Risk Response (RR) domain of the Risk IT framework is comprised of what 3 processes? - correct answer
RR1: Articulate risk
RR2: Manage risk
RR3: React to events
What is a threat agent? - correct answer The entity causing or enacting a threat against a vulnerability.
What is the simple risk formula? - correct answer threats x vulnerabilities = risk
What are the key areas of concern for emerging technologies? - correct answer Interoperability and compatibility
What are the 5 components of a risk scenario? - correct answer
1) Threat agent
2) Threat
3) Asset
4) Vulnerability
5) Time/location
Describe the bottom-up approach to risk scenario generation - correct answer Look at all potential scenarios, beginning with what asset, process, or area of concern the risk scenarios might affect.
Describe the top-down approach to risk scenario generation - correct answer Develop risk scenarios from a specific business objective perspective.
What document would list the different risk scenarios? - correct answer The risk register, which could include:
Risk factors
Threats & vulnerabilities