CRISC Exam - Questions with Correct Answers / Latest Update / 100% Pass
What is the difference between a standard and a policy? - ✔✔Standard = A mandatory
action, explicit rules, controls or configuration settings that are designed to support and
conform to a policy. A standard should make a policy more meaningful and effective by
including accepted specifications for hardware, software or behavior. Standards should
always point to the policy to which they relate.
Policy = IT policies help organizations to properly articulate the organization's desired
behavior, mitigate risk and contribute to achieving the organization's goals.
What are the 4 risk elements? - ✔✔Threats, Vulnerabilities, Likelihood, and Impact. Threats
exploit vulnerabilities and the level of risk is based on likelihood and the impact to the
system.
Describe risk appetite vs. risk tolerance - ✔✔Risk appetite is how much risk an organization
is willing to endure; Risk Tolerance is how much variation from that amount is acceptable.
Name the 6 steps of the NIST Risk Management Framework (RMF) - ✔✔1. Categorize
Information Systems
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize Information Systems
6. Monitor Security Controls
Which framework is developed by ISACA and integrates other frameworks?
a) (Val) IT
b) IT Assurance Framework (ITAF)
c) COBIT 5
d) Risk IT - ✔✔c. COBIT 5
What are the 3 domains of ISACA's Risk IT Framework? - ✔✔Risk Governance (RG), Risk
Evaluation (RE), Risk Response (RR)
What are the tenets of risk management? - ✔✔confidentiality, integrity, and availability
Which legal act requires U.S. Federal Govt agencies to establish an information security
program? - ✔✔Federal Information Security Management Act (FISMA)
What is the Gramm-Leach-Bliley Act (GLBA) - ✔✔GLBA requires periodic risk analysis
performed on processes that deal with nonpublic financial information and personal
financial data.
The Risk Governance (RG) domain of the Risk IT framework is comprised of what 3
processes? - ✔✔RG1: Establish and maintain a common risk view
RG2: Integrate with ERM
RG3: Make risk-aware business decisions
The Risk Evaluation (RE) domain of the Risk IT framework is comprised of what 3 processes?
- ✔✔RE1: Collect Data
RE2: Analyze Risk
RE3: Maintain risk profile
The Risk Response (RR) domain of the Risk IT framework is comprised of what 3 processes? -
✔✔RR1: Articulate risk
RR2: Manage risk
RR3: React to events
What is a threat agent? - ✔✔The entity causing or enacting a threat against a vulnerability.
What is the simple risk formula? - ✔✔threats x vulnerabilities = risk
What are the key areas of concern for emerging technologies? - ✔✔Interoperability and
Compatibility