CRISC FULL exam with correct answers
Which of the following is the MOST important reason for conducting security awareness programs throughout an enterprise?
A. Reducing the risk of a social engineering attack
B. Training personnel in security incident response
C. Informing business units about the security strategy
D. Maintaining evidence of training records to ensure compliance
- correct answer A
Which of the following is MOST important to determine when defining risk management strategies?
A. Risk assessment criteria
B. IT architecture complexity
C. An enterprise disaster recovery plan (DRP)
D. Organizational objectives
- correct answer D
Which of the following is the MOST important information to include in a risk management strategic plan?
A. Risk management staffing requirements
B. The risk management mission statement
C. Risk mitigation investment plans
D. The current state and desired future state
- correct answer D
Information that is no longer required to support the main purpose of the business from an information security perspective should be:
A. analyzed under the retention policy.
B. protected under the information classification policy.
C. analyzed under the backup policy.
D. protected under the business impact analysis (BIA).
- correct answer A
An enterprise has outsourced the majority of its IT department to a third party whose servers are in a foreign country. Which of the following is the MOST critical security consideration?
A. A security breach notification may get delayed due to the time difference.
B. Additional network intrusion detection sensors should be installed, resulting in additional cost.
C. The enterprise could be unable to monitor compliance with its internal security and privacy guidelines.
D. Laws and regulations of the country of origin may not be enforceable in the foreign country.
- correct answer D
An enterprise recently developed a breakthrough technology that could provide a significant competitive edge. Which of the following FIRST governs how this information is to be protected from within the enterprise?
A. The data classification policy
B. The acceptable use policy
C. Encryption standards
D. The access control policy
- correct answer A
Malware has been detected that redirects users' computers to web sites crafted specifically for the purpose of fraud. The malware changes domain name system (DNS) server settings, redirecting users to sites under the hackers' control. This scenario BEST describes a:
- correct answer C
What is the MOST effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives?
A. A compliance-oriented gap analysis
B. Interviews with business process stakeholders
C. A mapping of compliance requirements to policies and procedures
D. A compliance-oriented business impact analysis (BIA)
- correct answer D
Which of the following is the BEST way to ensure that an accurate risk register is maintained over time?
A. Monitor key risk indicators (KRIs), and record the findings in the risk register.
B. Publish the risk register centrally with workflow features that periodically poll risk assessors.
C. Distribute the risk register to business process owners for review and updating.
D. Utilize audit personnel to perform regular audits and to maintain the risk register.
- correct answer B
Shortly after performing the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should:
A. analyze what systems and technology-related processes may be impacted.
B. ensure necessary adjustments are implemented during the next review cycle.
C. initiate an ad hoc revision of the corporate policy.
D. notify the system custodian to implement changes.
- correct answer A
Which of the following is the PRIMARY objective of a risk management program?
A. Maintain residual risk at an acceptable level
B. Implement preventive controls for every threat
C. Remove all inherent risk
D. Reduce inherent risk to zero
- correct answer A
Assessing information systems risk is BEST achieved by:
A. using the enterprise's past actual loss experience to determine current exposure.
B. reviewing published loss statistics from comparable organizations.
C. evaluating threats associated with existing information systems assets and information systems projects.
D. reviewing information systems control weaknesses identified in audit reports.
- correct answer C
Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?
A. Performing a business impact analysis (BIA)
B. Considering personal devices as part of the security policy
C. Basing the information security infrastructure on a risk assessment
D. Initiating IT security training and familiarization
- correct answer C
The PRIMARY concern of a risk practitioner reviewing a formal data retention policy is:
A. storage availability.
B. applicable organizational standards.