CRISC Review Questions with correct answers
R1-1 Which of the following is MOST important to determine when defining risk management strategies?
A. Risk assessment criteria
B. IT architecture complexity
C. An enterprise disaster recovery plan
D. Business objectives and operations - correct answer: D is the correct answer.
Justification:
A. Information on the internal and external environment must be collected to define a strategy and identify its impact. Risk assessment criteria alone are not sufficient.
B. IT architecture complexity is more directly related to assessing risk than defining strategies.
C. An enterprise disaster recovery plan is more directly related to mitigating the risk.
D. While defining risk management strategies, the risk practitioner needs to analyze the organization's objectives and risk tolerance and define a risk management framework based on this analysis. Some organizations may accept known risk, while others may invest in and apply mitigating controls to reduce risk.

R1-2 Which of the following is the MOST important information to include in a risk management strategic plan?
A. Risk management staffing requirements
B. The risk management mission statement
C. Risk mitigation investment plans
D. The current state and desired future state - correct answer: D is the correct answer.
Justification:
A. Risk management staffing requirements are generally driven by a robust understanding of the current and desired future state.
B. The risk management mission statement is important but is not an actionable part of a risk management strategic plan.
C. Risk mitigation investment plans are generally driven by a robust understanding of the current and desired future state.
D. It is most important to paint a vision for the future and then draw a road map from the starting point; therefore, this requires that the current state and desired future state be fully understood.

R1-3 Information that is no longer required to support the main purpose of the business from an information security perspective should be:
A. analyzed under the retention policy.
B. protected under the information classification policy.
C. analyzed under the backup policy.
D. protected under the business impact analysis. - correct answer: A is the correct answer.
Justification:
A. Information that is no longer required should be analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required unnecessarily consumes resources; may be in breach of legal and regulatory obligations regarding retention of data; and, in the case of sensitive personal information, can increase the risk of data compromise.
B. The information classification policy should specify retention and destruction of information that is no longer of value to the core business, as applicable.
C. The backup policy is generally based on recovery point objectives. The information classification policy should specify retention and destruction of backup media.
D. A business impact analysis can help determine that this information does not support the main objective of the business, but does not indicate the action to take.

R1-4 An enterprise has outsourced the majority of its IT department to a third party whose servers are in a foreign country. Which of the following is the MOST critical security consideration?
A. A security breach notification may get delayed due to the time difference.
B. Additional network intrusion detection sensors should be installed, resulting in additional cost.
C. The enterprise could be unable to monitor compliance with its internal security and privacy guidelines.
D. Laws and regulations of the country of origin may not be enforceable in the foreign country. - correct answer: D is the correct answer.
Justification:
A. Security breach notification is not a problem. Time difference does not play a role in a 24/7 environment. Mobile devices (smartphones, tablets, etc.) are usually available to communicate a notification.
B. The need for additional network intrusion sensors is a manageable problem that requires additional funding, but can be addressed.
C. Outsourcing does not remove the enterprise's responsibility regarding internal requirements.
D. Laws and regulations of the country of origin may not be enforceable in the foreign country. Conversely, the laws and regulations of the foreign vendor may also affect the enterprise. Potential violation of local laws applicable to the enterprise or the vendor may not be recognized or remedied due to the lack of knowledge of local laws and/or inability to enforce them.

R1-5 An enterprise recently developed a breakthrough technology that could provide a significant competitive edge. Which of the following FIRST governs how this information is to be protected from within the enterprise?
A. The data classification policy
B. The acceptable use policy
C. Encryption standards
D. The access control policy - correct answer: A is the correct answer.
Justification:
A. A data classification policy describes the data classification categories, level of protection to be provided for each category of data and roles and responsibilities of potential users, including data owners.
B. An acceptable use policy is oriented more toward the end user and, therefore, does not specifically address which controls should be in place to adequately protect information.
C. Mandated levels of protection, as defined by the data classification policy, should drive which levels of