CRISC Review Flashcards

1
Q

Risk Assessment involves two specific requirements

A

–Risk Identification: Threat plus Vulnerability - Internal or External / Intentional or Unintentional
–Risk Analysis: Impact on system reliability, security and speed, and the consequence of failing to mitigate identified risks

2
Q

Risk Monitoring is the process that

A

systematically tracks and evaluates the performance of risk mitigation actions

3
Q

The Risk Management structure involves:

A

planning, assessment (identification-analysis), handling, monitoring and mitigation.

4
Q

Threats are characterized as those that are

A

Imminent; those that are Emerging; those that are Consistent and those that are Persistent.

5
Q

Delphi is

A

a security risk assessment and information gathering technique that uses the consensus of subject matter experts to determine mission risk

6
Q

Quantitative Risk Assessment is a process used to

A

analyze numerically the probability of each risk and its consequence on mission objectives

7
Q

Quantitative Risk Assessment Techniques include

A

interviewing, sensitivity analysis, decision tree analysis, and simulation

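
Added example (not part of the flashcards): the simulation and sensitivity-analysis techniques named in card 7, run on a constructed risk scenario. The Poisson event frequency, the lognormal per-event impact and every parameter value are assumptions chosen for illustration, not figures from the CRISC material.

```python
"""Quantitative risk assessment by simulation, with a sensitivity analysis.
Added example; the scenario and its distributions are constructed assumptions."""
import math
import random
import statistics

# Constructed scenario. Event count per year ~ Poisson(annual_frequency);
# loss per event ~ lognormal with the given median and spread (sigma of ln loss).
SCENARIO = {
    "annual_frequency": 0.5,     # expected events per year
    "median_impact": 200_000.0,  # median loss per event, in currency units
    "impact_spread": 0.8,        # larger spread = fatter loss tail
}


def poisson(lam, rng):
    """Knuth's method: count uniform draws until their product drops below e^-lam."""
    limit, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_annual_loss(scenario, years=20_000, seed=1):
    """One simulated total loss per year; the list is the loss distribution."""
    rng = random.Random(seed)
    mu = math.log(scenario["median_impact"])
    losses = []
    for _ in range(years):
        events = poisson(scenario["annual_frequency"], rng)
        losses.append(sum(rng.lognormvariate(mu, scenario["impact_spread"])
                          for _ in range(events)))
    return losses


def summarize(losses):
    ordered = sorted(losses)

    def percentile(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "expected_annual_loss": statistics.fmean(losses),  # probability x impact, averaged
        "p50": percentile(0.50),
        "p95": percentile(0.95),
        "p99": percentile(0.99),
    }


def sensitivity(scenario, factor=1.25, **sim_kwargs):
    """Move each input down and up by `factor`, holding the others fixed, and
    report the change in expected annual loss. The input with the widest swing
    is the estimate worth refining before the number goes into a business case."""
    base = summarize(simulate_annual_loss(scenario, **sim_kwargs))["expected_annual_loss"]
    swings = {}
    for key in scenario:
        deltas = []
        for mult in (1 / factor, factor):
            varied = dict(scenario, **{key: scenario[key] * mult})
            eal = summarize(simulate_annual_loss(varied, **sim_kwargs))["expected_annual_loss"]
            deltas.append(eal - base)
        swings[key] = (min(deltas), max(deltas))
    return base, swings


if __name__ == "__main__":
    stats = summarize(simulate_annual_loss(SCENARIO))
    for name, value in stats.items():
        print(f"{name:>22}: {value:>12,.0f}")
    base, swings = sensitivity(SCENARIO)
    print(f"\nsensitivity around expected annual loss {base:,.0f}:")
    for key, (low, high) in swings.items():
        print(f"{key:>22}: {low:>+12,.0f} .. {high:>+12,.0f}")
```

A qualitative rating of this scenario would say "low likelihood, high impact" and stop. The simulation shows the shape of the loss: the median year has no loss at all, while the p95 and p99 years are what a contingency budget has to absorb. The sensitivity table shows which input moves the expected loss the most and therefore deserves more data collection before the figure is used to justify a control.
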
8
Q

Qualitative risk analysis is the process of

A

assessing the impact and likelihood of identified risks: what is the probability that the risk will occur, and what is the consequence to mission objectives

9
Q

The focus of mission centric Risk Analysis should be based on

A

the economic balance between the impact of risks and the cost of protective measures

10
Q

Threat and vulnerability assessments typically evaluate

A

all elements of a business process for threats and vulnerabilities and identify the likelihood of occurrence and the business impact if the threats were to be realized

11
Q

While defining risk management strategies, the risk control professional needs to

A

analyze the organization's objectives and risk tolerance and define a risk management framework based on this analysis

12
Q

The risk assessment is used to

A

identify and evaluate the impact of failure on critical business processes and to determine time frames, priorities, resources and interdependencies

13
Q

Countermeasures are selected by

A

Risk Managers and can counter attacks, reduce inherent risks, resolve vulnerabilities and improve the state of security

14
Q

Determining manual or automated test and evaluation processes should be based on

A

organizational requirements

15
Q

Accepting the Residual Risk is central to

A

the accreditation authority's decision

16
Q

Security Features Assessment

A

Verify/Validate effectiveness of security controls (technical/non-technical)

17
Q

It is most important to paint a vision for

A

the future and then draw a road map from the starting point – this requires that the current state and desired future state be fully understood.

18
Q

Transferring risk involves

A

shifting some or all of the negative impact of a threat, along with ownership of the response, to a third party (e.g., an insurer or outsourcer); accountability for the risk itself stays with the enterprise

19
Q

Identifying the appropriate Risk Analysis tool requires

A

identifying the requirement, determining how data will be collected, identifying an analytical methodology and determining the return on investment (ROI)

20
Q

Residual Risk can be mitigated by

A

eliminating or reducing the impact of a system threat/vulnerability pair, adding targeted controls to reduce the capability and motivation of a threat source, and reducing the magnitude of the adverse impact

21
Q

Risk Management focuses on

A

stipulating Information protection security policy, standards and guidelines and helps to ensure System Security Policies are up-to-date to ensure all significant risks are addressed

22
Q

Information that is no longer required should be

A

analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons

23
Q

Laws and regulations of the country of origin may not be

A

enforceable in the foreign country

24
Q

the laws and regulations of a foreign outsourcer may

A

also impact the enterprise

25
Q

Information security governance models are

A

highly dependent on the complexity of the organizational structure

26
Q

Data owners are responsible for

A

assigning user entitlement changes and approving access to the systems for which they are responsible.

27
Q

A data classification policy describes

A

the data classification categories; levels of protection; and roles and responsibilities of potential users including data owners

28
Q

The primary benefit of classifying information assets is

A

to identify controls that are proportional to the risks

29
Q

Risk is constantly changing. Evaluating risk

A

annually, or whenever there is a significant change, balances a reasonable review time frame with the flexibility to address significant changes as they occur

30
Q

Risk evaluation should take into consideration

A

the potential size and likelihood of the loss

31
Q

A compliance-oriented BIA will

A

identify all of the compliance requirements to which the enterprise has to align and their impacts on business objectives and activities.

32
Q

For IT to be successful in delivering against business requirements, management should

A

develop an internal control system that will make a link to the business process

33
Q

Contingency planning provides both

A

preventive and recovery controls

34
Q

Program Risk Management is the ability

A

to assess security needs and capabilities, select appropriate safeguards, implement required controls, select adequate test controls, implement and manage changes and accept residual risk

35
Q

Risk consequences place

A

people at risk, can place system continuity and information at risk, can place organizational mission at risk and can place organizational reputation at risk (difficult to quantify)

36
Q

Risk Assessment performed as part of the contingency response must

A

consider all possible threats, must assess the potential impact of a loss, must evaluate critical organizational needs and must establish recovery priorities

37
Q

Using a list of possible scenarios with threats and impacts will

A

better frame the range of risk and facilitate a more informed discussion and decision

38
Q

A knowledge management platform with workflow and polling features will

A

automate the process of maintaining the risk register

39
Q

The value of the server should be based on

A

its replacement cost; however, the financial impact to the enterprise may be much broader, based on the function that the server performs for the business and the value it brings to the enterprise

40
Q

Social engineering is the act of

A

manipulating people into divulging confidential information or performing actions that allow an unauthorized individual to gain access to sensitive information and/or systems

41
Q

What provides the best measure of the risk to an asset

A

The product of the probability and magnitude of the impact

42
Q

Background screening is the most suitable method for

A

assuring the integrity of a prospective staff member

43
Q

Without a policy defining who has the responsibility for granting access to specific data or systems there is

A

an increased risk that one could gain unauthorized access

44
Q

Threat sources can originate from

A

foreign (nation) states with hostile intentions, terrorist groups, activists (hacktivists) conducting publicity-seeking attacks, criminals engaged in electronic crime, hackers, crackers, virus writers and even script kiddies; the main source, however, is disgruntled employees (authorized users with legitimate access)

45
Q

Attack avenues include attacks through

A

an internal LAN, attacks through a trust-relationship, attacks through physical access, attacks from the insider

46
Q

The lack of adequate controls represents

A

A vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers

47
Q

What is the objective of risk management (RM)

A

Ensuring that all residual risk is maintained at a level acceptable to the business

48
Q

Acceptance of a risk is an alternative to be considered

A

in the risk response process

49
Q

After putting into place an effective risk management program, the remaining risk is called

A

residual risk

50
Q

Residual risk is

A

any risk remaining after appropriate controls or countermeasures have been implemented to mitigate the target risk.

51
Q

An enterprise may decide to accept a specific risk because

A

the protection would cost more than the potential loss

52
Q

A risk assessment should be conducted to clarify

A

the risk whenever the company’s policies cannot be followed

53
Q

The manager needs to base the proposed risk response on a

A

risk evaluation, the business need and the requirements for the enterprise

54
Q

Risk should be reduced to a level

A

that an organization is willing to accept

55
Q

Organizational requirements should determine

A

when a risk has been reduced to an acceptable level

56
Q

Risk control professionals should use risk assessment techniques to

A

justify and implement a risk mitigation strategy as efficiently as possible

57
Q

Effective risk management requires

A

participation, support and acceptance by all applicable members of the enterprise, beginning with the executive levels

58
Q

Typically, when the probability of an incident is low, but the impact is high, risk is

A

transferred to another entity (e.g. insurance company)

59
Q

The Total Cost of Ownership (TCO) is

A

the most relevant piece of information to be included in the CBA because it establishes a cost baseline that must be considered for the full life cycle of the control

60
Q

When the cost of the control is more than the cost of the potential impact, the risk should

A

be accepted
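
Added example, not from the flashcards: a cost-benefit check for a single control that applies card 59 (total cost of ownership over the full life cycle) and card 60 (accept the risk when the control costs more than the impact it avoids). It assumes the potential impact is expressed as an annualized loss expectancy, i.e. probability times impact per year; the control and all of its figures are constructed.

```python
"""Cost-benefit analysis of a control over its full life cycle (TCO), with the
accept-or-mitigate rule from the flashcards. Added example; figures constructed.
Assumes the avoided impact is expressed as annualized loss expectancy (ALE):
probability of the event per year times the magnitude of its impact."""
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    acquisition_cost: float      # one-time purchase and implementation
    annual_run_costs: list       # licensing, staffing, maintenance per year of life
    ale_avoided: float           # reduction in annualized loss expectancy while it operates

    @property
    def lifecycle_years(self):
        return len(self.annual_run_costs)

    def tco(self):
        """Total cost of ownership: acquisition plus every year of running it."""
        return self.acquisition_cost + sum(self.annual_run_costs)

    def annualized_tco(self):
        return self.tco() / self.lifecycle_years

    def annual_net_benefit(self):
        return self.ale_avoided - self.annualized_tco()


def purchase_price_decision(control):
    """The misleading view: acquisition cost against loss avoided over the life cycle."""
    avoided = control.ale_avoided * control.lifecycle_years
    return "mitigate" if control.acquisition_cost < avoided else "accept"


def tco_decision(control):
    """Card 60's rule with the full life-cycle cost: if the control costs more
    than the impact it avoids, accept the risk instead of buying the control."""
    return "mitigate" if control.annual_net_benefit() > 0 else "accept"


# Constructed example: cheap to buy, expensive to run for five years.
EXAMPLE_CONTROL = Control(
    name="gateway appliance (constructed)",
    acquisition_cost=50_000,
    annual_run_costs=[65_000] * 5,
    ale_avoided=70_000,
)

if __name__ == "__main__":
    c = EXAMPLE_CONTROL
    print(f"{c.name}: TCO {c.tco():,.0f} over {c.lifecycle_years} years, "
          f"{c.annualized_tco():,.0f}/year vs {c.ale_avoided:,.0f}/year avoided")
    print("purchase-price view:", purchase_price_decision(c))
    print("TCO view:           ", tco_decision(c))
```

The two decision functions disagree on the constructed control: judged on its purchase price it looks like a bargain against five years of avoided loss, but once the run costs are included its annualized cost exceeds the loss it prevents, and the rule from card 60 says to accept the risk. That flip is why card 59 calls TCO the most relevant input to the business case.
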

61
Q

Insurance can compensate an enterprise for

A

an entire loss or a financial risk (it is a form of risk transfer)

62
Q

The primary reason for initiating a policy exception process is

A

when the risk is justified by the benefit

63
Q

The risk register details

A

all identified risks, including description, category, cause, probability, impact, proposed responses, owners and current state

64
Q

Risk is constantly changing, so a previously conducted risk assessment may not include

A

risk that has been introduced since the last assessment

65
Q

Without identifying new risk, other procedures will

A

only be useful for a limited period

66
Q

A network vulnerability assessment intends to identify

A

known vulnerabilities that are based on common misconfigurations and missing updates

67
Q

Security design flaws require

A

a deeper level of analysis than a vulnerability scan provides

68
Q

Accepted risk should be reviewed

A

regularly to ensure that the initial risk acceptance rationale is still valid within the current business context

69
Q

What is the most effective way to deal with fraud risk

A

Implementing monitoring techniques that will detect and deal with potential fraud cases

70
Q

A successful risk management practice minimizes

A

the residual risk to the enterprise

71
Q

The enterprise should first assess the likelihood of a similar incident occurring based on

A

available information

72
Q

Not reporting an intrusion is equivalent to

A

hiding a malicious intrusion

73
Q

What is not a mandatory part of incident reporting and depends on enterprise policy

A

Reporting to the public (subject to any breach-notification laws that apply to the enterprise)

74
Q

What would make it impossible to locate a data warehouse containing customer information in another country

A

Privacy laws prohibiting the cross-border flow of PII

75
Q

What is the first step when developing a risk monitoring program

A

Conducting a capability assessment

76
Q

End-user-developed applications may not be

A

subject to an independent outside review by systems analysts and, frequently, are not created in the context of a formal development methodology

77
Q

What introduces the risk of allowing high-risk (unmanaged) computers onto the enterprise's network

A

A VPN implementation, because remote endpoints that are not under the enterprise's control are given access to the internal network

78
Q

Qualitative (impact) risk assessment methods include using

A

interviewing and the Delphi method

79
Q

A risk register provides a report of

A

all current identified risk within an enterprise, including compliance risk, with the status of the corrective actions or exceptions that are associated with them

80
Q

Risk reporting is an activity that is part of

A

risk monitoring

81
Q

An independent benchmark of capabilities will allow

A

an enterprise to understand its level of capability compared to other organizations within its industry

82
Q

Capability maturity modeling allows an enterprise to

A

understand its level of maturity in its risk capabilities, which is an indicator of operational readiness and effectiveness

83
Q

The most important factor when designing IS controls is that they

A

advance the interests of the business by addressing stakeholder requirements

84
Q

Investments in risk management technologies should be based on

A

a value analysis and a sound business case

85
Q

It is more efficient to

A

establish a baseline standard and then develop additional standards for locations that must meet specific requirements

86
Q

Recovery Time Objectives are a primary deliverable of a

A

BIA

87
Q

The data owner is responsible for

A

applying the proper classification to the data

88
Q

Privacy protection is necessary to ensure

A

that the receiving party has the appropriate level of protection for personal data

89
Q

Establishing an Acceptable Use Policy (AUP) is the best measure for

A

preventing data leakage

90
Q

Role-Based-Access-Controls provide access according to

A

business needs and provide the most effective measure to protect against the insider threat

91
Q

Periodic security reviews are the best way to ensure that contract programmers comply with

A

organizational security policies

92
Q

A mail relay should normally be placed

A

within a DMZ to shield the internal network

93
Q

Establishing predetermined, automatic expiration dates is the best way to enhance

A

the removal of system access for contractors and other temporary users

94
Q

PKI

A

combines public key encryption with a trusted third party (a certification authority) that publishes and revokes digital certificates binding a public key to the identity of its holder

95
Q

What is the most effective way to prevent external security risks

A

Network address translation (NAT), which hides internal addresses from external parties; it complements rather than replaces firewall filtering and host hardening

96
Q

What provides the most effective protection of data on mobile devices

A

Encryption

97
Q

When configuring a biometric access control system that protects a high-security data center the system’s sensitivity level should be set to

A

a lower false accept rate (FAR), which necessarily means a higher false reject rate (FRR): in a high-security setting, turning away some legitimate users is preferable to admitting an impostor.
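
Added example, not from the flashcards: what card 97's answer means in numbers. The matcher scores for genuine users and impostors are constructed (normal distributions with assumed means and spreads, not real biometric data); the code shows that raising the decision threshold lowers the false accept rate only by raising the false reject rate, and picks the threshold that meets a chosen FAR ceiling.

```python
"""Biometric threshold trade-off: false accept rate (FAR) vs. false reject rate (FRR).
Added example; the score distributions below are constructed, not real biometric data."""
import random


def constructed_scores(n=5000, seed=7):
    """Assumed matcher: higher score = closer match. Genuine users cluster high,
    impostors low, with enough overlap that no threshold is perfect."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.75, 0.10) for _ in range(n)]
    impostor = [rng.gauss(0.40, 0.12) for _ in range(n)]
    return genuine, impostor


def rates(genuine, impostor, threshold):
    """FAR: impostors accepted (score >= threshold).
    FRR: genuine users rejected (score < threshold)."""
    far = sum(score >= threshold for score in impostor) / len(impostor)
    frr = sum(score < threshold for score in genuine) / len(genuine)
    return far, frr


def threshold_for_max_far(impostor, max_far):
    """Lowest threshold whose FAR is at or below the ceiling. With continuous
    scores (no ties) the result accepts exactly the tolerated number of impostors;
    a ceiling that tolerates none puts the threshold just above the best impostor."""
    ordered = sorted(impostor)
    allowed = int(max_far * len(ordered))   # impostor accepts we can tolerate
    if allowed == 0:
        return ordered[-1] + 1e-9
    return ordered[len(ordered) - allowed]


def sweep(genuine, impostor, thresholds=(0.45, 0.55, 0.65, 0.75, 0.85)):
    """(threshold, FAR, FRR) rows showing the two error rates moving in opposite directions."""
    return [(t, *rates(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    g, i = constructed_scores()
    print(" threshold    FAR      FRR")
    for t, far, frr in sweep(g, i):
        print(f"   {t:.2f}     {far:7.2%}  {frr:7.2%}")
    strict = threshold_for_max_far(i, max_far=0.001)
    far, frr = rates(g, i, strict)
    print(f"FAR <= 0.1% needs threshold {strict:.3f}: FAR {far:.2%}, FRR {frr:.2%}")
```

The sweep makes the card's point concrete: each step up in threshold removes impostors from the accepted set and, at the same time, pushes more genuine users below the line. For a high-security data centre the FAR ceiling is set first and the resulting FRR is accepted as the operating cost, which is why the sensitivity is described as "a higher false reject rate".
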

98
Q

Encryption of stored data will help ensure

A

the actual data cannot be recovered without the encryption key

99
Q

Understanding the security architecture is important in

A

managing complex information infrastructures

100
Q

Control effectiveness requires a process to

A

verify test results and intended objectives to verify that the control process works as intended

101
Q

In regards to Outsourced service providers, system auditing is an effective way to ensure

A

that outsourced service providers comply with the enterprise’s information security policy.

102
Q

What should be updated frequently as new software is released

A

Information security policies and procedures

103
Q

What is used to determine whether unauthorized modifications were made to production programs, thereby verifying that change management was followed

A

Compliance testing

104
Q

Continuous monitoring is effective when

A

incidents have a high impact and frequency

105
Q

What is the most useful metric for monitoring violation logs

A

Penetration attempts investigated

106
Q

The optimum time to perform a penetration test is

A

after changes are made to the infrastructure because they may inadvertently introduce new exposures.

107
Q

Performing regular penetration tests ensures

A

that a network remains adequately secured against external attacks; each test is a point-in-time check, which is why regular repetition matters.

108
Q

The effectiveness of organizational awareness programs is best measured by

A

a quantitative (impact) evaluation to ensure user comprehension

109
Q

What ensures a proper understanding of risk and success criteria

A

A clearly stated definition of scope

110
Q

A CMM can assist a risk manager in

A

measuring the existing level of risk processes against their desired state

111
Q

Methodology illustrates

A

the process and formulates the basis to align expectations and the execution of the assessment

112
Q

Conducting security code reviews for the entire SW application can

A

effectively identify software “back-doors”

113
Q

What can be quickly identified by conducting an automated code comparison

A

Unauthorized code modifications
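
Added example, not from the flashcards: the automated code comparison of card 113 (which also serves card 112's point about finding back doors), implemented as a SHA-256 manifest of the approved release compared against the production copy. The directory layout, file contents and the hard-coded password check planted in the production copy are all constructed for the demonstration.

```python
"""Detect unauthorized modifications to production programs by comparing a
hash manifest of the approved release against the deployed copy.
Added example; the file tree and its contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative, POSIX-style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(approved, deployed):
    """Anything added, removed or changed relative to the approved release
    is a modification that did not go through change management."""
    common = approved.keys() & deployed.keys()
    return {
        "added": sorted(deployed.keys() - approved.keys()),
        "removed": sorted(approved.keys() - deployed.keys()),
        "modified": sorted(p for p in common if approved[p] != deployed[p]),
    }


APPROVED_SOURCES = {  # constructed release contents
    "app/login.py": "def login(user, pw):\n    return check(user, pw)\n",
    "app/util.py": "def check(user, pw):\n    return verify(user, pw)\n",
}


def write_tree(root, files):
    for rel, text in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


def demo():
    """Constructed scenario: production has an extra file and a login.py that
    gained a hard-coded bypass outside change management."""
    with tempfile.TemporaryDirectory() as tmp:
        release, prod = Path(tmp, "release"), Path(tmp, "prod")
        write_tree(release, APPROVED_SOURCES)
        approved = build_manifest(release)   # taken at release time, kept read-only
        tampered = dict(APPROVED_SOURCES)
        tampered["app/login.py"] = ("def login(user, pw):\n"
                                    "    if pw == 'letmein':  # planted bypass (constructed)\n"
                                    "        return True\n"
                                    "    return check(user, pw)\n")
        tampered["app/debug.py"] = "import os\n"
        write_tree(prod, tampered)
        return compare_manifests(approved, build_manifest(prod))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

The manifest must be produced from the release that change management approved and stored where the production administrators cannot rewrite it; otherwise the comparison only proves that production matches itself. The comparison flags the changed and added files in seconds, and the review in card 112 is then focused on those files rather than on the whole application.
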

114
Q

Conducting a physical count of tape inventory provides

A

a substantive test of completeness.

115
Q

System owners should be notified immediately when

A

a vulnerability within a trusted system or component is identified

116
Q

What can be monitored through “honey-pots”

A

Hacker activity

117
Q

Server sampling can verify

A

antivirus (NAV) signatures are current

118
Q

Risk impact can be determined based on

A
  • known risks (those that can be easily identified)
  • known unknown (an identifiable uncertainty)
  • unknown (risks that are known to exist but whose impact is not known) and
  • unknown unknown risks (existence has yet to be encountered).
119
Q

Incident evaluation involves

A

identification, analysis, assessment, response, recovery, and reporting.

120
Q

Risk Assessment performed as part of the contingency response must consider

A
  • all possible threats,
  • must assess the potential impact a loss of CIA,
  • must evaluate critical organizational needs and
  • must establish recovery priorities.
121
Q

Risk-Based Auditing requires

A
  • identifying threats;
  • identifying vulnerabilities;
  • identifying assets; and
  • identifying countermeasures
122
Q

To assess IT risk, what needs to be evaluated, and using which approaches

A

threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches

123
Q

A properly configured information security infrastructure should be based on

A

a comprehensive risk assessment.

124
Q

The primary concern of a comprehensive data retention policy should focus on

A

business requirements

125
Q

Configuration management failures are the most likely source of information security weaknesses, through

A

misconfiguration and failure to update OS code correctly and on a timely basis.

126
Q

BIA should include the examination of

A

risk, incidents and interdependencies as part of the activity to identify impact to business objectives.

127
Q

What is the first step necessary to understand the impact and requirement of new regulations

A

Assessing whether existing controls meet requirements

128
Q

The most useful metric is one that measures

A

the degree to which complete follow-through has taken place.

129
Q

What are most likely to inadvertently introduce new exposures

A

Changes in the system infrastructure

130
Q

To truly judge effectiveness of user awareness training some means of

A

measurable testing is necessary to confirm user comprehension

131
Q

To correct the vulnerabilities, the system owner needs to

A

be notified quickly before an incident can take place.

132
Q

What is the best choice for diverting an attacker away from critical files and alerting security to the attacker's presence

A

Honeypots

133
Q

The only effective way to check the currency of signature files is to

A

look at a sample of servers.

134
Q

Monitoring tools can focus on:

A

Transaction Data; Conditions; Changes; Process Integrity; Error management; and Continuous Monitoring.

135
Q

Strategic Planning involves the annual evaluation of

A

the maturity of controls and provides a barometer of controls in their current state, a comparison to previous periods and the target maturity level.

136
Q

Advanced Persistent Threat is

A

a Threat Source that has both the capability and the intent to persistently and effectively target a critical information infrastructure.

137
Q

A Continuous Risk Management (CRM) process provides

A

a disciplined and documented approach to risk management throughout the system life cycle by facilitating Identification; Planning; Analysis; Tracking and Controlling risk activities.

138
Q

Risk reporting content must be

A

clear; concise; useful; timely; aimed at the target audience; and available on a need-to-know basis

139
Q

Risk-Based Auditing Methodologies requires

A

preparation, assessment, mitigation, reporting and follow-up.