CRISC Review

Question 1

Risk Assessment involves two specific requirements

Answer 1

–Risk Identification: Threat plus Vulnerability - Internal or External / Intentional or Unintentional
–Risk Analysis: Impact on system reliability, security and speed and consequence of failure to mitigate identified risks

Question 2

Risk Monitoring is the process that

Answer 2

systematically tracks and evaluates the performance of risk mitigation actions

Question 3

The Risk Management structure involves:

Answer 3

planning, assessment (identification-analysis), handling, monitoring and mitigation.

Question 4

Threats are characterized as those that are

Answer 4

Imminent; those that are Emerging; those that are Consistent and those that are Persistent.

Question 5

Delphi is

Answer 5

a security risk assessment and information gathering technique that uses the consensus of subject matter experts to determine mission risk

Question 6

Quantitative Risk Assessment is a process used to

Answer 6

analyze numerically the probability of each risk and its consequence on mission objectives

Question 7

Quantitative Risk Assessment Techniques include

Answer 7

interviewing, sensitivity analysis, decision tree analysis, and simulation

Question 8

Qualitative risk analysis is the process of

Answer 8

assessing the impact and likelihood of identified risks. What is the the probability and likelihood that the risk will occur and what is the consequence to mission objectives

Question 9

The focus of mission centric Risk Analysis should be based on

Answer 9

the economic balance between the impact of risks and the cost of protective measures

Question 10

Threat and vulnerability assessments typically evaluate

Answer 10

all elements of a business process for threats and vulnerabilities and identify the likelihood of occurrence and the business impact if the threats were to be realized

Question 11

While defining risk management strategies, the risk control professional needs to

Answer 11

analyze the organizations objectives and risk tolerance and define a risk management framework based on this analysis

Question 12

The risk assessment is used to

Answer 12

identify and evaluate the impact of failure on critical business processes and to determine time frames, priorities, resources and interdependencies

Question 13

Countermeasures are selected by

Answer 13

Risk Managers and can counter attacks, reduce inherent risks, resolve vulnerabilities and improve the state of security

Question 14

Determining manual or automated test and evaluation processes should be based on

Answer 14

organizational requirements

Question 15

Accepting the Residual Risk is central to

Answer 15

the accreditation authorities decision

Question 16

Security Features Assessment

Answer 16

Verify/Validate effectiveness of security controls (technical/non-technical)

Question 17

It is most important to paint a vision for

Answer 17

the future and then draw a road map from the starting point – this requires that the current state and desired future state be fully understood.

Question 18

Transferring risk involves

Answer 18

shifting some or all of the negative impact of a threat along with ownership to a third party

Question 19

Identifying the appropriate Risk Analysis tool requires

Answer 19

identifying the requirement, determination, determining data collection, identifying an analytical methodology and determining ROI

Question 20

Residual Risk can be mitigated by

Answer 20

eliminating or reducing the impact of system threat/vulnerability pair, adding targeted controls to reduce the capacity and motivation of a threat-source, reducing the magnitude of the adverse impact

Question 21

Risk Management focus on

Answer 21

stipulating Information protection security policy, standards and guidelines and helps to ensure System Security Policies are up-to-date to ensure all significant risks are addressed

Question 22

Information that is no longer required should be

Answer 22

analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons

Question 23

Laws and regulations of the country of origin may not be

Answer 23

enforceable in the foreign country

Question 24

the laws and regulations of a foreign outsourcer may

Answer 24

also impact the enterprise

Question 25

Information security governance models are

Answer 25

highly dependent on the complexity of the organizational structure

Question 26

Data owners are responsible for

Answer 26

assigning user entitlement changes and approving access to the systems for which they are responsible.

Question 27

A data classification policy describes

Answer 27

the data classification categories; levels of protection; and roles and responsibilities of potential users including data owners

Question 28

The primary benefit of classifying information assets is

Answer 28

to identify controls that are proportional to the risks

Question 29

Risk is constantly changing. Evaluating risk

Answer 29

annually or when there is a significant change should take into consideration a reasonable time frame while allowing flexibility to address significant changes

Question 30

Risk evaluation should take into consideration

Answer 30

the potential size and likelihood of the loss

Question 31

A compliance-oriented BIA will

Answer 31

identify all of the compliance requirements to which the enterprise has to align and their impacts on business objectives and activities.

Question 32

For IT to be successful in delivering against business requirements, management should

Answer 32

develop an internal control system that will make a link to the business process

Question 33

Contingency planning provides both

Answer 33

preventive and recovery controls

Question 34

Program Risk Management is the ability

Answer 34

to assess security needs and capabilities, select appropriate safeguards, implement required controls, select adequate test controls, implement and manage changes and accept residual risk

Question 35

Risk consequences place

Answer 35

people at risk, can place system continuity and information at risk, can place organizational mission at risk and can place organizational reputation at risk (difficult to quantify)

Question 36

Risk Assessment performed as part of the contingency response must

Answer 36

consider all possible threats, must assess the potential impact of a loss, must evaluate critical organizational needs and must establish recovery priorities

Question 37

Using a list of possible scenarios with threats and impacts will

Answer 37

better frame the range of risk and facilitate a more informed discussion and decision

Question 38

A knowledge management platform with workflow and polling features will

Answer 38

automate the process of maintaining the risk register

Question 39

The value of the server should be based on

Answer 39

its replacement cost; however, the financial impact to the enterprise may be much broader, based on the function that the server performs for the business and the value it brings to the enterprise

Question 40

Social engineering is the act of

Answer 40

manipulating people into divulging confidential information or performing actions that allow an unauthorized individual to gain access to sensitive information and/or systems

Question 41

What provides the best measure of the risk to an asset

Answer 41

The product of the probability and magnitude of the impact

Question 42

Background screening is the most suitable method for

Answer 42

assuring the integrity of a prospective staff member

Question 43

Without a policy defining who has the responsibility for granting access to specific data or systems there is

Answer 43

an increased risk that one could gain unauthorized access

Question 44

Threat sources can originate from

Answer 44

Foreign (Nation) States with hostile intentions, terrorist threat groups, activists (Hacktivists) conducting publicity-seeking attacks, criminals engaged in electronic crime, hackers, crackers, virus writers and even Script Kiddies but the main source disgruntled employees (authorized users)

Question 45

Attack avenues include attacks through

Answer 45

an internal LAN, attacks through a trust-relationship, attacks through physical access, attacks from the insider

Question 46

The lack of adequate controls represents

Answer 46

A vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers

Question 47

What’s the objective of RM

Answer 47

Ensuring that all residual risk is maintained at a level acceptable to the business

Question 48

Acceptance of a risk is an alternative to be considered

Answer 48

in the risk response process

Question 49

After putting into place an effective risk management program, the remaining risk is called

Answer 49

residual risk

Question 50

Residual risk is

Answer 50

any risk remaining after appropriate controls or countermeasures have been implemented to mitigate the target risk.

Question 51

An enterprise may decide to accept a specific risk because

Answer 51

the protection would cost more than the potential loss

Question 52

A risk assessment should be conducted to clarify

Answer 52

the risk whenever the company’s policies cannot be followed

Question 53

The manager needs to base the proposed risk response on a

Answer 53

risk evaluation, the business need and the requirements for the enterprise

Question 54

Risk should be reduced to a level

Answer 54

that an organization is willing to accept

Question 55

Organizational requirements should determine

Answer 55

determine when a risk has been reduced to an acceptable level

Question 56

Risk control professionals should use risk assessment techniques to

Answer 56

justify and implement a risk mitigation strategy as efficiently as possible

Question 57

Effective risk management requires

Answer 57

participation, support and acceptance by all applicable members of the enterprise, beginning with the executive levels

Question 58

Typically, when the probability of an incident is low, but the impact is high, risk is

Answer 58

transferred to another entity (e.g. insurance company)

Question 59

The Total Cost of Ownership (TCO) is

Answer 59

the most relevant piece of information to be included in the CBA because it establishes a cost baseline that must be considered for the full life cycle of the control

Question 60

When the cost of control is more that the cost of the potential impact, the risk should

Answer 60

be accepted

Question 61

An insurance can compensate an enterprise for

Answer 61

an entire loss or financial risk

Question 62

The primary reason for initiating a policy exception process is

Answer 62

when the risk is justified by the benefit

Question 63

The risk register details

Answer 63

all identified risks, including description, category, cause, probability, impact, proposed responses, owners and current state

Question 64

Risk is constantly changing, so a previously conducted risk assessment may not include

Answer 64

measured risk that has been introduced since the last assessment

Question 65

Without identifying new risk, other procedures will

Answer 65

only be useful for a limited period

Question 66

A network vulnerability assessment intends to identify

Answer 66

known vulnerabilities that are based on common misconfigurations and missing updates

Question 67

Security design flaws require

Answer 67

a deeper level analysis

Question 68

Accepted risk should be reviewed

Answer 68

regularly to ensure that the initial risk acceptance rationale is still valid within the current business context

Question 69

What is the mose effective way to deal with risk

Answer 69

Implementing monitoring techniques that will detect and deal with potential fraud cases

Question 70

A successful risk management practice minimizes

Answer 70

the residual risk to the enterprise

Question 71

The enterprise should first assess the likelihood of a similar incident occurring based on

Answer 71

available information

Question 72

Not reporting an intrusion is equivalent to

Answer 72

hiding a malicious intrusion

Question 73

What is not a requirement and is dependent on the enterprise policy

Answer 73

Reporting to the public

Question 74

What would make it impossible to locate a data warehouse containing customer information in another country.

Answer 74

Privacy laws prohibiting the cross-border flow of PII

Question 75

What is the first step when developing a risk monitoring program

Answer 75

Conducting a capability assessment

Question 76

End-user-developed applications may not be

Answer 76

subject to an independent outside review by systems analysts and, frequently, are not created in the context of a formal development methodology

Question 77

What is a risk of allowing high-risk computers onto the enterprise’s network

Answer 77

a VPN implementation

Question 78

Qualitative (impact) risk assessment methods include using

Answer 78

interviewing and the Delphi method

Question 79

A risk register provides a report of

Answer 79

all current identified risk within an enterprise, including compliance risk, with the status of the corrective actions or exceptions that are associated with them

Question 80

Risk reporting is the only activity that is part of

Answer 80

risk monitoring

Question 81

An independent benchmark of capabilities will allow

Answer 81

an enterprise to understand its level of capability compared to other organizations within its industry

Question 82

Capability maturity modeling allows an enterprise to

Answer 82

understand its level of maturity in its risk capabilities, which is an indicator of operational readiness and effectiveness

Question 83

The most important factor when designing IS controls is that they

Answer 83

advance the interests of the business by addressing stakeholder requirements

Question 84

Investments in risk management technologies should be based on

Answer 84

a value analysis and a sound business case

Question 85

IT is more efficient to

Answer 85

establish a baseline standard and then develop additional standards for locations that must meet specific requirements

Question 86

Recovery Time Objectives are a primary deliverable of a

Answer 86

BIA

Question 87

The data owner is responsible for

Answer 87

applying the proper classification to the data

Question 88

Privacy protection is necessary to ensure

Answer 88

that the receiving party has the appropriate level of protection for personal data

Question 89

Establishing an Acceptable Use Policy (APU) is the best measure for

Answer 89

preventing data leakage

Question 90

Role-Based-Access-Controls provide access according to

Answer 90

business needs and provide the most effective measure to protect against the insider threat

Question 91

Periodic security reviews are the best way to ensure that contract programmers comply with

Answer 91

organizational security policies

Question 92

A mail relay should normally be placed

Answer 92

within a DMZ to shield the internal network

Question 93

Establishing predetermined, automatic expiration dates is the best way to enhance

Answer 93

the removal of system access for contractors and other temporary users

Question 94

PKI

Answer 94

combines public key encryption with a trusted third party to publish and revoke digital certificates that contain the public key of the sender

Question 95

What is the most effective way to prevent external security risks

Answer 95

Network address translation

Question 96

What provides the most effective protection of data on mobile devices

Answer 96

Encryption

Question 97

When configuring a biometric access control system that protects a high-security data center the system’s sensitivity level should be set to

Answer 97

a higher false reject rate.

Question 98

Encryption of stored data will help ensure

Answer 98

the actual data cannot be recovered without the encryption key

Question 99

Understanding the security architecture is important in

Answer 99

managing complex information infrastructures

Question 100

Control effectiveness requires a process to

Answer 100

verify test results and intended objectives to verify that the control process works as intended

Question 101

In regards to Outsourced service providers, system auditing is an effective way to ensure

Answer 101

that outsourced service providers comply with the enterprise’s information security policy.

Question 102

What should be updated frequently as new software is released

Answer 102

Information security policies and procedures

Question 103

What is used to help verify change management is used to determine whether unauthorized modification were made to production programs.

Answer 103

Compliance testing

Question 104

Continuous monitoring is effective when

Answer 104

incidents have a high impact and frequency

Question 105

What is the most useful metric for monitoring violation logs.

Answer 105

Penetration attempts investigation

Question 106

The optimum time to perform a penetration test is

Answer 106

after changes are made to the infrastructure because they may inadvertently introduce new exposures.

Question 107

Performing regular penetration tests ensures

Answer 107

that a network is adequately secured against external attacks.

Question 108

The effectiveness of organizational awareness programs is best measured by

Answer 108

a quantitative (impact) evaluation to ensure user comprehension

Question 109

What ensures a proper understanding of risk and success criteria

Answer 109

A clearly stated definition of scope

Question 110

A CMM can assist a risk manager in

Answer 110

measuring the existing level of risk processes against their desired state

Question 111

Methodology illustrates

Answer 111

the process and formulates the basis to align expectations and the execution of the assessment

Question 112

Conducting security code reviews for the entire SW application can

Answer 112

effectively identify software “back-doors”

Question 113

What can be quickly identified by conducting an automated code comparison.

Answer 113

Unauthorized code modifications

Question 114

By conducting a physical count of tape inventory provides

Answer 114

a substantive test of completeness.

Question 115

System owners should be notified immediately when

Answer 115

a vulnerability within a trusted system or component is identified

Question 116

What can be monitored through “honey-pots”

Answer 116

Hacker activity

Question 117

Server sampling can verify

Answer 117

NAV signatures are current

Question 118

Risk impact can be determined based on

Answer 118

• known risks (those that can be easily identified)
• known unknown (an identifiable uncertainty)
• unknown (risks that are known but do not know what their impact) and
• unknown unknown risks (existence has yet to be encountered).

Question 119

Incident evaluation involves

Answer 119

identification, analysis, assessment, response, recovery, and reporting.

Question 120

Risk Assessment performed as part of the contingency response. must consider

Answer 120

• all possible threats,
• must assess the potential impact a loss of CIA,
• must evaluate critical organizational needs and
• must establish recovery priorities.

Question 121

Risk-Based Auditing requires

Answer 121

• identifying threats;
• identifying vulnerabilities;
• identifying assets; and
• identifying countermeasures

Question 122

To asses IT risk what needs to be evaluated using what approaches

Answer 122

threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches

Question 123

A properly configured information security infrastructure should be based on

Answer 123

a comprehensive risk assessment.

Question 124

The primary concern of a comprehensive data retention policy should focus on

Answer 124

business requirements

Question 125

Configuration Management provides the greatest likelihood of information security weaknesses through

Answer 125

misconfiguration and failure to update OS code correctly and on a timely basis.

Question 126

BIA should include the examination of

Answer 126

risk, incidents and interdependencies as part of the activity to identify impact to business objectives.

Question 127

What is the first step necessary to understand the impact and requirement of new regulations

Answer 127

Assessing whether existing controls meet requirements

Question 128

The most useful metric is one that measures

Answer 128

the degree to which complete follow-through has taken place.

Question 129

What are most likely to inadvertently introduce new exposures

Answer 129

Changes in the system infrastructure

Question 130

To truly judge effectiveness of user awareness training some means of

Answer 130

measurable testing is necessary to confirm user comprehension

Question 131

To correct the vulnerabilities, the system owner needs to

Answer 131

be notified quickly before an incident can take place.

Question 132

What is the best choice to diverting a hacker away from critical files and altering security of the hackers presence

Answer 132

Honeypots

Question 133

The only effective way to check the currency of signature files is to

Answer 133

look at a sample of servers.

Question 134

Monitoring tools can focus on:

Answer 134

Transaction Data; Conditions; Changes; Process Integrity; Error management; and Continuous Monitoring.

Question 135

Strategic Planning involves the annual evaluation of

Answer 135

the maturity of controls and provides a barometer of controls in their current state, a comparison to previous periods and the target maturity level.

Question 136

Advanced Persistent Threat is

Answer 136

a Threat Source that has both the capability and the intent to persistently and effectively target a critical information infrastructure.

Question 137

A Continuous Risk Management (CRM) process provides

Answer 137

a disciplined and documented approach to risk management throughout the system life cycle by facilitating Identification; Planning; Analysis; Tracking and Controlling risk activities.

Question 138

Risk reporting content must be

Answer 138

clear; concise; useful; timely; target audience; and available based on need to know

Question 139

Risk-Based Auditing Methodologies requires

Answer 139

preparation, assessment, mitigation, reporting and follow-up.