Risk Management CRISC Q&A Domain 1 2024
Typology: Exams
Which of the following is MOST important to determine when defining risk management strategies?
A. Risk assessment criteria
B. IT architecture complexity
C. An enterprise disaster recovery plan
D. Business objectives and operations
✔D is the correct answer.
Justification:
A. Information on the internal and external environment must be collected to define a strategy and identify its impact. Risk assessment criteria alone are not sufficient.
B. IT architecture complexity is more directly related to assessing risk than defining strategies.
C. An enterprise disaster recovery plan is more directly related to mitigating the risk.
D. While defining risk management strategies, the risk practitioner needs to analyze the organization's objectives and risk tolerance and define a risk management framework based on this analysis. Some organizations may accept known risk, while others may invest in and apply mitigating controls to reduce risk.

Which of the following is the MOST important information to include in a risk management strategic plan?
A. Risk management staffing requirements
B. The risk management mission statement
C. Risk mitigation investment plans
D. The current state and desired future state
✔D is the correct answer.
Justification:
A. Risk management staffing requirements are generally driven by a robust understanding of the current and desired future state.
B. The risk management mission statement is important but is not an actionable part of a risk management strategic plan.
C. Risk mitigation investment plans are generally driven by a robust understanding of the current and desired future state.
D. It is most important to paint a vision for the future and then draw a road map from the starting point; therefore, this requires that the current state and desired future state be fully understood.

Information that is no longer required to support the main purpose of the business from an information security perspective should be:
A. analyzed under the retention policy.
B. protected under the information classification policy.
C. analyzed under the backup policy.
D. protected under the business impact analysis.
✔A is the correct answer.
Justification:
A. Information that is no longer required should be analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required unnecessarily consumes resources; may be in breach of legal and regulatory obligations regarding retention of data; and, in the case of sensitive personal information, can increase the risk of data compromise.
B. The information classification policy should specify retention and destruction of information that is no longer of value to the core business, as applicable.
C. The backup policy is generally based on recovery point objectives. The information classification policy should specify retention and destruction of backup media.
D. A business impact analysis can help determine that this information does not support the main objective of the business, but does not indicate the action to take.

An enterprise has outsourced the majority of its IT department to a third party whose servers are in a foreign country. Which of the following is the MOST critical security consideration?
A. A security breach notification may get delayed due to the time difference.
B. Additional network intrusion detection sensors should be installed, resulting in additional cost.
C. Mandated levels of protection, as defined by the data classification policy, should drive which levels of encryption will be in place.
D. Mandated levels of protection, as defined by the data classification policy, should drive which access controls will be in place.

Malware has been detected that redirects users' computers to websites crafted specifically for the purpose of fraud. The malware changes domain name system server settings, redirecting users to sites under the hackers' control. This scenario BEST describes a:
A. man-in-the-middle attack.
B. phishing attack.
C. pharming attack.
D. social-engineering attack.
✔C is the correct answer.
Justification:
A. In a man-in-the-middle attack, the attacker intercepts the communication between two victims and then replaces the traffic between them with the intruder's own, eventually assuming control of the communication.
B. A phishing attack is a type of email attack that attempts to convince a user that the originator is genuine but with the intention of obtaining information for use in social engineering.
C. A pharming attack changes the pointers on a domain name system server and redirects a user's session to a masquerading website.
D. A social-engineering attack deceives users or administrators at the target site into revealing confidential or sensitive information. They can be executed person-to-person, over the telephone or via email.

What is the MOST effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives?
A. A compliance-oriented gap analysis
B. Interviews with business process stakeholders
C. A mapping of compliance requirements to policies and procedures
D. A compliance-oriented business impact analysis
✔D is the correct answer.
Justification:
A. A gap analysis will only identify the gaps in compliance to current requirements and will not identify impacts to business objectives or activities.
B. Interviews with key business process stakeholders will identify business objectives but will not necessarily account for the compliance requirements that must be met.
C. Mapping requirements to policies and procedures will identify how compliance is being achieved but will not identify business impact.
D. A compliance-oriented business impact analysis will identify compliance requirements to which the enterprise is subject and will assess their effect on business objectives and activities.

Which of the following is the BEST way to ensure that an accurate risk register is maintained over time?
A. Monitor key risk indicators and record the findings in the risk register.
B. Publish the risk register centrally with workflow features that periodically poll risk assessors.
C. Distribute the risk register to business process owners for review and updating.
D. Use audit personnel to perform regular audits and to maintain the risk register.
✔B is the correct answer.
Justification:
A. Monitoring key risk indicators will only provide insights to known and identified risk and will not account for risk that has yet to be identified.
B. Centrally publishing the risk register and enabling periodic polling of risk assessors through workflow features will ensure accuracy of content. A knowledge management platform with workflow and polling features will automate the process of maintaining the risk register.
C. Business process owners typically cannot effectively identify risk to their business processes. They may not have the ability to be unbiased in their review and may not have the appropriate skills or tools to effectively evaluate risk.
D. Audit personnel may not have the appropriate business knowledge or training in risk assessment to appropriately identify risk. Regular audits of business processes can also be a hindrance to business activities and most likely will not be allowed by business leadership.

Shortly after performing the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should:
C. A risk management program is not intended to remove every identified risk.
D. Inherent risk (the risk level of an activity, business process or entity without taking into account the actions that management has taken or may take) is always greater than zero.

Assessing information systems risk is BEST achieved by:
A. using the enterprise's past actual loss experience to determine current exposure.
B. reviewing published loss statistics from comparable organizations.
C. evaluating threats associated with existing information systems assets and information systems projects.
D. reviewing information systems control weaknesses identified in audit reports.
✔C is the correct answer.
Justification:
A. Past actual loss experience is potentially useful input to the risk assessment process, but it does not address realistic risk scenarios that have not occurred in the past.
B. Published loss statistics from comparable organizations are a potentially useful input to the risk assessment process but do not address enterprise-specific risk scenarios or those that have not occurred in the past.
C. To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.
D. Control weaknesses and other vulnerabilities are an important input to the risk assessment process, but by themselves are not useful.

Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?
A. Performing a business impact analysis
B. Considering personal devices as part of the security policy
C. Basing the information security infrastructure on a risk assessment
D. Initiating IT security training and familiarization
✔C is the correct answer.
Justification:
A. Typically, a business impact analysis is carried out to prioritize business processes as part of a business continuity plan.
B. While personal devices should be considered as part of the security policy, they are not the most important requirement.
C. The information security infrastructure should be based on a risk assessment.
D. Initiating IT security training may not be important for the information security infrastructure.

The PRIMARY concern of a risk practitioner reviewing a formal data retention policy is:
A. storage availability.
B. applicable organizational standards.
C. generally accepted industry good practices.
D. regulatory and business requirements.
✔D is the correct answer.
Justification:
A. Storage is not of primary importance because whatever is needed must be provided.
B. Applicable organizational standards support the policy but do not dictate it.
C. Good practices may suggest useful guidance but are not a primary concern.
D. In determining the retention policy, the regulatory requirements are of primary importance along with the business requirements. Without business requirements, a company can keep records indefinitely regardless of available storage or business needs at a tremendous cost.

Which of the following areas is MOST likely to introduce vulnerability related to information security?
A. Tape backup management
B. Database management
C. Configuration management
D. Incident response management
✔C is the correct answer.
Justification:
B. Users may have unauthorized access to originate, modify or delete data.
C. User management coordination does not exist.
D. Specific user accountability cannot be established.
✔B is the correct answer.
Justification:
A. A policy that inadequately defines data and system ownership generally does not affect the implementation of audit recommendations, particularly because audit reports assign remediation owners.
B. Without a policy defining who grants access to specific data or systems, risk increases that employees receive system access without justified business purpose. Business objectives are best supported when authority to grant access is assigned to specific individuals.
C. While a policy that inadequately defines data and system ownership may affect user management coordination, the greatest risk would be granting user access inappropriately.
D. User accountability is established by assigning unique user IDs and tracking transactions.

A lack of adequate controls represents:
A. a vulnerability.
B. an impact.
C. an asset.
D. a threat.
✔A is the correct answer.
Justification:
A. Lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information, financial loss, legal penalties, etc.
B. Impact is the measure of financial loss incurred by a threat or incident.
C. Assets have tangible or intangible value worth protecting and include people, systems, infrastructure, finances and reputation.
D. A threat is a potential cause of a security incident.

The PRIMARY focus of managing IT-related business risk is to protect:
A. information.
B. hardware.
C. applications.
D. databases.
✔A is the correct answer.
Justification:
A. The primary objective for any enterprise is to protect mission-critical information based on a risk assessment.
B. While many enterprises spend large amounts protecting IT hardware, doing so without first assessing risk to mission-critical data is not advisable. Hardware may become a focus if it stores, processes or transfers mission-critical data.
C. Applications become a focus only if they process mission-critical data.
D. Databases become a focus only if they store mission-critical data.

Which of the following can provide the BEST perspective of risk management to an enterprise's employees and stockholders?
A. An interdisciplinary team within the enterprise
B. A third-party risk assessment service provider
C. The enterprise's IT department
D. The enterprise's internal compliance department
✔A is the correct answer.
Justification:
A. Assembling an interdisciplinary team to manage risk ensures that all areas are adequately considered in risk assessment and helps provide an enterprisewide perspective on risk.
B. Engaging a third party to perform a risk assessment may provide additional expertise; but without internal knowledge, third parties lack judgment to determine the adequacy of risk assessment.
C. A risk assessment performed by the enterprise's IT department is unlikely to reflect the view of the entire enterprise.
B. Increased reporting of incidents in general is a good indicator of user awareness, but increased reporting of valid incidents is the best indicator because it shows that users are aware of security rules and know how to report incidents. It is the responsibility of the IT function to assess the information provided, identify false positives, educate end users, and respond to potential problems.
C. A decrease in the number of password resets is not an indicator of security awareness training.
D. An increase in the number of system vulnerabilities is not an indicator of security awareness training.

Which of the following factors will have the GREATEST impact on the type of information security governance model that an enterprise adopts?
A. The number of employees
B. The enterprise's budget
C. The organizational structure
D. The type of technology that the enterprise uses
✔C is the correct answer.
Justification:
A. The number of employees in an enterprise does not primarily affect the choice of an information security governance model; well-defined processes provide the proper governance.
B. Organizational budget does not dictate the choice of information security governance model.
C. Information security governance models depend significantly on the overall organizational structure.
D. Technology in an enterprise does not primarily affect the choice of an information security governance model; well-defined processes provide the proper governance.

An enterprise learns of a security breach at another entity using similar network technology. The MOST important action for a risk practitioner is to:
A. assess the likelihood of the incident occurring at the risk practitioner's enterprise.
B. discontinue the use of the vulnerable technology.
C. report to senior management that the enterprise is not affected.
D. remind staff that no similar security breaches have taken place.
✔A is the correct answer.
Justification:
A. The risk practitioner should first assess the likelihood of a similar incident at his/her enterprise, based on available information.
B. Discontinuing vulnerable technology is not necessarily required; furthermore, the technology is likely to be needed to support the enterprise.
C. Reporting to senior management that the enterprise is not affected is premature until the risk practitioner assesses the likelihood of a similar incident.
D. Pending further research, the risk practitioner cannot be certain that no similar security breaches have taken place.

Which of the following is the GREATEST benefit of a risk-aware culture?
A. Issues are escalated when suspicious activity is noticed.
B. Controls are double-checked to anticipate any issues.
C. Individuals communicate with peers for knowledge sharing.
D. Employees are self-motivated to learn about costs and benefits.
✔A is the correct answer.
Justification:
A. Management benefits most from an escalation process because risk and/or incidents are reported in a timely manner. Escalation posture among employees is best developed through training and awareness programs.
B. Double-checking controls is a thorough business practice. It is a basic business stance, so benefit for management may be limited.
C. Knowledge sharing is an important theme and should be encouraged through awareness programs. However, its benefit to risk management may be indirect.
D. Encouraging employees to learn is desirable. However, management may not expect awareness programs to emphasize assessment of cost and benefit.

The MAIN objective of IT risk management is to:
A. prevent loss of IT assets.
B. provide timely management reports.
C. ensure regulatory compliance.
C. Senior management
D. IT security administrators
✔C is the correct answer.
Justification:
A. IT auditors performing risk assessment may contribute to a risk management plan, but they are not authorized to give final sign-off.
B. Business process owners may contribute to a risk management plan, but they do not have authority to give final sign-off.
C. Senior management understands performance metrics and indicators that measure the enterprise and its subsystems; they approved the policies and standards that govern the enterprise; and they have final responsibility for risks associated with audit findings and recommendations.
D. IT security administrators may contribute to a risk management plan, but they do not have the authority to give final sign-off.

Which of the following is the PRIMARY reason that a risk practitioner determines the security boundary prior to conducting a risk assessment?
A. To decide which laws and regulations apply
B. To identify the scope of the risk assessment
C. To identify the business owner(s) of the system
D. To decide whether a quantitative or qualitative analysis is appropriate
✔B is the correct answer.
Justification:
A. The risk assessment itself must consider what laws and regulations apply.
B. Identifying the security boundary establishes the fundamental scope of inquiry, including what systems and components are subject to assessment as well as those not subject to assessment. The boundary subsequently informs what laws and regulations apply, what business owners to consult, etc.
C. Identifying business owners is secondary to determining the scope.
D. Security boundaries will not directly inform criteria for selecting a quantitative or qualitative risk analysis.

Which of the following BEST describes the information needed for each risk on a risk register?
A. Risk scenario including date, description, impact, probability, risk score, mitigation action and owner
B. Risk scenario including date, description, risk score, cost to remediate, communication plan and owner
C. Risk scenario including date, description, impact, cost to remediate and owner
D. Various activities leading to risk management planning
✔A is the correct answer.
Justification:
A. Information required for each risk in a risk register includes date, description, impact, probability, risk score, mitigation action and owner.
B. This answer includes some elements of a risk register necessary to facilitate informed decisions, but misses others (impact, probability, mitigation action). It includes items that should be omitted from the register (communication plan).
C. This answer misses some key elements of a risk register (probability, risk score, mitigation action) needed to make informed decisions.
D. A risk register results from risk management planning, not the other way around.

The GREATEST advantage in performing a business impact analysis is that it:
A. does not have to be updated because the impact will not change.
B. promotes continuity awareness in the enterprise.
C. requires only qualitative estimates.
D. eliminates the need for risk analysis.
✔B is the correct answer.
Justification:
A. A business impact analysis (BIA) should be updated periodically because existing environments, systems, risks and applications change and new systems are added.
B. A BIA raises awareness of risk to business recovery and continuity enterprisewide.
C. A BIA should use both qualitative and quantitative estimates; however, the analysis can be completed and estimates determined with or without minimum historical data.
C. Risk scenarios are the most effective technique in assessing business risk. Scenarios help determine the likelihood and impact of an identified risk.
D. A risk plan is the output from the risk assessment.

The board of directors of a one-year-old start-up company asked their chief information officer (CIO) to create all the enterprise's IT policies and procedures. Which of the following should the CIO create FIRST?
A. The strategic IT plan
B. The data classification scheme
C. The information architecture document
D. The technology infrastructure plan
✔A is the correct answer.
Justification:
A. The strategic IT plan is the first policy to create when developing an enterprise's governance model.
B. The strategic IT plan is created before the data classification scheme. The data classification scheme distinguishes data by factors such as criticality, sensitivity and ownership.
C. The strategic IT plan is created before the information architecture is defined. The information architecture is one component of the IT architecture (together with applications and technology). The IT architecture describes the fundamental underlying design of IT components; the relationships among them; and their support for the organization's objectives.
D. The strategic IT plan is created before the technology infrastructure plan is developed. The technology infrastructure plan maps out the technology, human resources and facilities that enable current and future applications and processes.

The preparation of a risk register begins in which risk management process?
A. Risk response planning
B. Risk monitoring and control
C. Risk management planning
D. Risk identification
✔D is the correct answer.
Justification:
A. In the risk response planning process, appropriate responses are determined by consensus and included in the risk register.
B. Risk monitoring and control often require identification of new risk and reassessment of known risk. Outcomes of risk reassessments, risk audits and periodic risk reviews trigger updates to the risk register.
C. Risk management planning describes how risk management will be structured and performed.
D. The risk register details all identified risk, including description, category, cause, probability of occurring, impact(s) on objectives, proposed responses, owners and current status. The primary outputs from risk identification are the initial entries into the risk register.

A business impact analysis is PRIMARILY used to:
A. estimate the resources required to resume normal operations after a disruption.
B. evaluate the impact of disruption on an enterprise's ability to operate over time.
C. calculate the likelihood and impact of known threats on specific functions.
D. evaluate high-level business requirements.
✔B is the correct answer.
Justification:
A. Determining the resource requirements to resume normal operations is part of business continuity planning.
B. A business impact analysis (BIA) is primarily intended to evaluate the impact of disruption over time to an enterprise's ability to operate. It determines the urgency of each business activity. Key deliverables include recovery time objectives and recovery point objectives.
C. Likelihood and impact are calculated during risk analysis.
D. High-level business requirements are defined during the early phases of a system development life cycle, not as part of a BIA.

Which of the following provides the GREATEST level of information security awareness?
A. Job descriptions
B. A security manual
C. Security training