CRISC Exam Questions Compilation

Document Content and Description Below

CRISC Exam Questions Compilation Which of the following is the MOST important reason for conducting security awareness programs throughout an enterprise? A. Reducing the risk of a social engineeri... ng attack B. Training personnel in security incident response C. Informing business units about the security strategy D. Maintaining evidence of training records to ensure compliance - ANS - A Which of the following is MOST important to determine when defining risk management strategies? A. Risk assessment criteria B. IT architecture complexity C. An enterprise disaster recovery plan (DRP) D. Organizational objectives - ANS - D Which of the following is the MOST important information to include in a risk management strategic plan? A. Risk management staffing requirements B. The risk management mission statement C. Risk mitigation investment plans D. The current state and desired future state - ANS - D Information that is no longer required to support the main purpose of the business from an information security perspective should be: A. analyzed under the retention policy. B. protected under the information classification policy. C. analyzed under the backup policy. D. protected under the business impact analysis (BIA). - ANS - A An enterprise has outsourced the majority of its IT department to a third party whose servers are in a foreign country. Which of the following is the MOST critical security consideration? A. A security breach notification may get delayed due to the time difference. B. Additional network intrusion detection sensors should be installed, resulting in additional cost. C. The enterprise could be unable to monitor compliance with its internal security and privacy guidelines. D. Laws and regulations of the country of origin may not be enforceable in the foreign country. - ANS - D An enterprise recently developed a breakthrough technology that could provide a significant competitive edge. Which of the following FIRST governs how this information is to be protected from within the enterprise? A. The data classification policy B. The acceptable use policy C. Encryption standards D. The access control policy - ANS - A Malware has been detected that redirects users' computers to web sites crafted specifically for the purpose of fraud. The malware changes domain name system (DNS) server settings, redirecting users to sites under the hackers' control. This scenario BEST describes a: - ANS - C What is the MOST effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives? A. A compliance-oriented gap analysis B. Interviews with business process stakeholders C. A mapping of compliance requirements to policies and procedures D. A compliance-oriented business impact analysis (BIA) - ANS - D Which of the following is the BEST way to ensure that an accurate risk register is maintained over time? A. Monitor key risk indicators (KRJs), and record the findings in the risk register. B. Publish the risk register centrally with workflow features that periodically poll risk assessors. C. Distribute the risk register to business process owners for review and updating. D. Utilize audit personnel to perform regular audits and to maintain the risk register. - ANS - B Shortly after performing the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should: A. analyze what systems and technology-related processes may be impacted. B. ensure necessary adjustments are implemented during the next review cycle. C. initiate an ad hoc revision of the corporate policy. D. notify the system custodian to implement changes. - ANS - A Which of the following is the PRIMARY objective of a risk management program? A. Maintain residual risk at an acceptable level B. Implement preventive controls for every threat C. Remove all inherent risk D. Reduce inherent risk to zero - ANS - A Assessing information systems risk is BEST achieved by: A. using the enterprise's past actual loss experience to determine current exposure. B. reviewing published loss statistics from comparable organizations. C. evaluating threats associated with existing information systems assets and information systems projects. D. reviewing information systems control weaknesses identified in audit reports. - ANS - C Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system? A. Performing a business impact analysis (BIA) B. Considering personal devices as part of the security policy C. Basing the information security infrastructure on a risk assessment D. Initiating IT security training and familiarization - ANS - C The PRIMARY concern of a risk practitioner reviewing a formal data retention policy is: A. storage availability. B. applicable organizational standards. C. generally accepted industry best practices. D. business requirements. - ANS - D Which of the following areas is MOST susceptible to the introduction of an informationsecurity-related vulnerability? A. Tape backup management B. Database management C. Configuration management D. Incident response management - ANS - C Which of the following is the GREATEST risk of a policy that inadequately defines data and system ownership? A. Audit recommendations may not be implemented. [Show More]

Last updated: 2 years ago

Preview 1 out of 100 pages