CRISC Practice Study Questions
How many steps in NIST RMF? - ANS - 6
Name steps of the NIST RMF - ANS - 1) Categorize Info Systems
2) Select Security Controls
3) Implement Security Controls
4) Assess Security Controls
5) Authorize Info Systems
6) Monitor Security Controls
What are the layers of COBIT? - ANS - Governance and Management
What are the Management layers of COBIT? - ANS - 1) Align, Plan, and Organize
2) Build, Acquire, and Implement
3) Deliver, Service, and Support
4) Monitor, Evaluate, and Assess
What are the layers of ISACA Risk IT Framework? - ANS - 1) Risk Governance
2) Risk Evaluation
3) Risk Response
What are the levels of SDLC? - ANS - 1) Initiation
2) Requirements
3) Design
4) Development/Acquisition
5) Implementation
6) Operations/Maintenance
7) Disposal/Retirement
What does SDLC stand for? - ANS - Software Development Life Cycle
What is the NIST Business Continuity Document? - ANS - 800-34 "Contingency Planning Guide for Federal Information Systems"
What components of risk do Risk Scenarios include? - ANS - 1) Asset
2) Threat
3) Threat Agent
4) Vulnerability
5) Time/Location
They leave off likelihood and impact
What elements should a Risk Register include? - ANS - 1) Risk factors
2) Threat agents, threats, and vulnerabilities
3) Risk scenarios
4) Criticality, severity, or priority of risk
5) Asset information
6) Impact of the risk on an asset
7) Likelihood of the threat exploiting the vulnerability
8) Current status of risk response actions
9) Resources that may be committed to respond to risk
10) Risk ownership information
11) Planned milestones toward risk response
Which publication contains the NIST RMF? - ANS - 800-37
What are the distinctive processes of the NIST RMF? - ANS - 1) Prepare for assessment
2) Conduct assessment
3) Communicate results
4) Maintain assessment
Who developed the OCTAVE Methodology? - ANS - Carnegie Mellon University
What is special about OCTAVE? - ANS - Designed for big businesses
What sets OCTAVE Allegro apart? - ANS - Includes more business-centered and operational risk approaches
What sets OCTAVE-S apart? - ANS - Designed for smaller organizations
What is ISO/IEC 27005:2011? - ANS - It is a basic risk management standard that is totally geared towards Information Security
What is ISO 31000:2009? - ANS - Risk Management - Principles and Guidelines
What is IEC 31010:2009? - ANS - The meat of the risk management part of ISO 31000:2009
What are the three areas of the Risk Evaluation portion of the ISACA Risk IT Framework, and what is a key component of the last one? - ANS - RE1: Collect Data
RE2: Analyze Risk
RE3: Maintain Risk Profile
Should develop KRIs in RE3
What are a few methods of data collection? - ANS - 1) Conducting Interviews
2) Documentation Reviews
3) System Observation and Verification
4) System Testing
SLE - ANS - Single Loss Expectancy
ARO - ANS - Annualized Rate of Occurrence
AV - ANS - Asset Value
EF - ANS - Exposure Factor (Percentage loss of an asset with a given risk event)
ALE - ANS - Annual Loss Expectancy (SLE x ARO)
Fault Tree Analysis - ANS - Start with a risk event, and branch out to all of the possible causes (Top-Down)
Event Tree Analysis - ANS - Start with an event, and branch to all of the possible consequences (Bottom-Up)
Bow-Tie Analysis - ANS - Begins with an event and branches one direction to causes, and the other direction to consequences
What are the required components of a control analysis? - ANS - 1) Identify controls
2) Determine their required function
3) Determine effectiveness
4) Determine gaps
What are the necessities when suggesting new or modified controls? - ANS - 1) Try to leverage existing controls
2) Look for quick wins
3) Prioritize control recommendations with risk
4) Be realistic in your recommendations
5) Provide alternatives
What is the Deming Cycle? - ANS - Plan-Do-Check-Act