CRISC Practice Study Questions

How many steps in NIST RMF? - ANS - 6
Name steps of the NIST RMF - ANS - 1) Categorize Info Systems 2) Select Security Controls 3) Implement Security Controls 4) Assess Security Controls 5) Authorize Info Systems 6) Monitor Security Controls
What are the layers of COBIT? - ANS - Governance and Management
What are the Management layers of COBIT? - ANS - 1) Align, Plan, and Organize 2) Build, Acquire, and Implement 3) Deliver, Service, and Support 4) Monitor, Evaluate, and Assess
What are the layers of ISACA Risk IT Framework? - ANS - 1) Risk Governance 2) Risk Evaluation 3) Risk Response
What are the levels of SDLC? - ANS - 1) Initiation 2) Requirements 3) Design 4) Development/Acquisition 5) Implementation 6) Operations/Maintenance 7) Disposal/Retirement
What does SDLC stand for? - ANS - Software Development Life Cycle
What is the NIST Business Continuity Document? - ANS - 800-34 "Contingency Planning Guide for Federal Information Systems"
What components of risk do Risk Scenarios include? - ANS - 1) Asset 2) Threat 3) Threat Agent 4) Vulnerability 5) Time/Location (They leave off likelihood and impact)
What elements should a Risk Register include? - ANS - 1) Risk factors 2) Threat agents, threats, and vulnerabilities 3) Risk scenarios 4) Criticality, severity, or priority of risk 5) Asset information 6) Impact of the risk on an asset 7) Likelihood of the threat exploiting the vulnerability 8) Current status of risk response actions 9) Resources that may be committed to respond to risk 10) Risk ownership information 11) Planned milestones toward risk response
Which publication contains the NIST RMF? - ANS - 800-37
What are the distinctive processes of the NIST RMF? - ANS - 1) Prepare for assessment 2) Conduct assessment 3) Communicate results 4) Maintain assessment
Who developed the OCTAVE Methodology? - ANS - Carnegie Mellon University
What is special about OCTAVE? - ANS - Designed for big businesses
What sets OCTAVE Allegro apart? - ANS - Includes more business-centered and operation risk approaches
What sets OCTAVE-S apart? - ANS - Designed for smaller organizations
What is ISO/IEC 27005:2011? - ANS - It is a basic risk management standard that is totally geared towards Information Security
What is ISO 31000:2009? - ANS - Risk Management - Principles and Guidelines
What is IEC 31010:2009? - ANS - The meat of the risk management part of ISO 31000:2009
What are the three areas of the Risk Evaluation portion of the ISACA Risk IT Framework, and what is a key component of the last one? - ANS - RE1: Collect Data; RE2: Analyze Risk; RE3: Maintain Risk Profile. Should develop KRIs in RE3
What are a few methods of data collection? - ANS - 1) Conducting Interviews 2) Documentation Reviews 3) System Observation and Verification 4) System Testing
SLE - ANS - Single Loss Expectancy
ARO - ANS - Annualized Rate of Occurrence
AV - ANS - Asset Value
EF - ANS - Exposure Factor (Percentage loss of an asset with a given risk event)
ALE - ANS - Annual Loss Expectancy (SLE x ARO)
Fault Tree Analysis - ANS - Start with a risk event, and branch out to all of the possible causes (Top-Down)
Event Tree Analysis - ANS - Start with an event, and branch to all of the possible consequences (Bottom-Up)
Bow-Tie Analysis - ANS - Begins with an event and branches one direction to causes, and the other direction to consequences
What are the required components of a control analysis? - ANS - 1) Identify controls 2) Determine their required function 3) Determine effectiveness 4) Determine gaps
What are the necessities when suggesting new or modified controls? - ANS - 1) Try to leverage existing controls 2) Look for quick wins 3) Prioritize control recommendations with risk 4) Be realistic in your recommendations 5) Provide alternatives
What is the Deming Cycle? - ANS - Plan-Do-Check-Act
Uploaded on: Oct 11, 2022
Number of pages: 17