R1-1 Which of the following is MOST important to determine when defining risk management strategies?
A. Risk assessment criteria
B. IT architecture complexity
C. An enterprise disaster recovery plan
D. Business objectives and operations

Correct answer: D
Justification:
A. Risk assessment criteria alone are not sufficient. Information on the internal and external environment must be collected to define a strategy and identify its impact.
B. IT architecture complexity is more directly related to assessing risk than to defining strategies.
C. An enterprise disaster recovery plan is more directly related to mitigating risk.
D. When defining risk management strategies, the risk practitioner needs to analyze the organization's objectives and risk tolerance and define a risk management framework based on that analysis. Some organizations may accept known risk, while others may invest in and apply mitigating controls to reduce it.
R1-2 Which of the following is the MOST important information to include in a risk management strategic plan?
A. Risk management staffing requirements
B. The risk management mission statement
C. Risk mitigation investment plans
D. The current state and desired future state

Correct answer: D
Justification:
A. Risk management staffing requirements are generally driven by a robust understanding of the current and desired future state.
B. The risk management mission statement is important, but it is not an actionable part of a risk management strategic plan.
C. Risk mitigation investment plans are generally driven by a robust understanding of the current and desired future state.
D. It is most important to paint a vision for the future and then draw a road map from the starting point; this requires that the current state and the desired future state be fully understood.
R1-3 Information that is no longer required to support the main purpose of the business from an information security perspective should be:
A. analyzed under the retention policy.
B. protected under the information classification policy.
C. analyzed under the backup policy.
D. protected under the business impact analysis.

Correct answer: A
Justification:
A. Information that is no longer required should be analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required unnecessarily consumes resources, may be in breach of legal and regulatory obligations regarding retention of data and, in the case of sensitive personal information, can increase the risk of data compromise.
B. The information classification policy should specify retention and destruction of information that is no longer of value to the core business, as applicable.
C. The backup policy is generally based on recovery point objectives. The information classification policy should specify retention and destruction of backup media.
D. A business impact analysis can help determine that this information does not support the main objective of the business, but it does not indicate the action to take.
R1-4 An enterprise has outsourced the majority of its IT department to a third party whose servers are in a foreign country. Which of the following is the MOST critical security consideration?
A. A security breach notification may get delayed due to the time difference.
B. Additional network intrusion detection sensors should be installed, resulting in additional cost.