Which of the following is the MOST important reason for conducting security
awareness programs throughout
an enterprise?
A. Reducing the risk of a social engineering attack
B. Training personnel in security incident response
C. Informing business units about the security strategy
D. Maintaining evidence of training records to ensure compliance Right Ans - A
Which of the following is MOST important to determine when defining risk
management strategies?
A. Risk assessment criteria
B. IT architecture complexity
C. An enterprise disaster recovery plan (DRP)
D. Organizational objectives Right Ans - D
Which of the following is the MOST important information to include in a risk
management strategic plan?
A. Risk management staffing requirements
B. The risk management mission statement
C. Risk mitigation investment plans
D. The current state and desired future state Right Ans - D
Information that is no longer required to support the main purpose of the
business from an information security
perspective should be:
A. analyzed under the retention policy.
B. protected under the information classification policy.
C. analyzed under the backup policy.
D. protected under the business impact analysis (BIA). Right Ans - A
An enterprise has outsourced the majority of its IT department to a third
party whose servers are in a foreign
country. Which of the following is the MOST critical security consideration?
A. A security breach notification may get delayed due to the time difference.
B. Additional network intrusion detection sensors should be installed,
resulting in additional cost.
C. The enterprise could be unable to monitor compliance with its internal security and privacy guidelines.
D. Laws and regulations of the country of origin may not be enforceable in the
foreign country. Right Ans - D
An enterprise recently developed a breakthrough technology that could
provide a significant competitive edge.
Which of the following FIRST governs how this information is to be protected
from within the enterprise?
A. The data classification policy
B. The acceptable use policy
C. Encryption standards
D. The access control policy Right Ans - A
Malware has been detected that redirects users' computers to web sites
crafted specifically for the purpose of fraud.
The malware changes domain name system (DNS) server settings, redirecting
users to sites under the hackers'
control. This scenario BEST describes a: Right Ans - C
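The scenario above (malware rewriting a host's DNS resolver settings so that lookups are answered by attacker-controlled servers) can be caught at two points: the resolver list itself, and the answers that come back for high-value names. The following is an added example written for this page, not code from the original question set or from any vendor. The resolver configuration, the approved-resolver list, the corporate address range and the expected A records are all constructed, assumed values.

```python
import ipaddress

# Constructed sample of a host's resolver configuration in resolv.conf style.
# The second nameserver is the kind of change DNS-changing malware makes.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 10.1.1.53
nameserver 203.0.113.7
"""

# Resolvers the enterprise actually operates (assumed values).
APPROVED_RESOLVERS = {"10.1.1.53", "10.1.2.53"}

# Address space the enterprise owns (assumed); used only to describe
# where an unapproved resolver sits, not to decide whether it is approved.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Known-good A records for high-value domains (assumed values). Checking
# answers catches redirection even when the resolver list looks clean.
EXPECTED_A_RECORDS = {
    "bank.example": {"192.0.2.10", "192.0.2.11"},
}


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return nameserver addresses in order, ignoring comments and other keys."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(servers, approved=APPROVED_RESOLVERS):
    """Flag every configured resolver that is not on the approved list."""
    findings = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            findings.append(f"unparseable nameserver entry: {s!r}")
            continue
        if s in approved:
            continue
        inside = any(addr in net for net in CORPORATE_NETS)
        where = "inside corporate space" if inside else "outside corporate space"
        findings.append(f"unapproved resolver {where}: {s}")
    return findings


def check_answers(observed, expected=EXPECTED_A_RECORDS):
    """Flag resolved addresses that differ from the known-good records."""
    findings = []
    for name, addrs in observed.items():
        good = expected.get(name)
        if good is None:
            continue  # no baseline for this name; nothing to compare against
        bad = set(addrs) - good
        if bad:
            findings.append(
                f"{name} resolved to unexpected address(es): {sorted(bad)}"
            )
    return findings


def pharming_indicators(resolv_conf, observed_answers):
    """Combine both checks into one list of findings for the host."""
    return check_resolvers(parse_nameservers(resolv_conf)) + check_answers(
        observed_answers
    )


if __name__ == "__main__":
    # Constructed lookup results, as if gathered from the same host.
    observed = {"bank.example": ["198.51.100.5"]}
    for finding in pharming_indicators(SAMPLE_RESOLV_CONF, observed):
        print(finding)
```

The resolver check is the cheap, host-local control; the answer check is what actually proves redirection, so in practice the baseline in EXPECTED_A_RECORDS has to be maintained from an authoritative source rather than from the host being examined.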
What is the MOST effective method to evaluate the potential impact of legal,
regulatory and contractual
requirements on business objectives?
A. A compliance-oriented gap analysis
B. Interviews with business process stakeholders
C. A mapping of compliance requirements to policies and procedures
D. A compliance-oriented business impact analysis (BIA) Right Ans - D
Which of the following is the BEST way to ensure that an accurate risk register
is maintained over time?
A. Monitor key risk indicators (KRIs), and record the findings in the risk register.
B. Publish the risk register centrally with workflow features that periodically
poll risk assessors.
C. Distribute the risk register to business process owners for review and
updating.
D. Utilize audit personnel to perform regular audits and to maintain the risk
register. Right Ans - B
Shortly after performing the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should:
A. analyze what systems and technology-related processes may be impacted.
B. ensure necessary adjustments are implemented during the next review
cycle.
C. initiate an ad hoc revision of the corporate policy.
D. notify the system custodian to implement changes. Right Ans - A
Which of the following is the PRIMARY objective of a risk management
program?
A. Maintain residual risk at an acceptable level
B. Implement preventive controls for every threat
C. Remove all inherent risk
D. Reduce inherent risk to zero Right Ans - A
Assessing information systems risk is BEST achieved by:
A. using the enterprise's past actual loss experience to determine current
exposure.
B. reviewing published loss statistics from comparable organizations.
C. evaluating threats associated with existing information systems assets and
information systems projects.
D. reviewing information systems control weaknesses identified in audit
reports. Right Ans - C
Which of the following is the MOST important requirement for setting up an
information security infrastructure for
a new system?
A. Performing a business impact analysis (BIA)
B. Considering personal devices as part of the security policy
C. Basing the information security infrastructure on a risk assessment
D. Initiating IT security training and familiarization Right Ans - C
The PRIMARY concern of a risk practitioner reviewing a formal data retention
policy is:
A. storage availability.
B. applicable organizational standards.
C. generally accepted industry best practices.
D. business requirements. Right Ans - D
Which of the following areas is MOST susceptible to the introduction of an
information-security-related vulnerability?
A. Tape backup management
B. Database management
C. Configuration management
D. Incident response management Right Ans - C
Which of the following is the GREATEST risk of a policy that inadequately
defines data and system ownership?
A. Audit recommendations may not be implemented.
B. Users may have unauthorized access to originate, modify or delete data.
C. User management coordination does not exist.
D. Specific user accountability cannot be established. Right Ans - B
A lack of adequate controls represents:
A. a vulnerability.
B. an impact.
C. an asset.
D. a threat. Right Ans - A
The PRIMARY focus of managing IT-related business risk is to protect:
A. information.
B. hardware.
C. applications.
D. databases. Right Ans - A
Which of the following provides the BEST view of risk management?
A. An interdisciplinary team
B. A third-party risk assessment service provider
C. The enterprise's IT department
D. The enterprise's internal compliance department Right Ans - A
Which of the following approaches to corporate policy BEST supports an
enterprise's expansion to other regions,
where different local laws apply?
A. A global policy that does not contain content that might be disputed at a
local level