
CRISC Exam Prep Study Guide


What is the difference between a standard and a policy? - ANS - Standard = A mandatory action, explicit rules, controls or configuration settings that are designed to support and conform to a policy. A standard should make a policy more meaningful and effective by including accepted specifications for hardware, software or behavior. Standards should always point to the policy to which they relate. Policy = IT policies help organizations to properly articulate the organization's desired behavior, mitigate risk and contribute to achieving the organization's goals.

What are the 4 risk elements? - ANS - Threats, Vulnerabilities, Likelihood, and Impact. Threats exploit vulnerabilities, and the level of risk is based on likelihood and the impact to the system.

Describe risk appetite vs. risk tolerance - ANS - Risk appetite is how much risk an organization is willing to endure; risk tolerance is how much variation from that amount is acceptable.

Name the 6 steps of the NIST Risk Management Framework (RMF) - ANS -
1. Categorize Information Systems
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize Information Systems
6. Monitor Security Controls

Which framework is developed by ISACA and integrates other frameworks? a) Val IT b) IT Assurance Framework (ITAF) c) COBIT 5 d) Risk IT - ANS - c. COBIT 5

What are the 3 domains of ISACA's Risk IT Framework? - ANS - Risk Governance (RG), Risk Evaluation (RE), Risk Response (RR)

What are the tenets of risk management? - ANS - confidentiality, integrity, and availability

Which legal act requires U.S. Federal Govt agencies to establish an information security program? - ANS - Federal Information Security Management Act (FISMA)

What is the Gramm-Leach-Bliley Act (GLBA)? - ANS - GLBA requires periodic risk analysis performed on processes that deal with nonpublic financial information and personal financial data.

The Risk Governance (RG) domain of the Risk IT framework is comprised of what 3 processes? - ANS - RG1: Establish and maintain a common risk view; RG2: Integrate with ERM; RG3: Make risk-aware business decisions

The Risk Evaluation (RE) domain of the Risk IT framework is comprised of what 3 processes? - ANS - RE1: Collect data; RE2: Analyze risk; RE3: Maintain risk profile

The Risk Response (RR) domain of the Risk IT framework is comprised of what 3 processes? - ANS - RR1: Articulate risk; RR2: Manage risk; RR3: React to events

What is a threat agent? - ANS - The entity causing or enacting a threat against a vulnerability.

What is the simple risk formula? - ANS - threats x vulnerabilities = risk

What are the key areas of concern for emerging technologies? - ANS - Interoperability and Compatibility

What are the 5 components of a risk scenario? - ANS -

Uploaded on: Oct 11, 2022
Number of pages: 14
Seller: Nutmegs