CRISC Review Flashcards

1
Risk Assessment involves two specific requirements
– Risk Identification: Threat plus Vulnerability - Internal or External / Intentional or Unintentional
– Risk Analysis: Impact on system reliability, security and speed, and consequence of failure to mitigate identified risks
2
Risk Monitoring is the process that
systematically tracks and evaluates the performance of risk mitigation actions
3
The Risk Management structure involves:
planning, assessment (identification-analysis), handling, monitoring and mitigation.
4
Threats are characterized as those that are
Imminent; those that are Emerging; those that are Consistent and those that are Persistent.
5
Delphi is
a security risk assessment and information gathering technique that uses the consensus of subject matter experts to determine mission risk
6
Quantitative Risk Assessment is a process used to
analyze numerically the probability of each risk and its consequence on mission objectives
7
Quantitative Risk Assessment Techniques include
interviewing, sensitivity analysis, decision tree analysis, and simulation
8
Qualitative risk analysis is the process of
assessing the impact and likelihood of identified risks. What is the probability and likelihood that the risk will occur, and what is the consequence to mission objectives?
9
The focus of mission-centric Risk Analysis should be based on
the economic balance between the impact of risks and the cost of protective measures
10
Threat and vulnerability assessments typically evaluate
all elements of a business process for threats and vulnerabilities and identify the likelihood of occurrence and the business impact if the threats were to be realized
11
While defining risk management strategies, the risk control professional needs to
analyze the organization's objectives and risk tolerance and define a risk management framework based on this analysis
12
The risk assessment is used to
identify and evaluate the impact of failure on critical business processes and to determine time frames, priorities, resources and interdependencies
13
Countermeasures are selected by
Risk Managers and can counter attacks, reduce inherent risks, resolve vulnerabilities and improve the state of security
14
Determining manual or automated test and evaluation processes should be based on
organizational requirements
15
Accepting the Residual Risk is central to
the accreditation authority's decision
16
Security Features Assessment
Verify/Validate effectiveness of security controls (technical/non-technical)
17
It is most important to paint a vision for
the future and then draw a road map from the starting point – this requires that the current state and desired future state be fully understood.
18
Transferring risk involves
shifting some or all of the negative impact of a threat along with ownership to a third party
19
Identifying the appropriate Risk Analysis tool requires
identifying the requirement, determining data collection, identifying an analytical methodology and determining ROI
20
Residual Risk can be mitigated by
eliminating or reducing the impact of a system threat/vulnerability pair, adding targeted controls to reduce the capacity and motivation of a threat-source, and reducing the magnitude of the adverse impact
21
Risk Management focuses on
stipulating information protection security policy, standards and guidelines, and helps to ensure System Security Policies are up-to-date so that all significant risks are addressed
22
Information that is no longer required should be
analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons
23
Laws and regulations of the country of origin may not be
enforceable in the foreign country
24
The laws and regulations of a foreign outsourcer may
also impact the enterprise
25
Information security governance models are
highly dependent on the complexity of the organizational structure
26
Data owners are responsible for
assigning user entitlement changes and approving access to the systems for which they are responsible.
27
A data classification policy describes
the data classification categories; levels of protection; and roles and responsibilities of potential users including data owners
28
The primary benefit of classifying information assets is
to identify controls that are proportional to the risks
29
Risk is constantly changing. Evaluating risk
annually or when there is a significant change should take into consideration a reasonable time frame while allowing flexibility to address significant changes
30
Risk evaluation should take into consideration
the potential size and likelihood of the loss
31
A compliance-oriented BIA will
identify all of the compliance requirements to which the enterprise has to align and their impacts on business objectives and activities.
32
For IT to be successful in delivering against business requirements, management should
develop an internal control system that will make a link to the business process
33
Contingency planning provides both
preventive and recovery controls
34
Program Risk Management is the ability
to assess security needs and capabilities, select appropriate safeguards, implement required controls, select adequate test controls, implement and manage changes and accept residual risk
35
Risk consequences place
people at risk, can place system continuity and information at risk, can place organizational mission at risk and can place organizational reputation at risk (difficult to quantify)
36
Risk Assessment performed as part of the contingency response must
consider all possible threats, must assess the potential impact of a loss, must evaluate critical organizational needs and must establish recovery priorities
37
Using a list of possible scenarios with threats and impacts will
better frame the range of risk and facilitate a more informed discussion and decision
38
A knowledge management platform with workflow and polling features will
automate the process of maintaining the risk register
39
The value of the server should be based on
its replacement cost; however, the financial impact to the enterprise may be much broader, based on the function that the server performs for the business and the value it brings to the enterprise
40
Social engineering is the act of
manipulating people into divulging confidential information or performing actions that allow an unauthorized individual to gain access to sensitive information and/or systems
41
What provides the best measure of the risk to an asset
The product of the probability and magnitude of the impact
42
Background screening is the most suitable method for
assuring the integrity of a prospective staff member
43
Without a policy defining who has the responsibility for granting access to specific data or systems there is
an increased risk that one could gain unauthorized access
44
Threat sources can originate from
Foreign (Nation) States with hostile intentions, terrorist threat groups, activists (Hacktivists) conducting publicity-seeking attacks, criminals engaged in electronic crime, hackers, crackers, virus writers and even Script Kiddies, but the main source is disgruntled employees (authorized users)
45
Attack avenues include attacks through
an internal LAN, attacks through a trust-relationship, attacks through physical access, attacks from the insider
46
The lack of adequate controls represents
A vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers
47
What's the objective of RM
Ensuring that all residual risk is maintained at a level acceptable to the business
48
Acceptance of a risk is an alternative to be considered
in the risk response process
49
After putting into place an effective risk management program, the remaining risk is called
residual risk
50
Residual risk is
any risk remaining after appropriate controls or countermeasures have been implemented to mitigate the target risk.
51
An enterprise may decide to accept a specific risk because
the protection would cost more than the potential loss
52
A risk assessment should be conducted to clarify
the risk whenever the company’s policies cannot be followed
53
The manager needs to base the proposed risk response on a
risk evaluation, the business need and the requirements for the enterprise
54
Risk should be reduced to a level
that an organization is willing to accept
55
Organizational requirements should determine
when a risk has been reduced to an acceptable level
56
Risk control professionals should use risk assessment techniques to
justify and implement a risk mitigation strategy as efficiently as possible
57
Effective risk management requires
participation, support and acceptance by all applicable members of the enterprise, beginning with the executive levels
58
Typically, when the probability of an incident is low, but the impact is high, risk is
transferred to another entity (e.g. insurance company)
59
The Total Cost of Ownership (TCO) is
the most relevant piece of information to be included in the CBA because it establishes a cost baseline that must be considered for the full life cycle of the control
60
When the cost of control is more than the cost of the potential impact, the risk should
be accepted
61
Insurance can compensate an enterprise for
an entire loss or financial risk
62
The primary reason for initiating a policy exception process is
when the risk is justified by the benefit
63
The risk register details
all identified risks, including description, category, cause, probability, impact, proposed responses, owners and current state
64
Risk is constantly changing, so a previously conducted risk assessment may not include
measured risk that has been introduced since the last assessment
65
Without identifying new risk, other procedures will
only be useful for a limited period
66
A network vulnerability assessment intends to identify
known vulnerabilities that are based on common misconfigurations and missing updates
67
Security design flaws require
a deeper level analysis
68
Accepted risk should be reviewed
regularly to ensure that the initial risk acceptance rationale is still valid within the current business context
69
What is the most effective way to deal with risk
Implementing monitoring techniques that will detect and deal with potential fraud cases
70
A successful risk management practice minimizes
the residual risk to the enterprise
71
The enterprise should first assess the likelihood of a similar incident occurring based on
available information
72
Not reporting an intrusion is equivalent to
hiding a malicious intrusion
73
What is not a requirement and is dependent on the enterprise policy
Reporting to the public
74
What would make it impossible to locate a data warehouse containing customer information in another country.
Privacy laws prohibiting the cross-border flow of PII
75
What is the first step when developing a risk monitoring program
Conducting a capability assessment
76
End-user-developed applications may not be
subject to an independent outside review by systems analysts and, frequently, are not created in the context of a formal development methodology
77
What is a risk of allowing high-risk computers onto the enterprise’s network
a VPN implementation
78
Qualitative (impact) risk assessment methods include using
interviewing and the Delphi method
79
A risk register provides a report of
all current identified risk within an enterprise, including compliance risk, with the status of the corrective actions or exceptions that are associated with them
80
Risk reporting is the only activity that is part of
risk monitoring
81
An independent benchmark of capabilities will allow
an enterprise to understand its level of capability compared to other organizations within its industry
82
Capability maturity modeling allows an enterprise to
understand its level of maturity in its risk capabilities, which is an indicator of operational readiness and effectiveness
83
The most important factor when designing IS controls is that they
advance the interests of the business by addressing stakeholder requirements
84
Investments in risk management technologies should be based on
a value analysis and a sound business case
85
IT is more efficient to
establish a baseline standard and then develop additional standards for locations that must meet specific requirements
86
Recovery Time Objectives are a primary deliverable of a
BIA
87
The data owner is responsible for
applying the proper classification to the data
88
Privacy protection is necessary to ensure
that the receiving party has the appropriate level of protection for personal data
89
Establishing an Acceptable Use Policy (AUP) is the best measure for
preventing data leakage
90
Role-based access controls provide access according to
business needs and provide the most effective measure to protect against the insider threat
91
Periodic security reviews are the best way to ensure that contract programmers comply with
organizational security policies
92
A mail relay should normally be placed
within a DMZ to shield the internal network
93
Establishing predetermined, automatic expiration dates is the best way to enhance
the removal of system access for contractors and other temporary users
94
PKI
combines public key encryption with a trusted third party to publish and revoke digital certificates that contain the public key of the sender
95
What is the most effective way to prevent external security risks
Network address translation
96
What provides the most effective protection of data on mobile devices
Encryption
97
When configuring a biometric access control system that protects a high-security data center the system’s sensitivity level should be set to
a higher false reject rate.
98
Encryption of stored data will help ensure
the actual data cannot be recovered without the encryption key
99
Understanding the security architecture is important in
managing complex information infrastructures
100
Control effectiveness requires a process to
verify test results and intended objectives to verify that the control process works as intended
101
With regard to outsourced service providers, system auditing is an effective way to ensure
that outsourced service providers comply with the enterprise’s information security policy.
102
What should be updated frequently as new software is released
Information security policies and procedures
103
What is used to help verify change management and to determine whether unauthorized modifications were made to production programs
Compliance testing
104
Continuous monitoring is effective when
incidents have a high impact and frequency
105
What is the most useful metric for monitoring violation logs.
Penetration attempts investigation
106
The optimum time to perform a penetration test is
after changes are made to the infrastructure because they may inadvertently introduce new exposures.
107
Performing regular penetration tests ensures
that a network is adequately secured against external attacks.
108
The effectiveness of organizational awareness programs is best measured by
a quantitative (impact) evaluation to ensure user comprehension
109
What ensures a proper understanding of risk and success criteria
A clearly stated definition of scope
110
A CMM can assist a risk manager in
measuring the existing level of risk processes against their desired state
111
Methodology illustrates
the process and formulates the basis to align expectations and the execution of the assessment
112
Conducting security code reviews for the entire SW application can
effectively identify software “back-doors”
113
What can be quickly identified by conducting an automated code comparison.
Unauthorized code modifications
114
Conducting a physical count of tape inventory provides
a substantive test of completeness.
115
System owners should be notified immediately when
a vulnerability within a trusted system or component is identified
116
What can be monitored through “honey-pots”
Hacker activity
117
Server sampling can verify
NAV signatures are current
118
Risk impact can be determined based on
- known risks (those that can be easily identified)
- known unknowns (an identifiable uncertainty)
- unknowns (risks that are known but whose impact is not known)
- unknown unknown risks (existence has yet to be encountered)
119
Incident evaluation involves
identification, analysis, assessment, response, recovery, and reporting.
120
Risk Assessment performed as part of the contingency response must consider
- all possible threats,
- must assess the potential impact of a loss of CIA,
- must evaluate critical organizational needs and
- must establish recovery priorities.
121
Risk-Based Auditing requires
- identifying threats;
- identifying vulnerabilities;
- identifying assets; and
- identifying countermeasures
122
To assess IT risk, what needs to be evaluated, and using what approaches
threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches
123
A properly configured information security infrastructure should be based on
a comprehensive risk assessment.
124
The primary concern of a comprehensive data retention policy should focus on
business requirements
125
Configuration Management provides the greatest likelihood of information security weaknesses through
misconfiguration and failure to update OS code correctly and on a timely basis.
126
BIA should include the examination of
risk, incidents and interdependencies as part of the activity to identify impact to business objectives.
127
What is the first step necessary to understand the impact and requirement of new regulations
Assessing whether existing controls meet requirements
128
The most useful metric is one that measures
the degree to which complete follow-through has taken place.
129
What are most likely to inadvertently introduce new exposures
Changes in the system infrastructure
130
To truly judge effectiveness of user awareness training some means of
measurable testing is necessary to confirm user comprehension
131
To correct the vulnerabilities, the system owner needs to
be notified quickly before an incident can take place.
132
What is the best choice for diverting a hacker away from critical files and alerting security to the hacker's presence
Honeypots
133
The only effective way to check the currency of signature files is to
look at a sample of servers.
134
Monitoring tools can focus on:
Transaction Data; Conditions; Changes; Process Integrity; Error management; and Continuous Monitoring.
135
Strategic Planning involves the annual evaluation of
the maturity of controls and provides a barometer of controls in their current state, a comparison to previous periods and the target maturity level.
136
Advanced Persistent Threat is
a Threat Source that has both the capability and the intent to persistently and effectively target a critical information infrastructure.
137
A Continuous Risk Management (CRM) process provides
a disciplined and documented approach to risk management throughout the system life cycle by facilitating Identification; Planning; Analysis; Tracking and Controlling risk activities.
138
Risk reporting content must be
clear; concise; useful; timely; target audience; and available based on need to know
139
Risk-Based Auditing Methodologies require
preparation, assessment, mitigation, reporting and follow-up.