CRISC


Which of the following causes the GREATEST concern to a risk practitioner reviewing a corporate information security policy that is out of date? The policy: A. was not reviewed within the last three years. B. is missing newer technologies/platforms. C. was not updated to account for new locations. D. does not enforce control monitoring.

(A) A. Not reviewing the policy for three years and updating it as necessary does not follow best practices and is the greatest concern. B. Corporate information security policies are generally written at a level that does not require modification for specific, newer technologies and should not cause the greatest concern to the risk practitioner. C. Corporate information security policies are generally written at a level that incorporates multiple locations. Even if the new facilities are in different geographic locations, with potentially different legislatures, a well-written corporate information security policy should accommodate such changes in the enterprise's operating environment. D. Lack of control monitoring is a concern; however, the fact that the corporate information security policy itself was not reviewed on a regular basis is the greatest concern, particularly because policy reviews can be considered a part of continuous control monitoring at the highest level.

Which of the following information in the risk register BEST helps in developing proper risk scenarios? A list of: A. potential threats to assets. B. residual risk on individual assets. C. accepted risk. D. security incidents.

(A) A. Potential threats that may impact the various business assets will help in developing scenarios on how these threats can exploit vulnerabilities and cause a risk and therefore help in developing proper risk scenarios. B. Residual risk on individual assets does not help in developing a proper risk scenario. C. Accepted risk is generally a small subset of entries within the risk register. Accepted risk should be included in the risk register to ensure that events that may affect the current decision of the enterprise to accept the risk are monitored. D. Previous security incidents of the enterprise itself or entities with a similar profile may inspire similar risk scenarios to be included in the risk register. However, the best approach to create a meaningful risk register is to capture potential threats on tangible and intangible asset

Which of the following is the MOST important reason for conducting security awareness programs throughout an enterprise? A. Reducing the risk of a social engineering attack B. Training personnel in security incident response C. Informing business units about the security strategy D. Maintaining evidence of training records to ensure compliance

(A) A. Social engineering is the act of manipulating people into divulging confidential information or performing actions that allow an unauthorized individual to get access to sensitive information and/or systems. People are often considered the weakest link in security implementations, and security awareness would help reduce the risk of successful social engineering attacks by informing and sensitizing employees about various security policies and security topics, thus ensuring compliance from each individual. B. Training individuals in security incident response is a corrective control action and not as important as proactively preventing an incident. C. Informing business units about the security strategy is best done through steering committee meetings or other forums. D. Maintaining evidence of training records to ensure compliance is an administrative, documentary task, but should not be the objective of training.

When leveraging a third party for the procurement of IT equipment, which of the following control practices is MOST closely associated with delivering value over time? A. Compare the cost and performance of current and alternate suppliers periodically. B. Assign a relationship owner to the supplier and make him/her accountable. C. Monitor and review delivery to verify that the quality of service is acceptable. D. Establish service level agreements (SLAs) with clear financial penalties.

(A) A. Value is a function of cost and performance. Even if the current supplier is rigorously held to the standard established in an original contract and never raises prices, the value delivered by the contract over time will decline if competitors deliver better performance at lower prices over the same time frame. The only way to be sure that a current supplier continues to deliver value is to periodically compare its cost and performance to the cost and performance of alternate suppliers. B. Having a relationship owner who is accountable for performance is an excellent practice for holding the quality of performance in line with the agreed-on contract, but it cannot guarantee that the terms of that contract will deliver value over time. C. Monitoring and reviewing delivery to verify that the quality of service is acceptable is important to identify whether any penalties may be due under the terms of an established service level agreement (SLA), as well as to push for immediate corrective action. However, it cannot guarantee that the terms of the contract will deliver value over time. D. SLAs with clear financial penalties provide a mechanism for reimbursement of financial losses in the event that degraded performance has a financial cost, but this cannot guarantee that the terms of the contract will deliver value over time.

It is MOST important that risk appetite be aligned with business objectives to ensure that: A. resources are directed toward areas of low risk tolerance. B. major risk is identified and eliminated. C. IT and business goals are aligned. D. the risk strategy is adequately communicated.

(A) A. Risk appetite is the amount of risk that an enterprise is willing to take on in pursuit of value. Aligning it with business objectives allows an enterprise to evaluate and deploy valuable resources toward those objectives where the risk tolerance (for loss) is low. B. There is no link between aligning risk appetite with business objectives and identification and elimination of major risk. Moreover, risk cannot be eliminated; it can be reduced to an acceptable level using various risk response options. C. Alignment of risk appetite with business objectives does converge IT and business goals to a point, but alignment is not limited to these two areas. Other areas include organizational, strategic and financial objectives, among other objectives. D. Communication of the risk strategy does not depend on aligning risk appetite with business objectives.

Which of the following examples of risk should be addressed during application design? A. A lack of skilled resources B. The risk of migration to a new system C. Incomplete technical specifications D. Third-party supplier risk

(A) A. A lack of skilled resources implies that the project is beyond the skills of the personnel involved and is associated with the design phase. B. Migration risk is typically associated with the implementation phase. C. Technical risk is introduced when the technical requirements may be beyond the scope of the project. D. Risk that a third-party supplier would not be able to deliver on time or to requirements is associated with the implementation phase.

Which of the following BEST describes the information needed for each risk on a risk register? A. Various risk scenarios with their date, description, impact, probability, risk score, mitigation action and owner B. Various risk scenarios with their date, description, risk score, cost to remediate, communication plan and owner C. Various risk scenarios with their date, description, impact, cost to remediate and owner D. Various activities leading to risk management planning

(A) A. This choice is the best answer because it contains the necessary elements of the risk register that are needed to make informed decisions. B. This choice contains some elements of a risk register, but misses some important and key elements of a risk register (impact, probability, mitigation action) that are needed to make informed decisions and this choice lists some items that should not be included in the register (communication plan). C. This choice misses some important and key elements of a risk register (probability, risk score, mitigation action) needed to make informed decisions. D. A risk register is a result of risk management planning, not the other way around.

A lack of adequate controls represents: A. a vulnerability. B. an impact. C. an asset. D. a threat.

(A) A. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information, financial loss, legal penalties, etc. B. Impact is the measure of the financial loss that a threat event may have. C. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure, finances and reputation. D. A threat is a potential cause of an unwanted incident.

When assessing strategic IT risk, the FIRST step is: A. summarizing IT project risk. B. understanding organizational strategy from senior executives. C. establishing enterprise architecture (EA) strategy. D. reviewing IT incident reports from service delivery.

(B) A. Summarizing project risk does not necessarily lead to an understanding of all risk, e.g., not realizing the benefits or impact of project risk on programs and portfolios or business or strategic objectives. Unintended consequences, reputation and brand risk, and strategic objectives need to be considered in order to assess strategic IT risk. B. Strategic IT risk is related to the strategy and strategic objectives of the organization. Once this is understood, a conversation with senior executives will provide an enterprise view of the dependencies and expectations for IT, which leads to an understanding of the potential risk. C. Enterprise architecture (EA) is fundamentally about producing a view of the current state of IT, establishing a vision for a future state and generating a strategy to get there (preferably by optimizing resource risk while realizing benefits). This view of IT should demonstrate the linkage of IT to organizational objectives and produce a view of current risk, but the development of EA takes significant effort, resources and time. Enterprise architectures also benefit from being informed by an understanding of organizational strategy and the views of the senior executives, which change rapidly in the current business environment and, therefore, need to be regularly reviewed. D. Developing an understanding of current incidents will not directly provide a strategic view of the objectives of the organization and how the organization is dependent on IT to achieve those objectives.

Which of the following items is MOST important to consider in relation to a risk profile? A. A summary of regional loss events B. Aggregated risk to the enterprise C. A description of critical risk D. An analysis of historical loss events

(B) A. The risk profile will consider regional events that could impact the enterprise, and will also consider systemic and other risk. B. The risk profile is based on the aggregated risk to the enterprise, including historical risk, critical risk and emerging risk. C. The risk profile will consider all risk, not just critical risk. D. Analysis of historical loss events can assist in business continuity planning and risk assessment, but is incomplete for a risk profile.

Which of the following is the BEST indicator of an effective information risk management program? A. The security policy is made widely available. B. Risk is considered before all decisions. C. Security procedures are updated annually. D. Risk assessments occur on an annual basis.

(B) A. Making the security policy widely available will assist in ensuring the success, but is not as critical as making risk-based business decisions. B. Ensuring that risk is considered and determined before business decisions are made best ensures that risk tolerance is kept at the level approved by the organization. C. Updating security procedures annually is only necessary if policy changes. D. Ensuring that risk assessments occur annually will assist in ensuring success, but is not as critical as making risk-based business decisions.

Which of the following controls can be used to reduce the potential scope of impact associated with a malicious hacker gaining access to an administrator account? A. Multifactor authentication B. Audit logging C. Least privilege D. Password policy

(C) A. Multifactor authentication safeguards against an account being accessed without authorization. If a malicious hacker has gained access to the account, this control has already been bypassed. B. Audit logging may be useful in identifying activities undertaken using an administrator account, but it is a lagging indicator unlikely to be effective in time to limit the scope of impact associated with a compromise. C. Privileged accounts, such as those used by administrators, are typically sought after by malicious hackers because of the perception that they will be exempt from most controls and have permission to do everything. However, except in the smallest organizations, administrators tend to be specialized in particular areas (e.g., specific servers, specific databases, firewalls, etc.). Although employing least privilege will not reduce the potential impact of a compromised account within the scope of its intended use, having specialized administrator accounts can greatly limit the impact to the organization as a whole. Even in small organizations where one person holds all roles, establishing specialized administrator accounts subject to least-privilege restrictions limits the potential impact of loss associated with an account compromise. D. A password policy requiring frequent changes can limit the reuse value of a compromised account, but it is unlikely that changes will be sufficiently restrictive to affect an account before it has been used by a malicious hacker who controls it.

The FIRST step in identifying and assessing IT risk is to: A. confirm the risk tolerance level of the enterprise. B. identify threats and vulnerabilities. C. gather information on the current and future environment. D. review past incident reports and response activity.

(C) A. A risk practitioner must understand the risk appetite of senior management and the associated risk tolerance level. This is not the first step because risk tolerance becomes relevant during risk response. B. Identification of relevant threats and vulnerabilities is important, but is limited in its view. C. The first step in any risk assessment is to gather information about the current state and pending internal and external changes to the enterprise's environment (scope, technology, incidents, modifications, etc.). D. While the review of past incident reports may be an input for the identification and assessment of IT risk, focusing on these factors is not prudent.

When a start-up company becomes popular, it suddenly is the target of hackers. This is considered: A. an emerging vulnerability. B. a vulnerability event. C. an emerging threat. D. an environmental risk factor.

(C) A. A vulnerability is a weakness in the design, implementation, operation or internal control of a process that can expose the system to adverse threats from threat events, which is not described in the question stem. B. A vulnerability event is any event from which a material increase in vulnerability results from changes in control conditions or from changes in threat capability/force. C. A threat is any event in which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm. The stem describes the emerging threat of hackers attacking the start-up company. D. Environmental risk factors can be split into internal and external environmental risk factors. Internal environmental factors are, to a large extent, under the control of the enterprise, although they may not always be easy to change. External environmental

What is a PRIMARY advantage of performing a risk assessment on a consistent basis? A. It lowers the costs of assessing risk. B. It provides evidence of threats. C. It indicates trends in the risk profile. D. It eliminates the need for periodic audits.

(C) A. There may be some minor cost benefits to performing risk assessments on a consistent basis, but that is not the main benefit. B. A risk assessment provides evidence of risk; however, it is not intended to provide evidence of threats. C. Tracking trends in evolving risk is of significant benefit to managing risk and ensuring that appropriate controls are in place. D. The performance of risk assessment on a consistent basis does not preclude the requirement to perform periodic independent audits.

At the end of which phase of risk management would information about newly discovered risk be communicated to decision makers and relevant stakeholders? A. Risk identification B. Risk response and mitigation C. Risk assessment D. Risk and control monitoring and reporting

(C) A. The risk identification phase determines what could happen to cause a potential loss and to gain insight into how, where and why the loss might happen. Until the risk has been analyzed, the likelihood and impact are unknown. Risk analysis occurs after risk identification and prior to risk communication. B. In the risk response and mitigation phase, controls to reduce, retain, avoid or transfer risk should be selected, and a risk treatment plan should be defined. The risk analysis must be communicated to the risk owners for them to select the proper risk response. C. During the risk assessment phase, identified risk is being analyzed and evaluated for likelihood and impact. Risk-based decision making is enabled through communication of the results of the risk assessment. D. In the risk and control monitoring and reporting phase, risk should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture.

Which of the following is true about IT risk? A. IT risk cannot be assessed and measured quantitatively. B. IT risk should be calculated separately from business risk. C. IT risk management is the responsibility of the IT department. D. IT risk exists whether or not it is detected or recognized by an enterprise

(D) A. IT risk, like any business risk, can be assessed both quantitatively and qualitatively. It is very difficult and incomplete to measure risk quantitatively. B. IT risk is one type of business risk. C. IT risk is the responsibility of senior management, not just the IT department. D. The enterprise must identify, acknowledge and respond to risk; ignorance of risk is not acceptable.

Investments in risk management technologies should be based on:

(D) A. Basing decisions on audit recommendations is reactive in nature and may not comprehensively address the key business needs. B. Vulnerability assessments are useful, but they do not determine whether the cost is justified. C. Demonstrated value takes precedence over the current business climate because the climate is ever changing. D. Investments in risk management technologies should be based on a value analysis and sound business case.

When developing risk scenarios for an enterprise, which of the following is the BEST approach? A. The top-down approach for capital-intensive enterprises B. The top-down approach because it achieves automatic buy-in C. The bottom-up approach for unionized enterprises D. The top-down and the bottom-up approach because they are complementary

(D) A. Both risk scenario development approaches should be considered simultaneously, regardless of the industry. B. Both risk scenario development approaches should be considered simultaneously, regardless of the risk appetite. C. Both risk scenario development approaches should be considered simultaneously, regardless of the industry. D. The top-down and bottom-up risk scenario development approaches are complementary and should be used simultaneously. In a top-down approach, one starts from the overall business objectives and performs an analysis of the most relevant and probable risk scenarios impacting the business objectives. In a bottom-up approach, a list of generic risk scenarios is used to define a set of more concrete and customized scenarios, applied to the individual enterprise's situation.

Governance answers 4 questions

1. Are we doing the right things?
2. Are we doing them the right way?
3. Are we getting them done well?
4. Are we getting the benefits?

4 main objectives of Risk Governance

1. Establish and maintain a common risk view
2. Integrate risk management into the enterprise
3. Make risk-aware business decisions
4. Ensure that risk management controls are implemented and operating correctly

The IT risk Management Life Cycle

1. Identification
2. Assessment
3. Response and Mitigation
4. Monitoring and Reporting

Ways to determine IT project failure

1. Over budget
2. Over the time allotted
3. Failure to meet customer needs and expectations

Framework

A generally accepted, business-process-oriented structure that establishes a common language and enables repeatable business processes.

Magnitude

A measure of the potential severity of loss or the potential gain from realized events/scenarios

Frequency

A measure of the rate at which events occur over a certain period of time.

Risk Analysis

A process by which the frequency and magnitude of risk scenarios are estimated

Risk Assessment

A process used to identify and evaluate risk and its potential effects.

Governance

Addresses the oversight of the business risk management strategy of the enterprise. It is the domain of senior management and the shareholders of the enterprise. They establish the enterprise's risk culture and determine the acceptable levels of risk; set up the management framework; and ensure that the risk management function is operating effectively to identify, manage, monitor and report on current and potential risk facing the enterprise.

Which of the following is the BEST indicator that incident response training is effective? A. Decreased reporting of security incidents to the incident response team B. Increased reporting of security incidents to the incident response team C. Decreased number of password resets D. Increased number of identified system vulnerabilities

B. Increased reporting of incidents is a good indicator of user awareness, but increased reporting of valid incidents is the best indicator because it is a sign that users are aware of the security rules and know how to report incidents. It is the responsibility of the IT function to assess the information provided, identify false positives, educate end users and respond to potential problems.

Value creation, the main objective of risk governance, consists of:

1. Benefits realization
2. Risk optimization
3. Resource optimization

Which of the following is MOST effective in assessing business risk? A. A use case analysis B. A business case analysis C. Risk scenarios D. A risk plan

C. Risk scenarios are the most effective technique in assessing business risk.

Overall business risk for a particular threat can be expressed as the: A. magnitude of the impact should a threat source successfully exploit the vulnerability. B. likelihood of a given threat source exploiting a given vulnerability. C. product of the probability and magnitude of the impact if a threat exploits a vulnerability. D. collective judgment of the risk assessment team.

C. The product of the probability and magnitude of the impact provides the best measure of the risk to an asset.

To be effective, risk management should be applied to: A. those elements identified by a risk assessment. B. any area that exceeds acceptable risk levels. C. all organizational activities. D. only those areas that have potential impact.

C. While not all organizational activities will pose an unacceptable risk, the practice of risk management is ideally applied to all organizational activities.

CSF stands for

Critical Success Factor, such as the relationship between the Business Unit and Information Technology

The MOST important external factors that should be considered in a risk assessment effort are: A. proposed new security tools and technologies. B. the number of viruses and other malware being developed. C. international crime statistics and political unrest. D. supply chain and market conditions.

D. A. It is always good to watch for new technologies and tools that can help the enterprise, especially ones that staff may want to bring into the office. But a risk assessment should not be based on proposed new products. B. The number of new malware types being developed is something worth watching, but it is not a factor that the risk professional can use in the calculation of risk for a risk assessment report. C. International crime statistics and political unrest may cause problems, but these are not the most important factors to be considered in a risk assessment effort. D. Risk assessment should consider both internal and external factors, including supply chain and market conditions. Supply chain problems (e.g., lack of raw material, strikes at a transportation company or supplier) can severely interrupt operations. A new competitor in the market or even a new company opening up in the area may affect availability of trained staff or pose a risk to growth and profitability.

Assessing an organization's context (environment) includes

1. Evaluating the intent and capability of threats
2. The relative value of, and trust required in, assets (or resources)
3. The relationship between vulnerabilities and the threats that could exploit them to intercept, interrupt, modify or fabricate data in information assets
4. The dependency on a supply chain
5. Financing, debt and partners
6. Vulnerability to changes in economic or political conditions
7. Changes to market trends and patterns
8. Emergence of new competition
9. Impact of new legislation
10. Existence of potential natural disasters
11. Constraints caused by legacy systems and antiquated technology
12. Strained labor relations and inflexible management

Top Down/Bottom Up Risk Approaches

In a top-down approach, one starts from the overall business objectives and performs an analysis of the most relevant and probable risk scenarios impacting the business objectives. In a bottom-up approach, a list of generic risk scenarios is used to define a set of more concrete and customized scenarios, applied to the individual enterprise's situation.

What is Due Care

In the field of information security, the following statements are useful: "Due care are steps that are taken to show that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees." And, "continual activities that make sure the protection mechanisms are continually maintained and operational." (Source: Harris, Shon; All-in-one CISSP Certification Exam Guide, 2nd Edition, McGraw-Hill/Osborne, USA, 2003.) Stockholders, customers, business partners and governments expect that corporate officers will run the business in accordance with accepted business practices and in compliance with laws and other regulatory requirements. So while no entity can protect itself completely from security incidents, in case of legal action, by demonstrating due care, these entities can make a case that they are actually doing things to monitor and maintain the protection mechanisms and that these activities are ongoing.

Leading Practice

Optimally applying knowledge

What is the MAIN objective of risk identification?

Risk identification is the process of determining and documenting the risk that an enterprise faces. The identification of risk is based on the recognition of threats, vulnerabilities, assets and controls in the enterprise's operational environment.

Risk Tolerance

The ACCEPTABLE level of variation that management is willing to allow for any particular risk as the enterprise pursues its business objectives.

Risk Appetite

The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission (or vision)

IT RISK

The business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise.

Risk Evaluation

The process of comparing the estimated risk against given risk criteria to determine the significance of the risk

Risk Identification

The process of determining and documenting the risk that an enterprise faces. The identification of risk is based on the recognition of threats, vulnerabilities, assets, and controls in the enterprise's operational environment.

Risk Aggregation

The process of integrating risk assessments at a corporate level to obtain a complete view of the overall risk for the enterprise

Risk Culture

The shared values and beliefs that govern the attitudes and behaviors toward risk taking, care and integrity, and determines how openly risk and losses are reported and discussed.

Responsibility for Risk Governance

Ultimately the responsibility of the board of directors and senior management. They establish the enterprise's risk culture and acceptable levels of risk; set up the management framework; and ensure that the risk management function is operating effectively to identify, manage, monitor, and report on current and potential risk facing the enterprise.

Risk Management starts with

Understanding the organization and the environment or context in which it operates.

A risk register contains

Various risk scenarios with their date, description, impact, probability, risk score, mitigation action and owner

What is wardriving?

Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA).

Scope Creep

also called requirement creep, refers to uncontrolled changes in a project's scope. Unless the scope of the project is controlled, its duration and budget cannot be effectively held to account, resulting in a high probability that the project will go over budget as it seeks to meet changing requirements.

Cross site scripting

an injection attack in which malicious scripts are injected into otherwise benign and trusted web sites. XSS results from insufficient input validation where a user can add malicious content to a web application.

Relevance Risk

composite form of business risk, requiring both integrity and availability to be addressed in order for it to be reasonably controlled. Transmitting information to the necessary recipients in a timely manner also creates tension with access (security) risk by increasing the potential for unintended release of information to unauthorized third parties.

IT risk drives the selection of ____ and justifies the choice and operation of a _________.

control(s)

NIST states that an organization must provide risk-based, cost-effective ...

controls

IS audit is an important part of

corporate governance

A Statement of work (SOW) defines what

governance terms and conditions for a third-party engagement and contains language that delineates the IP ownership of anything developed under the contract. An organization that fails to include adequate language regarding IP may find that it has paid for the labor to develop an application only to have limited rights to the resulting product (or even none at all). Therefore, reviewing this language for sufficiency under the circumstances of the engagement rather than relying on boilerplate clauses at the corporate level is an important part of assessing the vulnerability associated with a third-party engagement.

Problem management

part of the Information Technology Infrastructure Library (ITIL) and is a process that is used to minimize the impact of problems in an enterprise. Metrics, known errors and incidents are all tracked to minimize problems.

risk assessment

process used to identify and evaluate risk and its potential effects. It includes assessing the critical functions necessary for an enterprise to continue business operations, defining the controls in place to reduce enterprise exposure and evaluating the cost for such controls.

the role of IT is to

serve the business

The success of the IT risk management effort is usually based on having an organization-wide perspective of risk following a ________________________

structured methodology and gathering correct information

RISK MANAGEMENT is...

the coordinated activities to direct and control an enterprise with regard to risk

automated code comparison

the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure.

Control failure is

when a control is not operating correctly, is the wrong control, is configured incorrectly, or is inadequate to address new threats.

Business continuity starts

where risk management ends
