CRISC Review
Governance answers what four questions?
1. Are we doing the right things? 2. Are we doing them the right way? 3. Are we doing them well? 4. Are we getting the benefits?
What are the SIX NIST Risk Management Framework Steps?
1. Categorize Information Systems 2. Select Security Controls 3. Implement Security Controls 4. Assess Security Controls 5. Authorize Information Systems 6. Monitor Security Controls
What are the ELEMENTS of RISK?
1. Consequences associated with specific assets. 2. A threat to those assets, requiring both intent (motivation) and capability. 3. A vulnerability specific to the threat.
What are two forms of Likelihood?
1. Impact due to the loss or compromise of information. 2. Impact due to the loss or compromise of an information system.
What are the two principles of Confidentiality?
1. Need-to-Know 2. Least Privilege
Vulnerability Assessment
A careful examination of a target environment to discover any potential points of compromise or weakness.
What is a risk factor?
A combination of several factors that interact to cause damage to the assets of the organization.
Non-repudiation
A positive guarantee that a given action was carried out by a given individual or process; an important part of tracing responsibility and enforcing accountability.
Vulnerability Analysis
A process of identifying and classifying vulnerabilities.
Impact Assessment
A review of the possible consequences of a risk.
1.1.7 Which of the following describes a set of mandatory procedures or processes used by an organization? A. Standard B. Framework C. Practice D. Policy
A standard is a set of mandatory procedures or processes used by an organization.
Project Risk
A structured set of activities concerned with delivering a defined capability (one that is necessary, but not sufficient, to achieve a required business outcome) to the enterprise, based on an agreed-upon schedule and budget.
Impact Analysis
A study to prioritize the criticality of information resources for the enterprise based on the cost (or consequences) of adverse events. In an impact analysis, threats are identified and potential business losses are determined for different periods. This assessment is used to justify the extent of the safeguards that are required and the recovery time frames. This analysis is the basis for establishing the recovery strategy.
1.1.3 Which of the following terms DESCRIBES a weakness in a system? A. Threat B. Vulnerability C. Risk D. Threat Agent
A vulnerability is a weakness in a system.
Vulnerability
A weakness in the design, implementation, operation or internal control of the process that could expose the system to adverse threats from threat events.
1.3 Shortly after performing the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should: A. analyze in detail how the law may affect the enterprise. B. ensure that necessary adjustments are implemented during the next review cycle. C. initiate the ad hoc revision of the corporate policy. D. notify the system custodian to implement changes.
A. Assessing how the law may affect the enterprise is the best course of action. The analysis must also determine whether existing controls already address the new requirements.
What are the PCI Data Security Standard 12 requirements?
A. Build & Maintain a Secure Network & Systems
1. Install & maintain a firewall configuration to protect cardholder data
2. Do NOT use vendor-supplied defaults for system passwords & other security parameters
B. Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
C. Maintain a Vulnerability Management Program
5. Protect all systems against malware & regularly update anti-virus software or programs
6. Develop & maintain secure systems & applications
D. Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify & authenticate access to system components
9. Restrict physical access to cardholder data
E. Regularly Maintain & Test Networks
10. Track & monitor all access to network resources & cardholder data
11. Regularly test security systems & processes
F. Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
2.6 Which of the following choices BEST helps identify information system control deficiencies? A. gap analysis B. the current IT risk profile C. the IT controls framework D. countermeasure analysis
A. Controls are deployed to achieve desired control objectives based on risk assessments and business requirements. The gap between desired control objectives and actual IS control design and operational effectiveness identifies IS control deficiencies.
1.5 Which of the following choices provides the BEST view of risk management? A. an interdisciplinary team B. a third-party risk assessment service provider C. the enterprise's IT department D. the enterprise's internal compliance department
A. Having an interdisciplinary team contribute to risk management ensures that all areas are adequately considered and included in the risk assessment process, supporting an enterprise view of risk.
1.7 It is MOST important that risk appetite is aligned with business objectives to ensure that: A. resources are directed toward areas of low risk tolerance. B. major risk is identified and eliminated. C. IT and business goals are aligned. D. the risk strategy is adequately communicated.
A. Risk appetite is the amount of risk that an enterprise is willing to take on in pursuit of value. Aligning it with business objectives allows an enterprise to evaluate and deploy valuable resources toward those objectives where the risk tolerance (for loss) is low.
2.5 Which of the following choices BEST assists a risk practitioner in measuring the existing level of development of risk management processes against their desired state? A. a capability maturity model (CMM) B. risk management audit reports C. a balanced scorecard (BSC) D. enterprise security architecture
A. The capability maturity model (CMM) grades processes on a scale of 0 to 5 based on their maturity. It is commonly used by entities to measure their existing state and then to determine the desired one.
1.8 Weak passwords and transmission over unprotected communication links are examples of: A. vulnerabilities. B. threats. C. probabilities. D. impacts.
A. Vulnerabilities represent characteristics of information resources that may be exploited by a threat.
The Types of IT-related Risk
Access risk, Availability risk, Infrastructure risk, Integrity risk, Investment/Expense risk, Project Ownership risk, Relevance risk, Schedule risk
What types of risk are there with Big Data?
Amplified Technical Impact; Privacy (Data Collection); Privacy (Re-Identification)
People
An asset that an organization considers vulnerable to the loss of knowledge in a certain area, or that has specific expertise.
Data
An asset associated with the reputation and goodwill of the organization, which holds secrets, patents, trademarks and copyrights.
Technology
An asset that changes rapidly with new developments and is vulnerable to the upgrades that are pushed to it.
Vulnerability Scanning
An automated process to proactively identify security weaknesses in a network or an individual system.
Threat Analysis
An evaluation of the type, scope and nature of events or actions that can result in adverse consequences; the identification of the threats that exist against enterprise assets.
Threat
Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.
2.2.1 For a negative event or action to materialize and cause risk to an organization or system, what other factor must be present? A. Risk Factor B. Vulnerability C. Threat Agent D. Threat
B. For a negative event or action (threat) to materialize and cause risk to an organization or system, a vulnerability must also be present.
2.8 Which of the following reviews is BEST suited for the review of IT risk analysis results before the results are sent to management for approval and use in decision making? A. an internal audit review B. a peer review C. a compliance review D. a risk policy review
B. It is effective, efficient and good practice to perform a peer review of IT risk analysis results before sending them to management.
1.2 Which of the following statements BEST describes the value of a risk register? A. It captures the risk inventory. B. It drives the risk response plan. C. It is a risk reporting tool. D. It lists internal and external risk.
B. Risk registers serve as the main reference for all risk-related information, supporting risk-related decisions such as risk response activities and their prioritization.
2.2 Risk scenarios are analyzed to determine: A. strength of control B. likelihood and impact C. current risk profile D. scenario root cause
B. Risk scenarios are descriptions of events that can lead to a business impact and are evaluated to determine the likelihood and impact should the risk occur.
2.3 The risk to an information system that supports a critical business process is owned by: A. the IT director B. senior management C. the risk management department D. the system user
B. Senior Management is responsible for the acceptance and mitigation of all risk.
1.6 Which of the following choices is a PRIMARY consideration when developing an IT risk awareness program? A. Why technology risk is owned by IT B. How technology risk can impact each attendee's area of business C. How business process owners can transfer technology risk D. Why technology risk is more difficult to manage compared to other risk
B. Stakeholders must understand how the IT-related risk impacts overall business.
Why is it important to have senior management support?
Budget, Authority, Personnel Access and Information, and Legitimacy that will provide successful results.
1.4 An information system that processes weather forecasts for public consumption is MOST likely to place its highest priority on: A. non-repudiation B. confidentiality C. integrity D. availability
C. A system that delivers weather forecasts is likely to place its highest priority on the integrity of the data. The risk practitioner should keep in mind that whether the forecast turns out to be accurate in its prediction is distinct from whether the data is accurately represented.
2.4 The PRIMARY reason risk assessments should be repeated at regular intervals is: A. omissions in earlier assessments can be addressed B. periodic assessments allow various methodologies C. business threats are constantly changing D. they help raise risk awareness among staff
C. As business objectives and methods change, the nature and relevance of threats also change. This is the primary reason to conduct periodic risk assessments.
2.7 Deriving the likelihood and impact of risk scenarios through statistical methods is MOST LIKELY to be associated with which type of risk analysis? A. risk scenario B. qualitative C. quantitative D. semiquantitative
C. The essence of quantitative risk assessment is to derive the likelihood and impact of risk scenarios based on statistical methods and data.
1.1 Which of the following business requirements BEST relates to the need for resilient business and information system processes? A. Effectiveness B. Confidentiality C. Integrity D. Availability
D. AVAILABILITY relates to information being available when required by the business process, now and in the future. Resilience is the ability to provide and maintain an acceptable level of service during disasters or when facing operational challenges.
2.1 The MOST significant drawback of using quantitative risk analysis instead of qualitative risk analysis is the: A. Lower objectivity B. Greater reliance on expertise C. Less management buy-in D. Higher cost
D. Quantitative risk analysis is generally more complex and, therefore, more costly than qualitative risk analysis.
What are the risk factors for internal context?
Enterprise goals and objectives; Strategic importance of IT for the business; Complexity of IT; Complexity of the entity and degree of change; Change management capability; Operating model; Strategic priorities; Culture of the enterprise; Financial capacity
What are some of the forms of External Threats?
Espionage; Theft; Sabotage; Terrorism; Criminal acts; Software errors; Hardware flaws; Mechanical failures; Loss of assets; Data corruption; Facility flaws (freezing pipes/pipe burst); Fire; Supply chain interruption; Industrial accidents; Disease (epidemic); Seismic activity; Flooding; Power surge/utility failure; Severe storms
What are the risk factors for IT-related capability?
Evaluate, direct and monitor (EDM); Align, plan and organise (APO); Build, acquire and implement (BAI); Deliver, service and support (DSS); Monitor, evaluate and assess (MEA)
What are considered risk factors?
External context; Internal context; Risk management capability; IT-related capability
What are the contributing factors for calculating asset value?
Financial penalties for legal non-compliance; Impact on business processes; Damage to reputation; Additional cost for repair/replacement; Effect on third parties and business partners; Injury to staff or other personnel; Violations of privacy; Breach of contracts; Loss of competitive advantage; Legal costs
Why must risk management controls be implemented and operating correctly?
For oversight and due diligence, and for mitigating risk and ensuring the protection of the organization by implementing and monitoring controls that are effective.
Policy
Generally, a document that records a high-level principle or course of action that has been decided on. The intended purpose is to influence and guide both present and future decision making to be in line with the philosophy, objectives and strategic plans established by the enterprise's management teams.
Integrity
Guarding against improper modification, exclusion or destruction of information, which requires the protection of information from improper modification by unauthorized users and processes or activities operating on the system.
What is the process of the Risk Management Life Cycle?
IT Risk Identification; IT Risk Assessment; Risk Response & Mitigation; Risk & Control Monitoring & Reporting
Risk & Business Continuity
If the BCP (Business Continuity Plan) is inadequate or inaccurate, the organization/enterprise may not meet its goals for recovery after an incident. This is where IT risk management connects with business continuity. IT risk management and the business ensure that all functions are organized and are meeting the firm's mission and goals, to reduce risk to an acceptable level and mitigate any failures that occur in a timely fashion.
Business Processes
Inefficient or outdated business processes may pose a risk by making organizations uncompetitive. Business processes should be flexible enough to adapt to changes in the market or technology.
What is Need to Know?
Information that is accessed only to perform a specific duty/job function.
What are the phases of the SDLC model?
Initiation; Requirements; Design; Development/Acquisition; Implementation; Disposal/Retirement
Intellectual Property
Intangible assets that belong to an enterprise for its exclusive use.
1.1.1 Which of the following security goals is concerned with ensuring that data has not been modified or altered during transmission? A. Confidentiality B. Availability C. Integrity D. Non-repudiation
Integrity is concerned with ensuring that data has not been modified or altered during transmission or storage.
Impact
Magnitude of loss resulting from a threat exploiting a Vulnerability.
What are the risk factors for external context?
Market and economy factors; Rate of change in the market/production life cycle; Industry and competition; Geopolitical situation; Regulatory environment; Technology status and evolution; Threat landscape
Threat Agent
Methods and things used to exploit a vulnerability, such as determination, capability, motive and resources.
What are some types of vulnerabilities?
Network; Physical; Application & Web-facing Services; Utilities; Supply Chain; Processes; Equipment; Cloud Computing; Big Data
1.1.2 Which of the following is MOST concerned with ensuring that users cannot deny that they took action? A. Accountability B. Non-repudiation C. Auditing D. Authorization
Non-repudiation is concerned with ensuring that users cannot deny that they took a particular action.
What is PCI DSS?
Payment Card Industry Data Security Standard
What types of cloud computing are there?
Private; Public; Community; Hybrid
Availability
Providing timely and reliable access to information.
RACI
Responsible - Individuals tasked with getting the job done, performing the actual work effort to meet stated objectives.
Accountable - The single person liable or answerable for the completion of the task, who oversees and manages the person(s) responsible for performing the work effort and who may also play a role in the project.
Consulted - Individuals who provide input data, advice, feedback or approvals.
Informed - Individuals who are informed of the status, achievements and/or deliverables of the task and who are often not directly responsible for the work effort.
1.1.6 Which of the following terms describes the acceptable variations in risk that an organization is willing to deal with for a particular effort? A. Risk Acceptance B. Risk Appetite C. Risk Culture D. Risk Tolerance
Risk Tolerance is the acceptable variation in risk that an organization is willing to deal with for a particular effort.
Risk & Audit
Risk works with audit to ensure the effectiveness of the control framework. This helps with legislation, government oversight and media scrutiny. All IS (information systems) auditors are required to be objective, skilled and independent. They should be able to assess, identify, document and provide recommendations for risks, vulnerabilities and issues to be addressed.
What are the risk factors for risk management capabilities?
Risk governance; Risk management
Change Risk
Risk is not static; changes in the technology, regulations, business processes, functionality, architecture, users and other variables that affect the business and technical environments of the organization may affect the levels of risk associated with system operations.
Asset
Something of either tangible or intangible value that is worth protecting, including people, information, infrastructure, finances and reputation.
Velocity
Speed of onset, a measure of how much prior warning and preparation time an organization may have between the event's occurrence and impact, which itself can be split into speed of reaction and speed of recovery.
What does SDLC stand for?
System Development Life Cycle
Penetration Testing
Testing that is conducted by an internal or external team, with rules that can range from full knowledge of the infrastructure to a zero-knowledge test. It includes several types of tests to ensure that as many attack vectors as possible have been tested, and a report is generated that the risk practitioner can use in the process of risk identification.
Skill
The ability brought to bear by the perpetrator of an active/sentient threat relative to other perpetrators.
Risk Appetite
The amount of risk, at a board level, that an entity is willing to accept in pursuit of its mission.
Interdependence
The degree to which materialization of two or more types of risk might impact the organization differently, depending on whether the events occur simultaneously or consecutively.
Visibility
The extent to which a vulnerability is known, which can make it a more likely target of attack.
Motivation
The extent to which the perpetrator of the threat wants to succeed, which may result in higher chances of success.
What is Least Privilege?
The level of data access afforded to individuals or processes that is the minimum needed to perform the job function.
1.1.5 The likelihood of a Threat exploiting a vulnerability, causing an impact on an asset, describes which of the following terms? A. Impact B. Threat Agent C. Exploit D. Risk
The likelihood of a threat exploiting a vulnerability, causing an impact to an asset, describes risk.
Risk Communication
The method and openness of communication of risk plays a key role in defining and understanding the risk culture of the organization. Communication removes uncertainty and doubts concerning risk management.
Threat Vector
The path or route used by the adversary to gain access to the target.
Likelihood
The probability of something happening.
Asset Valuation
Valuing assets so that the organization does not pay more to protect an asset than the asset is worth. Based on the impact of a loss of confidentiality, integrity and availability (CIA).
Control Risk
The risk that a material error exists that would not be prevented or detected on a timely basis by the system of internal control.
Risk Culture
The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed.
Proximity
The time between the event occurring and its impact on the organization.
Emerging Threats
Any threat that may include unusual activity on the system, repeated alarms, slow system or network performance, or new or excessive activity in logs.
Risk & Information Security
Risk drives the selection of controls and justifies their initial and continued operation. Every control should be traceable back to the specific risk that the control is designed to mitigate. Types of risk: Control, Project & Change
Why should you integrate risk management into the Enterprise?
Integration enforces a holistic ERM (Enterprise Risk Management) approach that includes all departments, functions, systems and geographic locations. It is the authority that is required for all business processes that undergo analysis or when a change is made, whether internal or external.
Establishing and maintaining a common risk view is for what and why?
It is done so the enterprise can determine the controls needed to mitigate risk and integrate them into the business process. It sets the tone of the business regarding how to determine an accepted level of tolerance, and it is the life cycle for the regular reporting and review process that oversees the operations of risk management.
1.1.4 Which of the following are BOTH necessary for risk to exist and are often paired together? (Choose Two) A. Impact B. Threat C. Vulnerability D. Likelihood
Threats and vulnerabilities are both necessary for risk and are often paired together in assessments, since you cannot have risk if you have one without the other.
Why do you make risk-aware business decisions?
To ensure the full function of governance and the full range of opportunities, with the consequences of each decision that will impact the enterprise or the environment understood.
What is intellectual property?
Trademark; Copyright; Patent; Trade Secret
Volatility
Unpredictability, also referred to as dynamic range; the degree to which conditions vary from one moment to another, making projections difficult.
What are the factors that affect likelihood?
Volatility; Velocity; Proximity; Interdependence; Motivation; Skill; Visibility
Asset Value
What the organization or another party would pay to take possession of an asset or to deny access to it by others. Assets are typically valued on a monetary basis.
Risk Tolerance
The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives.
Risk Capacity
The objective amount of loss an enterprise can tolerate without its continued existence being called into question.