Which of the following controls do NOT come under technical class of control?

A. Program management control
B. System and Communications Protection control
C. Identification and Authentication control
D. Access Control

Answer: A

Explanation: Program Management control comes under management class of controls, not technical. Program Management control is driven...

December 2, 2020

Which of the following is the MOST effective inhibitor of relevant and efficient communication?

A. A false sense of confidence at the top on the degree of actual exposure related to IT and lack of a well-understood direction for risk management from the top down
B. The perception that the...

December 1, 2020

What are the responsibilities of the CRO?

Each correct answer represents a complete solution. Choose three.

A. Managing the risk assessment process
B. Implement corrective actions
C. Advising Board of Directors
D. Managing the supporting risk management function

Answer: ABD

Explanation: Chief Risk Officer is the executive-level manager in an...

December 1, 2020

Which of the following is NOT true for risk management capability maturity level 1?

A. There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk
B. Decisions involving risk...

December 1, 2020

Which of the following is the first MOST step in the risk assessment process?

A. Identification of assets
B. Identification of threats
C. Identification of threat sources
D. Identification of vulnerabilities

Answer: A

Explanation: Asset identification is the most crucial and first step in the risk assessment process. Risk identification,...

December 1, 2020

What type of risk response is this?

Wendy has identified a risk event in her project that has an impact of $75,000 and a 60 percent chance of happening. Through research, her project team learns that the risk impact can actually be reduced to just $15,000 with only a ten percent chance of occurring. The proposed solution...

November 30, 2020

Which of the following represents lack of adequate controls?

A. Vulnerability
B. Threat
C. Asset
D. Impact

Answer: A

Explanation: Vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing harm to the information systems or networks. It can exist in hardware, operating...

November 30, 2020

Which of the following should be PRIMARILY considered while designing information systems controls?

A. The IT strategic plan
B. The existing IT environment
C. The organizational strategic plan
D. The present IT budget

Answer: C

Explanation: Review of the enterprise's strategic plan is the first step in designing effective IS...

November 30, 2020

What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?

A. Anti-harassment policy
B. Acceptable use policy
C. Intellectual property policy
D. Privacy policy

Answer: B

Explanation: An acceptable use policy is a set of rules applied by the owner/manager of...

November 30, 2020

What are the requirements for creating risk scenarios? Each correct answer represents a part of the solution. Choose three.

A. Determination of cause and effect
B. Determination of the value of business process at risk
C. Potential threats and vulnerabilities that could cause loss
D. Determination of the value of...

November 30, 2020