CRISC Exam Questions and Answers
How many steps are in the NIST RMF? - ✅ 6 (in SP 800-37 Rev. 1; Rev. 2 added an organization-level Prepare step in front of them, making 7)
Name the steps of the NIST RMF - ✅ 1) Categorize Information Systems
2) Select Security Controls
3) Implement Security Controls
4) Assess Security Controls
5) Authorize Information Systems
6) Monitor Security Controls
What are the two layers of COBIT 5? - ✅ Governance (one domain: Evaluate, Direct and Monitor, EDM) and Management
What are the Management domains of COBIT 5? - ✅ 1) Align, Plan and Organize (APO)
2) Build, Acquire and Implement (BAI)
3) Deliver, Service and Support (DSS)
4) Monitor, Evaluate and Assess (MEA)
What are the layers of ISACA Risk IT Framework? - ✅ 1) Risk Governance
2) Risk Evaluation
3) Risk Response
What are the levels of SDLC? - ✅ 1) Initiation
2) Requirements
3) Design
4) Development/Acquisition
5) Implementation
6) Operations/Maintenance
7) Disposal/Retirement
What does SDLC stand for? - ✅ Software Development Life Cycle (NIST SP 800-64 uses the same phases under the name System Development Life Cycle)
What is the NIST business continuity document? - ✅ SP 800-34, "Contingency Planning Guide for Federal Information Systems"
What components of risk do Risk Scenarios include? - ✅ 1) Asset
2) Threat
3) Threat Agent
4) Vulnerability
5) Time/Location
Likelihood and impact are not scenario components; they are estimated for the scenario afterwards, during risk analysis
What elements should a Risk Register include? - ✅ 1) Risk factors
2) Threat agents, threats, and vulnerabilities
3) Risk scenarios
4) Criticality, severity, or priority of risk
5) Asset information
6) Impact of the risk on an asset
7) Likelihood of the threat exploiting the vulnerability
8) Current status of risk response actions
9) Resources that may be committed to respond to risk
10) Risk ownership information
11) Planned milestones toward risk response
Which publication contains the NIST RMF? - ✅ 800-37
What are the four steps of the NIST risk assessment process (SP 800-30 Rev. 1)? - ✅ 1) Prepare for the assessment
2) Conduct the assessment
3) Communicate the results
4) Maintain the assessment
These are risk assessment steps, not RMF steps; the RMF steps are the six listed above
Who developed the OCTAVE methodology? - ✅ Carnegie Mellon University's Software Engineering Institute (SEI)
What is special about OCTAVE? - ✅ The original method is designed for large organizations
What sets OCTAVE Allegro apart? - ✅ A streamlined variant focused on information assets and the business and operational risk to them
What sets OCTAVE-S apart? - ✅ Designed for smaller organizations
What is ISO/IEC 27005:2011? - ✅ The risk management standard of the ISO/IEC 27000 family; it gives guidelines for information security risk management in support of ISO/IEC 27001 but does not prescribe a single method
What is ISO 31000:2009? - ✅ Risk Management - Principles and Guidelines (generic enterprise risk management, not specific to information security)
What is IEC 31010:2009? - ✅ Risk Management - Risk Assessment Techniques; the companion to ISO 31000:2009 that catalogues the techniques used to perform its risk assessment step
What are the three processes of the Risk Evaluation domain of the ISACA Risk IT Framework, and what is a key component of the last one? - ✅ RE1: Collect Data
RE2: Analyze Risk
RE3: Maintain Risk Profile
KRIs (key risk indicators) are developed and maintained in RE3
What are a few methods of data collection? - ✅ 1) Conducting Interviews
2) Documentation Reviews
3) System Observation and Verification
4) System Testing
SLE - ✅ Single Loss Expectancy
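The risk register fields and the risk-scenario components above, together with SLE, are easiest to see as one worked model. The following Python is an added example written for this page, not code from ISACA or the CRISC material; it assumes the standard quantitative formulas SLE = AV x EF and ALE = SLE x ARO, and the register entries in it are constructed for illustration.

```python
"""Added example: a minimal risk register.

The scenario description (asset, threat, threat agent, vulnerability,
time/location) is stored separately from likelihood and impact, which are
added later as register fields.  Entries are ranked by annualized loss
expectancy, and a control is cost-justified when the ALE it removes
exceeds its annual cost.

Formulas assumed (standard quantitative risk analysis):
    SLE = AV * EF       single loss expectancy
    ALE = SLE * ARO     annualized loss expectancy
All figures below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class RiskScenario:
    """The five scenario components; no likelihood or impact here."""
    asset: str
    threat: str
    threat_agent: str
    vulnerability: str
    time_location: str


@dataclass
class RiskRegisterEntry:
    scenario: RiskScenario
    asset_value: float        # AV: value of the asset at risk
    exposure_factor: float    # EF: fraction of AV lost per occurrence (impact)
    annual_rate: float        # ARO: expected occurrences per year (likelihood)
    owner: str                # risk ownership information
    status: str = "open"      # current status of risk response actions
    milestones: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject inputs that make SLE/ALE meaningless (EF > 1, negative rates).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle * self.annual_rate


def prioritize(register: List[RiskRegisterEntry]) -> List[RiskRegisterEntry]:
    """Open entries ordered by ALE, highest first (the register's priority column)."""
    open_entries = [e for e in register if e.status != "closed"]
    return sorted(open_entries, key=lambda e: e.ale, reverse=True)


def control_is_worthwhile(entry: RiskRegisterEntry,
                          annual_control_cost: float,
                          aro_after: float) -> bool:
    """True if a control that lowers ARO to aro_after removes more ALE than it costs."""
    ale_after = entry.sle * aro_after
    return (entry.ale - ale_after) > annual_control_cost


# Constructed sample register (hypothetical assets and figures).
SAMPLE_REGISTER = [
    RiskRegisterEntry(
        RiskScenario("customer database", "data theft", "external attacker",
                     "unpatched SQL injection in web app", "24x7, internet-facing"),
        asset_value=2_000_000, exposure_factor=0.25, annual_rate=0.5,
        owner="Head of Application Security"),
    RiskRegisterEntry(
        RiskScenario("payroll server", "outage", "hardware failure",
                     "single disk, no backup", "month-end"),
        asset_value=400_000, exposure_factor=0.10, annual_rate=2.0,
        owner="IT Operations Manager"),
    RiskRegisterEntry(
        RiskScenario("laptop fleet", "device loss", "careless employee",
                     "no full-disk encryption", "travel"),
        asset_value=150_000, exposure_factor=0.05, annual_rate=10.0,
        owner="Endpoint Team", status="closed",
        milestones=["FDE rolled out to all laptops"]),
]


if __name__ == "__main__":
    for e in prioritize(SAMPLE_REGISTER):
        print(f"{e.scenario.asset:20} SLE={e.sle:>12,.0f} ALE={e.ale:>12,.0f} owner={e.owner}")
    top = prioritize(SAMPLE_REGISTER)[0]
    print("WAF at 60k/yr worthwhile:", control_is_worthwhile(top, 60_000, 0.1))
```

Note the split: `RiskScenario` carries only what a scenario describes, while likelihood (ARO) and impact (EF) live on the register entry, which is the distinction the scenario flashcard makes. Ranking by ALE rather than by a qualitative label keeps the priority column reproducible when the register is reviewed.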