CRISC Exam Question with correct
Answers Latest 2022
What is the difference between a standard and a policy? - ANSWER Standard = A
mandatory action, explicit rules, controls or configuration settings that are designed to
support and conform to a policy. A standard should make a policy more meaningful and
effective by including accepted specifications for hardware, software or behavior.
Standards should always point to the policy to which they relate.
Policy = IT policies help organizations to properly articulate the organization's desired
behavior, mitigate risk and contribute to achieving the organization's goals.
What are the 4 risk elements? - ANSWER Threats, Vulnerabilities, Likelihood, and
Impact. Threats exploit vulnerabilities and the level of risk is based on likelihood and the
impact to the system.
Describe risk appetite vs. risk tollerance - ANSWER Risk appetite is how much risk an
organization is willing to endure; Risk Tolerance is how much variation from that amount
is acceptable.
Name the 6 steps of the NIST Risk Management Framework (RMF) - ANSWER 1.
Categorize Information Systems
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize Information Systems
6. Monitor Security Controls
Which framework is developed by ISACA and integrates other frameworks?
a) (Val) IT
b) IT Assurance Framework (ITAF)
c) COBIT 5
d) Risk IT - ANSWER c. COBIT 5
What are the 3 domains of ISACA's Risk IT Framework? - ANSWER Risk Governance
(RG), Risk Evaluation (RE), Risk Response (RR)
What are the tenets of risk management? - ANSWER confidentiality, integrity, and
availability
Which legal act requires U.S. Federal Govt agencies to establish an information security
program? - ANSWER Federal Information Security Management Act (FISMA)
, What is the Gramm-Leach-Bliley Act (GLBA) - ANSWER GLBA requires periodic risk
analysis performed on processes that deal with nonpublic financial information and
personal financial data.
The Risk Governance (RG) domain of the Risk IT framework is comprised of what 3
processes? - ANSWER RG1: Establish and maintain a common risk view
RG2: Integrate with ERM
RG3: Make risk-aware business decisions
The Risk Evaluation (RE) domain of the Risk IT framework is comprised of what 3
processes? - ANSWER RE1: Collect Data
RE2: Analyze Risk
RE3: Maintain risk profile
The Risk Response (RR) domain of the Risk IT framework is comprised of what 3
processes? - ANSWER RR1: Articulate risk
RR2: Manage risk
RR3: React to events
What is a threat agent? - ANSWER The entity causing or enacting a threat against a
vulnerability.
What is the simple risk formula? - ANSWER threats x vulnerabilities = risk
What are the key areas of concern for emerging technologies? - ANSWER
Interoperability and Compatibility
What are the 5 components of a risk scenario? - ANSWER 1) Threat agent
2) Threat
3) Asset
4) Vulnerability
5) Time/location
Describe the bottom-up approach to risk scenario generation - ANSWER Look at all
potential scenarios beginning with what asset, process, or area of concern the risk
scenarios might affect.
Describe the top-down approach to risk scenario generation - ANSWER Develop risk
scenarios from a specific business objective perspective
What document would list the different risk scenarios? - ANSWER The risk register
could include:
Risk factors
Threats & vulnerabilities
Scenarios
Severity or Priority
Answers Latest 2022
What is the difference between a standard and a policy? - ANSWER Standard = A
mandatory action, explicit rules, controls or configuration settings that are designed to
support and conform to a policy. A standard should make a policy more meaningful and
effective by including accepted specifications for hardware, software or behavior.
Standards should always point to the policy to which they relate.
Policy = IT policies help organizations to properly articulate the organization's desired
behavior, mitigate risk and contribute to achieving the organization's goals.
What are the 4 risk elements? - ANSWER Threats, Vulnerabilities, Likelihood, and
Impact. Threats exploit vulnerabilities and the level of risk is based on likelihood and the
impact to the system.
Describe risk appetite vs. risk tollerance - ANSWER Risk appetite is how much risk an
organization is willing to endure; Risk Tolerance is how much variation from that amount
is acceptable.
Name the 6 steps of the NIST Risk Management Framework (RMF) - ANSWER 1.
Categorize Information Systems
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize Information Systems
6. Monitor Security Controls
Which framework is developed by ISACA and integrates other frameworks?
a) (Val) IT
b) IT Assurance Framework (ITAF)
c) COBIT 5
d) Risk IT - ANSWER c. COBIT 5
What are the 3 domains of ISACA's Risk IT Framework? - ANSWER Risk Governance
(RG), Risk Evaluation (RE), Risk Response (RR)
What are the tenets of risk management? - ANSWER confidentiality, integrity, and
availability
Which legal act requires U.S. Federal Govt agencies to establish an information security
program? - ANSWER Federal Information Security Management Act (FISMA)
, What is the Gramm-Leach-Bliley Act (GLBA) - ANSWER GLBA requires periodic risk
analysis performed on processes that deal with nonpublic financial information and
personal financial data.
The Risk Governance (RG) domain of the Risk IT framework is comprised of what 3
processes? - ANSWER RG1: Establish and maintain a common risk view
RG2: Integrate with ERM
RG3: Make risk-aware business decisions
The Risk Evaluation (RE) domain of the Risk IT framework is comprised of what 3
processes? - ANSWER RE1: Collect Data
RE2: Analyze Risk
RE3: Maintain risk profile
The Risk Response (RR) domain of the Risk IT framework is comprised of what 3
processes? - ANSWER RR1: Articulate risk
RR2: Manage risk
RR3: React to events
What is a threat agent? - ANSWER The entity causing or enacting a threat against a
vulnerability.
What is the simple risk formula? - ANSWER threats x vulnerabilities = risk
What are the key areas of concern for emerging technologies? - ANSWER
Interoperability and Compatibility
What are the 5 components of a risk scenario? - ANSWER 1) Threat agent
2) Threat
3) Asset
4) Vulnerability
5) Time/location
Describe the bottom-up approach to risk scenario generation - ANSWER Look at all
potential scenarios beginning with what asset, process, or area of concern the risk
scenarios might affect.
Describe the top-down approach to risk scenario generation - ANSWER Develop risk
scenarios from a specific business objective perspective
What document would list the different risk scenarios? - ANSWER The risk register
could include:
Risk factors
Threats & vulnerabilities
Scenarios
Severity or Priority
