CRISC Certified in Risk and Information Systems Control - Practice Questions

Question 7 (Volume D)

Which of the following come under the management class of controls?

Each correct answer represents a complete solution. (Choose two.)

Select all that apply, then click Submit answer.

○
Risk assessment control
○
Audit and accountability control
○
Program management control
○
Identification and authentication control

Reference / correct answer:

Risk assessment control

Program management control

The Management class of controls includes five families. These families include over 40 individual controls. Following is a list of each of the families in the Management class:

Certification, Accreditation, and Security Assessment (CA): This family of controls addresses steps to implement a security and assessment program. It includes controls to ensure only authorized systems are allowed on a network. It includes details on important security concepts, such as continuous monitoring and a plan of action and milestones.

Planning (PL): The PL family focuses on security plans for systems. It also covers Rules of Behaviour for users. Rules of Behaviour are also called an acceptable use policy.

Risk Assessment (RA): This family of controls provides details on risk assessments and vulnerability scanning.

System and Services Acquisition (SA): The SA family includes any controls related to the purchase of products and services. It also includes controls related to software usage and user installed software.

Program Management (PM): This family is driven by the Federal Information Security Management Act (FISMA). It provides controls to ensure compliance with FISMA. These controls complement other controls. They don't replace them.

Incorrect Answers:

B, D: Identification and authentication, and audit and accountability control are technical class of controls.

Question 8 (Volume B)

Which of the following role carriers are responsible for setting up the risk governance process, establishing and maintaining a common risk view, making risk-aware business decisions, and setting the enterprise's risk culture?

Each correct answer represents a complete solution. (Choose two.)

Select all that apply, then click Submit answer.

○
Senior management
○
Chief financial officer (CFO)
○
Human resources (HR)
○
Board of directors

Question 9 (Volume D)

Qualitative risk assessment uses which of the following terms for evaluating risk level?

Each correct answer represents a part of the solution. (Choose two.)

Select all that apply, then click Submit answer.

○
Impact
○
Annual rate of occurrence
○
Probability
○
Single loss expectancy

Reference / correct answer:

Impact

Probability

Unlike the quantitative risk assessment, qualitative risk assessment does not assign dollar values. Rather, it determines risk's level based on the probability and impact of a risk. These values are determined by gathering the opinions of experts.

Probability- establishing the likelihood of occurrence and reoccurrence of specific risks, independently, and combined. The risk occurs when a threat exploits vulnerability. Scaling is done to define the probability that a risk will occur. The scale can be based on word values such as Low, Medium, or High. Percentage can also be assigned to these words, like 10% to low and 90% to high.

Impact- Impact is used to identify the magnitude of identified risks. The risk leads to some type of loss. However, instead of quantifying the loss as a dollar value, an impact assessment could use words such as Low, Medium, or High. Impact is expressed as a relative value. For example, low could be 10, medium could be 50, and high could be 100. Risk level = Probability * Impact

Incorrect Answers:

B, D: These are used for calculating Annual loss expectancy (ALE) in quantitative risk assessment. Formula is given as follows: ALE= SLE * ARO

CRISC – Certified in Risk and Information Systems Control