Free CRISC Exam Braindumps (page: 95)


Which of the following come under the management class of controls? Each correct answer represents a complete solution. (Choose two.)

  A. Risk assessment control
  B. Audit and accountability control
  C. Program management control
  D. Identification and authentication control

Answer(s): A,C

Explanation:

The Management class of controls includes five families, which together contain over 40 individual controls. The families in the Management class are:
Certification, Accreditation, and Security Assessment (CA): This family of controls addresses the steps needed to implement a security assessment program. It includes controls to ensure that only authorized systems are connected to the network. It also covers important security concepts such as continuous monitoring and a plan of action and milestones.
Planning (PL): The PL family focuses on security plans for systems. It also covers Rules of Behaviour for users; Rules of Behaviour are also known as an acceptable use policy.
Risk Assessment (RA): This family of controls provides details on risk assessments and vulnerability scanning.
System and Services Acquisition (SA): The SA family includes all controls related to the purchase of products and services. It also includes controls related to software usage and user-installed software.
Program Management (PM): This family is driven by the Federal Information Security Management Act (FISMA). It provides controls to ensure compliance with FISMA. These controls complement the other controls; they do not replace them.

Incorrect Answers:
B, D: Identification and authentication, and audit and accountability, are families in the Technical class of controls, not the Management class.



Which of the following parameters are considered for the selection of risk indicators? Each correct answer represents a part of the solution. Choose three.

  A. Size and complexity of the enterprise
  B. Type of market in which the enterprise operates
  C. Risk appetite and risk tolerance
  D. Strategy focus of the enterprise

Answer(s): A,B,D

Explanation:

Risk indicators are placed at control points within the enterprise and are used to collect data. The collected data are used to measure the risk level at that point. Risk indicators also track events or incidents that may signal a potentially harmful situation.

Risk indicators can take the form of logs, alarms and reports. They are selected on the basis of a number of parameters in the internal and external environment, such as:
Size and complexity of the enterprise
Type of market in which the enterprise operates
Strategy focus of the enterprise

Incorrect Answers:
C: Risk appetite and risk tolerance are considered when applying various risk responses.



David is the project manager of the HRC project. While the HRC project was in progress, he concluded that adopting e-commerce could make the project more profitable. However, he decided not to engage in electronic commerce (e-commerce) so that he would not be exposed to the risk associated with that line of business. What type of risk response has he adopted?

  A. Acceptance
  B. Avoidance
  C. Exploit
  D. Enhance

Answer(s): B

Explanation:

Because David chose not to engage in e-commerce in order to stay clear of the associated risk, he is following a risk avoidance strategy: the risk is eliminated by not undertaking the activity that would give rise to it.



Which of the following is the final step in the policy development process?

  A. Management approval
  B. Continued awareness activities
  C. Communication to employees
  D. Maintenance and review

Answer(s): D

Explanation:

Organizations should create a structured information security governance (ISG) document development process. A formal process gives many parts of the organization the opportunity to comment on a policy, which is especially important for high-level policies that apply to the whole organization. A formal process also ensures that final policies are communicated to employees and gives the organization a way to make sure that policies are reviewed regularly.

In general, a policy development process should include the following steps:
1. Development
2. Stakeholder review
3. Management approval
4. Communication to employees
5. Documentation of compliance or exceptions
6. Continued awareness activities
7. Maintenance and review

Incorrect Answers:
A, B, C: These are earlier phases in the policy development process; maintenance and review is the last step.
