Study guides, Class notes & Summaries

What is the difference between a standard and a policy? - Answer- Standard = A mandatory action, explicit rules, controls or configuration settings that are designed to support and conform to a policy. A standard should make a policy more meaningful and effective by including accepted specifications for hardware, software or behavior. Standards should always point to the policy to which they relate. Policy = IT policies help organizations to properly articulate the organization's desired behav...

CRISC Exam (Domain 1) 2023...

CRISC EXAM 2023 WITH QUESTIONS AND ANSWERS...

An enterprise recently developed a breakthrough technology that could provide a significant competitive edge. Which of the following FIRST governs how this information is to be protected from within the enterprise? A. The data classification policy B. The acceptable use policy C. Encryption standards D. The access control policy - ANS - A. Data classification policy describes the data classification categories; levels of protection to be provided for each category of data; and roles and ...

What is the difference between a standard and a policy? - ANS - Standard = A mandatory action, explicit rules, controls or configuration settings that are designed to support and conform to a policy. A standard should make a policy more meaningful and effective by including accepted specifications for hardware, software or behavior. Standards should always point to the policy to which they relate. Policy = IT policies help organizations to properly articulate the organization's desired beh...

How many steps in NIST RMF? - ANS - 6 Name steps of the NIST RMF - ANS - 1) Categorize Info Systems 2) Select Security Controls 3) Implement Security Controls 4) Assess Security Controls 5) Authorize Info Systems 6) Monitor Security Controls What are the layers of COBIT? - ANS - Governance and Management What are the Management layers of COBIT? - ANS - 1) Align, Plan, and Organize 2) Build, Acquire, and Implement 3) Deliver, Service, and Support 4) Monitor, Evaluate, and Assess

R1-1 Which of the following is MOST important to determine when defining risk management strategies? A. Risk assessment criteria B. IT architecture complexity C. An enterprise disaster recovery plan D. Business objectives and operations - ANS - D is the correct answer. Justification: A. Information on the internal and external environment must be collected to define a strategy and identify its impact. Risk assessment criteria alone are not sufficient. B. IT architecture complexity is m...

Which of the following is the MOST important reason for conducting security awareness programs throughout an enterprise? A. Reducing the risk of a social engineering attack B. Training personnel in security incident response C. Informing business units about the security strategy D. Maintaining evidence of training records to ensure compliance - ANS - A Which of the following is MOST important to determine when defining risk management strategies? A. Risk assessment criteria B. IT arch...

What is the primary force for driving privacy? - ANS - Regulation What is Confidentiality? - ANS - Maintains the secrecy and privacy of data "need to know / least privilege" What is Integrity? - ANS - Guarding against improper information modification, exclusion, or destruction "authenticity" What is Availability? - ANS - Providing timely and reliable access to information What is the order of Information Security Risk Management Process steps? - ANS - 1) Context Establishment 2) Ri...