CRISC Practice Questions

A.  

testing requirements

B.  

the implementation plan.

C.  

System requirements

D.  

The security policy

A.  

Business owners have the ability to effectively manage risk.

B.  

Business owners have authority to approve control implementation.

C.  

Business owners understand the residual risk of competitors.

D.  

Business owners are able to assess the impact.

A.  

Conduct a risk analysis.

B.  

Initiate a remote data wipe.

C.  

Invoke the incident response plan

D.  

Disable the user account.

A.  

Al requires entirely new risk management processes.

B.  

Al potentially introduces new types of risk.

C.  

Al will result in changes to business processes.

D.  

Third-party Al solutions increase regulatory obligations.

A.  

Key risk indicators (KRIs)

B.  

Documented procedures

C.  

Information security policies

D.  

Information security standards

A.  

Adopting a common risk taxonomy

B.  

Using key performance indicators (KPIs)

C.  

Creating a risk communication policy

D.  

Using key risk indicators (KRIs)

A.  

Assess the loss impact if the information is inadvertently disclosed.

B.  

Calculate the overhead required to keep the information secure throughout its life cycle.

C.  

Calculate the replacement cost of obtaining the information from alternate sources.

D.  

Assess the market value offered by consumers of the information.

A.  

An increase in the number of high-risk audit findings

B.  

An increase in the number of security incidents

C.  

An increase in the percentage of turnover in IT personnel

D.  

An increase in the number of infrastructure changes

A.  

Create an IT security policy.

B.  

Implement corrective measures.

C.  

Implement detective controls.

D.  

Leverage existing technology

A.  

Performing credit verification of third-party vendors prior to payment

B.  

Conducting system access reviews to ensure least privilege and appropriate access

C.  

Performing regular reconciliation of payments to the check registers

D.  

Enforcing segregation of duties between the vendor master file and invoicing

A.  

The head of enterprise architecture (EA)

B.  

The IT risk manager

C.  

The information security manager

D.  

The product owner

A.  

Reviewing and testing service providers' business continuity plans (BCPs)

B.  

Ensuring service providers comply with laws and regulations

C.  

Implementing and reviewing data sharing controls

D.  

Requiring service providers to report privacy breaches

A.  

Business continuity manager

B.  

Chief risk officer (CRO)

C.  

IT infrastructure manager

D.  

Business application owner

A.  

Responding promptly to control exceptions

B.  

Implementing compensating controls

C.  

Testing controls periodically

D.  

Automating manual controls

A.  

The underlying data source for the KRI is using inaccurate data and needs to be corrected.

B.  

The KRI is not providing useful information and should be removed from the KRI inventory.

C.  

The KRI threshold needs to be revised to better align with the organization s risk appetite

D.  

Senior management does not understand the KRI and should undergo risk training.

A.  

Implement role-based access control

B.  

Implement a data masking process

C.  

Include sanctions in nondisclosure agreements (NDAs)

D.  

Install a data loss prevention (DLP) tool

A.  

It decreases the amount of organizational loss if risk events occur.

B.  

It justifies the acceptance of risk associated with cyber theft events.

C.  

It transfers risk ownership along with associated liabilities to a third party.

D.  

It decreases the likelihood of risk events occurring.

A.  

To identify threats introduced by business processes

B.  

To identify risk when personal information is collected

C.  

To ensure senior management has approved the use of personal information

D.  

To ensure compliance with data privacy laws and regulations

A.  

implement uniform controls for common risk scenarios.

B.  

ensure business unit risk is uniformly distributed.

C.  

build a risk profile for management review.

D.  

quantify the organization's risk appetite.

A.  

Identify risk response options.

B.  

Implement compensating controls.

C.  

Invoke the incident response plan.

D.  

Document the penalties for noncompliance.

A.  

Conduct a gap analysis.

B.  

Terminate the outsourcing agreement.

C.  

Identify compensating controls.

D.  

Transfer risk to the third party.

A.  

Not providing capability for employees to work remotely

B.  

Outsourcing the IT activities and infrastructure

C.  

Enforcing change and configuration management processes

D.  

Taking out insurance coverage for IT-related incidents

A.  

Comparing risk rating against appetite

B.  

Obtaining input from business units

C.  

Determining cost of controls to mitigate risk

D.  

Ranking the risk based on likelihood of occurrence

A.  

Gap analysis

B.  

Current control attestation

C.  

Risk profile update

D.  

Business impact analysis (BIA)

A.  

To update risk ownership

B.  

To review the risk acceptance with new stakeholders

C.  

To ensure risk levels have not changed

D.  

To ensure controls are still operating effectively

A.  

Board of directors

B.  

Vendors

C.  

Regulators

D.  

Legal team

A.  

Obtain the risk owner's approval.

B.  

Record the risk as accepted in the risk register.

C.  

Inform senior management.

D.  

update the risk response plan.

A.  

Emphasizing risk in the risk profile that is related to critical business activities

B.  

Customizing the presentation of the risk profile to the intended audience

C.  

Including details of risk with high deviation from the risk appetite

D.  

Providing information on the efficiency of controls for risk mitigation

A.  

Senior management

B.  

Project manager

C.  

Project sponsor

D.  

IT risk manager

A.  

Providing risk awareness training for business units

B.  

Obtaining input from business management

C.  

Understanding the business controls currently in place

D.  

Conducting a business impact analysis (BIA)

A.  

Risk register

B.  

Risk appetite

C.  

Threat landscape

D.  

Risk metrics

A.  

Replace the action owner with a more experienced individual.

B.  

Implement compensating controls until the preferred action can be completed.

C.  

Change the risk response strategy of the relevant risk to risk avoidance.

D.  

Develop additional key risk indicators (KRIs) until the preferred action can be completed.

A.  

An updated risk register

B.  

Risk assessment results

C.  

Technical control validation

D.  

Control testing results

A.  

A decrease in control layering effectiveness

B.  

An increase in inherent risk

C.  

An increase in control vulnerabilities

D.  

An increase in the level of residual risk

A.  

Better understanding of the risk appetite

B.  

Improving audit results

C.  

Enabling risk-based decision making

D.  

Increasing process control efficiencies

A.  

Develop new key risk indicators (KRIs).

B.  

Perform a root cause analysis.

C.  

Recommend the purchase of cyber insurance.

D.  

Review the incident response plan.

A.  

Contracting to third parties

B.  

Establishing employee awareness training

C.  

Setting target dates to complete actions

D.  

Assigning accountability to risk owners

A.  

Adjust the original thresholds for the KRI for future reporting periods

B.  

Initiate corrective actions with the accountable risk owner

C.  

Implement forward-looking risk metrics to compare results

D.  

Continue monitoring the KRI for changes in subsequent reporting periods

A.  

Perform an audit.

B.  

Conduct a risk analysis.

C.  

Develop risk scenarios.

D.  

Perform a cost-benefit analysis.

A.  

Privacy risk awareness training has not been conducted across the organization.

B.  

The organization has not incorporated privacy into its risk management framework.

C.  

The organization allows staff with access to personal data to work remotely.

D.  

Personal data processing occurs in an offshore location with a data sharing agreement.

A.  

Average time to implement patches after vendor release

B.  

Number of patches tested prior to deployment

C.  

Increase in the frequency of patches deployed into production

D.  

Percent of patches implemented within established timeframe

A.  

Implement compensating controls to deter fraud attempts.

B.  

Share the concern through a whistleblower communication channel.

C.  

Monitor the activity to collect evidence.

D.  

Determine whether the system environment has flaws that may motivate fraud attempts.

A.  

Compliance manager

B.  

Data architect

C.  

Data owner

D.  

Chief information officer (CIO)

A.  

risk score

B.  

risk impact

C.  

risk response

D.  

risk likelihood.

A.  

Communicate potential impact to decision makers.

B.  

Research the root cause of similar incidents.

C.  

Verify the response plan is adequate.

D.  

Increase human resources to respond in the interim.

A.  

A high number of approved exceptions exist with compensating controls.

B.  

Successive assessments have the same recurring vulnerabilities.

C.  

Redundant compensating controls are in place.

D.  

Asset custodians are responsible for defining controls instead of asset owners.

A.  

Risk ownership is recorded.

B.  

Vulnerabilities have separate entries.

C.  

Control ownership is recorded.

D.  

Residual risk is less than inherent risk.

A.  

identification.

B.  

treatment.

C.  

communication.

D.  

assessment

A.  

Chief information security officer

B.  

Business process owner

C.  

Chief risk officer

D.  

IT controls manager

A.  

Risk management resources

B.  

Risk tolerance

C.  

Cyberattack threats

D.  

Risk trends