CRISC Practice Questions

A.  

Segment the system on its own network.

B.  

Ensure regular backups take place.

C.  

Virtualize the system in the cloud.

D.  

Install antivirus software on the system.

A.  

Accuracy of risk tolerance levels

B.  

Consistency of risk process results

C.  

Participation of stakeholders

D.  

Maturity of the process

A.  

Database manager

B.  

Public relations manager

C.  

Data privacy manager

D.  

Business manager

A.  

Unknown vulnerabilities

B.  

Legacy technology systems

C.  

Network isolation

D.  

Overlapping threats

A.  

Failure to test the disaster recovery plan (DRP)

B.  

Lack of well-documented business impact analysis (BIA)

C.  

Lack of annual updates to the disaster recovery plan (DRP)

D.  

Significant changes in management personnel

A.  

current state of key processes to their desired state.

B.  

actual KPIs with target KPIs.

C.  

organization to industry best practices.

D.  

organization to peers.

A.  

Mitigation

B.  

Acceptance

C.  

Transfer

D.  

Avoidance

A.  

Policies and procedures

B.  

Structure and culture

C.  

Key risk indicators (KRIs) and thresholds

D.  

Known threats and vulnerabilities

A.  

The impact of the risk

B.  

The replacement cost of the business asset

C.  

The cost of risk mitigation controls

D.  

The classification of the business asset

A.  

Protect sensitive information with access controls.

B.  

Implement a data loss prevention (DLP) solution.

C.  

Re-communicate the data protection policy.

D.  

Implement a data encryption solution.

A.  

Obtaining logs m an easily readable format

B.  

Providing accurate logs m a timely manner

C.  

Collecting logs from the entire set of IT systems

D.  

implementing an automated log analysis tool

A.  

Countermeasures analysis

B.  

Best practice assessment

C.  

Gap analysis

D.  

Risk assessment

A.  

After user acceptance testing (UAT)

B.  

Upon release to production

C.  

During backlog scheduling

D.  

When reviewing functional requirements

A.  

Risk policy review

B.  

Business impact analysis (B1A)

C.  

Control catalog

D.  

Risk register

A.  

Control matrix documentation

B.  

Vendor security reports

C.  

Service Level Agreement (SLA)

D.  

An independent third-party audit

A.  

populate risk register entries and build a risk profile for management reporting.

B.  

prioritize IT-related actions by considering risk appetite and risk tolerance.

C.  

define the IT risk framework for the organization.

D.  

comply with the organization's IT risk and information security policies.

A.  

Feedback from end users

B.  

Results of a benchmark analysis

C.  

Recommendations from internal audit

D.  

Prioritization from business owners

A.  

line management.

B.  

the IT risk function.

C.  

enterprise compliance.

D.  

internal audit.

A.  

Evaluate current risk management alignment with relevant regulations

B.  

Determine if business continuity procedures are reviewed and updated on a regular basis

C.  

Conduct a benchmarking exercise against industry peers

D.  

Review the methodology used to conduct the business impact analysis (BIA)

A.  

Identifying additional risk scenarios

B.  

Updating the heat map

C.  

Assessing loss expectancy

D.  

Establishing a risk appetite

A.  

The risk owner who also owns the business service enabled by this infrastructure

B.  

The data center manager who is also employed under the managed hosting services contract

C.  

The site manager who is required to provide annual risk assessments under the contract

D.  

The chief information officer (CIO) who is responsible for the hosted services

A.  

Require users to select long passwords.

B.  

Implement a passwordless access mechanism.

C.  

Require users to change password as frequently as possible.

D.  

Block user sessions after short periods of inactivity.

A.  

Move redundant IT infrastructure to a closer location.

B.  

Obtain insurance and ensure sufficient funds are available for disaster recovery.

C.  

Review the business continuity plan (BCP) and align it with the new business needs.

D.  

Outsource disaster recovery services to a third-party IT service provider.

A.  

The results of the BIA quantify the BCP objectives and supporting technology for each operational area.

B.  

The BCP provides detailed information on alternative facilities to use in case of business interruptions.

C.  

The results of the BIA quantify the cost of the technology environment needed to restart each operational area.

D.  

The BCP provides the backup and restoration procedures to follow in case of business interruptions.

A.  

Device corruption

B.  

Data loss

C.  

Malicious users

D.  

User support

A.  

Assess management's risk tolerance.

B.  

Recommend management accept the low-risk scenarios.

C.  

Propose mitigating controls

D.  

Re-evaluate the risk scenarios associated with the control

A.  

Destroy the hard drives.

B.  

Encrypt the backup.

C.  

Update the asset inventory.

D.  

Remove all user access.

A.  

The inherent risk is below the asset residual risk.

B.  

Remediation cost is below the asset business value

C.  

The risk tolerance threshold s above the asset residual

D.  

Remediation is completed within the asset recovery time objective (RTO)

A.  

Identified vulnerabilities

B.  

Business managers' concerns

C.  

Changes to residual risk

D.  

Risk strategies of peer organizations

A.  

Monthly trend of information security-related incidents

B.  

Average time to identify critical information security incidents

C.  

Frequency of information security incident response plan testing

D.  

Percentage of high-risk security incidents

A.  

IT service desk manager

B.  

Sales manager

C.  

Customer service manager

D.  

Access control manager

A.  

BCP testing is net in conjunction with the disaster recovery plan (DRP)

B.  

Recovery time objectives (RTOs) do not meet business requirements.

C.  

BCP is often tested using the walk-through method.

D.  

Each business location has separate, inconsistent BCPs.

A.  

Develop a risk action plan to address the findings.

B.  

Evaluate the impact of the vulnerabilities to the business application.

C.  

Escalate the findings to senior management and internal audit.

D.  

Conduct a penetration test to validate the vulnerabilities from the findings.

A.  

Trends in IT resource usage

B.  

Trends in IT maintenance costs

C.  

Increased resource availability

D.  

Increased number of incidents

A.  

assessing impact to the strategic plan.

B.  

aligning with industry best practices.

C.  

soliciting input from risk management experts.

D.  

evaluating the cost of risk response.

A.  

Acceptance

B.  

Avoidance

C.  

Transfer

D.  

Reduction

A.  

the cost of control exceeds the mitigation value

B.  

there are sufficient internal resources to implement the control

C.  

the mitigation measures create compounding effects

D.  

the control eliminates the risk

A.  

To gain stakeholder support for the implementation of controls

B.  

To comply with industry best practices by balancing multiple types of controls

C.  

To improve the effectiveness of controls that mitigate risk

D.  

To address multiple risk scenarios mitigated by technical controls

A.  

End user

B.  

Internal auditor

C.  

Data owner

D.  

Data custodian

A.  

A control framework

B.  

Industry standards

C.  

Capability maturity targets

D.  

Business processes

A.  

Objectives are confirmed with the business owner.

B.  

Control owners approve control changes.

C.  

End-user acceptance testing has been conducted.

D.  

Performance information in the log is encrypted.

A.  

Code review

B.  

Penetration test

C.  

Gap assessment

D.  

Business impact analysis (BIA)

A.  

create an action plan

B.  

assign ownership

C.  

review progress reports

D.  

perform regular audits.

A.  

Demonstration that the control is operating as designed

B.  

A successful walk-through of the associated risk assessment

C.  

Management attestation that the control is operating effectively

D.  

Automated data indicating that risk has been reduced

A.  

Percentage of staff turnover following five consecutive days of leave

B.  

Average number of consecutive days of leave per staff member

C.  

Number of suspected malicious activities reported since policy implementation

D.  

Financial loss incurred due to malicious activities since policy implementation

A.  

Determining which departments contribute most to risk

B.  

Allocating responsibility for risk factors equally to asset owners

C.  

Mapping identified risk factors to specific business processes

D.  

Determining resource dependency of assets

A.  

Business benefits of shadow IT

B.  

Application-related expresses

C.  

Classification of the data

D.  

Volume of data

A.  

An alert being reported by the security operations center.

B.  

Development of a project schedule for implementing a risk response

C.  

Completion of a project for implementing a new control

D.  

Engagement of a third party to conduct a vulnerability scan

A.  

The percentage of systems meeting recovery target times has increased.

B.  

The number of systems tested in the last year has increased.

C.  

The number of systems requiring a recovery plan has increased.

D.  

The percentage of systems with long recovery target times has decreased.

A.  

Collaborate with the risk owner to determine the risk response plan.

B.  

Document the gap in the risk register and report to senior management.

C.  

Include a right to audit clause in the service provider contract.

D.  

Advise the risk owner to accept the risk.