CRISC Practice Questions

A.  

The risk profile was not updated after a recent incident

B.  

The risk profile was developed without using industry standards.

C.  

The risk profile was last reviewed two years ago.

D.  

The risk profile does not contain historical loss data.

A.  

Hire consultants specializing m the new technology.

B.  

Review existing risk mitigation controls.

C.  

Conduct a gap analysis.

D.  

Perform a risk assessment.

A.  

Implement control monitoring.

B.  

Improve project management methodology.

C.  

Reassess the risk periodically.

D.  

Identify compensating controls.

A.  

Accepted risk scenarios with detailed plans for monitoring

B.  

Risk scenarios that have been shared with vendors and third parties

C.  

Accepted risk scenarios with impact exceeding the risk tolerance

D.  

Risk scenarios that have been identified, assessed, and responded to by the risk owners

A.  

develop a risk remediation plan overriding the client's decision

B.  

make a note for this item in the next audit explaining the situation

C.  

insist that the remediation occur for the benefit of other customers

D.  

ask the client to document the formal risk acceptance for the provider

A.  

facilitate resource availability.

B.  

help ensure objectives are met.

C.  

safeguard corporate assets.

D.  

help prevent operational losses.

A.  

Identify systems that are vulnerable to being exploited by the attack.

B.  

Confirm with the antivirus solution vendor whether the next update will detect the attack.

C.  

Verify the data backup process and confirm which backups are the most recent ones available.

D.  

Obtain approval for funding to purchase a cyber insurance plan.

A.  

Request a regulatory risk reporting methodology

B.  

Require critical success factors (CSFs) for IT risks.

C.  

Establish IT-specific compliance objectives

D.  

Communicate IT key risk indicators (KRIs) and triggers

A.  

To identify gaps in data protection controls

B.  

To develop a customer notification plan

C.  

To identify personally identifiable information (Pll)

D.  

To determine gaps in data identification processes

A.  

After the initial design

B.  

Before production rollout

C.  

After a few weeks in use

D.  

Before end-user testing

A.  

Data recovery testing of the backups

B.  

Physical security of the backups

C.  

Configuration of the backup solution

D.  

Retention policy for the backups

A.  

Business information security officer

B.  

Service level manager

C.  

Business process manager

D.  

Data center operations manager

A.  

The programming project leader solely reviews test results before approving the transfer to production.

B.  

Test and production programs are in distinct libraries.

C.  

Only operations personnel are authorized to access production libraries.

D.  

A synchronized migration of executable and source code from the test environment to the production environment is allowed.

A.  

record risk scenarios in the risk register for analysis.

B.  

validate the risk scenarios for business applicability.

C.  

reduce the number of risk scenarios to a manageable set.

D.  

perform a risk analysis on the risk scenarios.

A.  

evaluate the organization s ability and expertise to implement the solution.

B.  

evaluate the risk response of similar organizations.

C.  

address high risk factors that have efficient and effective solutions.

D.  

determine which risk factors have high remediation costs

A.  

Monitoring user activity using security logs

B.  

Revoking access for users changing roles

C.  

Granting access based on least privilege

D.  

Conducting periodic reviews of authorizations granted

A.  

Reassessing control effectiveness of the process

B.  

Conducting a post-implementation review to determine lessons learned

C.  

Reporting key performance indicators (KPIs) for core processes

D.  

Establishing escalation procedures for anomaly events

A.  

network operations.

B.  

the cybersecurity function.

C.  

application development.

D.  

the business function.

A.  

a threat.

B.  

a vulnerability.

C.  

an impact

D.  

a control.

A.  

Potential audit findings

B.  

Insufficient risk governance

C.  

Potential business impact

D.  

Inaccurate documentation

A.  

SWOT analysis

B.  

Business impact analysis (BIA)

C.  

Cost-benefit analysis

D.  

Root cause analysis

A.  

A technology review and approval process

B.  

An acceptable use policy

C.  

An automated network scanning solution

D.  

A bring your own device (BYOD) policy

A.  

It promotes a security-aware culture.

B.  

It enables vulnerability analysis.

C.  

It enhances internal risk reporting.

D.  

It provides risk information to auditors.

A.  

Reputation impact

B.  

Ownership

C.  

Financial impact

D.  

Accountability

A.  

The effectiveness of compensating controls

B.  

The enterprise's capacity to absorb loss

C.  

The residual risk affected by preventive controls

D.  

The amount of inherent risk considered appropriate

A.  

Risk likelihood

B.  

Risk culture

C.  

Risk appetite

D.  

Risk capacity

A.  

The cost of the control relative to the value of risk mitigation

B.  

The effectiveness of the control at reducing residual risk levels

C.  

The likelihood of a successful attack based on current risk

D.  

assessments

E.  

The availabilitv of budgeted funds for risk mitigationMitination

A.  

A companion of risk assessment results to the desired state

B.  

A quantitative presentation of risk assessment results

C.  

An assessment of organizational maturity levels and readiness

D.  

A qualitative presentation of risk assessment results

A.  

Enforce password changes.

B.  

Enforce multi-factor authentication (MFA).

C.  

Enforce role-based authentication.

D.  

Enforce password encryption.

A.  

Organizational threats

B.  

Resource allocation plan

C.  

Competitor analysis

D.  

Cost-benefit analysis

A.  

Scheduling periodic audits

B.  

Assigning a data custodian

C.  

Implementing technical controls over the assets

D.  

Establishing a data loss prevention (DLP) solution

A.  

Ask the business to make a budget request to remediate the problem.

B.  

Build a business case to remediate the fix.

C.  

Research the types of attacks the threat can present.

D.  

Determine the impact of the missing threat.

A.  

Key risk indicator (KRI) thresholds

B.  

Inherent risk

C.  

Risk likelihood and impact

D.  

Risk velocity

A.  

Cost and benefit

B.  

Security and availability

C.  

Maintainability and reliability

D.  

Performance and productivity

A.  

The KRIs' source data lacks integrity.

B.  

The KRIs are not automated.

C.  

The KRIs are not quantitative.

D.  

The KRIs do not allow for trend analysis.

A.  

risk mitigation.

B.  

risk evaluation.

C.  

risk appetite.

D.  

risk tolerance.

A.  

mitigation.

B.  

avoidance.

C.  

transfer.

D.  

acceptance.

A.  

ensure suitable insurance coverage is purchased.

B.  

negotiate with the risk owner on control efficiency.

C.  

reassess the risk to confirm the impact.

D.  

obtain approval from senior management.

A.  

The type of shared data

B.  

The level of residual risk after data loss prevention (DLP) controls are implemented

C.  

The monetary value of the unique records that could be re-identified

D.  

The impact to affected stakeholders

A.  

involve IT leadership in the policy development process

B.  

Require business users to sign acknowledgment of the poises

C.  

involve business owners in the pokey development process

D.  

Provide policy owners with greater enforcement authority

A.  

IT security managers

B.  

IT control owners

C.  

IT auditors

D.  

IT risk owners

A.  

More complex test restores

B.  

Inadequate service level agreement (SLA) with the provider

C.  

More complex incident response procedures

D.  

Inadequate data encryption

A.  

Data controllers

B.  

Data custodians

C.  

Data analysts

D.  

Data owners

A.  

Percentage of standard supplier uptime

B.  

Average time to respond to incidents

C.  

Number of assets included in recovery processes

D.  

Number of key applications hosted

A.  

guidance of the risk practitioner.

B.  

competence of the staff involved.

C.  

approval of senior management.

D.  

maturity of its risk culture.

A.  

User authorization

B.  

User recertification

C.  

Change log review

D.  

Access log monitoring

A.  

Internal audit

B.  

Compliance committee

C.  

External audit

D.  

Operational managers

A.  

business owner

B.  

IT department

C.  

Risk manager

D.  

Third-party provider

A.  

Perform a risk assessment.

B.  

Accept the risk of not implementing.

C.  

Escalate to senior management.

D.  

Update the implementation plan.

A.  

To detect incompatibilities that might disrupt the operation

B.  

To provide assurance that deployed patches have been properly authorized

C.  

To understand how long it will take to deploy the patch

D.  

To support availability by authorizing the release of the patch at the appropriate time