CRISC Practice Questions

A.  

Organizational risk appetite

B.  

Cross-business representation

C.  

Key risk indicators (KRIs)

D.  

Risk governance charter

A.  

Enroll the employee in additional security training.

B.  

Invoke the incident response plan.

C.  

Conduct an internal audit.

D.  

Instruct the vendor to delete the data.

A.  

Reviewing risk-related process documentation

B.  

Conducting periodic risk assessments

C.  

Performing a business impact analysis (BIA)

D.  

Performing frequent audits

A.  

Fault tree analysis

B.  

Historical trend analysis

C.  

Root cause analysis

D.  

Business impact analysis (BIA)

A.  

To reduce the likelihood of insider threat

B.  

To eliminate the possibility of insider threat

C.  

To enable rapid discovery of insider threat

D.  

To reduce the impact of insider threat

A.  

Update the risk register with the average of residual risk for both business units.

B.  

Review the assumptions of both risk scenarios to determine whether the variance is reasonable.

C.  

Update the risk register to ensure both risk scenarios have the highest residual risk.

D.  

Request that both business units conduct another review of the risk.

A.  

ensure that risk is mitigated by the control.

B.  

measure efficiency of the control process.

C.  

confirm control alignment with business objectives.

D.  

comply with the organization's policy.

A.  

improve accountability

B.  

improve consistency

C.  

help define risk tolerance

D.  

help develop risk scenarios.

A.  

Confirm the vulnerabilities with the third party

B.  

Identify procedures to mitigate the vulnerabilities.

C.  

Notify information security management.

D.  

Request IT to remove the system from the network.

A.  

A centralized computer security response team

B.  

Regular performance reviews and management check-ins

C.  

Code of ethics training for all employees

D.  

Communication of employee activity monitoring

A.  

To demonstrate alignment with industry best practices

B.  

To assure management that control ownership is assigned

C.  

To ensure management understands the current risk status

D.  

To align risk management with strategic objectives

A.  

Adherence to legal and compliance requirements

B.  

Reduction in the number of test cases in the acceptance phase

C.  

Establishment of digital forensic architectures

D.  

Consistent management of information assets

A.  

Escalate to senior management

B.  

Require a nondisclosure agreement.

C.  

Sanitize portions of the register

D.  

Determine the purpose of the request

A.  

comply with external and internal requirements.

B.  

enable well-informed decision making.

C.  

prioritize investment projects.

D.  

keep the risk register up-to-date.

A.  

Significant increases in risk mitigation budgets

B.  

Large fluctuations in risk ratings between assessments

C.  

A steady increase in the time to recover from incidents

D.  

A large number of control exceptions

A.  

The risk impact changes.

B.  

The risk classification changes.

C.  

The inherent risk changes.

D.  

The residual risk changes.

A.  

Ensure the IT governance framework is up to date.

B.  

Communicate the risk management strategy across the organization.

C.  

Gain a clear understanding of business risk and related ownership.

D.  

Ensure security policies and procedures are documented.

A.  

Level of risk impact

B.  

Cost-benefit analysis

C.  

Key control indicator (KCI) measures

D.  

Availability of other technical controls

A.  

communicate risk to senior management

B.  

assign risk ownership

C.  

facilitate internal audit

D.  

determine the appropriate level of control

A.  

invoke the established incident response plan.

B.  

Inform internal audit.

C.  

Perform a root cause analysis

D.  

Conduct an immediate risk assessment

A.  

Chief financial officer

B.  

Information security director

C.  

Internal audit director

D.  

Chief information officer

A.  

Risk mitigation

B.  

Risk avoidance

C.  

Risk acceptance

D.  

Risk transfer

A.  

Compensating

B.  

Detective

C.  

Deterrent

D.  

Corrective

A.  

A post-implementation review has been conducted by key personnel.

B.  

A qualified independent party assessed the new controls as effective.

C.  

Senior management has signed off on the design of the controls.

D.  

Robots have operated without human interference on a daily basis.

A.  

Transferring the risk

B.  

Introducing control procedures early in the life cycle

C.  

Updating the risk tolerance to include the new risk

D.  

Implementing IoT device monitoring software

A.  

Impact of the change on inherent risk

B.  

Approval for the change by the risk owner

C.  

Business rationale for the change

D.  

Risk to the mitigation effort due to the change

A.  

Implement a tool to create and distribute violation reports

B.  

Raise awareness of encryption requirements for sensitive data.

C.  

Block unencrypted outgoing emails which contain sensitive data.

D.  

Implement a progressive disciplinary process for email violations.

A.  

Costs and benefits

B.  

Local laws and regulations

C.  

Security features and support

D.  

Business strategies and needs

A.  

Recommend risk remediation

B.  

Change the level of risk appetite

C.  

Document formal acceptance of the risk

D.  

Reject the business initiative

A.  

Most recent IT audit report results

B.  

Replacement cost of IT assets

C.  

Current annualized loss expectancy report

D.  

Cyber insurance industry benchmarking report

A.  

An effective enterprise-wide risk awareness program

B.  

Senior management approval of risk appetite and tolerance

C.  

Stage gate reviews throughout the risk management process

D.  

Incorporation of industry best practice benchmarks and standards

A.  

Low software quality

B.  

Lack of access controls

C.  

Data breaches

D.  

Data bias

A.  

Recovery Time Objective (RTO)

B.  

Key Risk Indicator (KRI)

C.  

Recovery Point Objective (RPO)

D.  

Key Performance Indicator (KPI)

A.  

Internet of Things (IoT)

B.  

Quantum computing

C.  

Virtual reality (VR)

D.  

Machine learning

A.  

Methods of attack progression

B.  

Losses incurred by industry peers

C.  

Most recent antivirus scan reports

D.  

Potential impact of events

A.  

Provide risk management feedback to key stakeholders.

B.  

Collect and analyze risk data for report generation.

C.  

Monitor and prioritize risk data according to the heat map.

D.  

Engage key stakeholders in risk management practices.

A.  

Public relations manager

B.  

Data privacy manager

C.  

Business manager

D.  

Database manager

A.  

To measure business exposure to risk

B.  

To identify control vulnerabilities

C.  

To monitor the achievement of set objectives

D.  

To raise awareness of operational issues

A.  

Validating whether IT risk control systems are operational

B.  

Monitoring IT security policy compliance

C.  

Calculating phishing attack key risk indicators (KRIs)

D.  

Appropriately configuring the web application firewall (WAF)

A.  

Lack of cross-functional risk assessment workshops within the organization

B.  

Lack of common understanding of the organization's risk culture

C.  

Lack of quantitative methods to aggregate the total risk exposure

D.  

Lack of an integrated risk management system to aggregate risk scenarios

A.  

Update the KRI threshold.

B.  

Recommend additional controls.

C.  

Review incident handling procedures.

D.  

Perform a root cause analysis.

A.  

Satisfactory audit results

B.  

Risk tolerance being set too low

C.  

Inaccurate risk ratings

D.  

Lack of preventive controls

A.  

Ensuring time synchronization of log sources.

B.  

Ensuring the inclusion of external threat intelligence log sources.

C.  

Ensuring the inclusion of all computing resources as log sources.

D.  

Ensuring read-write access to all log sources

A.  

Preventive control

B.  

Administrative control

C.  

Corrective control

D.  

Deterrent control

A.  

Key stakeholders are enrolled as members

B.  

Approved minutes ate forwarded to senior management

C.  

Committee meets at least quarterly

D.  

Functional overlap across the business is minimized

A.  

Latency of the alternate site

B.  

Amount of acceptable data loss

C.  

Time and resources for offsite backups

D.  

Cost of testing the business continuity plan (BCP)

A.  

Verify authorization by senior management.

B.  

Increase the risk appetite to align with the current risk level

C.  

Ensure the acceptance is set to expire over lime

D.  

Update the risk response in the risk register.

A.  

Risk strategy

B.  

Risk register

C.  

Gap analysis

D.  

Business impact analysis (BIA)

A.  

take necessary precautions for claims and losses.

B.  

achieve acceptable residual risk levels.

C.  

avoid risk for business and IT assets.

D.  

achieve compliance with legal requirements.

A.  

Assessment of organizational risk appetite

B.  

Compliance with best practice

C.  

Accountability for loss events

D.  

Accuracy of risk profiles