CRISC Practice Questions

A.  

Risk management treatment plan

B.  

Risk assessment results

C.  

Risk management framework

D.  

Risk register

A.  

Testing the transmission of credit card numbers

B.  

Reviewing logs for unauthorized data transfers

C.  

Configuring the DLP control to block credit card numbers

D.  

Testing the DLP rule change control process

A.  

Align business objectives with risk appetite.

B.  

Enable risk-based decision making.

C.  

Design and implement risk response action plans.

D.  

Update risk responses in the risk register

A.  

The industry's threat profile.

B.  

Incidents occurring at similar organizations.

C.  

System performance thresholds.

D.  

Organizational objectives.

A.  

Adopt the RTO defined in the BCR

B.  

Update the risk register to reflect the discrepancy.

C.  

Adopt the RTO defined in the DRP.

D.  

Communicate the discrepancy to the DR manager for follow-up.

A.  

The risk assessment team may be overly confident of its ability to identify issues.

B.  

The risk practitioner may be unfamiliar with recent application and process changes.

C.  

The risk practitioner may still have access rights to the financial system.

D.  

Participation in the risk assessment may constitute a conflict of interest.

A.  

Developing an ongoing awareness and training program

B.  

Creating policies and standards that are easy to comprehend

C.  

Embedding risk management into the organization

D.  

Completing annual risk assessments on critical resources

A.  

Risk self-assessment

B.  

Risk register

C.  

Risk dashboard

D.  

Risk map

A.  

To support regulatory requirements

B.  

To prevent the risk scenario in the current environment

C.  

To monitor for potential changes to the risk scenario

D.  

To track historical risk assessment results

A.  

Conduct a comprehensive compliance review.

B.  

Develop incident response procedures for noncompliance.

C.  

Investigate the root cause of noncompliance.

D.  

Declare a security breach and Inform management.

A.  

inadequate resource allocation

B.  

Data disruption

C.  

Unauthorized access

D.  

Inadequate retention schedules

A.  

Risk response plans

B.  

Risk and control ownership

C.  

Key controls

D.  

Impact and likelihood ratings

A.  

Audit reports

B.  

Industry benchmarks

C.  

Financial forecasts

D.  

Annual threat reports

A.  

Some IT risk scenarios have multi-year risk action plans.

B.  

Several IT risk scenarios are missing assigned owners.

C.  

Numerous IT risk scenarios have been granted risk acceptances.

D.  

Many IT risk scenarios are categorized as avoided.

A.  

Physical destruction

B.  

Degaussing

C.  

Data anonymization

D.  

Data deletion

A.  

the jurisdiction in which an organization has its principal headquarters

B.  

international law and a uniform set of regulations.

C.  

the laws and regulations of each individual country

D.  

international standard-setting bodies.

A.  

To achieve business objectives

B.  

To minimize business disruptions

C.  

To identify threats and vulnerabilities

D.  

To identify and analyze risk

A.  

Decrease in the time to move changes to production

B.  

Ratio of emergency fixes to total changes

C.  

Ratio of system changes to total changes

D.  

Decrease in number of changes without a fallback plan

A.  

threat vector.

B.  

critical success factor (CSF).

C.  

key performance indicator (KPI).

D.  

key risk indicator (KRI).

A.  

IT system owner

B.  

Chief financial officer

C.  

Chief risk officer

D.  

Business process owner

A.  

Review regular control testing results.

B.  

Recommend a penetration test.

C.  

Assess the risk to determine mitigation needed.

D.  

Analyze key performance indicators (KPIs).

A.  

Reducing the need for audit reviews

B.  

Facilitating continuous control monitoring

C.  

Improving control process efficiency

D.  

Complying with functional requirements

A.  

Scope of the control coverage

B.  

The number of exceptions granted

C.  

Number of steps necessary to operate process

D.  

Number of control deviations detected

A.  

determine data backup and recovery availability at an alternate site.

B.  

identify critical business functions and resources.

C.  

define roles and responsibilities for implementation.

D.  

identify recovery time objectives (RTOs) for critical business applications.

A.  

provide an enterprise-wide view of risk

B.  

support risk response tracking

C.  

assign risk ownership

D.  

facilitate risk response decisions.

A.  

results of a business impact analysis (BIA).

B.  

the original risk response plan.

C.  

training program and user awareness documentation.

D.  

a post-implementation risk and control self-assessment (RCSA).

A.  

Maintaining a documented risk register

B.  

Establishing a risk awareness program

C.  

Rewarding employees for reporting security incidents

D.  

Allocating resources for risk remediation

A.  

They support compliance with regulations.

B.  

They provide evidence of risk assessment.

C.  

They facilitate communication of risk.

D.  

They enable the use of key risk indicators (KRls)

A.  

Include professional ethics in the corporate value statement.

B.  

Establish a channel for employees to report unethical behavior.

C.  

Include professional ethics criteria as part of performance appraisals.

D.  

Establish a code of conduct document for employees to sign.

A.  

Third-party software is used for data analytics.

B.  

Data usage exceeds individual consent.

C.  

Revenue generated is not disclosed to customers.

D.  

Use of a data analytics system is not disclosed to customers.

A.  

Authentication logs have been disabled.

B.  

An external vulnerability scan has been detected.

C.  

A brute force attack has been detected.

D.  

An increase in support requests has been observed.

A.  

Recovery time objective (RTO)

B.  

Cost-benefit analysis

C.  

Business impact analysis (BIA)

D.  

Cyber insurance coverage

A.  

highlight trends of developing risk.

B.  

ensure accurate and reliable monitoring.

C.  

take appropriate actions in a timely manner.

D.  

set different triggers for each stakeholder.

A.  

Ethics committees

B.  

Contingency scenarios

C.  

Awareness of consequences for violations

D.  

Routine changes in senior management

A.  

Responsible

B.  

Accountable

C.  

Informed

D.  

Consulted

A.  

inherent risk.

B.  

residual risk.

C.  

risk appetite

D.  

risk tolerance

A.  

Alerting operational management to emerging issues

B.  

Implementing corrective actions to address deficiencies

C.  

Owning risk scenarios and bearing the consequences of loss

D.  

Performing duties independently to provide assurance

A.  

Risk questionnaire

B.  

Risk register

C.  

Management assertion

D.  

Compliance manual

A.  

Create an asset valuation report.

B.  

Create key performance indicators (KPls).

C.  

Create key risk indicators (KRIs).

D.  

Create a risk volatility report.

A.  

Evaluate the security architecture maturity.

B.  

Map the new requirements to the existing control framework.

C.  

Charter a privacy steering committee.

D.  

Conduct a privacy impact assessment (PIA).

A.  

Average bandwidth usage

B.  

Peak bandwidth usage

C.  

Total bandwidth usage

D.  

Bandwidth used during business hours

A.  

Risk classification

B.  

Risk policy

C.  

Risk strategy

D.  

Risk appetite

A.  

Modeling a threat-based risk event

B.  

Calculating mean time between failures (MTBF)

C.  

Using a semi-quantitative approach

D.  

Calculating adjusted loss expectancy (ALE)

A.  

Risk Impact Rating

B.  

Risk Owner

C.  

Risk Likelihood Rating

D.  

Risk Exposure

A.  

Automated controls

B.  

Security awareness training

C.  

Multifactor authentication

D.  

Employee sanctions

A.  

provide clear evidence that the system is sufficiently secure.

B.  

determine the impact of potential threats.

C.  

test intrusion detection systems (IDS) and response procedures.

D.  

detect weaknesses that could lead to system compromise.

A.  

The controls may not be properly tested

B.  

The vendor will not ensure against control failure

C.  

The vendor will not achieve best practices

D.  

Lack of a risk-based approach to access control

A.  

IT risk manager

B.  

IT system owner

C.  

Information security manager

D.  

Business owner

A.  

Quantified risk triggers

B.  

Cost of controls

C.  

Regulatory requirements

D.  

Organizational goals

A.  

Changes in internal and external risk factors

B.  

Changes in internal and external auditors

C.  

Changes in risk appetite and risk tolerance

D.  

Changes in vulnerability assessment and penetration testing