CRISC Practice Questions

A.  

Review historical application down me and frequency

B.  

Assess the potential impact and cost of mitigation

C.  

identify other legacy systems within the organization

D.  

Explore the feasibility of replacing the legacy system

A.  

Classification of the data

B.  

Type of device

C.  

Remote management capabilities

D.  

Volume of data

A.  

User access may be restricted by additional security.

B.  

Unauthorized access may be gained to multiple systems.

C.  

Security administration may become more complex.

D.  

User privilege changes may not be recorded.

A.  

Internal email communications are not encrypted.

B.  

Data transmission within the corporate network is not encrypted.

C.  

Internally created documents are not automatically classified.

D.  

Data transmission across public networks is not encrypted.

A.  

Key risk indicator (KRI) thresholds

B.  

Risk trends

C.  

Key performance indicators (KPIs)

D.  

Risk objectives

A.  

identity early risk transfer strategies.

B.  

lessen the impact of realized risk.

C.  

analyze the chain of risk events.

D.  

identify the root cause of risk events.

A.  

It facilitates the use of a framework for risk management.

B.  

It establishes a means for senior management to formally approve risk practices.

C.  

It encourages risk-based decision making for stakeholders.

D.  

It provides a basis for benchmarking against industry standards.

A.  

mitigated

B.  

deferred

C.  

accepted.

D.  

transferred

A.  

Inherent risk is lower than risk tolerance.

B.  

Operational risk is higher than risk tolerance.

C.  

Accepted risk is higher than risk tolerance.

D.  

Residual risk is lower than risk tolerance.

A.  

Data validation

B.  

Identification

C.  

Authentication

D.  

Data integrity

A.  

Review the vendor selection process and vetting criteria.

B.  

Assess whether use of service falls within risk tolerance thresholds.

C.  

Establish service level agreements (SLAs) with the vendor.

D.  

Check the contract for appropriate security risk and control provisions.

A.  

It assigns numeric values to exposures of assets.

B.  

It requires more resources than other methods

C.  

It produces the results in numeric form.

D.  

It is based on impact analysis of information assets.

A.  

Implement targeted awareness training for new BYOD users.

B.  

Implement monitoring to detect control deterioration.

C.  

Identify log sources to monitor BYOD usage and risk impact.

D.  

Reduce the risk tolerance level.

A.  

The skill level required of a threat actor

B.  

The amount of personally identifiable information (PH) disclosed

C.  

The ability to detect and trace the threat action

D.  

The amount of data that might be exposed by a threat action

A.  

Communicate sanctions for policy violations to all staff.

B.  

Obtain signed acceptance of the new policy from employees.

C.  

Train all staff on relevant information security best practices.

D.  

Implement data loss prevention (DLP) within the corporate network.

A.  

Leading industry frameworks

B.  

Business context

C.  

Regulatory requirements

D.  

IT strategy

A.  

design of appropriate controls.

B.  

industry benchmarking of controls.

C.  

prioritization of response efforts.

D.  

classification of information assets.

A.  

Deleting the data from the file system

B.  

Cryptographically scrambling the data

C.  

Formatting the cloud storage at the block level

D.  

Degaussing the cloud storage media

A.  

Recovery Time Objective (RTO)

B.  

Mean Time to Recover (MTTR)

C.  

Mean Time Between Failures (MTBF)

D.  

Recovery Point Objective (RPO)

A.  

Approval of the control by senior management

B.  

Complete and accurate documentation of control objectives

C.  

Control owner attestation of control effectiveness

D.  

Internal audit review of control design

A.  

Mitigate

B.  

Accept

C.  

Transfer

D.  

Avoid

A.  

Ensuring the vendor does not know the encryption key

B.  

Engaging a third party to validate operational controls

C.  

Using the same cloud vendor as a competitor

D.  

Using field-level encryption with a vendor supplied key

A.  

An internal audit

B.  

Security operations center review

C.  

Internal penetration testing

D.  

A third-party audit

A.  

Application monitoring

B.  

Separation of duty

C.  

Least privilege

D.  

Nonrepudiation

A.  

Residual risk

B.  

Risk appetite

C.  

Mitigation cost

D.  

Inherent risk

A.  

Defined remediation plans

B.  

Management sign-off on the scope

C.  

Manual testing of device vulnerabilities

D.  

Visibility into all networked devices

A.  

Key risk indicators (KRls) are developed for key IT risk scenarios

B.  

IT risk scenarios are assessed by the enterprise risk management team

C.  

Risk appetites for IT risk scenarios are approved by key business stakeholders.

D.  

IT risk scenarios are developed in the context of organizational objectives.

A.  

the organization's risk culture

B.  

benchmarking results against similar organizations

C.  

industry-specific regulatory requirements

D.  

expertise available within the IT department

A.  

Confirming the adequacy of recovery plans.

B.  

Improving compliance with control standards.

C.  

Providing early detection of control degradation.

D.  

Reducing the number of incidents.

A.  

Informed consent

B.  

Cross border controls

C.  

Business impact analysis (BIA)

D.  

Data breach protection

A.  

Conduct a comprehensive review of access management processes.

B.  

Declare a security incident and engage the incident response team.

C.  

Conduct a comprehensive awareness session for system administrators.

D.  

Evaluate system administrators' technical skills to identify if training is required.

A.  

IT management

B.  

Internal audit

C.  

Process owners

D.  

Senior management

A.  

A comparison of the costs of notice and consent control options

B.  

Examples of regulatory fines incurred by industry peers for noncompliance

C.  

A report of critical controls showing the importance of notice and consent

D.  

A cost-benefit analysis of the control versus probable legal action

A.  

Conduct a risk assessment with stakeholders.

B.  

Conduct third-party resilience tests.

C.  

Update the risk register with the process changes.

D.  

Review risk related to standards and regulations.

A.  

Sections of the policy that may justify not implementing the requirement

B.  

Risk associated with the inability to implement the requirement

C.  

Budget justification to implement the new requirement during the current year

D.  

Industry best practices with respect to implementation of the proposed control

A.  

Initiate a retest of the full control

B.  

Retest the control using the new application as the only sample.

C.  

Review the corresponding change control documentation

D.  

Re-evaluate the control during (he next assessment

A.  

Enhance the security awareness program.

B.  

Increase the frequency of incident reporting.

C.  

Purchase cyber insurance from a third party.

D.  

Conduct a control assessment.

A.  

Several risk action plans have missed target completion dates.

B.  

Senior management has accepted more risk than usual.

C.  

Risk associated with many assets is only expressed in qualitative terms.

D.  

Many risk scenarios are owned by the same senior manager.

A.  

Software version

B.  

Assigned software manager

C.  

Software support contract expiration

D.  

Software licensing information

A.  

Report the findings to executive management to enable treatment decisions.

B.  

Reassess each vulnerability to evaluate the risk profile of the application.

C.  

Conduct a penetration test to determine how to mitigate the vulnerabilities.

D.  

Prepare a risk response that is aligned to the organization's risk tolerance.

A.  

identify an alternative location to host operations.

B.  

identify a geographically dispersed disaster recovery site.

C.  

prioritize critical services to be restored.

D.  

develop a multi-channel communication plan.

A.  

Technology subject matter experts

B.  

Business process owners

C.  

Business users of IT systems

D.  

Risk management consultants

A.  

Implement new controls.

B.  

Recalibrate the key performance indicator (KPI).

C.  

Redesign the process.

D.  

Re-evaluate the existing control design.

A.  

Conduct targeted risk assessments.

B.  

Recommend management accept the low risk scenarios.

C.  

Assess management's risk tolerance.

D.  

Propose mitigating controls.

A.  

Avoidance

B.  

Acceptance

C.  

Mitigation

D.  

Transfer

A.  

vulnerability scans.

B.  

recurring vulnerabilities.

C.  

vulnerabilities remediated,

D.  

new vulnerabilities identified.

A.  

Percentage of projects with key risk accepted by the project steering committee

B.  

Reduction in risk policy noncompliance findings

C.  

Percentage of projects with developed controls on scope creep

D.  

Reduction in audits involving external risk consultants

A.  

Aggregate risk of the organization

B.  

Number of identified system vulnerabilities

C.  

Number of exception requests processed in the past 90 days

D.  

Number of attacks against the organization's website

A.  

Maintaining effective internal controls

B.  

Providing oversight and governance

C.  

Conducting independent audits

D.  

Establishing the organization’s risk appetite

A.  

Current vulnerabilities

B.  

Recovery time objectives (RTOs)

C.  

Critical business processes

D.  

A suitable alternate site