CRISC Practice Questions

A.  

exceeding availability thresholds

B.  

experiencing hardware failures

C.  

exceeding current patching standards.

D.  

meeting the baseline for hardening.

A.  

Redesign key risk indicators (KRIs).

B.  

Update risk responses.

C.  

Conduct a SWOT analysis.

D.  

Perform a threat assessment.

A.  

minimize the number of risk scenarios for risk assessment.

B.  

aggregate risk scenarios identified across different business units.

C.  

build a threat profile of the organization for management review.

D.  

provide a current reference to stakeholders for risk-based decisions.

A.  

To assist with risk identification

B.  

To determine risk tolerance

C.  

To determine risk appetite

D.  

To assist in the development of risk responses

A.  

Relevant risk case studies

B.  

Internal audit findings

C.  

Risk assessment results

D.  

Penetration testing results

A.  

Monitoring is only conducted between official hours of business

B.  

Employees are informed of how they are bong monitored

C.  

Reporting on nonproductive employees is sent to management on a scheduled basis

D.  

Multiple data monitoring sources are integrated into security incident response procedures

A.  

Conduct an audit to determine the frequency of occurrence

B.  

Update the probability in the risk register

C.  

Create a noncompliance risk scenario

D.  

Weigh compliance against the cost-benefit

A.  

Technical event

B.  

Threat event

C.  

Vulnerability event

D.  

Loss event

A.  

Asset management metrics are aligned to industry benchmarks

B.  

Organizational information risk controls are continuously monitored

C.  

There are defined processes in place for onboarding assets

D.  

The asset management team is involved in the budgetary planning process

A.  

Gap analysis

B.  

Risk assessment

C.  

Heat map

D.  

Risk register

A.  

Conduct social engineering testing.

B.  

Audit security awareness training materials.

C.  

Administer an end-of-training quiz.

D.  

Perform a vulnerability assessment.

A.  

Key risk indicators (KRls)

B.  

Inherent risk

C.  

Residual risk

D.  

Risk appetite

A.  

Risk policy

B.  

Risk committee

C.  

Risk culture

D.  

Risk management plan

A.  

Security policies are being reviewed infrequently.

B.  

Controls are not operating efficiently.

C.  

Vulnerabilities are not being mitigated

D.  

Aggregate risk is approaching the tolerance threshold

A.  

Overseeing the execution of framework requirements

B.  

Implementing the framework requirements

C.  

Advising industry standard framework organizations

D.  

Auditing the execution of framework requirements

A.  

Well documented policies and procedures

B.  

Risk and issue tracking

C.  

An IT strategy committee

D.  

Change and release management

A.  

Develop a detailed risk profile.

B.  

Hire experienced and knowledgeable resources.

C.  

Schedule internal audits across the business.

D.  

Conduct risk assessments across the business.

A.  

assess effectiveness of different projects.

B.  

define the risk assessment methodology.

C.  

ensure assets have low residual risk.

D.  

account for identified key risk factors.

A.  

Risk owner

B.  

Business manager

C.  

Data owner

D.  

Risk manager

A.  

To provide input to the organization's risk appetite

B.  

To monitor the vendor's control effectiveness

C.  

To verify the vendor's ongoing financial viability

D.  

To assess the vendor's risk mitigation plans

A.  

The model could be hacked or exploited.

B.  

The model could be used to generate inaccurate content.

C.  

Staff could become overly reliant on the model.

D.  

It could lead to biased recommendations.

A.  

Aligned with risk management capabilities.

B.  

Based on industry trends.

C.  

Related to probable events.

D.  

Mapped to incident response plans.

A.  

Piloting courses with focus groups

B.  

Using reputable third-party training programs

C.  

Reviewing content with senior management

D.  

Creating modules for targeted audiences

A.  

Business resilience manager

B.  

Disaster recovery team lead

C.  

Application owner

D.  

IT operations manager

A.  

Prepare a skills matrix to illustrate tasks and required expertise.

B.  

Require periodic security assessments of the vendor within the contract.

C.  

Perform due diligence to enable holistic assessment of the vendor.

D.  

Plan a phased approach for the transition of processes to the vendor.

A.  

Assess generic risk scenarios with business users.

B.  

Validate the generic risk scenarios for relevance.

C.  

Select the maximum possible risk scenarios from the list.

D.  

Identify common threats causing generic risk scenarios

A.  

Lack of alignment to best practices

B.  

Lack of risk assessment

C.  

Lack of risk and control procedures

D.  

Lack of management approval

A.  

Business objectives

B.  

Risk tolerance level

C.  

Data access requirements

D.  

Data classification

A.  

Control standard operating procedures

B.  

Latest security assessment

C.  

Current security threat report

D.  

Updated risk register

A.  

Assigning identification dates for risk scenarios in the risk register

B.  

Updating impact assessments for risk scenario

C.  

Verifying whether risk action plans have been completed

D.  

Reviewing key risk indicators (KRIS)

A.  

Assessing risk with no controls in place

B.  

Showing projected residual risk

C.  

Providing peer benchmarking results

D.  

Assessing risk with current controls in place

A.  

operates as intended.

B.  

is being monitored.

C.  

meets regulatory requirements.

D.  

operates efficiently.

A.  

priority in the risk register.

B.  

business process owner.

C.  

enterprise risk profile.

D.  

appropriate level of protection.

A.  

To ensure completion of the risk assessment cycle

B.  

To ensure controls arc operating effectively

C.  

To ensure residual risk Is at an acceptable level

D.  

To ensure control costs do not exceed benefits

A.  

An experienced and certified disaster recovery team

B.  

A record of quarterly disaster recovery tests

C.  

A comprehensive list of critical applications

D.  

A defined recovery point objective (RPO)

A.  

The audit had a broader scope than the CS

A.  

B.  

The CSA was not sample-based.

C.  

The CSA did not test control effectiveness.

D.  

The CSA was compliance-based, while the audit was risk-based.

A.  

An annual contract review

B.  

A service level agreement (SLA)

C.  

A requirement to adopt an established risk management framework

D.  

A requirement to provide an independent audit report

A.  

IT infrastructure head

B.  

Human resources head

C.  

Supplier management head

D.  

Application development head

A.  

Do not collect or retain data that is not needed.

B.  

Redact data where possible.

C.  

Limit access to the personal data.

D.  

Ensure all data is encrypted at rest and during transit.

A.  

Utilizing data loss prevention (DLP) technology

B.  

Monitoring the enterprise's use of the Internet

C.  

Scanning the Internet to search for unauthorized usage

D.  

Developing training and awareness campaigns

A.  

There is potential for an increase in audit findings

B.  

Key performance indicators (KPIs) may not be reliable

C.  

The potential for risk realization is increased

D.  

Control inefficiencies may go undetected

A.  

Directives from legal and regulatory authorities

B.  

Audit reports from internal information systems audits

C.  

Automated logs collected from different systems

D.  

Trend analysis of external risk factors

A.  

overall effectiveness of risk management

B.  

consequences of risk materializing

C.  

necessity of developing a risk strategy,

D.  

organization s risk threshold.

A.  

Identify new threats resorting from the new business strategy

B.  

Update risk awareness training to reflect current levels of risk appetite and tolerance

C.  

Inform the board of potential risk scenarios associated with aggressive business strategies

D.  

Increase the scale for measuring impact due to threat materialization

A.  

Risk appetite statement

B.  

Enterprise risk management framework

C.  

Risk management policies

D.  

Risk register

A.  

Ensure compliance.

B.  

Identify trends.

C.  

Promote a risk-aware culture.

D.  

Optimize resources needed for controls

A.  

Assisting in continually optimizing risk governance

B.  

Enabling the documentation and analysis of trends

C.  

Ensuring compliance with regulatory requirements

D.  

Providing an early warning to take proactive actions

A.  

Business continuity director

B.  

Disaster recovery manager

C.  

Business application owner

D.  

Data center manager

A.  

Number of users who have signed a BYOD acceptable use policy

B.  

Number of incidents originating from BYOD devices

C.  

Budget allocated to the BYOD program security controls

D.  

Number of devices enrolled in the BYOD program

A.  

who owns the business process.

B.  

the amount of residual risk.

C.  

who is responsible for risk mitigation.

D.  

the total cost of risk treatment.