CRISC Practice Questions

A.  

Impact analysis

B.  

Control analysis

C.  

Root cause analysis

D.  

Threat analysis

A.  

Encrypt the data while in transit lo the supplier

B.  

Contractually obligate the supplier to follow privacy laws.

C.  

Require independent audits of the supplier's control environment

D.  

Utilize blockchain during the data transfer

A.  

requirements of management.

B.  

specific risk analysis framework being used.

C.  

organizational risk tolerance

D.  

results of the risk assessment.

A.  

Use of a non-production environment

B.  

Adequate vendor support

C.  

Third-party management plan

D.  

Regular security updates

A.  

The security team is unaware of the implementation.

B.  

The organization may lose institutional knowledge.

C.  

The robots may fail to work effectively.

D.  

Virtual clients are used for implementation.

A.  

Updating multi-factor authentication

B.  

Monitoring key access control performance indicators

C.  

Analyzing access control logs for suspicious activity

D.  

Revising the service level agreement (SLA)

A.  

Archiving sensitive information

B.  

Understanding the incident management process

C.  

Identifying social engineering attacks

D.  

Understanding the importance of using a secure password

A.  

amount of risk reduced by compensating controls.

B.  

amount of risk present in the organization.

C.  

variance against objectives.

D.  

number of incidents.

A.  

Escalate the issue to the service provider.

B.  

Re-certify the application access controls.

C.  

Remove the developer's access.

D.  

Review the results of pre-migration testing.

A.  

Establish database activity monitoring

B.  

Report the incident to the chief privacy officer (CPO)

C.  

Invoke the incident response plan

D.  

Escalate the issue to the data owner

A.  

Risk register

B.  

Risk action plan

C.  

Risk management strategy

D.  

Business continuity plan (BCP)

A.  

implement code reviews and Quality assurance on a regular basis

B.  

Verity me software agreement indemnifies the company from losses

C.  

Review the source coda and error reporting of the application

D.  

Update the software with the latest patches and updates

A.  

Communication

B.  

Risk analysis

C.  

Decision support

D.  

Benchmarking

A.  

The policy lacks specifics on how to secure the organization's systems from cyberattacks.

B.  

The policy has gaps against relevant cybersecurity standards and frameworks.

C.  

The policy has not been reviewed by the cybersecurity team in over a year.

D.  

The policy has not been approved by the organization's board.

A.  

capability to implement new processes

B.  

evolution of process improvements

C.  

degree of compliance with policies and procedures

D.  

control requirements.

A.  

develop a comprehensive risk mitigation strategy

B.  

develop understandable and realistic risk scenarios

C.  

identify root causes for relevant events

D.  

perform an aggregated cost-benefit analysis

A.  

reduce subjectivity in risk management.

B.  

comply with regulatory requirements.

C.  

demonstrate best industry practice.

D.  

improve visibility of overall risk exposure.

A.  

risk classification methods

B.  

risk-based capital allocation

C.  

risk portfolio

D.  

risk culture

A.  

Perform a business impact analysis (BIA).

B.  

Perform a cost-benefit analysis.

C.  

Review industry best practice.

D.  

Review risk governance policies.

A.  

Data protection officer

B.  

Chief information officer (CIO)

C.  

Information asset custodian

D.  

Information asset owner

A.  

Key control owner

B.  

Operational risk manager

C.  

Business process owner

D.  

Chief information security officer (CISO)

A.  

Establishing employee awareness training

B.  

Assigning accountability to risk owners

C.  

Selling target dates to complete actions

D.  

Contracting to third parties

A.  

Information security officer

B.  

IT risk manager

C.  

Business owner

D.  

Chief risk officer (CRO)

A.  

Data security

B.  

Recovery costs

C.  

Business disruption

D.  

Recovery resource availability

A.  

Recommend avoiding the risk.

B.  

Validate the risk response with internal audit.

C.  

Update the risk register.

D.  

Evaluate outsourcing the process.

A.  

Sufficient resources are not assigned to IT development projects.

B.  

Customer support help desk staff does not have adequate training.

C.  

Email infrastructure does not have proper rollback plans.

D.  

The corporate email system does not identify and store phishing emails.

A.  

Reliance on qualitative analysis methods.

B.  

Lack of a governance, risk, and compliance (GRC) tool.

C.  

Lack of senior management involvement.

D.  

Use of multiple risk registers.

A.  

The number of incidents has decreased over time

B.  

Industry benchmarking is performed on an annual basis

C.  

Risk management practices are audited on an annual basis

D.  

Risk management practices are incorporated into business processes

A.  

Determining possible losses due to downtime during the changes

B.  

Updating control procedures and documentation

C.  

Approving the proposed changes based on impact analysis

D.  

Notifying owners of affected systems after the changes are implemented

A.  

Risk tolerance is decreased.

B.  

Residual risk is increased.

C.  

Inherent risk is increased.

D.  

Risk appetite is decreased

A.  

Industry trends in Al

B.  

Expected algorithm outputs

C.  

Data feeds

D.  

Alert functionality

A.  

Risk and control ownership

B.  

Senior management participation

C.  

Business unit support

D.  

Risk nomenclature and taxonomy

A.  

Reduce retention periods for Pll data.

B.  

Move Pll to a highly-secured outsourced site.

C.  

Modify business processes to stop collecting Pll.

D.  

Implement strong encryption for Pll.

A.  

The balanced scorecard

B.  

A cost-benefit analysis

C.  

The risk management frameworkD, A roadmap of IT strategic planning

A.  

Process ownership

B.  

Risk appetite statement

C.  

Risk tolerance levels

D.  

Risk response options

A.  

Approval by senior management

B.  

Low cost of development and maintenance

C.  

Sensitivity to changes in risk levels

D.  

Use of industry risk data sources

A.  

To provide insight into the effectiveness of the internal control environment

B.  

To provide a basis for determining the criticality of risk mitigation controls

C.  

To provide benchmarks for assessing control design effectiveness against industry peers

D.  

To provide early warning signs of a potential change in risk level

A.  

Percentage of endpoints that are not encrypted

B.  

Number of endpoints not compliant with patching policy

C.  

Ratio of undiscoverable endpoints to encrypted endpoints

D.  

Percentage of endpoints with outdated antivirus signatures

A.  

The risk practitioner

B.  

The business process owner

C.  

The risk owner

D.  

The control owner

A.  

Relative positions on the risk map

B.  

Risk treatment options

C.  

Capability of enterprise to implement

D.  

The multiple risk factors addressed by a chosen response

A.  

Business impact analysis (BIA)

B.  

Cost-benefit analysis

C.  

Attribute analysis

D.  

Root cause analysis

A.  

Percentage of high-risk vulnerabilities missed

B.  

Number of high-risk vulnerabilities outstanding

C.  

Defined thresholds for high-risk vulnerabilities

D.  

Percentage of high-risk vulnerabilities addressed

A.  

Review assignments of data ownership for key assets.

B.  

Identify staff who have access to the organization’s sensitive data.

C.  

Identify recent and historical incidents involving data loss.

D.  

Review the organization's data inventory.

A.  

risk levels.

B.  

risk budgets.

C.  

risk appetite.

D.  

risk capacity.

A.  

Risk taxonomy

B.  

Risk response

C.  

Risk appetite

D.  

Risk ranking

A.  

corrective control.

B.  

preventive control.

C.  

administrative control.

D.  

deterrent control.

A.  

a function of the cost and effectiveness of controls.

B.  

the likelihood of a given threat.

C.  

a function of the likelihood and impact.

D.  

the magnitude of an impact.

A.  

The risk is shared by both organizations.

B.  

The liability for the risk is owned by the cloud provider.

C.  

The risk is transferred to the cloud provider.

D.  

The liability for the risk is owned by the sales department.

A.  

system architecture in target areas.

B.  

IT management policies and procedures.

C.  

business objectives of the organization.

D.  

defined roles and responsibilities.

A.  

Digital signatures

B.  

Encrypted passwords

C.  

One-time passwords

D.  

Digital certificates