CRISC Practice Questions

A.  

Increasing senior management's understanding of IT operations

B.  

Increasing the frequency of data backups

C.  

Minimizing complexity of IT infrastructure

D.  

Decentralizing IT infrastructure

A.  

The risk owner

B.  

The person who identified the risk

C.  

The control owner

D.  

The risk response owner

A.  

Activity logging and monitoring

B.  

Periodic access review

C.  

Two-factor authentication

D.  

Awareness training and background checks

A.  

Add a digital certificate

B.  

Apply multi-factor authentication

C.  

Add a hash to the message

D.  

Add a secret key

A.  

Training and awareness of employees for increased vigilance

B.  

Increased monitoring of executive accounts

C.  

Subscription to data breach monitoring sites

D.  

Suspension and takedown of malicious domains or accounts

A.  

Number of malicious activities occurring during staff members leave

B.  

Percentage of staff members seeking exception to the policy

C.  

Percentage of staff members taking leave according to the policy

D.  

Financial loss incurred due to malicious activities during staff members' leave

A.  

Patch the operating system immediately

B.  

Determine whether any active attacks are exploiting the vulnerability

C.  

Invoke the organization's incident response plan

D.  

Evaluate the threat in the context of the organization's IT environment

A.  

To verify that budget for the project is managed effectively

B.  

To confirm compliance with project management methodology

C.  

To ensure the risk is managed to an acceptable level

D.  

To ensure audit findings are addressed in a timely manner

A.  

Number of disaster recovery scenarios identified

B.  

Percentage of employees involved in the disaster recovery exercise

C.  

Number of total systems recovered within the recovery point objective (RPO)

D.  

Percentage of critical systems recovered within the recovery time objective (RTO)

A.  

Single sign-on

B.  

Data integrity checking

C.  

Strong authentication

D.  

Intrusion detection system

A.  

Quantitative analysis might not be possible.

B.  

Risk factors might not be relevant to the organization

C.  

Implementation costs might increase.

D.  

Inherent risk might not be considered.

A.  

determine control ownership.

B.  

evaluate the risk response of similar sized organizations.

C.  

evaluate the organization's ability to implement the solution.

D.  

determine the remediation timeline.

A.  

Ensure compliance with the organization's internal policies

B.  

Cultivate long-term behavioral change.

C.  

Communicate IT risk policy to the participants.

D.  

Demonstrate regulatory compliance.

A.  

Risk action plans and associated owners

B.  

Recent audit and self-assessment results

C.  

Potential losses compared to treatment cost

D.  

A list of assets exposed to the highest risk

A.  

it is more cost-effective to determine controls in the early design phase.

B.  

structured analysis techniques exclude identification of controls.

C.  

structured programming techniques require that controls be designed before coding begins.

D.  

technical specifications are defined during this phase.

A.  

Record the problem as a new issue in the risk management system

B.  

Record a new issue but backdate it to the original risk assessment date

C.  

Report the vulnerability to the asset owner's manager

D.  

Document the issue during the next risk assessment

A.  

Regulatory requirements may differ in each country.

B.  

Data sampling may be impacted by various industry restrictions.

C.  

Business advertising will need to be tailored by country.

D.  

The data analysis may be ineffective in achieving objectives.

A.  

vendors providing risk assessments on time.

B.  

vendor contracts reviewed in the past year.

C.  

vendor risk mitigation action items completed on time.

D.  

vendors that have reported control-related incidents.

A.  

Lack of expertise to implement single sign-on (SSO)

B.  

Cloud access security vendor selection

C.  

Inadequate key management policies

D.  

Inconsistently applied security policies

A.  

A privacy impact assessment has not been completed.

B.  

Data encryption methods apply to a subset of Pll obtained.

C.  

The data privacy officer was not consulted.

D.  

Insufficient access controls are used on the loT devices.

A.  

Management wants to increase the number of controls.

B.  

A vulnerability is identified.

C.  

Existing controls are inadequate.

D.  

A key control is already in place and operating effectively.

A.  

Update residual risk levels to reflect the expected risk impact.

B.  

Adjust inherent risk levels upward.

C.  

Include it on the next enterprise risk committee agenda.

D.  

Include it in the risk register for ongoing monitoring.

A.  

Requiring two-factor authentication

B.  

Conducting security awareness training

C.  

Implementing phishing simulations

D.  

Updating the information security policy

A.  

Configuration validation

B.  

Control attestation

C.  

Penetration testing

D.  

Internal audit review

A.  

Threat landscape

B.  

Risk appetite

C.  

Risk register

D.  

Risk metrics

A.  

The organization's structure has not been updated

B.  

Unnecessary access permissions have not been removed.

C.  

Company equipment has not been retained by IT

D.  

Job knowledge was not transferred to employees m the former department

A.  

An email from the user accepting the account

B.  

Notification from human resources that the account is active

C.  

User privileges matching the request form

D.  

Formal approval of the account by the user's manager

A.  

Users may share accounts with business system analyst

B.  

Application may not capture a complete audit trail.

C.  

Users may be able to circumvent application controls.

D.  

Multiple connects to the database are used and slow the process

A.  

Describe IT risk scenarios in terms of business risk.

B.  

Recommend the formation of an executive risk council to oversee IT risk.

C.  

Provide an estimate of IT system downtime if IT risk materializes.

D.  

Educate business executives on IT risk concepts.

A.  

A list of organizational threats

B.  

A high-level risk map

C.  

Specialized risk publications

D.  

A list of organizational vulnerabilities

A.  

The vendor must provide periodic independent assurance reports.

B.  

The vendor must host data in a specific geographic location.

C.  

The vendor must be held liable for regulatory fines for failure to protect data.

D.  

The vendor must participate in an annual vendor performance review.

A.  

Cost versus benefit of additional mitigating controls

B.  

Annualized loss expectancy (ALE) for the system

C.  

Frequency of business impact

D.  

Cost of the Information control system

A.  

identifying risk scenarios.

B.  

determining the risk strategy.

C.  

calculating impact and likelihood.

D.  

completing the controls catalog.

A.  

Optimize the control environment.

B.  

Realign risk appetite to the current risk level.

C.  

Decrease the number of related risk scenarios.

D.  

Reduce the risk management budget.

A.  

A decrease in the number of critical assets covered by risk thresholds

B.  

An Increase In the number of risk threshold exceptions

C.  

An increase in the number of change events pending management review

D.  

A decrease In the number of key performance indicators (KPls)

A.  

The third party's IT operations manager

B.  

The organization's process owner

C.  

The third party's chief risk officer (CRO)

D.  

The organization's risk practitioner

A.  

cost-benefit analysis.

B.  

risk appetite.

C.  

regulatory guidelines

D.  

control efficiency

A.  

Educating employees on what needs to be kept confidential

B.  

Implementing a data loss prevention (DLP) solution

C.  

Taking punitive action against employees who expose confidential data

D.  

Requiring employees to sign nondisclosure agreements

A.  

Level of residual risk

B.  

The results of a gap analysis

C.  

IT alignment to business objectives

D.  

Key risk indicators (KRIs)

A.  

Aggregated risk may exceed the enterprise's risk appetite and tolerance.

B.  

Duplicate resources may be used to manage risk registers.

C.  

Standardization of risk management practices may be difficult to enforce.

D.  

Risk analysis may be inconsistent due to non-uniform impact and likelihood scales.

A.  

Time between backups for critical data

B.  

Sensitivity of business data involved

C.  

Cost of downtime due to a disaster

D.  

Maximum tolerable data loss after an incident

A.  

Establish a cyber response plan

B.  

Implement data loss prevention (DLP) tools.

C.  

Implement network segregation.

D.  

Strengthen vulnerability remediation efforts.

A.  

Conduct a risk assessment.

B.  

Update the security strategy.

C.  

Implement additional controls.

D.  

Update the risk register.

A.  

Report the gap to senior management

B.  

Consult with the IT department to update the RTO

C.  

Complete a risk exception form.

D.  

Consult with the business owner to update the BCP

A.  

Accountable

B.  

Informed

C.  

Responsible

D.  

Consulted

A.  

perform a business impact analysis.

B.  

identify potential sources of risk.

C.  

establish risk guidelines.

D.  

understand control design.

A.  

Number of customer records held

B.  

Number of databases that host customer data

C.  

Number of encrypted customer databases

D.  

Number of staff members having access to customer data

A.  

User provisioning

B.  

Role-based access controls

C.  

Security log monitoring

D.  

Entitlement reviews

A.  

Evaluating the impact of removing existing controls

B.  

Evaluating existing controls against audit requirements

C.  

Reviewing system functionalities associated with business processes

D.  

Monitoring existing key risk indicators (KRIs)

A.  

Requiring a printer access code for each user

B.  

Using physical controls to access the printer room

C.  

Using video surveillance in the printer room

D.  

Ensuring printer parameters are properly configured