CRISC Practice Questions

A.  

reflective of the lowest organizational level.

B.  

a data feed taken directly from operational production systems.

C.  

reported to management the same day data is collected.

D.  

focused on providing a forward-looking view.

A.  

management.

B.  

tolerance.

C.  

culture.

D.  

analysis.

A.  

Historical data availability

B.  

Implementation and reporting effort

C.  

Ability to display trends

D.  

Sensitivity and reliability

A.  

Accept the residual risk due to the low likelihood of occurrence.

B.  

Implement additional mitigation measures.

C.  

Determine whether residual risk is within risk appetite.

D.  

Adopt a new risk assessment method to avoid the residual risk.

A.  

Ad hoc control reporting

B.  

Control self-assessment

C.  

Continuous monitoring

D.  

Predictive analytics

A.  

Al may result in less reliance on human intervention.

B.  

Malicious activity may inadvertently be classified as normal during baselining.

C.  

Risk assessments of heuristic security systems are more difficult.

D.  

Predefined patterns of malicious activity may quickly become outdated.

A.  

Conduct inoremental backups of data in the SaaS environment to a local data center.

B.  

Implement segregation of duties between multiple SaaS solution providers.

C.  

Codify availability requirements in the SaaS provider's contract.

D.  

Conduct performance benchmarking against other SaaS service providers.

A.  

An established process for project change management

B.  

Retention of test data and results for review purposes

C.  

Business managements review of functional requirements

D.  

Segregation between development, test, and production

A.  

The risk owner has validated outcomes.

B.  

The risk register has been updated.

C.  

The control objectives are mapped to risk objectives.

D.  

The requirements have been achieved.

A.  

data aggregation

B.  

data privacy

C.  

data quality

D.  

data validation

A.  

Additional mitigating controls should be identified.

B.  

The system should not be used until the application is changed

C.  

The organization's IT risk appetite should be adjusted.

D.  

The associated IT risk should be accepted by management.

A.  

Improved senior management communication

B.  

Optimized risk treatment decisions

C.  

Enhanced awareness of risk management

D.  

Improved collaboration among risk professionals

A.  

Implement privacy training

B.  

Normalize the personal data

C.  

Minimize the collection of data

D.  

Encrypt the personal data

A.  

Identify the extent of the approval limit violations.

B.  

Notify senior management of the system deficiency.

C.  

Update the risk register with higher risk likelihood of violation.

D.  

Remind users of the importance of adhering to approval limits.

A.  

Industry best practice review

B.  

Risk assessment

C.  

Cost-benefit analysis

D.  

Control-effectiveness evaluation

A.  

Facilitate a review of risk tolerance levels

B.  

Adjust the risk impact and likelihood scale

C.  

Revise key risk indicator (KRI) thresholds

D.  

Introduce the risk treatment process

A.  

Technical details

B.  

Target completion date

C.  

Treatment plan ownership

D.  

Treatment plan justification

A.  

Management approval

B.  

Annual review

C.  

Relevance

D.  

Automation

A.  

Implement continuous monitoring.

B.  

Require a second level of approval.

C.  

Implement separation of duties.

D.  

Require a code of ethics.

A.  

Conduct interviews with key stakeholders.

B.  

Conduct a tabletop exercise.

C.  

Conduct a disaster recovery exercise.

D.  

Conduct a full functional exercise.

A.  

Risk mitigation plans

B.  

heat map

C.  

Risk appetite statement

D.  

Key risk indicators (KRls)

A.  

Implement a new risk assessment process.

B.  

Revalidate the corporate risk appetite.

C.  

Review and adjust key risk indicators (KRIs).

D.  

Communicate the new risk profile.

A.  

Impact of risk occurrence

B.  

Frequency of risk occurrence

C.  

Cost of risk response

D.  

Legal aspects of risk realization

A.  

Unclear organizational risk appetite

B.  

Lack of senior management participation

C.  

Use of highly customized control frameworks

D.  

Reliance on qualitative analysis methods

A.  

Conduct penetration testing.

B.  

Interview IT operations personnel.

C.  

Conduct vulnerability scans.

D.  

Review change control board documentation.

A.  

Compliance objectives

B.  

Risk appetite of the organization

C.  

Organizational objectives

D.  

Inherent and residual risk

A.  

Senior management support of cloud adoption strategies

B.  

Creation of a cloud access risk management policy

C.  

Adoption of a cloud access security broker (CASB) solution

D.  

Expansion of security information and event management (SIEM) to cloud services

A.  

Derive scenarios from IT risk policies and standards.

B.  

Map scenarios to a recognized risk management framework.

C.  

Gather scenarios from senior management.

D.  

Benchmark scenarios against industry peers.

A.  

Results of the latest risk assessment

B.  

Results of a risk forecasting analysis

C.  

A review of compliance regulations

D.  

Findings of the most recent audit

A.  

Percentage of applications subject to disaster recovery tests

B.  

Number of personnel dedicated to the disaster recovery program

C.  

Number of disaster recovery tests performed per year

D.  

Percentage of systems meeting defined recovery objectives

A.  

To gain stakeholder support for the implementation of controls

B.  

To address multiple risk scenarios mitigated by technical controls

C.  

To comply with industry best practices by balancing multiple types of controls

D.  

To improve the effectiveness of controls that mitigate risk

A.  

Use of a non-production environment

B.  

Regular security updates

C.  

Third-party management plan

D.  

Adequate vendor support

A.  

Obtain objective assessment of the control environment.

B.  

Ensure the risk profile is defined and communicated.

C.  

Validate the threat management process.

D.  

Obtain an objective view of process gaps and systemic errors.

A.  

Scenarios with the highest number of open audit issues

B.  

Scenarios with the highest frequency of incidents

C.  

Scenarios with the largest budget allocation for risk mitigation

D.  

Scenarios with the highest risk impact to the business

A.  

Flexibility and adaptability

B.  

Measurability and consistency

C.  

Robustness and resilience

D.  

Optimal cost and benefit

A.  

Industry benchmarks

B.  

Risk tolerance

C.  

Risk appetite

D.  

Regulatory compliance

A.  

Perform a penetration test.

B.  

Review security logs.

C.  

Conduct a threat analysis.

D.  

Perform a root cause analysis.

A.  

Key risk indicators (KRIs).

B.  

Risk velocity.

C.  

Risk response plans and owners.

D.  

Risk impact and likelihood.

A.  

Operating controls for risk mitigation

B.  

Testing the effectiveness and efficiency of internal controls

C.  

Providing assurance on risk management processes

D.  

Recommending risk treatment options

A.  

Key audit findings

B.  

Treatment plan status

C.  

Performance indicators

D.  

Risk scenario results

A.  

Implement additional controls to address the risk

B.  

Accept the risk based on the provider's risk assessment

C.  

Review the provider's independent audit results

D.  

Ensure the contract includes breach notification requirements

A.  

Lack of access verification for systems on the internal network

B.  

Identification and authentication failures for users

C.  

Poorly configured firewall rules introducing security breaches

D.  

Ineffective load balancing on network devices

A.  

Risk register

B.  

Risk assessment

C.  

Key risk indicator (KRI)

D.  

Key performance indicator (KPI)

A.  

Request a policy exception from senior management.

B.  

Comply with the organizational policy.

C.  

Report the noncompliance to the local regulatory agency.

D.  

Request an exception from the local regulatory agency.

A.  

An antivirus program

B.  

Database activity monitoring

C.  

Firewall log monitoring

D.  

File integrity monitoring

A.  

mitigated

B.  

accepted

C.  

avoided

D.  

deferred

A.  

Implement additional controls to further mitigate risk

B.  

Review performance results with the control owner

C.  

Redefine performance criteria based on control monitoring results

D.  

Recommend a tool to meet the performance requirements

A.  

Mapping threats to organizational objectives

B.  

Reviewing past audits

C.  

Analyzing key risk indicators (KRIs)

D.  

Identifying potential sources of risk

A.  

A risk and control self-assessment

B.  

Senior management's attestation

C.  

A system-generated testing report

D.  

detailed process walk-through

A.  

To increase familiarity and understanding of potential security incidents

B.  

To ensure compliance with risk management policies and procedures

C.  

To reduce the risk of insider threats that could compromise security practices

D.  

To lower the organization's risk appetite and tolerance levels