CRISC Practice Exam Questions and Answers

A.  

Identify changes in risk factors and initiate risk reviews.

B.  

Engage an external consultant to redesign the risk management process.

C.  

Outsource the process for updating the risk register.

D.  

Implement a process improvement and replace the old risk register.

A.  

Business continuity manager (BCM)

B.  

Human resources manager (HRM)

C.  

Chief risk officer (CRO)

D.  

Chief information officer (CIO)

A.  

The application code has not been version controlled.

B.  

Knowledge of the applications is limited to few employees.

C.  

An IT project manager is not assigned to oversee development.

D.  

Controls are not applied to the applications.

A.  

Review historical application down me and frequency

B.  

Assess the potential impact and cost of mitigation

C.  

identify other legacy systems within the organization

D.  

Explore the feasibility of replacing the legacy system

A.  

To redefine the risk appetite and risk tolerance levels based on changes in risk factors

B.  

To update the risk register to reflect changes in levels of identified and new IT-related risk

C.  

To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance

D.  

To help identify root causes of incidents and recommend suitable long-term solutions

A.  

IT goals and objectives

B.  

Organizational goals and objectives

C.  

The organization's risk appetite statement

D.  

Legal and regulatory requirements

A.  

Stakeholder preferences

B.  

Contractual requirements

C.  

Regulatory requirements

D.  

Management assertions

A.  

Protecting the organization from negative publicity

B.  

Performing a root cause analysis to prevent incident recurrence

C.  

Containing the impact of the incident to affected customers

D.  

Preventing further dissemination of customer information

A.  

A risk roadmap

B.  

A balanced scorecard

C.  

A heat map

D.  

The risk register

A.  

Perform a return on investment analysis.

B.  

Review the risk register and risk scenarios.

C.  

Calculate annualized loss expectancy of risk scenarios.

D.  

Raise the maturity of organizational risk management.

A.  

Industry benchmarks

B.  

Risk tolerance

C.  

Risk appetite

D.  

Regulatory compliance

A.  

Percentage of changes having separation of duties in code deployment

B.  

Percentage of changes having completed post-implementation verification

C.  

Percentage of changes having user acceptance testing (UAT) sign-off

D.  

Percentage of changes having to invoke the rollback plan

A.  

The recovery time objective (RTO)

B.  

The likelihood of a recurring attack

C.  

The organization's risk tolerance

D.  

The business significance of the information

A.  

Assessing risk with no controls in place

B.  

Showing projected residual risk

C.  

Providing peer benchmarking results

D.  

Assessing risk with current controls in place

A.  

Senior management

B.  

Chief risk officer (CRO)

C.  

Vendor manager

D.  

Data owner

A.  

Hot backup site

B.  

Transaction limits

C.  

Scalable infrastructure

D.  

Website activity monitoring

A.  

Risk response plans are documented

B.  

Controls are mapped to key risk scenarios.

C.  

Key risk indicators are defined.

D.  

Risk ownership is assigned

A.  

Identification of controls gaps that may lead to noncompliance

B.  

Prioritization of risk action plans across departments

C.  

Early detection of emerging threats

D.  

Accurate measurement of loss impact

A.  

Risk practitioner

B.  

Business manager

C.  

Risk owner

D.  

Control owner

A.  

capability to implement the response

B.  

importance of IT risk within the enterprise

C.  

effectiveness of risk response options

D.  

alignment of response to industry standards

A.  

Data duplication processes

B.  

Data archival processes

C.  

Data anonymization processes

D.  

Data protection processes

A.  

Escalate the concern to senior management.

B.  

Document the reasons for the exception.

C.  

Include the application in IT risk assessments.

D.  

Propose that the application be transferred to IT.

A.  

Performing credit verification of third-party vendors prior to payment

B.  

Conducting system access reviews to ensure least privilege and appropriate access

C.  

Performing regular reconciliation of payments to the check registers

D.  

Enforcing segregation of duties between the vendor master file and invoicing

A.  

Apply data classification policy

B.  

Utilize encryption with logical access controls

C.  

Require logical separation of company data

D.  

Obtain the right to audit

A.  

Consistent forms to document risk acceptance rationales

B.  

Acceptable scenarios to override risk appetite or tolerance thresholds

C.  

Individuals or roles authorized to approve risk acceptance

D.  

Communication protocols when a risk is accepted

A.  

the cost associated with each control.

B.  

historical risk assessments.

C.  

key risk indicators (KRls).

D.  

information from the risk register.

A.  

Conduct inoremental backups of data in the SaaS environment to a local data center.

B.  

Implement segregation of duties between multiple SaaS solution providers.

C.  

Codify availability requirements in the SaaS provider's contract.

D.  

Conduct performance benchmarking against other SaaS service providers.

A.  

Benchmark of industry standards

B.  

Internal and external risk reports

C.  

Recommendations from IT risk experts

D.  

Outcome of control self-assessments

A.  

use of consultants to ensure completeness.

B.  

communications to users of the target systems.

C.  

changes to target data to prove the attack was successful.

D.  

advance approval from system owners.

A.  

populate risk register entries and build a risk profile for management reporting.

B.  

prioritize IT-related actions by considering risk appetite and risk tolerance.

C.  

define the IT risk framework for the organization.

D.  

comply with the organization's IT risk and information security policies.

A.  

risk is treated appropriately

B.  

mitigating actions are prioritized

C.  

risk entries are regularly updated

D.  

risk exposure is minimized.

A.  

Creating a data classification scheme

B.  

Identifying events impacting continuity of operations

C.  

Analyzing previous risk assessment results

D.  

Identifying critical information assets

A.  

Single loss expectancy (SLE)

B.  

Cost of the information system

C.  

Availability of additional compensating controls

D.  

Potential business impacts are within acceptable levels

A.  

Estimate the residual risk.

B.  

Establish key risk indicators (KRIs).

C.  

Design control improvements.

D.  

Identify the risk owner.

A.  

only approved changes are implemented

B.  

timely evaluation of change events

C.  

an audit trail exists.

D.  

that emergency changes are logged.

A.  

A reduction in the number of help desk calls

B.  

An increase in the number of identified system flaws

C.  

A reduction in the number of user access resets

D.  

An increase in the number of incidents reported

A.  

recommend a program that minimizes the concerns of that production system.

B.  

inform the process owner of the concerns and propose measures to reduce them.

C.  

inform the IT manager of the concerns and propose measures to reduce them.

D.  

inform the development team of the concerns and together formulate risk reduction measures.

A.  

provide clear evidence that the system is sufficiently secure.

B.  

determine the impact of potential threats.

C.  

test intrusion detection systems (IDS) and response procedures.

D.  

detect weaknesses that could lead to system compromise.

A.  

Customized regional training on local laws and regulations

B.  

Policies requiring central reporting of potential procedure exceptions

C.  

Ongoing awareness training to support a common risk culture

D.  

Zero-tolerance policies for risk taking by middle-level managers

A.  

Ongoing availability of data

B.  

Ability to aggregate data

C.  

Ability to predict trends

D.  

Availability of automated reporting systems

A.  

Verbal majority acceptance of risk by committee

B.  

List of compensating controls

C.  

IT audit follow-up responses

D.  

A memo indicating risk acceptance

A.  

Well documented policies and procedures

B.  

Risk and issue tracking

C.  

An IT strategy committee

D.  

Change and release management

A.  

To reduce incident response times defined in SLAs

B.  

To satisfy senior management expectations for incident response

C.  

To ensure risk has been reduced to acceptable levels

D.  

To minimize the likelihood of future occurrences

A.  

Perform an m-depth code review with an expert

B.  

Validate functionality by running in a test environment

C.  

Implement a service level agreement.

D.  

Utilize the change management process.

A.  

Record the problem as a new issue in the risk management system

B.  

Record a new issue but backdate it to the original risk assessment date

C.  

Report the vulnerability to the asset owner's manager

D.  

Document the issue during the next risk assessment

A.  

Aligning IT with short-term and long-term goals of the organization

B.  

Ensuring the IT budget and resources focus on risk management

C.  

Ensuring senior management's primary focus is on the impact of identified risk

D.  

Prioritizing internal departments that provide service to customers

A.  

Business case documentation

B.  

Organizational risk appetite statement

C.  

Enterprise architecture (EA) documentation

D.  

Organizational hierarchy

A.  

Customer database manager

B.  

Customer data custodian

C.  

Data privacy officer

D.  

Audit committee

A.  

The head of enterprise architecture (EA)

B.  

The IT risk manager

C.  

The information security manager

D.  

The product owner

A.  

Sustained financial loss

B.  

Cost of remediation efforts

C.  

Duration of service outage

D.  

Average time to recovery