CRISC Practice Exam Questions and Answers

A.  

Enforcing employees’ sanctions

B.  

Conducting phishing exercises

C.  

Enforcing segregation of dunes

D.  

Reviewing the organization's risk appetite

A.  

Likelihood rating

B.  

Control effectiveness

C.  

Assessment approach

D.  

Impact rating

A.  

Emphasis on multiple application testing cycles

B.  

Lack of an integrated development environment (IDE) tool

C.  

Introduction of requirements that have not been approved

D.  

Bypassing quality requirements before go-live

A.  

Percentage of endpoints that are not encrypted

B.  

Number of endpoints not compliant with patching policy

C.  

Ratio of undiscoverable endpoints to encrypted endpoints

D.  

Percentage of endpoints with outdated antivirus signatures

A.  

The number of users who can access sensitive data

B.  

A list of unencrypted databases which contain sensitive data

C.  

The reason some databases have not been encrypted

D.  

The cost required to enforce encryption

A.  

Several risk action plans have missed target completion dates.

B.  

Senior management has accepted more risk than usual.

C.  

Risk associated with many assets is only expressed in qualitative terms.

D.  

Many risk scenarios are owned by the same senior manager.

A.  

Skills matrix

B.  

Job descriptions

C.  

RACI chart

D.  

Organizational chart

A.  

Risk practitioner

B.  

Business manager

C.  

Risk owner

D.  

Control owner

A.  

Risk impact

B.  

Key risk indicator (KRI)

C.  

Risk appetite

D.  

Risk likelihood

A.  

Risk reporting

B.  

Risk classification

C.  

Risk monitoring

D.  

Risk identification

A.  

Compliance objectives

B.  

Risk appetite of the organization

C.  

Organizational objectives

D.  

Inherent and residual risk

A.  

A decrease in control layering effectiveness

B.  

An increase in inherent risk

C.  

An increase in control vulnerabilities

D.  

An increase in the level of residual risk

A.  

Escalate the issue to the service provider.

B.  

Re-certify the application access controls.

C.  

Remove the developer's access.

D.  

Review the results of pre-migration testing.

A.  

Internal email communications are not encrypted.

B.  

Data transmission within the corporate network is not encrypted.

C.  

Internally created documents are not automatically classified.

D.  

Data transmission across public networks is not encrypted.

A.  

Sensitivity of the data

B.  

Readability of test data

C.  

Security of the test environment

D.  

Availability of data to authorized staff

A.  

Internal auditor

B.  

Asset owner

C.  

Finance manager

D.  

Control owner

A.  

Business impact analysis (BIA)

B.  

Cost-benefit analysis

C.  

Attribute analysis

D.  

Root cause analysis

A.  

Modify the risk scenario to address stakeholder concerns.

B.  

Calculate the historical impact of risk occurring at industry peers.

C.  

Identify data that could be used to help quantify the risk.

D.  

Use the highest value of potential impact suggested by the stakeholders.

A.  

Establishing a risk management committee

B.  

Updating the organization's risk register to reflect the new threat

C.  

Communicating the results of the threat impact analysis

D.  

Establishing metrics to assess the effectiveness of the responses

A.  

Encrypted storage of data

B.  

Links to source data

C.  

Audit trails for updates and deletions

D.  

Check totals on data records and data fields

A.  

Number of security incidents

B.  

Reduction in control expenditures

C.  

Number of risk responses executed

D.  

Reduction in residual risk

A.  

Residual risk levels

B.  

Compensating controls

C.  

Details of vulnerabilities

D.  

Failed high-risk controls

A.  

Published vulnerabilities relevant to the business

B.  

Threat actors that can trigger events

C.  

Events that could potentially impact the business

D.  

IT assets requiring the greatest investment

A.  

automation cannot be applied to the control

B.  

business benefits exceed the loss exposure.

C.  

the end-user license agreement has expired.

D.  

the control is difficult to enforce in practice.

A.  

business process owners.

B.  

representative data sets.

C.  

industry benchmark data.

D.  

data automation systems.

A.  

Acceptance

B.  

Avoidance

C.  

Transfer

D.  

Reduction

A.  

the jurisdiction in which an organization has its principal headquarters

B.  

international law and a uniform set of regulations.

C.  

the laws and regulations of each individual country

D.  

international standard-setting bodies.

A.  

serve as a basis for measuring risk appetite.

B.  

align with the organization's risk profile.

C.  

provide a warning of emerging high-risk conditions.

D.  

provide data for updating the risk register.

A.  

Review and evaluate the risk management program.

B.  

Ensure risks and controls are effectively managed.

C.  

Implement risk management policies regarding roles and responsibilities.

D.  

Act as the owner for any operational risk identified as part of the risk program.

A.  

Exposure of log data

B.  

Lack of governance

C.  

Increased number of firewall rules

D.  

Lack of agreed-upon standards

A.  

Implement a release and deployment plan

B.  

Conduct comprehensive regression testing.

C.  

Develop enterprise-wide key risk indicators (KRls)

D.  

Include business management on a weekly risk and issues report

A.  

Users may share accounts with business system analyst

B.  

Application may not capture a complete audit trail.

C.  

Users may be able to circumvent application controls.

D.  

Multiple connects to the database are used and slow the process

A.  

Ask the business to make a budget request to remediate the problem.

B.  

Build a business case to remediate the fix.

C.  

Research the types of attacks the threat can present.

D.  

Determine the impact of the missing threat.

A.  

the risk register change log.

B.  

evidence of risk acceptance.

C.  

control effectiveness test results.

D.  

control design documentation.

A.  

Cost-benefit analysis

B.  

Alignment of investment with risk appetite

C.  

Elimination of compensating controls

D.  

Reduction in personnel costs

A.  

Evaluating gaps in the on-premise and cloud security profiles

B.  

Establishing minimum cloud security requirements

C.  

Enforcing compliance with cloud security parameters

D.  

Educating IT staff on variances between on premise and cloud security

A.  

risk mitigation.

B.  

risk evaluation.

C.  

risk appetite.

D.  

risk tolerance.

A.  

Industry benchmarks

B.  

Risk assessment reports

C.  

External audit results

D.  

Tabletop exercises

A.  

The quantity of data logged by the attack control tools

B.  

Blocking the attack route immediately

C.  

The ability to trace the source of the attack

D.  

The timeliness of attack recognition

A.  

Risk owner

B.  

Business manager

C.  

Data owner

D.  

Risk manager

A.  

Key audit findings

B.  

Treatment plan status

C.  

Performance indicators

D.  

Risk scenario results

A.  

Re-evaluate current controls.

B.  

Revise the current risk action plan.

C.  

Escalate the risk to senior management.

D.  

Implement additional controls.

A.  

the cost associated with each control.

B.  

historical risk assessments.

C.  

key risk indicators (KRls).

D.  

information from the risk register.

A.  

Evaluate the organization's existing data protection controls.

B.  

Reassess the risk appetite and tolerance levels of the business.

C.  

Evaluate the sensitivity of data that the business needs to handle.

D.  

Review the organization’s data retention policy and regulatory requirements.

A.  

Customized regional training on local laws and regulations

B.  

Policies requiring central reporting of potential procedure exceptions

C.  

Ongoing awareness training to support a common risk culture

D.  

Zero-tolerance policies for risk taking by middle-level managers

A.  

To define effective enterprise IT risk appetite and tolerance levels

B.  

To execute the IT risk management strategy in support of business objectives

C.  

To establish business-aligned IT risk management organizational structures

D.  

To assess the capabilities and maturity of the organization’s IT risk management efforts

A.  

The organization may not have a sufficient number of skilled resources.

B.  

Application and data migration cost for backups may exceed budget.

C.  

Data may not be recoverable due to system failures.

D.  

The database system may not be scalable in the future.

A.  

Some risk remediation activities from the last assessment are still in progress.

B.  

The risk scenarios have never been updated.

C.  

The risk scenario development process was led by an external consultant.

D.  

The number of risk scenarios is very high.

A.  

There is potential for an increase in audit findings

B.  

Key performance indicators (KPIs) may not be reliable

C.  

The potential for risk realization is increased

D.  

Control inefficiencies may go undetected

A.  

Customer notification plans

B.  

Capacity management

C.  

Access management

D.  

Impacts on IT project delivery