CRISC Practice Exam Questions and Answers

A.  

To redefine the risk appetite and risk tolerance levels based on changes in risk factors

B.  

To update the risk register to reflect changes in levels of identified and new IT-related risk

C.  

To ensure risk levels are within acceptable limits of the organization's risk appetite and risk tolerance

D.  

To help identify root causes of incidents and recommend suitable long-term solutions

A.  

Residual risk

B.  

Risk appetite

C.  

Mitigation cost

D.  

Inherent risk

A.  

Self-assessment questionnaires completed by management

B.  

Review of internal audit and third-party reports

C.  

Management review and sign-off on system documentation

D.  

First-hand direct observation of the controls in operation

A.  

Develop a mechanism for monitoring residual risk.

B.  

Update the risk register with the results.

C.  

Prepare a business case for the response options.

D.  

Identify resources for implementing responses.

A.  

Performing a vulnerability assessment on the loT devices

B.  

Designing loT architecture with IT security controls from the start

C.  

Implementing key risk indicators (KRIs) for loT devices

D.  

To ensure risk trend data is collected and reported

A.  

Define metrics for restoring availability.

B.  

Identify conditions that may cause disruptions.

C.  

Review incident response procedures.

D.  

Evaluate the probability of risk events.

A.  

ratio of disabled to active user accounts.

B.  

percentage of users with multiple user accounts.

C.  

average number of access entitlements per user account.

D.  

average time between user transfers and access updates.

A.  

Data protection officer

B.  

Chief information officer (CIO)

C.  

Information asset custodian

D.  

Information asset owner

A.  

Piloting courses with focus groups

B.  

Using reputable third-party training programs

C.  

Reviewing content with senior management

D.  

Creating modules for targeted audiences

A.  

Ensure compliance with the organization's internal policies

B.  

Cultivate long-term behavioral change.

C.  

Communicate IT risk policy to the participants.

D.  

Demonstrate regulatory compliance.

A.  

Perform a cost-benefit analysis.

B.  

Identify critical data.

C.  

Establish a data inventory.

D.  

Conduct a risk analysis.

A.  

organizational risk appetite.

B.  

business sector best practices.

C.  

business process requirements.

D.  

availability of automated solutions

A.  

The sum of residual risk levels for each scenario

B.  

The loss expectancy for aggregated risk scenarios

C.  

The highest loss expectancy among the risk scenarios

D.  

The average of anticipated residual risk levels

A.  

Third line of defense

B.  

Line of defense subject matter experts

C.  

Second line of defense

D.  

First line of defense

A.  

Process ownership

B.  

Risk appetite statement

C.  

Risk tolerance levels

D.  

Risk response options

A.  

data logging and monitoring

B.  

data mining and analytics

C.  

data classification and labeling

D.  

data retention and destruction

A.  

Data encryption has not been applied to all sensitive data across the organization.

B.  

There are many data assets across the organization that need to be classified.

C.  

Changes to information handling procedures are not documented.

D.  

Changes to data sensitivity during the data life cycle have not been considered.

A.  

Report the findings to executive management to enable treatment decisions.

B.  

Reassess each vulnerability to evaluate the risk profile of the application.

C.  

Conduct a penetration test to determine how to mitigate the vulnerabilities.

D.  

Prepare a risk response that is aligned to the organization's risk tolerance.

A.  

Qualitative measures require less ongoing monitoring.

B.  

Qualitative measures are better aligned to regulatory requirements.

C.  

Qualitative measures are better able to incorporate expert judgment.

D.  

Qualitative measures are easier to update.

A.  

Key performance indicators (KPIs)

B.  

Risk heat maps

C.  

Internal audit findings

D.  

Periodic penetration testing

A.  

The third-party risk manager

B.  

The application vendor

C.  

The business process owner

D.  

The information security manager

A.  

conduct an audit of files stored offsite.

B.  

interview employees to compare actual with expected procedures.

C.  

inspect a selection of audit trails and backup logs.

D.  

demonstrate a successful recovery from backup files.

A.  

insurance could be acquired for the risk associated with the outsourced process.

B.  

service accountability remains with the cloud service provider.

C.  

a risk owner must be designated within the cloud service provider.

D.  

accountability for the risk will remain with the organization.

A.  

obtain the appropriate stakeholders' commitment.

B.  

align the project with the IT risk framework.

C.  

obtain approval from business process owners.

D.  

update the risk register on a regular basis.

A.  

Approval of the control by senior management

B.  

Complete and accurate documentation of control objectives

C.  

Control owner attestation of control effectiveness

D.  

Internal audit review of control design

A.  

Creating a risk register

B.  

Interviewing management

C.  

Conducting a risk assessment

D.  

Researching industry standards

A.  

Including trend analysis of risk metrics

B.  

Using an aggregated view of organizational risk

C.  

Relying on key risk indicator (KRI) data

D.  

Ensuring relevance to organizational goals

A.  

mitigation plans for threat events should be prepared in the current planning period.

B.  

this risk scenario is equivalent to more frequent but lower impact risk scenarios.

C.  

the current level of risk is within tolerance.

D.  

an increase in threat events could cause a loss sooner than anticipated.

A.  

The program has not decreased threat counts.

B.  

The program has not considered business impact.

C.  

The program has been significantly revised

D.  

The program uses non-customized training modules.

A.  

Performing a benchmark analysis and evaluating gaps

B.  

Conducting risk assessments and implementing controls

C.  

Communicating components of risk and their acceptable levels

D.  

Participating in peer reviews and implementing best practices

A.  

Escalate the non-cooperation to management

B.  

Exclude applicable controls from the assessment.

C.  

Review the supplier's contractual obligations.

D.  

Request risk acceptance from the business process owner.

A.  

Volume of exceptions

B.  

Lack of technical resources

C.  

Cost of noncompliance

D.  

Time required to implement controls

A.  

Ask the business to make a budget request to remediate the problem.

B.  

Build a business case to remediate the fix.

C.  

Research the types of attacks the threat can present.

D.  

Determine the impact of the missing threat.

A.  

Insufficient network isolation

B.  

impact on network performance

C.  

insecure data transmission protocols

D.  

Lack of interoperability between sensors

A.  

Clear understanding of the risk

B.  

Comparable industry risk trends

C.  

Appropriate resources

D.  

Detailed standards and procedures

A.  

Single loss expectancy (SLE)

B.  

Cost of the information system

C.  

Availability of additional compensating controls

D.  

Potential business impacts are within acceptable levels

A.  

include detailed deviations from industry benchmarks,

B.  

include a summary linking information to stakeholder needs,

C.  

include a roadmap to achieve operational excellence,

D.  

publish the report on-demand for stakeholders.

A.  

results of a business impact analysis (BIA).

B.  

the original risk response plan.

C.  

training program and user awareness documentation.

D.  

a post-implementation risk and control self-assessment (RCSA).

A.  

Enforce sanctions for noncompliance with security procedures.

B.  

Conduct organization-w>de phishing simulations.

C.  

Require training on the data handling policy.

D.  

Require regular testing of the data breach response plan.

A.  

Establishing employee awareness training

B.  

Assigning accountability to risk owners

C.  

Selling target dates to complete actions

D.  

Contracting to third parties

A.  

Accept the risk with management sign-off.

B.  

Ignore the risk until the regulatory body conducts a compliance check.

C.  

Mitigate the risk with the identified control.

D.  

Transfer the risk by buying insurance.

A.  

Communicate the decision to the risk owner for approval

B.  

Seek approval from the previous action plan manager.

C.  

Identify an owner for the new control.

D.  

Modify the action plan in the risk register.

A.  

Regulatory restrictions for cross-border data transfer

B.  

Service level objectives in the vendor contract

C.  

Organizational culture differences between each country

D.  

Management practices within each company

A.  

Transferring the risk

B.  

Introducing control procedures early in the life cycle

C.  

Updating the risk tolerance to include the new risk

D.  

Implementing IoT device monitoring software

A.  

Calculating the cost

B.  

Analyzing cost-effectiveness

C.  

Determining the stakeholders

D.  

Identifying the objectives

A.  

Provide risk management feedback to key stakeholders.

B.  

Collect and analyze risk data for report generation.

C.  

Monitor and prioritize risk data according to the heat map.

D.  

Engage key stakeholders in risk management practices.

A.  

mitigated

B.  

accepted

C.  

avoided

D.  

deferred

A.  

Identifying key risk indicators (KRIs)

B.  

Evaluating the return on investment (ROI)

C.  

Evaluating the residual risk level

D.  

Performing a cost-benefit analysis

A.  

ensure suitable insurance coverage is purchased.

B.  

negotiate with the risk owner on control efficiency.

C.  

reassess the risk to confirm the impact.

D.  

obtain approval from senior management.

A.  

before system development begins.

B.  

at system development.

C.  

at each stage of the system development life cycle (SDLC).

D.  

during the development of the business case.