CRISC Practice Questions

A.  

risk response.

B.  

control monitoring.

C.  

risk identification.

D.  

risk ownership.

A.  

The service provider

B.  

Vendor risk manager

C.  

Legal counsel

D.  

Business process owner

A.  

Conduct an abbreviated version of the assessment.

B.  

Report the business unit manager for a possible ethics violation.

C.  

Perform the assessment as it would normally be done.

D.  

Recommend an internal auditor perform the review.

A.  

Schedule periodic reviews of the compensating controls' effectiveness.

B.  

Report the use of compensating controls to senior management.

C.  

Recommend additional IT controls to further reduce residual risk.

D.  

Request that ownership of the compensating controls is reassigned to IT

A.  

Re-evaluate the organization's risk appetite.

B.  

Outsource the cybersecurity function.

C.  

Purchase cybersecurity insurance.

D.  

Review cybersecurity incident response procedures.

A.  

Implement a fraud detection and prevention framework.

B.  

Ensure the alignment of the organization's policies and standards to the defined risk appetite.

C.  

Establish an enterprise-wide ethics training and awareness program.

D.  

Perform a comprehensive review of all applicable legislative frameworks and requirements.

A.  

Data loss prevention (DLP)

B.  

Intrusion detection system (IDS)

C.  

Multi-factor authentication (MFA)

D.  

Intrusion prevention system (IPS)

A.  

Industry benchmarks

B.  

Risk assessment reports

C.  

External audit results

D.  

Tabletop exercises

A.  

Access policies

B.  

Industry benchmarks

C.  

Network compatibility

D.  

Encryption algorithms

A.  

Risk registers

B.  

Risk analysis

C.  

Risk scenarios

D.  

Risk responses

A.  

Securing the network from attacks

B.  

Providing acknowledgments from receiver to sender

C.  

Digitally signing individual messages

D.  

Encrypting data-in-transit

A.  

Creating metrics to track remote connections

B.  

Updating the organizational policy for remote access

C.  

Updating remote desktop software

D.  

Implementing multi-factor authentication

A.  

obtain management approval for policy exception.

B.  

develop an improved password software routine.

C.  

select another application with strong password controls.

D.  

continue the implementation with no changes.

A.  

Complexity of the IT infrastructure

B.  

Value of information assets

C.  

Management culture

D.  

Threats and vulnerabilities

A.  

plan awareness programs for business managers.

B.  

evaluate maturity of the risk management process.

C.  

assist in the development of a risk profile.

D.  

maintain a risk register based on noncompliance.

A.  

Risk action plans are approved by senior management.

B.  

Residual risk is within the organizational risk appetite

C.  

Mitigating controls are designed and implemented.

D.  

Risk is recorded and tracked in the risk register

A.  

Adequate resources are allocated to perform the control.

B.  

Responsibilities for control execution are properly defined.

C.  

Risk is at an acceptable level after the control is in place.

D.  

Key risk indicators (KRIs) for the control are properly defined.

A.  

Use the severity rating to calculate risk.

B.  

Classify the risk scenario as low-probability.

C.  

Use the highest likelihood identified by risk management.

D.  

Rely on range-based estimates provided by subject-matter experts.

A.  

Connecting a laptop to a free, open, wireless access point (hotspot)

B.  

Visitors not signing in as per policy

C.  

Storing corporate data in unencrypted form on a laptop

D.  

A virus transmitted on a USB thumb drive

A.  

The volume of risk scenarios is too large

B.  

Risk aggregation has not been completed

C.  

Risk scenarios are not applicable

D.  

The risk analysts for each scenario is incomplete

A.  

Verify that existing controls continue to properly mitigate defined risk

B.  

Test approval process controls once the project is completed

C.  

Update the existing controls for changes in approval processes from this project

D.  

Perform a gap analysis of the impacted control processes

A.  

Closed management action plans from the previous audit

B.  

Annual risk assessment results

C.  

An updated vulnerability management report

D.  

A list of identified generic risk scenarios

A.  

Top-down analysis

B.  

Event tree analysis

C.  

Control gap analysis

D.  

Bottom-up analysis

A.  

Data encryption

B.  

Continuous log monitoring

C.  

Right to audit

D.  

Data obfuscation

A.  

Data custodian

B.  

Risk owner

C.  

System owner

D.  

IT manager

A.  

To make risk-based decisions and own losses

B.  

To ensure implemented controls mitigate risk

C.  

To approve deviations from controls

D.  

To design controls that will eliminate risk

A.  

Project Charlie

B.  

Project Bravo

C.  

Project Alpha

D.  

Project Delta

A.  

Internal auditor

B.  

Asset owner

C.  

Finance manager

D.  

Control owner

A.  

Provide incentives for whistleblowers to report unethical actions

B.  

Communicate sanctions and penalties for unethical actions

C.  

Develop company-wide training on business ethics

D.  

Create a policy regarding ethical behavior

A.  

align IT processes with business objectives.

B.  

communicate the enterprise risk management policy.

C.  

stay current with existing control status.

D.  

understand the organizational risk profile.

A.  

reduce the likelihood of future events

B.  

restore availability

C.  

reduce the impact of future events

D.  

address the root cause

A.  

It ensures compliance with the risk management framework.

B.  

It ensures an effective risk aggregation process.

C.  

It ensures decisions are risk-informed.

D.  

It ensures a consistent approach for risk assessments.

A.  

Obtain necessary resources to address regulatory requirements

B.  

Develop a policy framework that addresses regulatory requirements

C.  

Perform a gap analysis against regulatory requirements.

D.  

Employ IT solutions that meet regulatory requirements.

A.  

communicate risk trends to stakeholders.

B.  

assign ownership of emerging risk scenarios.

C.  

highlight noncompliance with the risk policy

D.  

identify threats to emerging technologies.

A.  

Benchmark against peer organizations.

B.  

Identify appropriate controls within business processes.

C.  

Assess compliance with global standards.

D.  

Identify risk owners related to business processes.

A.  

communicated to business management

B.  

tested by business owners.

C.  

approved by the business owner.

D.  

initiated by business users.

A.  

Document IT inventory management procedures.

B.  

Conduct annual reviews of license expiration dates.

C.  

Perform automated vulnerability scans.

D.  

Implement automated IT asset management controls.

A.  

Confidentiality

B.  

Accountability

C.  

Availability

D.  

Integrity

A.  

A control self-assessment

B.  

A third-party security assessment report

C.  

Internal audit reports from the vendor

D.  

Service level agreement monitoring

A.  

To ensure emerging risk is identified and monitored

B.  

To establish the maturity level of risk assessment processes

C.  

To promote a risk-aware culture among staff

D.  

To ensure risk trend data is collected and reported

A.  

The team that performed the risk assessment

B.  

An assigned risk manager to provide oversight

C.  

Action plans to address risk scenarios requiring treatment

D.  

The methodology used to perform the risk assessment

A.  

Reject the risk acceptance and require mitigating controls.

B.  

Monitor the residual risk level of the accepted risk.

C.  

Escalate the risk decision to the project sponsor for review.

D.  

Document the risk decision in the project risk register.

A.  

Refer to industry standard scenarios.

B.  

Use a top-down approach.

C.  

Consider relevant business activities.

D.  

Use a bottom-up approach.

A.  

Average the ransomware attack frequencies together

B.  

Revise the threat frequency for ransomware attack types

C.  

Adjust impact amounts based on the average ransom

D.  

Use the new frequency as the maximum value in a Monte Carlo simulation

A.  

Verifying that project objectives are met

B.  

Identifying project cost overruns

C.  

Leveraging an independent review team

D.  

Reviewing the project initiation risk matrix

A.  

Impact of threats to the process

B.  

Resource requirements of the process

C.  

Recovery time objective (RTO)

D.  

Recovery point objective (RPO)

A.  

It provides assurance of timely business process response and effectiveness.

B.  

It supports effective use of resources and provides reasonable confidence of recoverability.

C.  

It enables effective BCP maintenance and updates to reflect organizational changes.

D.  

It decreases the risk of downtime and operational losses in the event of a disruption.

A.  

Individuals outside IT are managing action plans for the risk scenarios.

B.  

Target dates for completion are missing from some action plans.

C.  

Senior management approved multiple changes to several action plans.

D.  

Many action plans were discontinued after senior management accepted the risk.

A.  

Identify changes in risk factors and initiate risk reviews.

B.  

Engage an external consultant to redesign the risk management process.

C.  

Outsource the process for updating the risk register.

D.  

Implement a process improvement and replace the old risk register.

A.  

Average time to complete software test cases

B.  

Percentage of applications with defined business cases

C.  

Number of incidents resulting from software changes

D.  

Percentage of staff completing software development training