CRISC Practice Exam Questions and Answers

A.  

align with audit results.

B.  

benchmark with competitor s actions.

C.  

reference best practice.

D.  

focus on the business drivers

A.  

Escalate the non-cooperation to management

B.  

Exclude applicable controls from the assessment.

C.  

Review the supplier's contractual obligations.

D.  

Request risk acceptance from the business process owner.

A.  

Risk questionnaire

B.  

Risk register

C.  

Management assertion

D.  

Compliance manual

A.  

Perform a background check on the vendor.

B.  

Require the vendor to sign a nondisclosure agreement.

C.  

Require the vendor to have liability insurance.

D.  

Clearly define the project scope

A.  

minimize senior management's risk tolerance.

B.  

manage risk within the organization's risk appetite.

C.  

reduce the thresholds of key risk indicators (KRIs).

D.  

are cost-effective to implement

A.  

Encrypted storage of data

B.  

Links to source data

C.  

Audit trails for updates and deletions

D.  

Check totals on data records and data fields

A.  

Implementing record retention tools and techniques

B.  

Establishing e-discovery and data loss prevention (DLP)

C.  

Sending notifications when near storage quota

D.  

Implementing a bring your own device 1BVOD) policy

A.  

Percentage of mitigated risk scenarios

B.  

Annual loss expectancy (ALE) changes

C.  

Resource expenditure against budget

D.  

An up-to-date risk register

A.  

Report the gap to senior management

B.  

Consult with the IT department to update the RTO

C.  

Complete a risk exception form.

D.  

Consult with the business owner to update the BCP

A.  

Ensuring availability of resources for log analysis

B.  

Implementing log analysis tools to automate controls

C.  

Ensuring the control is proportional to the risk

D.  

Building correlations between logs collected from different sources

A.  

Logs and system events

B.  

Intrusion detection system (IDS) rules

C.  

Vulnerability assessment reports

D.  

Penetration test reports

A.  

IT security managers

B.  

IT control owners

C.  

IT auditors

D.  

IT risk owners

A.  

Determine whether risk responses are still adequate.

B.  

Analyze and update control assessments with the new processes.

C.  

Analyze the risk and update the risk register as needed.

D.  

Conduct testing of the control that mitigate the existing risk.

A.  

Control owner

B.  

Risk owner

C.  

Internal auditor

D.  

Compliance manager

A.  

Report the issue to internal audit.

B.  

Submit a request to change management.

C.  

Conduct a risk assessment.

D.  

Review the business impact assessment.

A.  

Cost of controls

B.  

Risk tolerance

C.  

Risk appetite

D.  

Probability definition

A.  

Number of projects going live without a security review

B.  

Number of employees completing project-specific security training

C.  

Number of security projects started in core departments

D.  

Number of security-related status reports submitted by project managers

A.  

a identity conditions that may cause disruptions

B.  

Review incident response procedures

C.  

Evaluate the probability of risk events

D.  

Define metrics for restoring availability

A.  

Mapping threats to organizational objectives

B.  

Reviewing past audits

C.  

Analyzing key risk indicators (KRIs)

D.  

Identifying potential sources of risk

A.  

Percentage of unpatched IT assets

B.  

Percentage of IT assets without ownership

C.  

The number of IT assets securely disposed during the past year

D.  

The number of IT assets procured during the previous month

A.  

Level of residual risk

B.  

The results of a gap analysis

C.  

IT alignment to business objectives

D.  

Key risk indicators (KRIs)

A.  

ratio of disabled to active user accounts.

B.  

percentage of users with multiple user accounts.

C.  

average number of access entitlements per user account.

D.  

average time between user transfers and access updates.

A.  

a lack of mitigating actions for identified risk

B.  

decreased threat levels

C.  

ineffective service delivery

D.  

ineffective IT governance

A.  

Evaluating the impact of removing existing controls

B.  

Evaluating existing controls against audit requirements

C.  

Reviewing system functionalities associated with business processes

D.  

Monitoring existing key risk indicators (KRIs)

A.  

Repeatable

B.  

Automated

C.  

Quantitative

D.  

Qualitative

A.  

Obtaining management sign-off

B.  

Demonstrating effective risk mitigation

C.  

Justifying return on investment

D.  

Providing accurate risk reporting

A.  

Completeness of system documentation

B.  

Results of end user acceptance testing

C.  

Variances between planned and actual cost

D.  

availability of in-house resources

A.  

Ad hoc control reporting

B.  

Control self-assessment

C.  

Continuous monitoring

D.  

Predictive analytics

A.  

Organization's industry sector

B.  

Long-term organizational goals

C.  

Concerns of the business process owners

D.  

History of risk events

A.  

Risk Impact Rating

B.  

Risk Owner

C.  

Risk Likelihood Rating

D.  

Risk Exposure

A.  

The manager responsible for IT operations that will support the risk mitigation efforts

B.  

The individual with authority to commit organizational resources to mitigate the risk

C.  

A project manager capable of prioritizing the risk remediation efforts

D.  

The individual with the most IT risk-related subject matter knowledge

A.  

Number of service level agreement (SLA) violations

B.  

Percentage of recovery issues identified during the exercise

C.  

Number of total systems recovered within tie recovery point objective (RPO)

D.  

Percentage of critical systems recovered within tie recovery time objective (RTO)

A.  

Reassessing control effectiveness of the process

B.  

Conducting a post-implementation review to determine lessons learned

C.  

Reporting key performance indicators (KPIs) for core processes

D.  

Establishing escalation procedures for anomaly events

A.  

An increase in attempted distributed denial of service (DDoS) attacks

B.  

An increase in attempted website phishing attacks

C.  

A decrease in achievement of service level agreements (SLAs)

D.  

A decrease in remediated web security vulnerabilities

A.  

Analyzing intrusion detection system (IDS) logs

B.  

Analyzing server logs

C.  

Using a third-party monitoring provider

D.  

Coordinating events with appropriate agencies

A.  

Results of the last risk assessment of the vendor

B.  

Inherent risk of the business process supported by the vendor

C.  

Risk tolerance of the vendor

D.  

Length of time since the last risk assessment of the vendor

A.  

Perform a risk assessment.

B.  

Perform root cause analysis.

C.  

Initiate disciplinary action.

D.  

Update the incident response plan.

A.  

Ensuring that database changes are correctly applied

B.  

Enforcing that changes are authorized

C.  

Deterring illicit actions of database administrators

D.  

Preventing system developers from accessing production data

A.  

Key risk indicators (KRls) are developed for key IT risk scenarios

B.  

IT risk scenarios are assessed by the enterprise risk management team

C.  

Risk appetites for IT risk scenarios are approved by key business stakeholders.

D.  

IT risk scenarios are developed in the context of organizational objectives.

A.  

improve accountability

B.  

improve consistency

C.  

help define risk tolerance

D.  

help develop risk scenarios.

A.  

It assigns numeric values to exposures of assets.

B.  

It requires more resources than other methods

C.  

It produces the results in numeric form.

D.  

It is based on impact analysis of information assets.

A.  

Requiring a printer access code for each user

B.  

Using physical controls to access the printer room

C.  

Using video surveillance in the printer room

D.  

Ensuring printer parameters are properly configured

A.  

detected incidents.

B.  

residual risk.

C.  

vulnerabilities.

D.  

inherent risk.

A.  

Update the risk register with the average of residual risk for both business units.

B.  

Review the assumptions of both risk scenarios to determine whether the variance is reasonable.

C.  

Update the risk register to ensure both risk scenarios have the highest residual risk.

D.  

Request that both business units conduct another review of the risk.

A.  

Introducing an approved IT governance framework

B.  

Integrating the results of top-down risk scenario analyses

C.  

Performing a business impact analysis (BlA)

D.  

Implementing a risk classification system

A.  

Ongoing availability of data

B.  

Ability to aggregate data

C.  

Ability to predict trends

D.  

Availability of automated reporting systems

A.  

External audit

B.  

Internal audit

C.  

Vendor performance scorecard

D.  

Regulatory examination

A.  

continuously monitor the environment.

B.  

develop key performance indicators (KPIs).

C.  

maintain a risk matrix.

D.  

maintain a risk register.

A.  

A comparison of the costs of notice and consent control options

B.  

Examples of regulatory fines incurred by industry peers for noncompliance

C.  

A report of critical controls showing the importance of notice and consent

D.  

A cost-benefit analysis of the control versus probable legal action

A.  

Encrypt the data while in transit lo the supplier

B.  

Contractually obligate the supplier to follow privacy laws.

C.  

Require independent audits of the supplier's control environment

D.  

Utilize blockchain during the data transfer