CRISC
An enterprise has just completed an information systems audit and a large number of findings have been generated. This list of findings is BEST addressed by: A. a risk mitigation plan. B. a business impact analysis (BIA). C. an incident management plan. D. revisions to information security procedures.
A
Due to changes in the IT environment, the disaster recovery plan of a large enterprise has been modified. What is the GREATEST benefit of testing the new plan? A. To ensure that the plan is complete 8. To ensure that the team is trained C. To ensure that all assets have been identified D. To ensure that the risk assessment was validated
A
During a risk management exercise, an analysis was conducted on the identified risk and mitigations were identified. Which choice BEST reflects residual risk? A. Risk left after the implementation of new or enhanced controls B. Risk mitigated as a result of the implementation of new or enhanced controls C. Risk identified prior to implementation of new or enhanced controls D. Risk classified as high after the implementation of new or enhanced controls
A
Management wants to ensure that IT is successful in delivering against business requirements. Which of the following BEST supports that effort? A. An internal control system or framework B. A cost-benefit analysis c. A return on investment (ROI) analysis D. A benchmark process
A
One way to determine control effectiveness is by determining: A. the test results of intended objectives. B. whether it is preventive, detective or compensatory. C. the capability of providing notification of failure. D. the evaluation and analysis of reliability.
A
Testing the compliance of a response and recovery plan should begin with conducting a: A. tabletop exercise. B. review of archived logs. C. penetration test. D. business impact analysis (BIA).
A
The risk action plan MUST include an appropriate resolution, a date for completion and: A. responsible personnel. B. mitigating factors. C. likelihood of occurrence. D. cost of completion.
A
What is the purpose of system accreditation? A. To ensure that risk associated with implementation has been identified and explicitly accepted by a senior manager 8. To review all technical and nontechnical controls to ensure that the security risk has been reduced to acceptable levels C. To ensure that changes to the security controls are properly authorized, tested and documented D. To require the training and certification of staff that will be responsible for working on a system
A
When would a risk professional ideally perform a complete enterprisewide threat analysis? A. On a yearly basis B. When malware is detected C. When regulatory requirements change D. Following a security incident
A
Which of the following BEST ensures that information systems control deficiencies are appropriately remediated? A. A risk mitigation plan B. Risk reassessment C. Control risk reevaluation D. Countermeasure analysis
A
Which of the following BEST helps identify information systems control deficiencies? A. Gap analysis B. The current IT risk profile C. The IT controls framework D. Countermeasure analysis
A
Which of the following BEST helps to respond to risk in a cost-effective manner? A. Prioritizing and addressing risk according to the risk management strategy B. Mitigating risk on the basis of risk likelihood and magnitude of impact C. Performing countermeasure analysis for each of the controls deployed D. Selecting controls that are at zero or near-zero costs
A
Which of the following BEST mitigates control risk? A. Continuous monitoring B. An effective security awareness program C. Effective change management procedures D. Senior management support for control implementation
A
Which of the following MUST be included when developing metrics to identify and monitor the control life cycle? A. Thresholds that identify when controls no longer provide the intended value B. Customized reports of the metrics for key stakeholders C. A description of the methods and practices used to develop the metrics D. Identification of a repository where metrics will be maintained and stored
A
Which of the following choices will BEST protect the enterprise from financial risk? A. Insuring against the risk B. Updating the IT risk registry C. Improving staff training in the risk area D. Outsourcing the process to a third party
A
Which of the following combinations of factors help quantify risk? A. Probability and consequence B. Impact and threat C. Threat and exposure D. Sensitivity and exposure
A
Which of the following criteria is MOST essential for the effectiveness of operational metrics? A. Relevance to the recipient B. Timeliness of the reporting C. Accuracy of the measurement D. Cost of obtaining the metrics
A
Which of the following examples of risk should be addressed during application design? A. A lack of skilled resources B. The risk of migration to a new system C. Incomplete technical specifications D. Third-party supplier risk
A
Which of the following factors determines the acceptable level of residual risk in an enterprise? A. Management discretion B. Regulatory requirements C. Risk assessment results D. Internal audit findings
A
Which of the following is BEST performed for business continuity management to meet external stakeholder expectations? A. Prioritize applications based on business criticality. B. Ensure that backup data are available to be restored. C. Disclose the crisis management strategy statement. D. Obtain risk assessment by an independent party.
A
Which of the following is MOST essential for a risk management program to be effective? A. New risk detection B. A sound risk baseline C. Accurate risk reporting D. A flexible security budget
A
Which of the following is the BEST way to verify that critical production servers are utilizing up-to-date antivirus signature files? A. Check a sample of servers. B. Verify the date that signature files were last pushed out. C. Use a recently identified benign virus to test whether it is quarantined. D. Research the most recent signature file, and compare it to the console.
A
Which of the following is the BIGGEST concern for a CISO regarding interconnections with systems outside of the enterprise? A. Requirements to comply with each other's contractual security requirements B. Uncertainty that the other system will be available as needed C. The ability to perform risk assessments on the other system D. Ensuring that communication between the two systems is encrypted through a VPN
A
Which of the following provides the MOST valuable input to incident response efforts? A. Qualitative analysis of threats B. The annual loss expectancy (ALE) total C. A vulnerability assessment D. Penetration testing
A
Which of the following reviews will provide the MOST insight into an enterprise's risk management capabilities? A. A capability maturity model (CMM) review B. A capability comparison with industry standards or regulations C. A self-assessment of capabilities D. An internal audit review of capabilities
A
Which of the following should be in place before a black box penetration test begins? A. A clearly stated definition of scope B. Previous test results C. Proper communication and awareness training D. An incident response plan
A
Which of the following would PRIMARILY help an enterprise select and prioritize risk responses? A. A cost-benefit analysis of available risk mitigation options B. The level of acceptable risk per risk appetite C. The potential to transfer or eliminate the risk D. The number of controls necessary to reduce the risk
A
An enterprise recently developed a breakthrough technology that could provide a significant competitive edge. Which of the following FIRST governs how this information is to be protected from within the enterprise? A. The data classification policy B. The acceptable use policy C. Encryption standards D. The access control policy
A. Data classification policy describes the data classification categories; levels of protection to be provided for each category of data; and roles and responsibilities of potential users, including data owners
The PRIMARY advantage of creating and maintaining a risk register is to: A. ensure than an inventory of potential risk is maintained B. record all risk scenarios considered during the risk identification process C. collect similar data on all risk identified within the organization D. run reports based on various risk scenarios
A. Once important assets and the risk that may impact these assets are identified, the risk register is used as an inventory of that risk. The risk register can help enterprises accelerate their risk decision making and establish accountability for specific risk
The board of directors of a one-year-old start-up company has asked their CIO to create all of the enterprise's IT policies and procedures. Which of the following should the CIO create FIRST? A. The strategic IT plan B. The data classification scheme C. The information architecture document D. The technology infrastructure plan
A. The strategic IT plan is the first policy to be created when setting up an enterprise's governance model
A BIA is primarily used to: A. estimate the resources required to resume and return to normal operations after a disruption B. evaluate the impact of a disruption to an enterprise's ability to operate over time C. calculate the likelihood and impact of known threats on specific functions D. evaluate high-level business requirements
B
A review of an enterprise's IT projects find that projects frequently go over time or budget by nearly 10 percent. On review, management advises the risk practitioner that a deviation of 15 percent is acceptable. This is an example of: A. risk avoidance B. risk tolerance C. risk acceptance D. risk mitigation
B
A risk professional has been asked to determine which factors were responsible for a loss event. Which of the following methods should be used? A. Key risk indicators (KRJs) B. Cause-and-effect analysis C. Business process modeling (BPM) D. Business impact analysis (BIA)
B
Faced with numerous risk, the prioritization of treatment options will be MOST effective when based on: A. the existence of identified threats and vulnerabilities. B. the likelihood of compromise and subsequent impact. C. the results of vulnerability scans and exposure. D. the exposure of corporate assets and operational risk.
B
How does an enterprise BEST ensure that developers do not have access to implement changes to production applications? A. The enterprise must ensure that development staff does not have access to executable code. B. The enterprise must have segregation of duties between application development and operations. C. The enterprise system development life cycle (SDLC) must be enforced to require segregation of duties. D. The enterprise's change management process must be enforced for all but emergency changes.
B
The MOST important reason for reporting control effectiveness as part of risk reporting is that it: A. enables audit reporting. B. affects the risk profile. C. requires mitigation. D. helps manage the control life cycle.
B
The PRIMARY benefit of using a maturity model to assess the enterprise's data management process is that it: A. can be used for benchmarking. B. helps identify gaps. C. provides goals and objectives. D. enforces continuous improvement.
B
The goal of IT risk analysis is to: A. enable the alignment of IT risk management with enterprise risk management (ERM). B. enable the prioritization of risk responses. C. satisfy legal and regulatory compliance requirements. D. identify known threats and vulnerabilities to information assets.
B
What is the MOST essential attribute of an effective key risk indicator (KRI)? A. The KRI is accurate and reliable. B. The KRI is predictive of a risk event. C. The KRI provides quantitative metrics. D. The KRI indicates required action.
B
What is the MOST important criterion when reviewing information security controls? A. To provide assurance to management of control monitoring B. To ensure that the controls are effectively addressing risk C. To review the impact of the controls on business operations and performance D. To establish a baseline as a benchmark for future tests
B
Where are key risk indicators (KRIs) MOST likely identified when initiating risk management across a range of projects? A. Risk governance B. Risk response C. Risk analysis D. Risk monitoring
B
Which of the following BEST describes the role of management in implementing a risk management strategy? A. Ensure that the planning, budgeting and performance of information security components are appropriate. B. Assess and incorporate the results of the risk management activity into the decision-making process. C. Identify, evaluate and minimize risk to IT systems that support the mission of the organization. D. Understand the risk management process so that appropriate training materials and programs can be developed.
B
Which of the following BEST helps the risk practitioner identify IS control deficiencies? A. An IT control framework B. Defined control objectives c. A countermeasure analysis D. A threat analysis
B
Which of the following can be expected when a key control is being maintained at an optimal level? A. The shortest lead time until the control breach comes to the surface B. Balance between control effectiveness and cost C. An adequate maturity level of the risk management process D. An accurate estimation of operational risk amounts
B
Which of the following choices is the MOST important part of any outsourcing contract? A. The right to audit the outsourcing provider B. Provisions to assess the compliance of the provider C. Procedures for dealing with incident notification D. Requirements to encrypt hosted data
B
Which of the following factors should be assessed after the likelihood of a loss event has been determined? A. Magnitude of impact B. Risk tolerance C. Residual risk D. Compensating controls
B
Which of the following is MOST important for determining what security measures to put in place for a critical information system? A. The number of threats to the system B. The level of acceptable risk to the enterprise C. The number of vulnerabilities in the system D. The existing security budget
B
Which of the following is MOST important in determining the risk mitigation strategy? A. Review vulnerability assessment results. B. Conduct a likelihood and impact ranking. C. Perform a business impact analysis (BIA). D. Align it with the security controls framework.
B
Which of the following is a PRIMARY role of the system owner during the accreditation process? The system owner; A. reviews and approves the security plan supporting the system. B. selects and documents the security controls for the system. C. assesses the security controls in accordance with the assessment procedures. D. determines whether the risk to the business is acceptable.
B
Which of the following is the BEST indicator of an effective information risk management program? A. The security policy is made widely available B. Risk is considered before all decisions C. Security procedures are updated annually D. Risk assessments occur on an annual basis
B
Which of the following is the PRIMARY reason for conducting periodic risk assessments? A. Changes to the asset inventory B. Changes to the threat and vulnerability profile C. Changes in asset classification levels D. Changes in the risk appetite
B
Which of the following leads to the BEST optimal return on security investment? A. Deploying maximum security protection across all of the information assets B. Focusing on the most important information assets and then determining their protection C. Deploying minimum protection across all the information assets D. Investing only after a major security incident is reported to justify investment
B
Which of the following resources has the GREATEST risk of failure while implementing any security solution? A. Security hardware B. Security staff C. Security processes D. Security software
B
Which of the following will BEST prevent external security attacks? A. Securing and analyzing system access logs B. Network address translation C. Background checks for temporary employees D. Static Internet protocol (IP) addressing
B
Which of the following is the BEST way to ensure that an accurate risk register is maintained over time? A. Monitor KRIs and record findings in the risk register B. Publish the risk register centrally with workflow features that periodically poll risk assessors C. Distribute the risk register to business process owners for review and updating D. Utilize audit personnel to perform regular audits and to maintain the risk register
B. Centrally publishing the risk register and enabling periodic polling of risk assessors through workflow features will ensure accuracy of content. A knowledge management platform with workflow and polling features will automate the process of maintaining the risk register
Which of the following is the PRIMARY reason that a risk practitioner determines the security boundary prior to conducting a risk assessment? A. To determine which laws and regulations apply B. To determine the scope of the risk assessment C. To determine the business owner(s) of the system D. To decide between conducting a quantitative or qualitative analysis
B. The primary reason for determining the security boundary is to establish what systems and components are included in the risk assessment
Corporate information security policy development should PRIMARILY be based on: A. vulnerabilities B. threats C. assets D. impacts
C
During an internal assessment, an enterprise notes that only a couple dozen hard-coded individual transactions are being logged, which does not encompass what should be logged to meet regulatory requirements. The individual server log files use first in, first out (FIFO). Most files recycle in less than 24 hours. What is the MOST financially damaging vulnerability associated with the current logging practice? A. The log data stored recycles in less than 24 hours. B. The log files are stored on the originating servers. C. Regulation-related transactions may not be tracked. D. Transactions being logged are hard coded.
C
If risk has been identified, but not yet mitigated, the enterprise would: A. record and mitigate serious risk and disregard low-level risk B. obtain management commitment to mitigate all identified risk within a reasonable time frame C. document all risk in the risk register and maintain the status of the remediation D. conduct an annual risk assessment, but disregard previous assessments to prevent risk bias
C
Reliability of a key risk indicator (KRI) would indicate that the metric: A. performs within the appropriate thresholds. B. tests the target at predetermined intervals. c. flags exceptions every time they occur. D. initiates corrective action.
C
Risk scenarios should be created primarily based on which of the following: A. Input from senior management B. Previous security incidents C. Threats that the enterprise faces D. Results of the risk analysis
C
The MOST important task in system control verification is: A. monitoring password resets. B. detecting malware. C. managing alerts. D. performing log reviews.
C
What is the ULTIMATE goal of risk aggregation? A. To prevent attacks from exploiting a combination of low-level types of risk that individually have not been properly mitigated B. To address the threat of an exploit that attacks a system through a series of individual attacks C. To ensure that the combined value oflow-level risk is not overlooked in the risk management process D. To stop attackers from gaining low-level access and then escalating their attack through access aggregation
C
When assessing the capability of the risk management process, a regulatory body would place the GREATEST reliance on: A. a peer review. B. an internal review. C. an external review. D. a process capability review.
C
When transmitting personal information across networks, there MUST be adequate controls over: A. encrypting the personal information. B. obtaining consent to transfer personal information. C. ensuring the privacy of the personal information. D. change management.
C
Which of the following BEST determines compliance with the risk appetite of an enterprise? A. Balance between preventive and detective controls B. Inherent risk and acceptable risk level C. Residual risk level and acceptable risk level D. Balance between countermeasures and preventive controls
C
Which of the following BEST estimates the likelihood of significant events impacting an enterprise? A. Threat analysis B. Cost-benefit analysis C. Scenario analysis D. Countermeasure analysis
C
Which of the following actions is the BEST when a critical risk has been identified and the resources to mitigate are not immediately available? A. Log the risk in the risk register and review it with senior management on a regular basis. B. Capture the risk in the risk register once resources are available to address the risk. C. Escalate the risk report to senior management to obtain the resources to mitigate the risk. D. Review the risk level with senior management and determine whether the risk calculations are correct.
C
Which of the following compensating controls should management implement when a segregation of duties conflict exists because an enterprise has a small IT department? A. Independent analysis of IT incidents B. Entitlement reviews C. Independent review of audit logs D. Tighter controls over user provisioning
C
Which of the following factors should be analyzed to help management select an appropriate risk response? A. The impact on the control environment B. The likelihood of a given threat C. The costs and benefits of the controls D. The severity of the vulnerabilities
C
Which of the following is MOST important during the quantitative risk analysis process? A. Statistical analysis B. Decision trees C. Expected monetary value (EMV) D. Net present value (NPV)
C
Which of the following is MOST important when mitigating or managing risk? A. Vulnerability assessment results B. A business impact analysis (BIA) C. The risk tolerance level D. A security controls framework
C
Which of the following is a MAJOR risk associated with the use of governance, risk and compliance (GRC) tools? A. Misinterpretation of the dashboard's output B. Poor authentication mechanism C. Obsolescence of content D. Complex integration of the diverse requirements
C
Which of the following is the BEST approach when malicious code from a spear phishing attack resides on the network and the finance department is concerned that scanning the network will slow down work and delay quarter-end reporting? A. Instruct finance to finalize quarter-end reporting, and then perform a scan of the entire network. B. Block all outgoing traffic to avoid outbound communication to the expecting command host. C. Scan network devices that are not supporting financial reporting, and then scan the critical finance drives at night. D. Perform a staff survey and ask staff to report if they are aware of the enterprise being a target of a spear phishing attack.
C
Which of the following is the MOST effective way to treat a risk such as a natural disaster that has a low probability and a high impact level? A. Eliminate the risk. B. Accept the risk. C. Transfer the risk. D. Implement countermeasures.
C
Which of the following processes is CRITICAL for deciding prioritization of actions in a business continuity plan (BCP)? A. Risk assessment B. Vulnerability assessment C. A business impact analysis (BlA) D. Business process mapping
C
Which of the following should management use to allocate resources for risk response? A. Audit report findings S. Penetration test results C. Risk analysis results D. Vulnerability test results
C
Which organizational function is accountable for risk policies, guidelines and standards? A. Operations B. IT C. Management D. Legal
C
Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system? A. Performing a BIA B. Considering personal devices as part of the security policy C. Basing the information security infrastructure on a risk assessment D. Initiating IT security training and familiarization
C. The information security infrastructure should be based on a risk assessment
A risk practitioner has collected several IT-related key risk indicators (KRls) related for the core financial application. These would MOST likely be reported to: A. stakeholders. B. the IT administrator group. C. the finance department. D. senior management.
D
An enterprise is implementing controls to protect its product price list from being exposed to unauthorized individuals. The internal control requirements will come from: A. the risk management team. B. internal audit. C. IT management. D. process owners.
D
Control objectives are useful to risk professionals because they provide the basis for understanding the: A. techniques for securing information for a given risk. B. information security policies, procedures and standards. C. control best practices relevant to a specific entity. D. desired outcome of implementing specific control procedures.
D
Monitoring has flagged a security exception. What is the MOST appropriate action? A. Escalate the exception. B. Update the risk register. C. Activate the risk response plan. D. Validate the exception.
D
Risk management programs are designed to reduce risk to: A. the point at which the benefit exceeds the expense. B. a level that is too small to be measurable. C. a rate of return that equals the current cost of capital. D. a level that the enterprise is willing to accept.
D
The MAIN benefit of information classification is that it helps: A. determine how information can be further labeled. B. establish the access control matrices. C. determine the risk tolerance level. D. select security measures that are proportional to risk.
D
What control focuses directly on preventing the risk of collusion? A. Mandatory access control B. Principle of least privilege C. Discretionary access control D. Mandatory job rotation
D
Which of the following BEST assists in the proper design of an effective key risk indicator (KRI)? A. Generating the frequency of reporting cycles to report on the risk B. Preparing a business case that includes the measurement criteria for the risk C. Conducting a risk assessment to provide an overview of the key risk D. Documenting the operational flow of the business from beginning to end
D
Which of the following BEST ensures the overall effectiveness of a risk management program? A. Obtaining feedback from all end users B. Assigning a dedicated risk manager to run the program C. Applying quantitative risk methodologies D. Participating relevant stakeholders
D
Which of the following MOST effectively ensures that service provider controls are within the guidelines set forth in the organization's information security policy? A. Service level monitoring B. Penetration testing C. Security awareness training D. Periodic auditing
D
Which of the following activities is an example of risk sharing? A. Moving a function to another department B. Selling a product or service to another company C. Deploying redundant firewalls D. Contracting with a third party
D
Which of the following capability dimensions is MOST important when using a maturity model for assessing the risk management process? A. Effectiveness B. Efficiency C. Profitability D. Performance
D
Which of the following choices is the MOST important critical success factor (CSF) of implementing a risk-based approach to the system development life cycle (SDLC)? A. Existence of a risk management framework B. Defined risk mitigation strategies C. Compliance with the change management process D. Adequate involvement of business representatives
D
Which of the following considerations is MOST important when implementing key risk indicators (KRIs)? A. The metric is easy to measure. B. The metric is easy to aggregate. C. The metric is easy to interpret. D. The metric links to a specific risk.
D
Which of the following environments typically represents the GREATEST risk to organizational security? A. An enterprise data warehouse B. A load-balanced, web server cluster C. A centrally managed data switch D. A locally managed file server
D
Which of the following is MOST useful in developing a series of recovery time objectives (RTOs)? A. Regression analysis B. Risk analysis C. Gap analysis D. Business impact analysis (BIA)
D
Which of the following is responsible for evaluating the effectiveness of existing internal information security (IS) controls within an enterprise? A. The data owner B. Senior management C. End users D. The system auditor
D
Which of the following is the BEST metric to manage the information security program? A. The number of systems that are subject to intrusion detection B. The amount of downtime caused by security incidents C. The time lag between detection, reporting and acting on security incidents D. The number of recorded exceptions from the minimum information security requirements
D
Which of the following is the FIRST step when developing a risk monitoring program? A. Developing key indicators to monitor outcomes B. Gathering baseline data on indicators C. Analyzing and reporting findings D. Conducting a capability assessment
D
Which of the following is the MOST appropriate metric to measure how well the information security function is managing the administration of user access? A. Elapsed time to suspend accounts of terminated users B. Elapsed time to suspend accounts of users transferring C. Ratio of actual accounts to actual end users D. Percent of accounts with configurations in compliance
D
Which of the following is the MOST effective way to ensure that third-party providers comply with the enterprise's information security policy? A. Security awareness training B. Penetration testing c. Service level monitoring D. Periodic auditing
D
Which of the following is the MOST prevalent risk in the development of end-user computing (EUC) applications? A. Increased development and maintenance costs B. Increased application development time C. Impaired decision making due to diminished responsiveness to requests for information D. Applications not subjected to testing and IT general controls
D
Which of the following objectives is the PRIMARY reason risk professionals conduct risk assessments? A. To maintain the enterprise's risk register B. To enable management to choose the right risk response C. To provide assurance on the risk management process D. To identify risk with the highest business impact
D
Which of the following practices is MOST closely associated with risk monitoring? A. Assessment B. Mitigation c. Analysis D. Reporting
D
Which of the following risk assessment outputs is MOST suitable to help justify an organizational information security program? A. An inventory of risk that may impact the enterprise B. Documented threats to the enterprise C. Evaluation of the consequences D. A list of appropriate controls for addressing risk
D
Which of the following would BEST help an enterprise select an appropriate risk response? A. The degree of change in the risk environment B. An analysis of risk that can be transferred were it not eliminated C. The likelihood and impact of various risk scenarios D. An analysis of control costs and benefits
D
The MAIN objective of IT risk management is to: A. prevent loss of IT assets B. provide timely management reports C. ensure regulatory compliance D. enable risk-aware business decisions
D. IT risk management should be conducted as part of enterprise risk management (ERM), the ultimate objective of which is to enable risk-aware business decisions