Free CRISC Practice Quiz

Let's get started!

This free practice quiz includes questions from ISACA®'s test prep solutions that are the same level of difficulty you can expect on ISACA's official CRISC exam.

  1. Which of the following is MOST important to determine when defining risk management strategies?

    1. Risk assessment criteria

      Information on the internal and external environments must be collected to define a strategy and identify its impact. Risk assessment criteria alone are not sufficient.

    2. IT architecture complexity

      IT architecture complexity is more directly related to assessing risk than defining strategies.

    3. Enterprise disaster recovery plan

      An enterprise disaster recovery plan is more directly related to mitigating the risk.

    4. Business objectives and operations

      While defining risk management strategies, the risk practitioner needs to analyze the enterprise’s objectives and risk tolerance and define a risk management framework based on this analysis. Some enterprises may accept known risk, while others may invest in and apply mitigating controls to reduce risk.

  2. The GREATEST risk posed by an absence of strategic planning is:

    1. increase in the number of licensing violations.

      Licensing violations can lead to fines and penalties from software companies; however, absence of strategic planning does not necessarily entail an increase in licensing violations.

    2. increase in the number of obsolete systems.

      The number of obsolete systems can increase if strategic planning lapses; however, improper or negligent oversight of IT investment is the more fundamental direct risk, as investment informs the execution of future strategy and ensures that new systems align with business objectives.

    3. improper oversight of IT investment.

      Improper oversight of IT investment is the greatest risk. Without proper oversight from management, IT investment may fail to align with business strategy, and IT expenditures may not support business objectives.

    4. unresolved current and past problems.

      Strategic planning is future-oriented, whereas unresolved current and past problems are tactical in nature.

  3. Which of the following risk management roles is part of the first line of defense?

    1. Chief risk officer.

      The chief risk officer holds a supervisory position and, therefore, is part of the second line of defense.

    2. Risk steering committee.

      The risk steering committee supervises operations, which is a function of the second line of defense.

    3. Risk owner.

      The first line of defense is operational management, and risk owners are part of operational management.

    4. Board of directors.

      The board of directors provides direction and gets feedback for monitoring. It does not take an active role in the three lines of defense because all three lines report to it.

  4. According to the three lines of defense model, where would the data ethics function MOST likely reside in an enterprise?

    1. The first line of defense

      The first line of defense is the operations function and may or may not play a role in data ethics.

    2. The second line of defense

      The second line of defense includes compliance, ethics and risk management and is intended to provide guidance.

    3. The third line of defense

      Internal audit is the third line of defense and is responsible for providing independent verification and assurance that controls are in place and operating effectively.

    4. The board of directors

      The board of directors is responsible for setting the tone at the top; overseeing management; and ensuring that risk management, regulatory, compliance and ethics obligations are met. It may or may not play a role in data ethics.

  5. Which of the following is MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?

    1. The approved budget of the project

      The approved budget of the project may have no bearing on what the project may actually cost.

    2. The frequency of incidents

      The frequency of security incidents can help measure the benefit but the relationship is indirect because not all security incidents may be mitigated by implementing a two-factor authentication system.

    3. The annual loss expectancy of security incidents

      The ALE of incidents can help measure the benefit but the relationship is indirect because not all incidents may be mitigated by implementing a two-factor authentication system.

    4. The total cost of ownership

      Total cost of ownership is the most relevant piece of information to be included in the cost-benefit analysis because it establishes a cost baseline that must be considered for the full life cycle of the control.

  6. Which of the following BEST ensures that appropriate mitigation occurs on identified information systems vulnerabilities?

    1. Presenting root cause analysis to the management of the enterprise.

      Presenting findings to management will increase management awareness; however, it does not ensure that action will be taken by the staff.

    2. Implementing software to input the action points.

      Software can help in monitoring the progress of mitigations, but it will not ensure that the mitigation will be completed.

    3. Incorporating the findings into the annual report to shareholders.

      Reporting to shareholders does not ensure that the mitigation will be completed.

    4. Assigning action plans with deadlines to responsible personnel.

      Assigning mitigation to personnel establishes responsibility for its completion within the deadline.

  7. What is the MOST important control that should be in place to safeguard against the misuse of the corporate social media account?

    1. Social media account monitoring

      Social media account monitoring is a detective control that identifies violations after the fact, as opposed to a proactive measure, such as two-factor authentication.

    2. Two-factor authentication

      Use of two-factor authentication will proactively protect the account from unauthorized access.

    3. Awareness training

      Awareness training may be effective with legitimate users; however, two-factor authentication is a preventive control as opposed to a deterrent control.

    4. Strong passwords

      Using strong passwords will help prevent unauthorized access; however, two-factor authentication provides a proactive control in case the password is compromised.

  8. A business case developed to support risk mitigation efforts for a complex application development project should be retained until:

    1. the project is approved.

      The business case should be retained even after project approval to justify audit, project review or project scope change.

    2. user acceptance of the application.

      The business case should be retained even after user acceptance to validate the return on investment.

    3. the application is deployed.

      The application may be updated and modified; the business case should be retained because updates may involve new risk.

    4. the application’s end of life.

      All documentation related to the system should be updated and retained until the system is no longer in service. Documentation may be retained longer to meet the enterprise's record retention period requirement.

  9. Which of the following factors should be assessed after the likelihood of a loss event has been determined?

    1. Risk tolerance

      Risk tolerance reflects acceptable deviation from acceptable risk. Risk tolerance requires quantification of risk, which in turn requires determining the magnitude of impact.

    2. Magnitude of impact

      Once likelihood has been determined, the next step is to determine magnitude of impact.

    3. Residual risk

      Residual risk is the risk that remains after management implements a risk response. It cannot be calculated until controls are selected.

    4. Compensating controls

      Compensating controls are internal controls that reduce the risk of an existing or potential control weakness that can result in errors and omissions. They would not be assessed directly in conjunction with assessing the likelihood of a loss event.

  10. If risk has been identified but not yet mitigated, the enterprise should:

    1. record and mitigate serious risk and disregard low-level risk.

      All levels of risk identified should be documented in the risk register. It is important to be able to identify where low-level risk can be aggregated within the register.

    2. obtain management commitment to mitigate all identified risk within a reasonable time frame.

      Not all identified risk will necessarily be mitigated. The enterprise will conduct a cost-benefit analysis before determining the appropriate risk response.

    3. document identified risk in the risk register and maintain the remediation status.

      All identified risk should be included in the risk register. The register should capture the proposed remediation plan, the risk owner, and the anticipated date of completion.

    4. conduct an annual risk assessment, but disregard previous assessments to prevent risk bias.

      Annual risk assessments should consider previous risk assessments.


Remember: these questions are a small preview of what you can expect on exam day. The official CRISC exam has 150 questions.

You're just a few steps away from obtaining your CRISC certification:

  1. Register and pay for your exam.
  2. Schedule your exam.
  3. Prep for your exam.
  4. Ace the CRISC exam.

Whether you are seeking a new career opportunity or striving to grow within your current organization, the Certified in Risk and Information Systems Control® (CRISC®) certification proves your skills and expertise.

You've Got This! Now take the CRISC exam.

Register Today

To set yourself up for success on your CRISC certification exam, take a look at ISACA's suite of test prep solutions. There's something for every learning style and schedule. Our team of CRISC-certified IT risk management experts has combined cutting-edge industry practices with proven training formats that maximize learning.

Choose the Exam Prep that Best Fits Your Needs.

Explore CRISC Prep
