CRISC CERTIFICATION EXAM LATEST ACTUAL EXAM QUESTIONS AND DETAILED CORRECT ANSWERS (VERIFIED ANSWERS) | GUARANTEED PASS
Which of the following is the PRIMARY reason that a risk practitioner determines
the security boundary prior to conducting a risk assessment?
A. To determine which laws and regulations apply
B. To determine the scope of the risk assessment
C. To determine the business owner(s) of the system
D. To decide between conducting a quantitative or qualitative analysis
- ANS -B. The primary reason for determining the security boundary is to establish what
systems and components are included in the risk assessment.
The PRIMARY advantage of creating and maintaining a risk register is to:
A. ensure that an inventory of potential risk is maintained
B. record all risk scenarios considered during the risk identification process
C. collect similar data on all risk identified within the organization
D. run reports based on various risk scenarios
- ANS -A. Once important assets and the risk that may impact these assets are
identified, the risk register is used as an inventory of that risk. The risk register
can help enterprises accelerate their risk decision making and establish
accountability for specific risk.
The board of directors of a one-year-old start-up company has asked their CIO to
create all of the enterprise's IT policies and procedures. Which of the following
should the CIO create FIRST?
A. The strategic IT plan
B. The data classification scheme
C. The information architecture document
D. The technology infrastructure plan
- ANS -A. The strategic IT plan is the first policy to be created when setting up an
enterprise's governance model.
A BIA is primarily used to:
A. estimate the resources required to resume and return to normal operations
after a disruption
B. evaluate the impact of a disruption to an enterprise's ability to operate over
time
C. calculate the likelihood and impact of known threats on specific functions
D. evaluate high-level business requirements
- ANS -B
Which of the following is the BIGGEST concern for a CISO regarding
interconnections with systems outside of the enterprise?
A. Requirements to comply with each other's contractual security requirements
B. Uncertainty that the other system will be available as needed
C. The ability to perform risk assessments on the other system
D. Ensuring that communication between the two systems is encrypted through a
VPN
- ANS -A
Which of the following BEST determines compliance with the risk appetite of an
enterprise?
A. Balance between preventive and detective controls
B. Inherent risk and acceptable risk level
C. Residual risk level and acceptable risk level
D. Balance between countermeasures and preventive controls
- ANS -C
Risk scenarios should be created primarily based on which of the following:
A. Input from senior management
B. Previous security incidents
C. Threats that the enterprise faces
D. Results of the risk analysis
- ANS -C
Which of the following is the BEST indicator of an effective information risk
management program?
A. The security policy is made widely available
B. Risk is considered before all decisions
C. Security procedures are updated annually
D. Risk assessments occur on an annual basis
- ANS -B
A review of an enterprise's IT projects finds that projects frequently go over time
or budget by nearly 10 percent. On review, management advises the risk
practitioner that a deviation of 15 percent is acceptable. This is an example of:
A. risk avoidance
B. risk tolerance
C. risk acceptance
D. risk mitigation
- ANS -B
Which of the following is a MAJOR risk associated with the use of governance, risk
and compliance (GRC) tools?
A. Misinterpretation of the dashboard's output
B. Poor authentication mechanism
C. Obsolescence of content
D. Complex integration of the diverse requirements
- ANS -C
Which of the following examples of risk should be addressed during application
design?
A. A lack of skilled resources
B. The risk of migration to a new system
C. Incomplete technical specifications
D. Third-party supplier risk
- ANS -A
If risk has been identified, but not yet mitigated, the enterprise would:
A. record and mitigate serious risk and disregard low-level risk
B. obtain management commitment to mitigate all identified risk within a
reasonable time frame
C. document all risk in the risk register and maintain the status of the remediation
D. conduct an annual risk assessment, but disregard previous assessments to
prevent risk bias
- ANS -C
Corporate information security policy development should PRIMARILY be based
on:
A. vulnerabilities
B. threats
C. assets
D. impacts
- ANS -C
Which of the following combinations of factors help quantify risk?
A. Probability and consequence
B. Impact and threat
C. Threat and exposure
D. Sensitivity and exposure
- ANS -A
Which of the following choices is the MOST important part of any outsourcing
contract?
A. The right to audit the outsourcing provider
B. Provisions to assess the compliance of the provider
C. Procedures for dealing with incident notification
D. Requirements to encrypt hosted data
- ANS -B