CRISC: Certified in Risk & Information Systems Control Sample Questions
Question 1 – When it comes to outsourced service providers, what is the BEST way to ensure compliance with the enterprise’s information security policy?
- A. Penetration testing
- B. Service level monitoring
- C. Security awareness training
- D. Periodic audits
Correct Answer: D
Explanation: Performing periodic audits can help enterprises ensure that outsourced service providers comply with enterprise information security policies since audits can spot compliance gaps.
Question 2 – During the planning phase of the RFT project, you identify a risk that the enterprise’s IT system landscape will become so complex that any further expansion of capacity will be impossible and software maintenance will be very expensive within a few years. In order to mitigate this risk, the company re-architected its existing system and purchased a new integrated system. In which of the given risk prioritization options can this case be categorized?
- A. Deferrals
- B. Quick win
- C. Business case to be made
- D. Contagious risk
Correct Answer: C
Explanation: Due to the high project cost and the large investment required to implement this response, this is categorized as a Business Case to be made.
Question 3 – The best way to ensure a firewall is configured according to the enterprise’s security policy is by using which of the following?
- A. Interviewing the firewall administrator.
- B. Reviewing the actual procedures.
- C. Reviewing the device’s log file for recent attacks.
- D. Reviewing the parameter settings.
Correct Answer: D
Explanation: Reviewing the Parameter settings can provide reliable evidence to support the audit of the actual configuration against the security policy.
Question 4 – Which of the given options cannot be used for measuring the Critical Success Factors of the project?
- A. Productivity
- B. Quality
- C. Quantity
- D. Customer service
Correct Answer: C
Question 5 – Which of the given statements is FALSE regarding the risk management plan?
- A. It is an output of the Plan Risk Management process.
- B. It is an input to all the remaining risk-planning processes.
- C. It is inclusive of a description of the risk responses and triggers.
- D. It is inclusive of the thresholds, scoring and interpretation methods, responsible parties, and budgets.
Question 6 – You are the project manager of a project in Bluewell Inc. Your team and you have identified various risks in the project, completed risk analysis, and are considering the best risk management strategy. Which of the given tools can be used for choosing the appropriate risk response?
- A. Project network diagrams
- B. Cause-and-effect analysis
- C. Decision tree analysis
- D. Delphi Technique
Correct Answer: C
Explanation: An analysis of decision trees is a risk analysis technique that can assist project managers in determining the most effective risk response. The risk response selected can also be used to determine how the risk response will affect the probability and/or impact of the selected risk event based on probability, impact, and risk exposure. When resources are limited, they are most useful when deciding between various strategies, projects, or investment opportunities because they help to form a balanced picture of risks and opportunities. In decision trees, choices are represented by a tree-like graph that illustrates their potential consequences, including resource costs, event outcomes, and utility.
Question 7 – Risk officials in your enterprise do not consider risk credential information when taking important decisions. In addition, enterprise risk management is not integrated with external requirements for risk management. In which of the given risk management capability maturity levels will your enterprise exist?
- A. Level 1
- B. Level 0
- C. Level 5
- D. Level 4
Correct Answer: B
Question 8 – In establishing risk mitigation methods, which of the following should be the first priority?
- A. User entitlement changes
- B. Platform Security
- C. Intrusion detection
- D. Antivirus controls
Correct Answer: A
Explanation: The responsible of Data owners include assigning user entitlement changes and approving access to the systems.
Question 9 – Which of the given type of policy can be used by an organization for forbidding its employees from using organizational e-mail for personal use?
- A. Anti-harassment policy
- B. Acceptable use policy
- C. Intellectual property policy
- D. Privacy policy
Correct Answer: B
Explanation: A network, website or large computer system’s acceptable use policy is a set of rules that govern the way the site or system can be used. They come under the banner of information security policies and are an integral part of that framework.
Question 10 – During research, Wendy’s project team learns that a risk event that caused $75,000 of damage and had a 60% chance of occurring can actually be reduced to a mere $15,000 with a 10% chance of occurring. It will cost $25,000 to implement the proposed solution. Upon hearing the solution, Wendy agrees to pay $25,000 for it. Which of the following types of risk responses can this be?
- A. Mitigation
- B. Avoidance
- C. Transference
- D. Enhancing
Correct Answer: A
Explanation: By reducing the probability and/or impact of adverse risk events to within acceptable threshold limits, risk mitigation implies reducing the probability and/or impact of an adverse risk event, and early actions to reduce the probability and/or impact of such events are usually more effective than attempting to repair the damage afterward.
Question 11 – Which of the following processes prioritizes risks, organizes resources and activities into the budget, and schedules the project management plan?
- A. Monitor and Control Risk
- B. Plan risk response
- C. Identify Risks
- D. Qualitative Risk Analysis
Correct Answer: B
Question 12 – Which of the given risk responses can be used for negative risk events?
- A. Share
- B. Enhance
- C. Exploit
- D. Accept
Correct Answer: D
Question 13 – The probability of an actual return on investment is lower than the investor’s expectations can refer to by which of the given risks?
- A. Integrity risk
- B. Project ownership risk
- C. Relevance risk
- D. Expense risk
Correct Answer: D
Explanation: All investments have some level of risk associated with them due to the unpredictability of the market’s direction and the possibility of a lower return than expected. Investment risk or expense risk results from the probability of the actual return on investment being lower than expected. Consideration of the overall IT investment portfolio is also included.
Question 14 – Which two of the given requirements are the PRIMARY requirements for developing risk scenarios?
- A. Potential threats and vulnerabilities that could lead to lose events
- B. Determining the value of an asset at risk
- C. Determining the actors that have the potential to generate risk
- D. Determining the threat type
Correct Answer: AB
Explanation: In order to create a scenario, it is necessary to determine the value of the asset or business process at risk, along with potential threats and vulnerabilities.
Question 15 – Which two of the following come under the responsibilities of the CRO?
- A. Managing the risk assessment process
- B. Implement corrective actions
- C. Advising Board of Directors
- D. Managing the supporting risk management function
Correct Answer: ABD
Question 16 – Which of the given reasons is the MOST important reason for maintaining the key risk indicators (KRIs)?
- A.For avoiding risk
- B. Complex metrics require fine-tuning
- C. Risk reports need to be timely
- D. Threats and vulnerabilities change over time
Correct Answer: D
Explanation: It is vital to maintain KRIs in order to ensure that they continue to capture threats and vulnerabilities as they change over time. Due to the dynamic nature of the enterprise’s internal and external environments, the set of KRIs needs to be revised over time to account for changes in vulnerabilities and threats.
Question 17 – Suppose you are the project manager on the GHT project and have identified a risk event that if it occurs would decrease project costs by $100,000. Which of the given statements BEST describes this risk event?
- A. It is important to mitigate this risk event in order to maximize savings.
- B. Risk events like this should be accepted because the rewards far outweigh the risks.
- C. This risk event should be avoided to take full advantage of the potential savings.
- D. This risk event is an opportunity for the project and should be exploited.
Correct Answer: D
Explanation: In this case, the risk event is an opportunity for saving money on project costs, so the appropriate strategy is to exploit the event. Exploiting is one strategy to negate risks or threats that arise during a project. An organization may choose this strategy when it wishes to maximize the potential of positive risks. Risk events can provide opportunities for a positive impact on a project if they are exploited. An exploit response involves assigning more talented resources to the project so that it can be completed sooner.
Question 18 – Bluewell Inc is looking for a risk official, who will prioritize several risks that need to be addressed. What Risk Priority Number (RPN) would you give to a risk that has a rating as 4, 5, and 6 for occurrence, severity, and detection respectively.?
- A. 120
- B. 100
- C. 15
- D. 30
Correct Answer: A
Question 19 – Which of the following is the MOST important use of KRIs?
- A. backward-looking view on risk events that have occurred
- B. early warning signal
- C. indication of the enterprise’s risk appetite and tolerance
- D. Enabling the documentation and analysis of trends
Correct Answer: B
Question 20 – Which of the following are the requirements for creating risk scenarios?
- A. Determining the cause and effect
- B. Determining the value of business process at risk
- C. Potential threats and vulnerabilities that could cause loss
- D. Determining the value of an asset
Correct Answer: BCD
