CRISC Certified in Risk and Information Systems Control Questions and Answers

solution delivery.

resource utilization.

strategic alignment.

performance evaluation.

Percentage of unpatched IT assets

Percentage of IT assets without ownership

The number of IT assets securely disposed during the past year

The number of IT assets procured during the previous month

Validating employee social media accounts and passwords

Monitoring Internet usage on employee workstations

Disabling social media access from the organization's technology

Implementing training and awareness programs

The third party's IT operations manager

The organization's process owner

The third party's chief risk officer (CRO)

The organization's risk practitioner

Monitoring is only conducted between official hours of business

Employees are informed of how they are bong monitored

Reporting on nonproductive employees is sent to management on a scheduled basis

Multiple data monitoring sources are integrated into security incident response procedures

resources to monitor backups

restoration monitoring reports

backup recovery requests

recurring restore failures

Establishing an intellectual property agreement

Evaluating each of the data sources for vulnerabilities

Periodically reviewing big data strategies

Benchmarking to industry best practice

KRI design must precede definition of KCIs.

KCIs and KRIs are independent indicators and do not impact each other.

A decreasing trend of KRI readings will lead to changes to KCIs.

Both KRIs and KCIs provide insight to potential changes in the level of risk.

inadequate resource allocation

Data disruption

Unauthorized access

Inadequate retention schedules

Implement controls to bring the risk to a level within appetite and accept the residual risk.

Implement a key performance indicator (KPI) to monitor the existing control performance.

Accept the residual risk in its entirety and obtain executive management approval.

Separate the risk into multiple components and avoid the risk components that cannot be mitigated.

Perform a gap analysis.

Prioritize impact to the business units.

Perform a risk assessment.

Review the risk tolerance and appetite.

only approved changes are implemented

timely evaluation of change events

an audit trail exists.

that emergency changes are logged.

Internal and external information security incidents

The risk department's roles and responsibilities

Policy compliance requirements and exceptions process

The organization's information security risk profile

Sustained financial loss

Cost of remediation efforts

Duration of service outage

Average time to recovery

automation cannot be applied to the control

business benefits exceed the loss exposure.

the end-user license agreement has expired.

the control is difficult to enforce in practice.

Key performance indicators (KPIs)

Risk heat maps

Internal audit findings

Periodic penetration testing

Assessing risk with no controls in place

Showing projected residual risk

Providing peer benchmarking results

Assessing risk with current controls in place

Historical losses due to past risk events

Cost to reduce the impact and likelihood

Likelihood and impact of the risk scenario

Actor and threat type of the risk scenario

Migrate all data to another compliant service provider.

Analyze the impact of the provider's control weaknesses to the business.

Conduct a follow-up audit to verify the provider's control weaknesses.

Review the contract to determine if penalties should be levied against the provider.

Perform a post-implementation review.

Conduct user acceptance testing.

Review the key performance indicators (KPIs).

Interview process owners.

Conduct a comprehensive compliance review.

Develop incident response procedures for noncompliance.

Investigate the root cause of noncompliance.

Declare a security breach and Inform management.

help an organization identify emerging threats.

benchmark the organization's risk profile.

identify trends in the organization's vulnerabilities.

enable ongoing monitoring of emerging risk.

Percentage of job failures identified and resolved during the recovery process

Percentage of processes recovered within the recovery time and point objectives

Number of current test plans and procedures

Number of issues and action items resolved during the recovery test

Insufficient network isolation

impact on network performance

insecure data transmission protocols

Lack of interoperability between sensors

Risk manager

Data owner

End user

IT department

Enable data encryption in the test environment.

Prevent the use of production data in the test environment

De-identify data before being transferred to the test environment.

Enforce multi-factor authentication within the test environment.

Identify the regulatory bodies that may highlight this gap

Highlight news articles about data breaches

Evaluate the risk as a measure of probable loss

Verify if competitors comply with a similar policy

Nondisclosure agreements (NDAs)

Data anonymization

Data cleansing

Data encryption

Code review

Penetration test

Gap assessment

Business impact analysis (BIA)

Identify new risk entries to include in ERM.

Remove the risk entries from the ERM register.

Re-perform the risk assessment to confirm results.

Verify the adequacy of risk monitoring plans.

Data retention requirements

Data destruction requirements

Cloud storage architecture

Key management

develop a comprehensive risk mitigation strategy

develop understandable and realistic risk scenarios

identify root causes for relevant events

perform an aggregated cost-benefit analysis

Industry benchmarks

Risk tolerance

Risk appetite

Regulatory compliance

Time required for backup restoration testing

Change in size of data backed up

Successful completion of backup operations

Percentage of failed restore tests

Recommend the business change the application.

Recommend a risk treatment plan.

Include the risk in the next quarterly update to management.

Implement compensating controls.

Ensure compliance with the organization's internal policies

Cultivate long-term behavioral change.

Communicate IT risk policy to the participants.

Demonstrate regulatory compliance.

Enforce segregation of duties.

Disclose potential conflicts of interest.

Delegate responsibilities involving the acquaintance.

Notify the subsidiary's legal team.

business process objectives have been met.

control adheres to regulatory standards.

residual risk objectives have been achieved.

control process is designed effectively.

Verifying that project objectives are met

Identifying project cost overruns

Leveraging an independent review team

Reviewing the project initiation risk matrix

Accountability is established for risk treatment decisions

Stakeholders are consulted about risk treatment options

Risk owners are informed of risk treatment options

Responsibility is established for risk treatment decisions.

Management approval

Annual review

Relevance

Automation

Additional mitigating controls should be identified.

The system should not be used until the application is changed

The organization's IT risk appetite should be adjusted.

The associated IT risk should be accepted by management.

Insufficient risk tolerance

Optimized control management

Effective risk management

Over-controlled environment

An established process for project change management

Retention of test data and results for review purposes

Business managements review of functional requirements

Segregation between development, test, and production

Reviewing risk-related process documentation

Conducting periodic risk assessments

Performing a business impact analysis (BIA)

Performing frequent audits

Adopt the RTO defined in the BCR

Update the risk register to reflect the discrepancy.

Adopt the RTO defined in the DRP.

Communicate the discrepancy to the DR manager for follow-up.

determine the risk appetite.

determine the budget.

define key performance indicators (KPIs).

optimize resource utilization.

Increase in mitigating control costs

Increase in risk event impact

Increase in risk event likelihood

Increase in cybersecurity premium

Corrective

Detective

Deterrent

Preventative

Reduce internal threats

Reduce exposure to vulnerabilities

Eliminate risk associated with personnel

Ensure new hires have the required skills

Number of service level agreement (SLA) violations

Percentage of recovery issues identified during the exercise

Number of total systems recovered within tie recovery point objective (RPO)

Percentage of critical systems recovered within tie recovery time objective (RTO)

prepare a follow-up risk assessment.

recommend acceptance of the risk scenarios.

reconfirm risk tolerance levels.

analyze changes to aggregate risk.

Senior management

Chief risk officer (CRO)

Vendor manager

Data owner

define recovery time objectives (RTOs).

define the information classification policy

conduct a sensitivity analyse

Identify information custodians

Results of benchmarking studies

Results of risk assessments

Number of emergency change requests

Maturity model

The underutilization of the replicated Iink

The cost of recovering the data

The lack of integrity of data

The loss of data confidentiality

Conduct a gap analysis.

Terminate the outsourcing agreement.

Identify compensating controls.

Transfer risk to the third party.

Key risk indicators (KRIs)

Key performance indicators (KPIs)

Control self-assessment (CSA)

Risk heat map

revalidate current key risk indicators (KRIs).

revise risk management procedures.

review the data classification policy.

revalidate existing risk scenarios.

Risk practitioner

Business manager

Risk owner

Control owner

Incident reports

Cost-benefit analysis

Risk tolerance

Control objectives

Cost of implementation

Implementation of unproven applications

Disruption to business processes

Increase in attack surface area

Collaborate with the risk owner to determine the risk response plan.

Document the gap in the risk register and report to senior management.

Include a right to audit clause in the service provider contract.

Advise the risk owner to accept the risk.

The number of stakeholders involved in IT risk identification workshops

The percentage of corporate budget allocated to IT risk activities

The percentage of incidents presented to the board

The number of executives attending IT security awareness training

testing requirements

the implementation plan.

System requirements

The security policy

Recovery time objectives (RTOs)

Segregation of duties

Communication plan

Critical asset inventory

a identity conditions that may cause disruptions

Review incident response procedures

Evaluate the probability of risk events

Define metrics for restoring availability

Assigning a data owner

Implementing technical control over the assets

Implementing a data loss prevention (DLP) solution

Scheduling periodic audits

Communication

Risk analysis

Decision support

Benchmarking

Monitor risk controls.

Implement preventive measures.

Implement detective controls.

Transfer the risk.

The volume of risk scenarios is too large

Risk aggregation has not been completed

Risk scenarios are not applicable

The risk analysts for each scenario is incomplete

KRIs assist in the preparation of the organization's risk profile.

KRIs signal that a change in the control environment has occurred.

KRIs provide a basis to set the risk appetite for an organization

KRIs provide an early warning that a risk threshold is about to be reached.

The risk practitioner

The risk owner

The control owner

The audit manager

Accountability may not be clearly defined.

Risk ratings may be inconsistently applied.

Different risk taxonomies may be used.

Mitigation efforts may be duplicated.

Invoke the disaster recovery plan during an incident.

Prepare a cost-benefit analysis of alternatives available

Implement redundant infrastructure for the application.

Reduce the recovery time by strengthening the response team.

a function of the cost and effectiveness of controls.

the likelihood of a given threat.

a function of the likelihood and impact.

the magnitude of an impact.

Demonstration that the control is operating as designed

A successful walk-through of the associated risk assessment

Management attestation that the control is operating effectively

Automated data indicating that risk has been reduced

select a provider to standardize the disaster recovery plans.

outsource disaster recovery to an external provider.

centralize the risk response function at the enterprise level.

evaluate opportunities to combine disaster recovery plans.

Leveraging business risk professionals

Relying on generic IT risk scenarios

Describing IT risk in business terms

Using a common risk taxonomy

Confidentiality breach

Institutional knowledge loss

Intellectual property loss

Unauthorized access

Implementing a data toss prevention (DLP) solution

Assigning a data owner

Scheduling periodic audits

Implementing technical controls over the assets

Prepare a cost-benefit analysis to evaluate relocation.

Prepare a disaster recovery plan (DRP).

Conduct a business impact analysis (BIA) for an alternate location.

Develop a business continuity plan (BCP).

A control self-assessment

A third-party security assessment report

Internal audit reports from the vendor

Service level agreement monitoring

Maintain and review the classified data inventor.

Implement mandatory encryption on data

Conduct an awareness program for data owners and users.

Define and implement a data classification policy

reduce the risk to an acceptable level.

communicate the consequences for violations.

implement industry best practices.

reduce the organization's risk appetite

Business impact analysis

Risk analysis

Threat risk assessment

Vulnerability assessment

Information security managers

Internal auditors

Business process owners

Operational risk managers

Number of users that participated in the DRP testing

Number of issues identified during DRP testing

Percentage of applications that met the RTO during DRP testing

Percentage of issues resolved as a result of DRP testing

Escalate to senior management

Require a nondisclosure agreement.

Sanitize portions of the register

Determine the purpose of the request

Enforcing employees sanctions

Conducting phishing exercises

Enforcing segregation of dunes

Reviewing the organization's risk appetite

Reviewing database access rights

Reviewing database activity logs

Comparing data to input records

Reviewing changes to edit checks

transferred

mitigated.

accepted

avoided

buying an insurance policy.

acceptance of exposures

deployment of counter measures.

enterprise architecture implementation.

Perform their own risk assessment

Implement additional controls to address the risk.

Accept the risk based on the third party's risk assessment

Perform an independent audit of the third party.

minimize the number of risk scenarios for risk assessment.

aggregate risk scenarios identified across different business units.

build a threat profile of the organization for management review.

provide a current reference to stakeholders for risk-based decisions.

Logs and system events

Intrusion detection system (IDS) rules

Vulnerability assessment reports

Penetration test reports

Repeatable

Automated

Quantitative

Qualitative

Performing a benchmark analysis and evaluating gaps

Conducting risk assessments and implementing controls

Communicating components of risk and their acceptable levels

Participating in peer reviews and implementing best practices

A robust risk aggregation tool set

Clearly defined roles and responsibilities

A well-established risk management committee

Well-documented and communicated escalation procedures

The risk manager's expertise

Regulatory requirements

Board of directors' expertise

The organization's culture

The number of security incidents escalated to senior management

The number of resolved security incidents

The number of newly identified security incidents

The number of recurring security incidents

It compares performance levels of IT assets to value delivered.

It facilitates the alignment of strategic IT objectives to business objectives.

It provides input to business managers when preparing a business case for new IT projects.

It helps assess the effects of IT decisions on risk exposure

Number of tickets for provisioning new accounts

Average time to provision user accounts

Password reset volume per month

Average account lockout time

Risk response plans are documented

Controls are mapped to key risk scenarios.

Key risk indicators are defined.

Risk ownership is assigned

identification.

treatment.

communication.

assessment

compensating controls are in place.

a control mitigation plan is in place.

risk management is effective.

residual risk is accepted.

risk assessment methodology.

risk appetite.

capabilities

asset value.

implement uniform controls for common risk scenarios.

ensure business unit risk is uniformly distributed.

build a risk profile for management review.

quantify the organization's risk appetite.

requirements of management.

specific risk analysis framework being used.

organizational risk tolerance

results of the risk assessment.

Preventive

Directive

Detective

Compensating

Evaluating the impact of removing existing controls

Evaluating existing controls against audit requirements

Reviewing system functionalities associated with business processes

Monitoring existing key risk indicators (KRIs)

Identification of controls gaps that may lead to noncompliance

Prioritization of risk action plans across departments

Early detection of emerging threats

Accurate measurement of loss impact

create an action plan

assign ownership

review progress reports

perform regular audits.

Alignment to risk responses

Alignment to management reports

Alerts when risk thresholds are reached

Identification of trends

a function of the likelihood and impact

the magnitude of an impact

a function of the cost and effectiveness of control.

the likelihood of a given threat

Ad hoc control reporting

Control self-assessment

Continuous monitoring

Predictive analytics

Percentage of systems included in recovery processes

Number of key systems hosted

Average response time to resolve system incidents

Percentage of system availability

Delayed removal of employee access

Authorized administrative access to HR files

Corruption of files due to malware

Server downtime due to a denial of service (DoS) attack

Risk tolerance is decreased.

Residual risk is increased.

Inherent risk is increased.

Risk appetite is decreased

Cost of offsite backup premises

Cost of downtime due to a disaster

Cost of testing the business continuity plan

Response time of the emergency action plan

for compliance with laws and regulations

as a basis for cost-benefit analysis.

as input foe decision-making

to measure organizational success.

Industry best practices

Placement on the risk map

Degree of variances in the risk

Cost of risk mitigation

map findings to objectives.

provide a quantified detailed analysts.

recommend risk tolerance thresholds.

quantify key risk indicators (KRls).

gain a better understanding of the control effectiveness in the organization

gain a better understanding of the risk in the organization

adjust the controls prior to an external audit

reduce the dependency on external audits

plan awareness programs for business managers.

evaluate maturity of the risk management process.

assist in the development of a risk profile.

maintain a risk register based on noncompliances.

Risk assessment results

A recently reviewed risk register

Key performance indicators (KPIs)

The organization's risk framework

Standard operating procedures

SWOT analysis

Industry benchmarking

Control gap analysis

Review of log-in attempts

Multi-level authorization

Periodic review of audit trails

Multi-factor authentication

To update risk ownership

To review the risk acceptance with new stakeholders

To ensure risk levels have not changed

To ensure controls are still operating effectively

risk map

cause-and-effect diagram

maturity model

technology strategy plan.

Determining which departments contribute most to risk

Allocating responsibility for risk factors equally to asset owners

Mapping identified risk factors to specific business processes

Determining resource dependency of assets

A strategic approach to risk including an established risk appetite

A risk-based internal audit plan for the organization

A control function within the risk management team

An organization-wide risk awareness training program

The risk register template uses an industry standard.

The risk register is regularly updated.

All fields in the risk register have been completed.

Controls are listed against risk entries in the register.

Organizational strategy

Cost-benefit analysis

Control self-assessment (CSA)

Business requirements

Application controls are manual.

Application development is outsourced.

Source code is escrowed.

Developers have access to production environment.

the risk strategy is appropriate

KRIs and KPIs are aligned

performance of controls is adequate

the risk monitoring process has been established

Security training for systems development staff

\Well-documented business cases

Security architecture principles

Secure coding practices

Cost of controls

Annual loss expectancy (ALE)

Inherent risk

Residual risk

The audit plan for the upcoming period

Spend to date on mitigating control implementation

A report of deficiencies noted during controls testing

A status report of control deployment

Customer database manager

Customer data custodian

Data privacy officer

Audit committee

Implementing risk treatment plans

Validating the status of risk mitigation efforts

Establishing risk policies and standards

Conducting independent reviews of risk assessment results

Develop a business impact analysis (BIA).

Define recovery time objectives (RTO).

Analyze capability maturity model gaps.

Simulate a disaster recovery.

Defining expectations in the enterprise risk policy

Increasing organizational resources to mitigate risks

Communicating external audit results

Avoiding risks that could materialize into substantial losses

Implement compensating controls to reduce residual risk

Escalate the issue to senior management

Discuss risk mitigation options with the risk owner.

Certify the control after documenting the concern.

Identifying additional risk scenarios

Updating the heat map

Assessing loss expectancy

Establishing a risk appetite

cost-benefit analysis.

risk appetite.

regulatory guidelines

control efficiency

Chief information officer (CIO)

Executive management team

Audit committee

Business process owner

Management intervention

Risk appetite

Board commentary

Escalation triggers

Results of current and past risk assessments

Organizational strategy and objectives

Lessons learned from materialized risk scenarios

Internal and external audit findings

risk appetite.

security policies

process maps.

risk tolerance level

Risk policy review

Business impact analysis (B1A)

Control catalog

Risk register

Likelihood rating

Control effectiveness

Assessment approach

Impact rating

Management has not determined a final implementation date.

Management has not completed an early mitigation milestone.

Management has not secured resources for mitigation activities.

Management has not begun the implementation.

Collect data of past incidents and lessons learned.

Conduct a high-level risk assessment based on the nature of business.

Identify the risk appetite of the organization.

Assess the goals and culture of the organization.

Third-party data custodian

Data custodian

Regional office executive

Data owner

An IT tactical plan

Disaster recovery and continuity testing

Assigned roles and responsibilities

A business impact analysis

Audit findings

Risk appetite

Key risk indicators

Industry best practices

The cost associated with incident response activities

The composition and number of records in the information asset

The maximum levels of applicable regulatory fines

The length of time between identification and containment of the incident

business process owner.

database administrator.

chief information officer.

systems administrator.

To enhance compliance with standards

To minimize subjectivity of assessments

To increase consensus among peers

To provide assessments for benchmarking

Changes to the risk register

Changes in risk appetite or tolerance

Modification to risk categories

Knowledge of new and emerging threats

An internal audit

Security operations center review

Internal penetration testing

A third-party audit

Number of days taken to remove access after staff separation dates

Number of days taken for IT to remove access after receipt of HR instructions

Number of termination requests processed per reporting period

Number of days taken for HR to provide instructions to IT after staff separation dates

maximum tolerable downtime.

maximum tolerable loss of data.

need of each business unit.

type of business.

External audit findings

Feedback from focus groups

Self-assessment reports

Changes in senior management

Unencrypted data

Lack of redundant circuits

Low bandwidth connections

Data integrity

Loss expectancy information

Control performance predictions

IT service level agreements (SLAs)

Remediation activity progress

Develop a risk action plan to address the findings.

Evaluate the impact of the vulnerabilities to the business application.

Escalate the findings to senior management and internal audit.

Conduct a penetration test to validate the vulnerabilities from the findings.

Business management approval of change requests

Separation of development and production environments

Requirement of an implementation rollback plan

IT management review of implemented changes

mitigated

accepted

avoided

deferred

Background checks

Awareness training

User access

Policy management

using the same scales in assessing risk

utilizing industry benchmarks

using reliable qualitative data for risk Hems

including primarily low level risk factors

Number of users who have signed a BYOD acceptable use policy

Number of incidents originating from BYOD devices

Budget allocated to the BYOD program security controls

Number of devices enrolled in the BYOD program

Review risk tolerance levels

Maintain the current controls.

Analyze the effectiveness of controls.

Execute the risk response plan

Total cost of ownership

Resource dependency analysis

Cost-benefit analysis

Business impact analysis

A third-party assessment report of control environment effectiveness must be provided at least annually.

Incidents related to data toss must be reported to the organization immediately after they occur.

Risk assessment results must be provided to the organization at least annually.

A cyber insurance policy must be purchased to cover data loss events.