ISACA CRISC Exam Questions
Page 3 of 25
41.
What is one reason that the need for information security awareness training has increased?
- The number of people who use computers is orders of magnitude higher
- Increased separation of computing resources from business to personal use
- Average home computers are never as powerful as business computers
- Consumers are using and storing less data
Correct answer: The number of people who use computers is orders of magnitude higher
The number of computer users has grown by orders of magnitude, and business and personal data are now co-mingled across multiple devices. This raises the likelihood of a data breach, so security awareness must be raised broadly across the workforce rather than only among IT staff.
Separation of business and personal computing has been decreasing, not increasing, with trends such as BYOD (Bring Your Own Device).
Average home computers are often as powerful as business computers, so hardware capability is not what drives the need for training.
Consumers are using and storing more data, not less.
42.
A car parts manufacturing company is evaluating the potential impacts of a cyber attack on its operations. As part of this evaluation, the management team uses the HARM model to assess the various consequences that could arise from a data breach. They are currently considering the financial implications of addressing the breach.
Which aspect of the HARM model is the company focusing on in this scenario?
- Response cost
- Impaired growth
- Productivity
- Competitive advantage
Correct answer: Response cost
Response cost refers to the financial burden of responding to and recovering from a security incident. In this scenario, the company is evaluating the financial implications of a data breach, which aligns with the response cost aspect of the HARM model.
Productivity refers to the efficiency of the organization's operations and how they may be affected by a cyber incident rather than the costs incurred in response efforts.
Competitive advantage pertains to the benefits an organization gains over its competitors.
Impaired growth describes the potential negative impact on the company's ability to expand following an incident.
43.
Which cloud computing service model provides programming languages and tools for organizations to write their own applications?
- PaaS
- IaaS
- SaaS
- IoT
Correct answer: PaaS
Platform as a Service (PaaS) gives the customer the capability to deploy and run applications it has created or acquired using the programming languages, libraries, services, and tools the provider supports. The provider manages the underlying infrastructure, operating system, and runtime; the customer controls only the deployed applications and their configuration.
Infrastructure as a Service (IaaS) provides the fundamental computing resources, such as virtual machines, storage, and networking, on a pay-as-you-go basis; the customer installs and manages the operating system and everything above it.
Software as a Service (SaaS) delivers fully developed applications over the internet that are managed by the service provider; the customer writes no code.
Internet of Things (IoT) refers to the network of physical devices connected to the internet that collect and exchange data. It is not a cloud service model.
44.
What type of plan is developed to enable a business to maintain its operations and services in the event of business disruption?
- Business continuity
- Service level agreement
- Risk mitigation
- Resilience plan
Correct answer: Business continuity
A business continuity plan enables a business to continue operating in the event of a disruptive event. This includes planning for events that can take place on a disastrous scale.
A risk mitigation plan is a strategic document that outlines the methods and actions to reduce the likelihood and impact of identified risks on a project or within an organization.
A Service Level Agreement (SLA) is a formal document that defines the level of service expected by a customer, outlining the metrics by which that service is measured.
A resilience plan is a strategic document aimed at long-term strength and the ability to absorb any number of disturbances and disruptions, whereas a business continuity plan focuses on the specific processes and procedures used to keep operating through a given disruption.
45.
As it relates to risk management, there are three lines of defense. Which line of defense is concerned with the compliance function?
- Second line
- First line
- Third line
- All lines
Correct answer: Second line
The second line of defense is typically composed of risk management and compliance functions. The expectation of these functions is to ensure that the individual business functions are acting in compliance with the overall risk management program.
The first line of defense is operational management. Operational management owns the risks in its processes, implements risk management policies, and operates effective internal controls day to day.
The third line of defense is the audit function. Auditing involves independent and objective review of the control environment.
46.
What risk analysis technique is used to identify conditions that may go undetected by traditional testing?
- Sneak circuit analysis
- Underrated analysis
- Preliminary hazard
- Event tree analysis
Correct answer: Sneak circuit analysis
Sneak circuit analysis identifies latent paths, timing conditions, and design errors that cause an unwanted function or inhibit a desired one. These "sneak" conditions are not component failures, which is why failure-oriented system tests routinely miss them. Conducting sneak circuit analysis helps avoid improper operation, loss of availability, or injury to personnel.
"Underrated analysis" is not a recognized risk analysis technique. (Fault tree analysis, a related deductive method, works backwards from a specific failure event to its root causes rather than searching for latent conditions.)
Preliminary hazard analysis is an early-stage risk analysis technique; it is not specifically designed to identify conditions that may go undetected by traditional testing.
Event tree analysis is used to trace the potential consequences of an initiating event, but it does not focus on identifying hidden or unexpected conditions.
47.
Which category of risk control uses automation and digital approaches to risk management?
- Technical
- Administrative
- Physical
- Compensating
Correct answer: Technical
Technical risk controls use digital technology, equipment, or devices. They are implemented by individuals with specific IT skills and can be automated to execute without intervention.
Administrative controls involve policies, procedures, and guidelines to manage risks, but they are typically manual in nature and do not focus on automation or digital tools.
Physical controls involve measures such as locks, fences, and security guards to protect physical assets but do not necessarily rely on automation or digital technology.
Compensating controls are additional measures put in place to compensate for deficiencies in primary controls but do not inherently involve automation or digital approaches.
48.
What is the process of diagnosing the origins of an event?
- Root cause analysis
- Impact analysis
- Vulnerability assessment
- Risk due diligence
Correct answer: Root cause analysis
Root cause analysis digs deep into the problem to understand the origin of events. This detailed level of information addresses the underlying conditions that form the root of the problem, rather than addressing the symptoms.
An impact analysis assesses the potential effects of an event, not its origin.
A vulnerability assessment is a systematic review of security weaknesses in an information system, identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
Risk due diligence is the process of systematically reviewing and assessing the potential risks associated with a business decision.
49.
Which threat model method creates an actor-asset-action matrix?
- Trike
- VAST
- PnG
- PASTA
Correct answer: Trike
Trike was created as a security audit framework that uses threat modeling as a technique. Its requirements model enumerates the actors and assets of the system and records, for every actor-asset pair, which actions (create, read, update, delete) the actor is intended to be able to perform; this actor-asset-action matrix is then used to derive threats.
VAST (Visual, Agile, and Simple Threat modeling) is a threat modeling approach focused on integrating security practices into Agile development processes at enterprise scale.
Persona non Grata (PnG) focuses on the motivations and skills of human attackers by modeling them as archetypal personas.
PASTA (Process for Attack Simulation and Threat Analysis) is a seven-stage, risk-centric methodology for conducting application security risk assessments.
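To make the actor-asset-action matrix concrete, here is an added example (not ISACA material and not code from the Trike project) of a simplified Trike-style requirements model. The actors, assets, and intended CRUD permissions are constructed for a hypothetical order-processing system, and the threat derivation follows Trike's two threat types in simplified form: an actor performing an action the matrix does not intend is an elevation-of-privilege threat, and an actor being prevented from performing an intended action is a denial-of-service threat.

```python
"""Simplified Trike-style requirements model: an actor-asset-action matrix.

Added illustration, not ISACA material or code from the Trike project.
Actors, assets and intended permissions are constructed for a hypothetical
order-processing system.
"""
from dataclasses import dataclass

ACTIONS = ("create", "read", "update", "delete")

# Constructed example system.
ACTORS = ("customer", "support_agent", "billing_service")
ASSETS = ("order", "payment_card", "audit_log")

# Intended actions per actor-asset pair. Any pair or action not listed is
# "never allowed". (Trike also allows "allowed under a rule"; omitted here.)
INTENDED = {
    ("customer", "order"): frozenset({"create", "read"}),
    ("support_agent", "order"): frozenset({"read", "update"}),
    ("billing_service", "order"): frozenset({"read"}),
    ("billing_service", "payment_card"): frozenset({"read"}),
    ("billing_service", "audit_log"): frozenset({"create"}),
}


@dataclass(frozen=True)
class Threat:
    kind: str    # "elevation_of_privilege" or "denial_of_service"
    actor: str
    action: str
    asset: str


def build_matrix(actors, assets, intended):
    """Return {(actor, asset): {action: allowed}} with every cell filled in.

    Filling every cell is the point: a pair nobody thought about is an
    implicit "never allowed", which still yields threats below.
    """
    matrix = {}
    for actor in actors:
        for asset in assets:
            allowed = intended.get((actor, asset), frozenset())
            matrix[(actor, asset)] = {a: (a in allowed) for a in ACTIONS}
    return matrix


def enumerate_threats(matrix):
    """Derive Trike's two threat types from the matrix."""
    threats = []
    for (actor, asset), cell in matrix.items():
        for action, allowed in cell.items():
            if allowed:
                # Intended action could be blocked by an attacker.
                threats.append(Threat("denial_of_service", actor, action, asset))
            else:
                # Unintended action could be performed by the actor.
                threats.append(Threat("elevation_of_privilege", actor, action, asset))
    return threats


def render_matrix(matrix, actors, assets) -> str:
    """Text rendering: one row per actor, one CRUD flag group per asset."""
    width = max(len(a) for a in actors)
    lines = [" " * width + "  " + "  ".join(f"{a:>12}" for a in assets)]
    for actor in actors:
        cells = []
        for asset in assets:
            cell = matrix[(actor, asset)]
            flags = "".join(a[0].upper() if cell[a] else "-" for a in ACTIONS)
            cells.append(f"{flags:>12}")
        lines.append(f"{actor:<{width}}  " + "  ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    matrix = build_matrix(ACTORS, ASSETS, INTENDED)
    print(render_matrix(matrix, ACTORS, ASSETS))
    for t in enumerate_threats(matrix):
        if t.kind == "elevation_of_privilege" and t.asset == "payment_card":
            print(f"EoP: {t.actor} could {t.action} {t.asset}")
```

Reviewing the rendered matrix row by row is the audit step: a flag that should not be set (for example, a customer able to read payment cards) is a design error found before any code exists, and the generated threat list becomes the checklist for the controls that enforce each cell.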
50.
Which personnel role within the risk management function is tasked with ensuring that the risk management functions are carried out?
- Risk manager
- Risk analyst
- Risk steward
- Subject matter expert
Correct answer: Risk manager
The risk manager manages and understands the overall risk management functions that need to be accomplished within the enterprise. This individual is responsible for ensuring that the risk management functions are carried out by the people in the department.
A risk analyst is responsible for analyzing, evaluating, and assessing threats.
A risk steward is responsible for the routine management and maintenance of controls.
A subject matter expert provides insights into specific areas.
51.
Configuration hardening disables unnecessary components. Which of the following is NOT one of those components?
- Users
- Ports
- Services
- Protocols
Correct answer: Users
Ports, services, and protocols are technical components of a system. Configuration hardening locks down those technical components, but the user community still needs access to the resources, so users as a population are not "disabled" by hardening. (In practice, hardening baselines such as the CIS Benchmarks and DISA STIGs do remove or lock unnecessary default and guest accounts; the question treats "users" as the people who need access rather than as system accounts.)
Ports are the entry points on a system where network communication occurs. Every listening port exposes a service, so unused or unnecessary ports enlarge the attack surface available to an attacker.
Services are software programs or processes that run in the background and provide specific functionality to users or other applications. Services that are not necessary for the intended operation of the system introduce risk if left enabled, because any vulnerability in them is reachable.
Protocols define the rules and conventions for communication between devices or systems over a network. Certain protocols have known security weaknesses (cleartext credentials, weak authentication, or obsolete cryptography) and should be disabled in favor of their secure replacements.
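The practical check behind this question is comparing what a host actually exposes against the hardening baseline. The following is an added example (not ISACA material) of that check: it parses the data rows of `ss -tlnp` and `ss -ulnp` output and reports any listener that is not in the baseline, is run by an unexpected process, or is bound more widely than the baseline allows. The sample output and the baseline are constructed for the example.

```python
"""Configuration-hardening check: listening sockets versus a baseline.

Added illustration, not ISACA material. The `ss` output and the baseline
are constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    addr: str      # local address as printed by ss, e.g. "0.0.0.0" or "[::]"
    port: int
    process: str


@dataclass(frozen=True)
class Finding:
    listener: Listener
    reason: str


# Data rows of `ss -tlnp` (State LISTEN) and `ss -ulnp` (State UNCONN):
#   State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
_ROW = re.compile(
    r'^(?P<state>LISTEN|UNCONN)\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)

LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample: what `ss -tlnp; ss -ulnp` might print on a web host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=1021,fd=5))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1410,fd=6))
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*          users:(("telnetd",pid=1555,fd=4))
LISTEN  0       50      0.0.0.0:6379        0.0.0.0:*          users:(("redis-server",pid=1600,fd=7))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
UNCONN  0       0       0.0.0.0:161         0.0.0.0:*          users:(("snmpd",pid=1700,fd=8))
"""

# Constructed baseline: (proto, port) -> expected process and binding rule.
BASELINE = {
    ("tcp", 22): {"process": "sshd"},
    ("tcp", 80): {"process": "nginx"},
    ("tcp", 5432): {"process": "postgres", "loopback_only": True},
}


def parse_ss(text: str):
    """Extract listeners from ss output, skipping headers and unparsable rows."""
    listeners = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        proto = "tcp" if m["state"] == "LISTEN" else "udp"
        listeners.append(Listener(proto, m["addr"], int(m["port"]), m["proc"]))
    return listeners


def audit_listeners(text: str, baseline) -> list:
    """Return one Finding per listener that deviates from the baseline."""
    findings = []
    for l in parse_ss(text):
        rule = baseline.get((l.proto, l.port))
        if rule is None:
            findings.append(Finding(l, "not in hardening baseline: disable the service or close the port"))
        elif rule["process"] != l.process:
            findings.append(Finding(l, f"port reserved for {rule['process']} in baseline, found {l.process}"))
        elif rule.get("loopback_only") and l.addr not in LOOPBACK:
            findings.append(Finding(l, "baseline requires loopback-only binding"))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT, BASELINE):
        l = f.listener
        print(f"{l.proto}/{l.port} {l.addr} ({l.process}): {f.reason}")
```

On the sample, telnet (cleartext protocol), Redis exposed on all interfaces, and SNMP all surface as deviations, while the two sshd sockets (IPv4 and IPv6) and loopback-bound PostgreSQL pass. Run against real `ss` output, the same function turns "disable unnecessary ports, services, and protocols" into a repeatable control whose failures can be tracked.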
52.
A retail company is conducting an IT risk assessment to identify and visualize the potential risks associated with their new e-commerce platform. The management team wants to use a tool that helps them plot these risks based on their frequency and impact, making it easier to prioritize and address them.
Which tool should the management team use to achieve this goal?
- Risk map
- Risk rankings
- Risk register
- Risk assessment
Correct answer: Risk map
A risk map is a visual tool that allows organizations to plot risks based on their frequency and impact. This helps them to identify the most critical risks and prioritize them accordingly.
Risk rankings are used to prioritize risks based on their likelihood and impact, but they do not provide a visual representation.
A risk register is a document that lists identified risks, their likelihood and impact, and any mitigation strategies in place, but not a visual representation.
A risk assessment is the overall process of identifying and evaluating potential risks.
53.
How are risk events different from threat events?
- Risk events consider the impact to the organization
- Threat events simply establish the potential for uncertainty
- Threat events include the probability of an occurrence
- Risk events and threat events are the same
Correct answer: Risk events consider the impact to the organization
Risk events consider the impact of events and describe uncertainty but do not elaborate on how the risk might be carried out.
Threat events describe the actions or series of actions that could take place.
Threat events are about potential actions or conditions, not directly about the probability of their occurrence.
Risk events and threat events are distinct concepts in risk management.
54.
As it relates to risk management three lines of defense, which line of defense is responsible for monitoring and reporting the enterprise's current risk profile exposure to appropriate stakeholders?
- Second line
- First line
- Third line
- Fourth line
Correct answer: Second line
The second line of defense is the part of the organization responsible for monitoring the overall risk profile, posture, and exposure. Based on that ongoing monitoring, the second line communicates with stakeholders and executives on the status of the risk management program.
ISACA describes three lines of defense in the governance section of the CRISC Review Manual. The first line is operational management, the second line is the risk management and compliance functions, and the third line is internal audit. There is no fourth line in this model.
55.
After a risk has been determined by quantitative or qualitative measures, what method is used to review whether the risk level is within the boundaries of acceptable risk in the organization?
- Risk map
- Risk response
- Risk register
- Risk interview
Correct answer: Risk map
A risk map is used to correlate risk levels with the organization's risk tolerance levels. From there, a risk can be categorized and framed as an opportunity, an acceptable risk, or an unacceptable risk.
A risk response involves taking action to mitigate, transfer, accept, or avoid a risk after it has been assessed.
A risk register is a tool for consolidating and tracking risks, but it does not visually assess whether the risk level is within acceptable boundaries.
A risk interview involves gathering information about risks from stakeholders.
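Questions 52 and 55 both turn on the same tool: plotting each risk by likelihood (frequency band) and impact, then reading off where it sits relative to the organization's risk appetite. The following is an added example (not ISACA material) of a risk map in code: it places constructed e-commerce platform risks on a 5x5 grid, ranks them, and classifies each one as an opportunity, an acceptable risk, or an unacceptable risk against constructed appetite thresholds. The scales, thresholds, and risks are assumptions for the example; a real organization takes them from its risk appetite statement.

```python
"""Risk map (heat map) for an IT risk assessment.

Added illustration, not ISACA material. The 1-5 scales, the appetite
thresholds and the e-commerce risks are constructed for the example.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = lowest likelihood / impact, 5 = highest


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int  # 1-5 frequency band (constructed: 1 = once a decade, 5 = monthly)
    impact: int      # 1-5

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class RiskAppetite:
    """Constructed boundaries; a real organization sets these itself."""
    unacceptable_score: int = 12   # at or above: exceeds tolerance, response required
    intolerable_impact: int = 5    # impact at this level tolerated only if likelihood is 1
    opportunity_score: int = 3     # at or below: possibly over-controlled, review spend


def classify(risk: Risk, appetite: RiskAppetite) -> str:
    """Map a plotted risk to the zone of the risk map it falls in."""
    if risk.score >= appetite.unacceptable_score:
        return "unacceptable"
    if risk.impact >= appetite.intolerable_impact and risk.likelihood > 1:
        return "unacceptable"
    if risk.score <= appetite.opportunity_score:
        return "opportunity"
    return "acceptable"


def prioritize(risks):
    """Rank by score, breaking ties toward the higher-impact risk."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.risk_id))


def build_map(risks):
    """Return {(likelihood, impact): [risk ids]} for every cell of the grid."""
    grid = {(l, i): [] for l in SCALE for i in SCALE}
    for r in risks:
        if r.likelihood not in SCALE or r.impact not in SCALE:
            raise ValueError(f"{r.risk_id}: ratings must be within 1-5")
        grid[(r.likelihood, r.impact)].append(r.risk_id)
    return grid


def render_map(grid) -> str:
    """Text heat map: impact on the vertical axis, likelihood on the horizontal."""
    rows = ["impact \\ likelihood " + " ".join(f"{l:>8}" for l in SCALE)]
    for impact in reversed(SCALE):
        cells = [",".join(grid[(l, impact)]) or "." for l in SCALE]
        rows.append(f"{impact:>19} " + " ".join(f"{c:>8}" for c in cells))
    return "\n".join(rows)


# Constructed risks for a hypothetical e-commerce platform.
RISKS = [
    Risk("R1", "Payment API credential leak", likelihood=2, impact=5),
    Risk("R2", "Checkout outage during peak sales", likelihood=4, impact=4),
    Risk("R3", "Outdated TLS configuration on CDN", likelihood=3, impact=2),
    Risk("R4", "Minor UI defect in wishlist", likelihood=5, impact=1),
    Risk("R5", "Data-center flood", likelihood=1, impact=5),
    Risk("R6", "Defacement of legacy internal wiki", likelihood=1, impact=2),
]
APPETITE = RiskAppetite()


if __name__ == "__main__":
    print(render_map(build_map(RISKS)))
    for r in prioritize(RISKS):
        print(f"{r.risk_id} score={r.score:>2} {classify(r, APPETITE):<12} {r.description}")
```

The score alone does not decide the zone: R1 (likelihood 2, impact 5, score 10) is unacceptable because the appetite refuses catastrophic impact at any likelihood above the lowest band, while R5 with the same impact at likelihood 1 is accepted. That is the "correlate risk levels with tolerance" step of question 55; the grid itself is the visual of question 52.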
56.
What type of assessment is done as a prerequisite to business continuity planning?
- BIA
- RTO
- Risk assessment
- Security assessment
Correct answer: BIA
A Business Impact Analysis (BIA), also called a business impact assessment, identifies business processes and services, assesses the consequences of their disruption, and prioritizes them by value to the organization; those deemed critical drive the recovery strategies in the business continuity plan.
The recovery time objective (RTO) is a metric that defines the maximum allowable downtime for a process or system. It is an output of the BIA, not the prerequisite assessment itself.
A risk assessment identifies and evaluates risk in general; it is not specifically focused on the business impact and recovery needs that business continuity planning requires.
A security assessment evaluates security controls and measures rather than the business impact of disruptions, which is what business continuity planning needs.
57.
What type of testing is done to establish the extent to which a vulnerability is a risk to the organization?
- Penetration testing
- Unit testing
- Integration testing
- Acceptance testing
Correct answer: Penetration testing
Penetration testing attempts to exploit identified vulnerabilities along realistic attack vectors. Its results show whether a vulnerability is actually exploitable in the organization's environment and what an attacker could reach from it, which establishes the true extent of the risk rather than its theoretical severity.
Unit testing focuses on individual components or functions of a program to ensure they work correctly.
Integration testing examines how different components or systems work together.
Acceptance testing validates whether a system meets the specified requirements and is ready for delivery.
58.
What is the responsibility of a risk owner as it relates to risk response?
- Identify the best response to address a risk
- Delegate risk decisions to lower management
- Perform risk assessment
- Identify all potential risks and categories
Correct answer: Identify the best response to address a risk
The risk owner is tasked with making the decision of what the best response is to the risk identified. This individual must be at a level within the organization where they are authorized to make decisions on behalf of the organization. The risk owner is held accountable for these decisions.
Delegating risk decisions to lower management is incorrect because risk owners are accountable for the risk and must make informed decisions or recommendations.
Risk assessment is typically conducted by risk managers or teams responsible for identifying, analyzing, and evaluating risks.
Identifying all potential risks and categories is part of the risk identification process, which precedes the role of the risk owner in selecting the appropriate response.
59.
What is a major cause of employees inadvertently taking action and providing information that results in security breaches?
- Lack of least privilege information policy
- Strong separation of duty
- Excessive encryption
- Decreased network security
Correct answer: Lack of least privilege information policy
A least privilege policy grants employees only the minimum access and authorization to data that their job requires. This limits the data an employee can inadvertently expose or act on; without such a policy, employees hold access they do not need, and ordinary mistakes turn into security breaches.
Strong separation of duties reduces the risk of security breaches because no single employee can complete a sensitive process alone.
Encryption helps protect data; it does not cause security breaches.
Decreased network security is a failure of system management rather than an inadvertent action by employees.
60.
From an enterprise perspective, what term is used to describe "a challenge to achieving objectives"?
- Risk
- Governance
- Threat
- Vulnerability
Correct answer: Risk
Risk is a known challenge to achieving a stated outcome. In and of itself, it is not deemed to be positive or negative until analysis is complete.
Governance refers to the frameworks, policies, and processes that guide and control an organization’s operations and decision-making.
A threat is a potential event that could exploit vulnerabilities and cause harm to an organization.
A vulnerability is a weakness in a system that can be exploited by threats.