ISACA CRISC Exam Questions


61.

What type of control is designed to prevent an incident before it occurs?

  • Preventive

  • Detective

  • Corrective

  • Compensating

Correct answer: Preventive 

Preventive controls proactively identify and reduce potential risks by implementing measures that stop incidents from occurring, making them the appropriate response for incident prevention.

Detective controls are designed to identify and detect incidents after they occur rather than preventing them. 

Corrective controls focus on addressing and remedying incidents post-occurrence to restore normal operations. 

Compensating controls are not suitable because they provide alternative measures when primary controls are inadequate but do not specifically prevent incidents before they happen.

62.

Which of the following is NOT a risk factor in using a phased changeover approach?

  • Project ending early

  • Maintaining two sets of infrastructure

  • Managing data consistency

  • Monitoring two systems

Correct answer: Project ending early 

A phased changeover approach runs both the old and new systems at the same time. As each component is tested and deemed reliable and stable, it is placed into production and the corresponding old component is decommissioned. Running two systems simultaneously requires extra maintenance time, and project overruns are common; a project ending early is therefore not a typical risk of this approach.

Phased changeover requires running both the old and new systems in parallel for a period, increasing complexity and costs.

Ensuring data remains consistent between the old and new systems is critical and can be difficult to manage during a phased changeover.

With both systems active, the organization needs to monitor both, which increases the workload and introduces potential risks related to missed issues.

63.

What type of risk response BEST describes the scenario in which an organization implements a disaster recovery plan?

  • Risk mitigation

  • Risk acknowledgment

  • Risk acceptance

  • Risk avoidance

Correct answer: Risk mitigation

Risk mitigation refers to actions that the organization takes to reduce risk. By putting a disaster recovery plan in place, the organization acknowledges that there is a likelihood such an event could take place. The disaster recovery plan seeks to lessen the impact.

Risk acknowledgment involves recognizing the existence of a risk but not taking any specific action to address it. 

Risk acceptance means that the organization acknowledges the risk but decides to take no action to mitigate it, while implementing a disaster recovery plan is an active response to reduce the potential impact, not a passive acceptance of the risk.

Risk avoidance involves taking actions to completely eliminate a risk or avoid its occurrence.

64.

A risk practitioner is examining a security information and event management tool. What source for threat information are they analyzing?

  • Logs

  • Media reports

  • Interviews

  • Self-assessments

Correct answer: Logs

A security information and event management (SIEM) tool collects and analyzes logs from various sources, such as servers and firewalls. These logs provide critical information about security events.

Media reports can provide general information about security incidents or trends but are not specific to the organization's internal systems.

Interviews may offer insights into perceived risks or vulnerabilities but are not a source of real-time threat data.

Self-assessments involve evaluating an organization’s security posture or compliance rather than analyzing event data.

65.

In your data environment, the range of valid values is extremely broad and only a few known values should be prohibited. 

What data protection approach is appropriate?

  • Blacklist

  • Whitelist

  • Null list

  • Default list

Correct answer: Blacklist

The blacklist approach to data protection enumerates the values that must not be allowed into the organization, which fits a scenario where the valid range is broad and only a few known values need to be prohibited. A blacklist is challenging to maintain because the number of potentially harmful inputs keeps growing.

A whitelist specifies which values are allowed, blocking everything else, which is not suitable for this scenario.

A null list is not a recognized data protection approach and doesn't apply to this scenario.

A default list does not fit the context of restricting or allowing specific values.

66.

What emerging trend in technology has to do with the analysis of vast amounts of raw input?

  • Big data

  • BYOD

  • IoT

  • Deepfaking

Correct answer: Big data

Big data refers to technology for storing and analyzing data characterized by the four Vs: Volume, Variety, Velocity, and Veracity. The decreasing cost of technology and increasing storage capacity have allowed enormous amounts of data to be stored and processed for analytics and business intelligence.

BYOD, which stands for Bring Your Own Device, is related to personal devices being used for business use. 

IoT, or Internet of Things, refers to internet-connected products such as smart televisions or smart refrigerators. 

A deepfake is a video of an individual in which their face or body has been altered digitally to appear to be someone else, typically used to spread false information.

67.

As it relates to third-party risk management, what framework defines the relationship between an outsourcing provider and the enterprise?

  • Contract

  • Indemnity clause

  • Memorandum of understanding

  • Appendix schedule

Correct answer: Contract

A contract is a legally binding document that defines the relationship between an outsourcing provider and the enterprise. It outlines the terms, conditions, roles, and responsibilities of both parties involved in the outsourcing arrangement. The contract sets the foundation for third-party risk management by clearly defining expectations and how risks should be managed.

An indemnity clause is a provision within the contract that requires one party to compensate the other for specific damages or losses. 

A memorandum of understanding is a preliminary agreement that lacks the binding legal authority of a contract.

An appendix schedule is an additional document attached to the main contract, providing further details about specific terms, SLAs, or deliverables.

68.

What is the common susceptibility that heat maps and scorecards share when it comes to reporting on risk controls?

  • Biases in data

  • Unavailable data sources

  • Lack of data analyst skills

  • Complex calculations

Correct answer: Biases in data

Heat maps and scorecards both rely on qualitative data. Qualitative data inherently has biases that must be taken into consideration when used for decision-making.

Unavailable data sources can be an issue, but they are not specific to heat maps and scorecards; that is a broader problem affecting any reporting method.

Lack of data analyst skills could affect any type of data reporting or analysis but is not a common susceptibility inherent to heat maps and scorecards.

Complex calculations are not a common issue for these tools because heat maps and scorecards typically aim to simplify the presentation of data and risk controls.

69.

Key risk indicators support numerous aspects of risk management. Which aspect has to do with meeting legal requirements?

  • Regulatory compliance

  • Risk measurement

  • Risk culture

  • Risk governance

Correct answer: Regulatory compliance

Many organizations are governed by regulatory, industry, or government guidelines. Regulatory compliance seeks to align the risk control program with these guidelines as it is developed.

Risk measurement is about quantifying risks, not about meeting legal requirements.

Risk culture refers to how an organization approaches risk, but it doesn't specifically address legal compliance.

Risk governance involves the overall framework and processes for managing risk but is not focused solely on meeting legal requirements.

70.

A company is conducting a comprehensive review of its risk management practices. They want to understand the overall level of risk the organization is currently exposed to, including the types of risks, their likelihood, and potential impact. 

What are they trying to define?

  • Risk profile

  • Risk appetite

  • Risk posture

  • Risk capacity

Correct answer: Risk profile

A risk profile is a comprehensive assessment of an organization's risk exposure, including the types of risks, their likelihood, and potential impact. It helps an organization understand its risk exposure and make informed decisions.

Risk appetite is the level of risk an organization is willing to accept.

Risk posture is the current state of an organization's risk management practices.

Risk capacity is the maximum amount of risk an organization can absorb without facing financial distress.

71.

As it relates to control design, what type of control decreases the impact of risk when detected?

  • Corrective

  • Expansive

  • Decisive

  • Passive

Correct answer: Corrective

A corrective control acts on a risk incident once it has been detected. Its goal is to lessen the impact.

Expansive, decisive, and passive are not risk control types.

72.

An organizational asset is something of either tangible or intangible value that is worth protecting. 

What type of asset represents all the equipment, devices, and systems components that are the critical foundation for an organization to deliver sustained performance?

  • Technology

  • Software

  • Data

  • Network

Correct answer: Technology

Technology is a broad asset that includes hardware and software. This includes equipment that is critical to running the business but is not computer-related. For technology to be most effective, it must be maintained, patched and upgraded, refreshed, and well-documented. Not staying on top of these requirements introduces risk.

Software does not include the physical component.

Data represents information but is not tied to equipment or devices.

Network involves the infrastructure for communications but is a subset of technology.

73.

What is the major goal of security awareness and training programs?

  • Make humans resilient to threat actor tactics

  • Follow corporate guidelines

  • Write detailed security reports

  • Design secure networks

Correct answer: Make humans resilient to threat actor tactics

Security awareness and training programs expand users' knowledge of potential threats and explain the measures users can take to reduce risk. Knowing how to prevent attacks in the first place makes users more resilient.

Simply following guidelines is not the core goal.

Writing reports is more about documentation, not awareness and resilience.

Network design is for IT specialists, whereas awareness programs focus on everyday user behavior.

74.

Which of the following is NOT considered to be a form of project failure?

  • Under budget

  • Unexpected cancellation

  • Non-delivery of outcomes

  • Lack of expected value

Correct answer: Under budget 

One of the completion metrics for a project is compliance with its budget. Coming in under budget is considered a project success, provided the deliverables were completed as well.

A project that is canceled unexpectedly is a clear form of failure as it does not reach completion.

If the project does not deliver the intended results or products, it is considered a failure.

If a project is completed but does not provide the expected benefits or value, it can be considered a failure.

75.

Which state in the United States enacted a privacy law similar in intent to GDPR?

  • California

  • New York

  • Florida

  • Texas

Correct answer: California

California enacted a consumer privacy law, the California Privacy Rights Act (CPRA). It permits consumers to prevent businesses from sharing their personal information.

While New York has privacy-related laws, it has not enacted one as comprehensive as California's CPRA.

Florida has some privacy protections, but not at the same level as California’s CPRA.

Texas has privacy laws like the Texas Privacy Protection Act, but it is not as extensive or similar to GDPR as California's CPRA.

76.

If the control fails to meet a business requirement or is poorly implemented, what is a potential risk event that could occur?

  • Security breach

  • Financial overrun

  • End-user unhappiness

  • Compromised brand

Correct answer: Security breach 

Controls are intended to prevent threats from materializing by monitoring and acting upon indicators that a risk event may take place. A poorly implemented control can actually increase the likelihood of a risk event such as a security breach.

Financial overrun refers to exceeding budget limits, which is usually a result of poor financial management rather than a control failure.

End-user unhappiness could result from various operational failures; it is not a major risk event tied directly to poor control implementation unless the failure directly impacts user experience.

A compromised brand can be the result of a security breach, but it is not the direct risk event.

77.

A consumer goods company is experiencing data quality issues in a customer database. They have noticed that there are several records with invalid age values, such as negative ages or ages greater than 150. 

Which data validation technique could be used to prevent such errors in the future?

  • Range checks

  • Format checks

  • Special character checks

  • Likelihood checks

Correct answer: Range checks

Range checks are used to verify that a data value falls within a specified range. In this case, the range for age values could be set from 0 to 150. By implementing range checks, the system can prevent the entry of invalid age values that are outside the expected range.

Format checks are used to verify that data is entered in the correct format, such as a date, time, or number.

Special character checks are used to verify that data does not contain any prohibited characters, such as symbols or special characters.

Likelihood checks are not a standard data validation technique; likelihood is a statistical concept used to assess the probability that data has a certain property.

78.

What project management risk response ensures optimal resource utilization?

  • Prioritizing critical tasks

  • Cutting back on resources

  • Doubling up on project managers

  • Reducing supplier fees

Correct answer: Prioritizing critical tasks

By prioritizing critical tasks, resources are directed to the activities that are critical and deliver the most value. This increases the likelihood of successful project completion.

Cutting back on resources can lead to under-resourcing key areas, which may negatively impact project quality and timelines rather than optimizing utilization.

Doubling up on project managers can lead to confusion and redundancy in leadership, ultimately wasting resources instead of utilizing them optimally.

Reducing supplier fees might save costs but does not directly address how resources are utilized within the project.

79.

The goal of a business continuity plan is to provide a sufficient level of operating functionality. 

Which of the following alternate recovery processes is an option if a data center is completely destroyed?

  • Alternate facilities

  • Temporary staff

  • Outsourced support

  • Cloud storage

Correct answer: Alternate facilities

During business continuity planning, the organization should identify physical locations that could be used to run business operations in the event its own facilities are inoperable. Details such as space, capacity, and power are documented in the business continuity plan.

Adding temporary staff would not resolve the need for a functioning data center.

Outsourcing support might help with certain functions, but it would not be a direct solution for the destruction of the entire data center, as the core infrastructure still needs to be restored.

Cloud storage can help recover data, but it doesn’t provide an immediate recovery location or infrastructure for running the systems.

80.

Which of the following is NOT part of an effective change control model?

  • Stakeholders do not need to be advised

  • The change request includes test, implementation, and rollback plans

  • The change is formally requested in documentation

  • Changes can be scheduled at times that are convenient for the IT department

Correct answer: Stakeholders do not need to be advised

In an effective change control model, changes are sent to the change advisory board ahead of time. This is a group of stakeholders who will review and approve changes.

The change request, including test, implementation, and rollback plans, ensures that risk is reduced.

Formal documentation is critical for tracking, transparency, and accountability in the change control process.

Scheduling changes at the IT department's discretion is part of an effective model because it allows changes to be implemented at convenient times.