ISACA CRISC Exam Questions

Page 5 of 25

81.

As it relates to third-party risk management, if an organization is in the healthcare industry, what is a standard regulation that must be adhered to by their outsourcer?

  • HITECH

  • FERPA

  • HAZOP

  • FAIR

Correct answer: HITECH

The HITECH Act was enacted to promote the use of information technology in healthcare, specifically related to electronic healthcare records. HITECH also includes information privacy and security guidelines. If an outsourcer is managing healthcare data, they must be compliant with HITECH guidelines.

The Family Educational Rights and Privacy Act (FERPA) is a regulation that applies to educational institutions and protects the privacy of student education records. 

A hazard and operability study (HAZOP) is a systematic technique used for risk management in engineering and industrial processes, particularly in identifying potential hazards in chemical plants.

Factor Analysis of Information Risk (FAIR) is a risk management framework used to quantify information risk.

82.

What project management risk response addresses project bottlenecks?

  • Reorganizing resources

  • Reducing supplier fees

  • Doubling the time

  • Invoking change control

Correct answer: Reorganizing resources

Project bottlenecks occur when an activity is waiting for the completion of one or more others. This often happens due to resource constraints. Therefore, reorganizing resources in an optimal way addresses project bottlenecks.

Reducing supplier fees doesn't address bottlenecks directly; it's more related to cost management.

Doubling the time is not an efficient solution and doesn’t directly address the cause of the bottleneck.

Change control manages alterations to the project but doesn’t specifically focus on resolving bottlenecks.

83.

As it relates to the risk register, which metric reflects the number of times per year the risk can present itself?

  • Frequency of scenario

  • Impact level

  • Risk tolerance

  • Risk exposure

Correct answer: Frequency of scenario

Frequency of scenario is the number of times per year a risk could potentially occur. This is an important metric to understand because it informs the likelihood of the risk happening and the appropriate response options.

Impact level measures the severity or consequences of a risk if it occurs, not how often it might occur.

Risk tolerance reflects the acceptable level of risk for an organization but does not specify the frequency of risk events.

Risk exposure measures the potential impact of a risk considering its probability but does not address the frequency of occurrence.

84.

As it relates to modeling potential threats, which of the following is NOT an example of an emerging threat that should be monitored?

  • Strong system performance

  • Repeated alarms

  • Unusual activity on a system

  • Excessive log activity

Correct answer: Strong system performance

Strong system performance indicates that the system is functioning well, which is not inherently a threat. In fact, it signifies that systems are working efficiently and effectively. 

Excessive log activity can signal potential security incidents like brute force attacks or attempts to gain unauthorized access. 

Repeated alarms often indicate persistent attempts to exploit vulnerabilities or trigger security controls, pointing to a potentially ongoing threat that needs to be investigated. 

Unusual activity on a system, such as unexpected traffic patterns, unusual process behavior, or strange file changes, can indicate malicious activity.

85.

A large corporation has been hit by major attacks. They have determined that they need to add a new tool to their network, a Database Activity Monitor, as one of their actions to combat this new attack type they have experienced. 

Which step in the risk management lifecycle are they in?

  • Risk response and mitigation

  • Risk identification

  • Risk assessment

  • Risk monitoring and reporting

Correct answer: Risk response and mitigation

Once a risk has been assessed and categorized, its potential impact can be understood in more detail. At this point, risk response and mitigation activities are put in place to reduce the impact of the risk to the enterprise. This is where there are four options: risk avoidance, risk acceptance, risk transfer, and risk reduction. Adding a tool to the network is a type of risk reduction.

Risk identification is the step in which risks are recognized or identified. The risk assessment step involves evaluating the risks' likelihood and potential impact on the organization and prioritizing them based on their severity. The risk monitoring step in the risk management lifecycle involves continuously observing and analyzing the risk landscape to identify new risks and evaluate the effectiveness of implemented risk mitigation strategies.

86.

Technical complexity creates risk for an organization. Standardizing system configuration can greatly reduce complexity. 

Which of the following is NOT a configuration activity?

  • Acquiring

  • Testing

  • Implementation

  • Maintenance

Correct answer: Acquiring

System configuration has to do with the lifecycle of operating and maintaining an asset after it has been acquired. Acquiring refers to the process of obtaining systems rather than configuring them.

Testing is a configuration activity that involves verifying that the system configuration works as intended and meets specifications.

Implementation involves applying the system configuration to ensure that it is set up correctly and integrated into the environment.

Maintenance is a configuration activity related to updating and managing the system configuration over time to ensure continued functionality and security.

87.

Business continuity planning is done at the enterprise level as well as what other level?

  • By department

  • By job title

  • By continent

  • By data center

Correct answer: By department

Business continuity planning is usually divided into multiple annexes. Each annex details specific department-level processes and activities that must be carried out to continue operations.

By job title is incorrect because planning is typically broader, focusing on department or role groups rather than individual job titles.

By continent is incorrect because business continuity is not organized strictly by geographic location.

By data center is incorrect because while data centers may have disaster recovery plans, business continuity planning involves the entire organization's operations, not just IT infrastructure.

88.

Your organization wants to examine its effectiveness and efficiency in responding to risk. 

What type of review should you recommend?

  • Business process review

  • Risk tolerance review

  • Risk taxonomy review

  • Risk communication review

Correct answer: Business process review

A business process review examines in detail all the steps that an organization is taking when dealing with risks. This includes the entire end-to-end process, starting with risk identification all the way through addressing the risk and monitoring the results.

A risk tolerance review focuses on assessing the level of risk an organization is willing to accept.

A risk taxonomy review involves categorizing and classifying risks to ensure a common understanding across the organization.

A risk communication review examines how risk-related information is communicated within the organization.

89.

All EA frameworks provide structured guidance across key topics. 

Which topic provides guidance on the goals, inputs, actions, and outputs that occur in building an architecture?

  • Process

  • Documentation

  • Notation

  • Organization

Correct answer: Process

An EA framework provides a methodology or step-by-step guidance on how to build out the architecture. This includes advising on what data to collect, how it should be processed or transformed, and what the resulting artifact or deliverable is.

Documentation focuses on recording and preserving information about the architecture rather than guiding the process of its development.

Notation refers to the symbols and diagrams used to represent architectural components and relationships, but it doesn't define the process itself.

Organization deals with the structure of teams or roles in enterprise architecture but does not directly guide the steps in building it.

90.

What type of control is a safeguard?

  • Proactive

  • Reactive

  • Corrective

  • Physical

Correct answer: Proactive 

A safeguard is a proactive control: it is put in place ahead of high-risk events, which are events that could compromise the financial and operational safety of an organization.

Reactive controls respond to issues after they have occurred, rather than preventing them in advance.

Corrective controls fix problems after they have occurred, while safeguards are meant to prevent them.

Physical controls are tangible safeguards like locks or fences, but not all safeguards are physical.

91.

If an organization is global, how can the risk program be structured to handle the laws and regulations of the various jurisdictions they operate in from a single point of accountability?

  • Centralized global program

  • Decentralized regional program

  • Outsourced risk management program

  • Decentralized global program

Correct answer: Centralized global program

To drive consistency and set the expectation that risk must be managed across the enterprise, the best practice for global organizations is to centralize the risk management program at the enterprise level. Global policies can be implemented for each jurisdiction, and specific regional guidelines can be incorporated.

A decentralized regional program can suffer from a lack of a central vision for risk management.

An outsourced risk management program could stray too far from the organization's central plan.

A decentralized global program would give each branch its own authority to define its program.

92.

Which personnel role in the risk management function has detailed knowledge of specific risk areas in an organization?

  • Subject matter expert

  • Risk manager

  • Risk analyst

  • Risk executive

Correct answer: Subject matter expert

A subject matter expert has focused knowledge of, and insight into, specific areas within an organization. They understand and can identify threats and risks, and they are a very valuable resource to other members of the risk management function.

A risk manager is responsible for ensuring risk functions are carried out.

A risk analyst is responsible for analyzing, evaluating, and assessing threats.

A risk owner is accountable for making risk-based decisions.

93.

A risk practitioner has been working through the process of assessing and managing risk. What is the correct order of the IT risk management life cycle? 

  • IT risk identification, IT risk assessment, Risk response and mitigation, Risk and control monitoring and reporting

  • IT risk assessment, IT risk identification, Risk response and mitigation, Risk and control monitoring and reporting

  • IT risk identification, IT risk assessment, Risk and control monitoring and reporting, Risk response and mitigation

  • IT risk identification, Risk response and mitigation, IT risk assessment, Risk and control monitoring and reporting

Correct answer: IT risk identification, IT risk assessment, Risk response and mitigation, Risk and control monitoring and reporting

Risk management is the framework and set of ongoing activities that predicts challenges, analyzes them, and takes action to lower the chance of a risk taking place. If it does, risk management mitigates the impact.

The first step is to identify the potential IT risks the organization may face. Once risks are identified, an assessment can then be performed using quantitative and qualitative methods. Once the potential cost or the amount of damage is identified, the risk can then be mitigated. The mitigation is the response to the potential risk, and it includes the four options of risk avoidance, risk transfer, risk reduction, and risk acceptance. It is then necessary to continue monitoring the IT environment, because threats and attackers can change on a daily basis.

94.

Which of the following is NOT a risk monitoring and evaluation process?

  • Hiring the risk team

  • Collecting, validating, and evaluating business goals and metrics

  • Monitoring processes to ensure they are in compliance with established metrics

  • Providing reports that are systematic and timely

Correct answer: Hiring the risk team

Risk monitoring and evaluation are operational processes. Hiring the risk team is a step in a set of processes that take place before implementing the risk monitoring and evaluation framework.

Risk monitoring and evaluation are processes that are designed and performed to do the following: 

  • Collect, validate, and evaluate business goals and metrics
  • Monitor processes to ensure they are in compliance with established metrics
  • Provide reports that are systematic and timely

95.

What is a risk event?

  • A discrete, specific occurrence

  • An ongoing series of actions

  • A potential future event

  • A calculated risk scenario

Correct answer: A discrete, specific occurrence

A risk event is a finite and specific occurrence that could impact the organization. Risk represents uncertainty and, therefore, can present both upside and downside impact.

An ongoing series of actions is a process or a set of continuous activities rather than a single, specific occurrence.

A potential future event describes a risk that could occur; a risk event is an occurrence that does happen.

A calculated risk scenario is a hypothetical situation used in risk analysis, not an actual risk event.

96.

As it relates to risk analysis methodologies, which type of assessment leverages numerical calculations and mathematical models?

  • Quantitative

  • Qualitative

  • Anecdotal

  • Hybrid

Correct answer: Quantitative 

Quantitative risk assessment leverages scenarios that represent outcomes in numbers or monetary value. Quantitative methods are suitable for cost-benefit analysis as well as budgeting.

Qualitative assessment relies heavily on experience and expert knowledge, making it subjective.

Hybrid approaches combine qualitative and quantitative methods.

Anecdotal is not a defined type of risk assessment or risk analysis.

97.

A data analytics company has recently experienced a major system failure that resulted in significant downtime. The IT team needs to determine the maximum amount of data loss that can be tolerated before the system is restored to full functionality. 

Which recovery objective should they focus on?

  • RPO

  • RTO

  • MTBF

  • MTTF

Correct answer: RPO

The recovery point objective (RPO) is the maximum amount of data loss that can be tolerated before a system is restored. It defines how far back in time data recovery should go after a system failure, focusing on minimizing the impact of data loss on business operations.

The recovery time objective (RTO) is the maximum acceptable time it takes to restore the system to normal operations after a failure.

The mean time between failures (MTBF) measures the average time between system failures.

The mean time to failure (MTTF) is the expected lifespan of a system or component before it fails.

98.

Which threat model method depicts potential attacks on the system using a root and leaves approach?

  • Attack trees

  • Vulnerability hierarchy

  • STRIDE

  • PASTA decomposition

Correct answer: Attack trees

Attack trees are diagrams that represent potential attacks on the system in tree form. The tree root is the goal for the attack and the leaves represent the various ways to achieve the attack goal.

Vulnerability hierarchies can be used in threat modeling, but they do not use a root and leaves approach.

STRIDE is a threat modeling methodology that focuses on identifying specific types of threats.

PASTA decomposition is a threat modeling framework that uses a structured approach to identify and assess threats.

99.

As it relates to risk response, which option is the MOST appropriate when the current exposure level is deemed unacceptable by management and cannot be brought into alignment with the organization's tolerance?

  • Risk avoidance

  • Risk mitigation

  • Risk acceptance

  • Risk sharing

Correct answer: Risk avoidance

Risk avoidance is the best strategy when it is impractical or even technically impossible to bring the risk of an activity into alignment. This means exiting the activities or conditions that would create the risk in the first place.

Risk mitigation involves taking steps to reduce the likelihood or impact of a risk. 

Risk acceptance involves acknowledging the risk and deciding to retain it without taking further action, typically because it falls within the organization’s risk tolerance. 

Risk sharing involves transferring or sharing the risk with another party, such as through insurance or outsourcing.

100.

As it relates to control design and implementation, which type of control occurs the EARLIEST in an incident timeline to prevent an incident?

  • Deterrent

  • Passive

  • Corrective

  • Compensating

Correct answer: Deterrent

A deterrent control is implemented before an incident takes place. Its goal is to prevent the incident from taking place at all. Therefore, it is the earliest type of control that is implemented.

Passive controls are not intended to actively prevent incidents, but rather to observe and record information, such as logging or monitoring.

Corrective controls are implemented after an incident has occurred to mitigate the impact.

Compensating controls are alternative measures put in place to mitigate a risk when the primary control is not feasible.