ISACA CRISC Exam Questions
101. As it relates to control design and implementation, what type of control can remediate and fix an issue or omission caused by a risk event?
- Corrective
- Compensating
- Detective
- Preventive
Correct answer: Corrective
A corrective control fixes the issue once it has been detected. Corrective controls typically have built-in logic that allows them to act upon the system or environment to make the corrections.
Detective controls are designed to identify and detect errors, irregularities, or incidents after they occur. They provide alerts or logs for further investigation and response but do not directly fix or remediate issues.
Preventive controls are designed to stop errors or incidents from occurring. They minimize the likelihood of risk events by proactively safeguarding systems.
Compensating controls are alternative measures designed to achieve the same security objective as a primary control that may not be feasible or practical in a given situation. They are not intended to fix an issue after it is detected like a corrective control.
102. What is the function and role of business continuity?
- Enable an enterprise to survive during an adverse event
- Enable an enterprise to function after a merger
- Enable an enterprise to return to normal IT operations after an incident
- Enable an enterprise to revert to an earlier system after a failed upgrade
Correct answer: Enable an enterprise to survive during an adverse event
Business continuity is defined as the uninterrupted operations of an organization. The business continuity function is responsible for developing and testing plans to simulate business and external events that could interrupt business operations. For example, if a natural disaster occurs and takes out a data center, business continuity ensures that the business is able to continue normal operations out of an alternate facility.
Enabling an enterprise to function after a merger is an issue related to change management and integration planning.
Enabling an enterprise to return to normal operations after an incident is an issue related to disaster recovery.
Enabling an enterprise to revert to an earlier system after a failed upgrade is an issue related to change management.
103. In simple terms, how is risk defined in ERM?
- As a challenge to achieving objectives
- As a magnitude of loss resulting from a threat exploiting a vulnerability
- As a method to achieving objectives
- As an imminent violation of computer security policies
Correct answer: As a challenge to achieving objectives
Risk represents uncertainty and unknowns. Because the path to completion is not clear, risk creates a challenge to achieving objectives. Risk is not necessarily bad: it is defined as a challenge and an unknown, which can ultimately turn into an enabler.
Impact is a magnitude of loss resulting from a threat exploiting a vulnerability.
Governance is a method to achieving objectives.
An incident is a violation or imminent violation of computer security policies.
104. An IT company is in the process of developing a new cloud-based solution to expand its service offerings. The project involves significant investment in new software and hardware. To ensure the successful creation and integration of these resources, the company focuses on managing all activities related to system development, procurement of IT solutions, and ensuring that they are properly enacted.
Which IT-related capability risk factor BEST describes these activities?
- Build, acquire, and implement (BAI)
- Monitor, evaluate, and assess (MEA)
- Deliver, service, and support (DSS)
- Evaluate, direct, and monitor (EDM)
Correct answer: Build, acquire, and implement (BAI)
Build, acquire, and implement (BAI) refers to the ability of an organization to develop, acquire, and implement new technologies and solutions. This is the risk factor that the company is assessing in this scenario.
Evaluate, direct, and monitor (EDM) refers to the ability of an organization to effectively manage and oversee its IT operations.
Deliver, service, and support (DSS) refers to the ability of an organization to provide effective IT services and support to its users.
Monitor, evaluate, and assess (MEA) refers to the ability of an organization to monitor and assess its IT performance and security.
105. Risk practitioners have to be aware that data protection applies to all formats.
Which of the following represents a non-structured electronic data format?
- Audio broadcast
- Paper report
- Payroll data
- Online forms
Correct answer: Audio broadcast
An audio broadcast consists of electronic data that transmits voice. Voice is unstructured data, meaning its size and volume are indeterminate and cannot always be predicted.
A paper report is a physical format and not electronic.
Payroll data exists in structured formats like spreadsheets or databases, which are organized and easy to analyze.
Online forms are structured electronic formats, as they require specific fields for data input and are organized in a systematic way.
106. Which of the following is a best practice for effective project management?
- Proper definition of the project at its inception
- Loose definition of the project at its inception
- Delayed definition of the project for as long as possible
- No final definition of the project until it is complete
Correct answer: Proper definition of the project at its inception
During a project's inception, budget and resources are planned. To effectively manage a project, its definition must be firmly established upfront. It helps ensure that all stakeholders have a shared understanding of the project's goals and expectations, reduces ambiguity, and minimizes the risk of scope creep or misunderstandings as the project progresses.
A loose definition of the project at its inception introduces ambiguity and uncertainty, making it difficult for stakeholders to align on project goals and expectations. This can lead to misunderstandings, delays, and increased risk of project failure.
Delaying the definition of the project prolongs uncertainty and can lead to inefficiencies and confusion among team members and stakeholders. It hampers effective planning, resource allocation, and decision-making, which are essential for successful project execution.
Waiting until the project is complete to define it means operating without clear objectives or direction throughout the project lifecycle. This approach increases the likelihood of missed deadlines, budget overruns, and dissatisfaction among stakeholders, as it does not provide a clear roadmap for project execution and success.
107. Which metric can be used to help a business understand how risk is being handled in relationship to the pursuit of the enterprise’s objectives?
- Key Performance Indicators (KPIs)
- Key Risk Indicators (KRIs)
- Key Control Indicators (KCIs)
- Key Goal Indicators (KGIs)
Correct answer: Key Performance Indicators (KPIs)
Key Performance Indicators (KPIs) measure performance against a specific objective. KPIs are used to establish a baseline for a risk management program. If a KPI exceeds or falls below its threshold, the risk practitioner and team are notified to investigate and take action.
Key Risk Indicators (KRIs) are used to measure where the current risk levels are in comparison to the thresholds that have been defined by the business.
Key Control Indicators (KCIs) help to reveal how effectively specific controls are functioning. For example, how many phishing emails were not captured and blocked by the malware filter?
Key Goal Indicators (KGIs) measure if a business is meeting its desired goals; the KPIs measure the level of performance toward that goal. For example, if you have the goal of achieving your CRISC designation, passing the exam can be your KGI, and your scores on practice tests as you work through the material are your KPIs.
108. Which activity should a risk practitioner perform during the Systems Development Life Cycle (SDLC) to understand the data confidentiality requirements?
- Security categorization
- Business impact assessment
- Service level agreement
- Operational integrity assessment
Correct answer: Security categorization
A security categorization identifies and groups the required security for the enterprise data. This should be done during the SDLC to put proactive security measures in place to mitigate risk.
A business impact assessment focuses on evaluating the potential effects of disruptions on business operations, not specifically on data confidentiality.
A service level agreement defines the expected service levels and performance metrics but does not address data confidentiality requirements.
An operational integrity assessment ensures that systems operate correctly and reliably but does not specifically focus on data confidentiality.
109. As it relates to risk ownership, which of the following attributes must a risk owner have to be effective and accountable?
- Authority
- Operational experience
- Certifications
- Seniority
Correct answer: Authority
The risk owner must have the authority to exercise the full scope of ownership responsibility. This includes budget, authority, and a mandate to select an appropriate risk response based upon analysis and guidance provided by the risk practitioner.
Operational experience may be valuable but does not ensure the ability to manage risk without proper authority.
Certifications can enhance a risk owner's credibility, but they do not replace the need for authority to manage and control risks effectively.
Seniority on its own does not guarantee effectiveness in risk management; having the appropriate authority is more critical for accountability and decision-making.
110. Which cloud computing model allows the organization to deploy and run their own computing resources, such as servers, storage, and networking components?
- IaaS
- PaaS
- SaaS
- DBaaS
Correct answer: IaaS
Infrastructure as a Service (IaaS) allows organizations to provision their own processing, storage, network, and other computing resources. Organizations deploy and run their own software on that infrastructure and are completely responsible for it.
Platform as a Service (PaaS) provides a platform that allows developers to build, deploy, and manage applications without worrying about the underlying infrastructure.
Software as a Service (SaaS) delivers software applications over the internet, typically on a subscription basis.
Database as a Service (DBaaS) provides organizations with access to database services without needing to manage the underlying infrastructure or database software.
111. Which of the following organizational attributes signifies a risk culture that is reactive?
- Superficial incident investigation
- Legal compliance
- Regularly scheduled lessons learned
- Active monitoring and reporting
Correct answer: Superficial incident investigation
Organizations that are reactive have minimal risk processes. They have not embraced risk management as the central part of their business operations or invested in it. Consequently, their approach to risk is high level and typically not proactive.
A compliance-driven culture focuses on legal compliance.
A proactive culture has regularly scheduled lessons learned.
A resilient culture has active monitoring and reporting.
112. What do current threat actors view as the weakest link in the information security foundation of modern enterprise?
- End users
- Third-party vendors
- Mobile devices
- Social media platforms
Correct answer: End users
Current threat actors often view end users as the weakest link in the information security foundation of modern enterprises. End users, including employees, customers, and other individuals interacting with enterprise systems, often lack the same level of awareness, training, and understanding of security best practices. They may inadvertently engage in risky behaviors, such as clicking on malicious links in phishing emails or sharing sensitive information, making them more susceptible to exploitation by threat actors.
While third-party vendors can introduce security risks through their access to systems or handling of sensitive data, they are not always the weakest link. Many organizations have rigorous vendor management programs and security controls in place to mitigate these risks.
Mobile devices, including smartphones and tablets, are a common target for cyberattacks, but they are not universally viewed as the weakest link in the information security foundation of modern enterprises.
Social media platforms can be used by threat actors as a vector for social engineering attacks, phishing campaigns, and the dissemination of malware. However, while social media platforms can pose security risks to organizations, they are not typically viewed as the weakest link; rather, it is the end users who interact with social media platforms who may be targeted by such attacks.
113. As it relates to control design gap analysis, what internal tool can the risk practitioner use to examine actual risk events that have taken place in the organization?
- Incident reports
- Third-party audits
- Performance reports
- User access logs
Correct answer: Incident reports
An organization's incident report system tracks risk incidents that have occurred. The information captured is event date and time, type, impact, and resolution. This information provides detailed insight into how to improve existing controls and design new controls.
Third-party audits focus on external evaluations of compliance and performance rather than capturing internal risk incidents.
Performance reports focus on employee or department performance, not risk events.
User access logs are logs of user activities but do not provide a full picture of risk events.
114. As it relates to third-party risk management, the outsourcing organization is responsible for ensuring that adequate data security controls and processes are in place. This is accomplished by writing requirements into the outsourcing contract.
Which of the following is NOT one of the recommended ways to ensure that the mechanisms are followed after the contract has been executed?
- Take the outsourcer's word
- Audit the processes of the outsourcer supplier
- Obtain an attestation from external auditors
- Engage with an independent reviewer
Correct answer: Take the outsourcer's word
To verify that data security controls and processes are in place, the best practice is to either audit the outsourcer or engage an independent reviewer. This will ensure that an objective review is done, and if it is conducted periodically, it is done consistently. Trusting the outsourcer's self-assessment without objective evidence or validation undermines the effectiveness of third-party risk management efforts.
Conducting audits of the processes of the outsourcer supplier allows the outsourcing organization to verify compliance with agreed-upon data security controls and processes.
Obtaining an attestation from external auditors provides independent verification of the outsourcer's compliance with data security controls and processes.
Engaging with an independent reviewer, such as a third-party risk management firm or consultant, allows the outsourcing organization to obtain unbiased assessments of the outsourcer's data security controls and processes.
115. Which characteristic of an IT risk management program means that it can be reviewed by an independent third party?
- Auditable
- Justifiable
- Complete
- Enforced
Correct answer: Auditable
An auditable risk management program has thorough and transparent documentation. This allows auditors to understand how the program is constructed, examine how risk is managed in the organization, and evaluate the effectiveness of the overall program.
While it's important for risk management decisions to be justifiable, meaning they are based on sound reasoning and analysis, this does not necessarily imply that the program is reviewable by an independent third party.
While completeness is essential for the effectiveness of the risk management program, it does not directly relate to whether the program is reviewable by an independent third party.
Enforcing policies and procedures alone does not guarantee that the risk management program is reviewable by an independent third party.
116. Using the RACI model, which role identifies the individual who is liable for the completion of a risk management task?
- Accountable
- Consulted
- Informed
- Responsible
Correct answer: Accountable
Individuals who are accountable are liable for the completion of the task. They oversee and manage individuals who are responsible for performing the task. However, ultimately, it is their accountability that ensures that the tasks are done well and according to specifications.
Consulted parties are those whose opinions are sought, typically subject matter experts.
Informed parties are those who are kept up-to-date on progress, often only on the completion of the task or deliverables, and with whom there is just one-way communication.
Responsible parties refer to the person or team members who actually do the work to achieve the task or deliverable but are not ultimately liable for it.
117. What type of testing begins with expectations and looks for flaws?
- Progressive
- Regressive
- Unit
- Fuzz
Correct answer: Progressive
Progressive testing seeks to execute multiple test plans with the goal of finding defects and potential risks. As such, progressive testing is very comprehensive and involves many use cases.
Regressive testing is a method focused on ensuring new changes do not disrupt existing functionalities.
Unit testing focuses on testing individual components or units of a system in isolation.
Fuzz testing is a type of black-box testing that involves feeding random data into a system to identify vulnerabilities or crashes.
118. Which personnel role in the risk management function has the authority and accountability for making risk-based decisions?
- Risk owner
- Risk analyst
- Risk manager
- Subject matter expert
Correct answer: Risk owner
The risk owner is the individual the enterprise has given the authority and accountability for making risk-based decisions. This individual also owns the loss that would be associated with a realized risk scenario.
A risk analyst is responsible for analyzing risks and providing insights to support decision-making, but they do not have the authority to make final decisions.
A risk manager oversees the overall risk management process, but may not have the authority to make final decisions.
A subject matter expert provides specialized knowledge and advice on particular aspects of risk, but they do not usually have the authority to make risk-based decisions.
119. As it relates to risk management, what is the broad definition of an asset?
- Something worth protecting
- A tangible object with value
- The assessed value of all IT resources
- Something that is a liability to an organization
Correct answer: Something worth protecting
An asset, in the context of risk management, broadly refers to anything of value to an organization that requires protection. This includes both tangible and intangible items, such as physical equipment, intellectual property, market reputation, financial assets, and data.
Assets can be tangible as well as intangible.
Assets include more than just IT resources.
Something that is a liability to an organization is a debt.
120. A pharmaceutical company has identified several potential security risks that could impact its operations. Now, the management team needs to decide which risks require immediate action, which can be tolerated, and which should be prioritized.
What phase of the information security risk management process is the company currently in?
- Risk evaluation
- Risk analysis
- Risk treatment
- Risk acceptance
Correct answer: Risk evaluation
The company is in the risk evaluation phase, where it determines the acceptability of the identified risks, prioritizes them, and decides on the appropriate course of action for each.
Risk analysis involves assessing the likelihood and impact of identified risks, which is a step that precedes risk evaluation.
Risk treatment refers to the process of implementing strategies to handle risks, such as mitigating, transferring, or avoiding them.
Risk acceptance is the decision to tolerate a risk without taking any further action.