ISACA CRISC Exam Questions

Page 7 of 25

121.

Which of the following is NOT a main criterion for effective control monitoring?

  • Budget

  • Reporting timeliness

  • Data analyst skill

  • Data quality

Correct answer: Budget

Budget does have an impact on an organization's ability to build a controlled environment. However, the ability to acquire and process high-quality data is the most important criterion.

Effective control monitoring requires timely reporting to ensure that issues are identified and addressed promptly. 

Data analyst skills are crucial for interpreting and analyzing data effectively.

High-quality data is essential for effective control monitoring for ensuring that controls are evaluated correctly and that any identified issues are based on solid evidence.
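Timeliness and data quality are only criteria if the monitoring pipeline actually enforces them. The following is an added example, not part of the original question bank, showing a control-monitoring routine that gates evidence records on both before it computes a control pass rate. The evidence feed, the control identifier IAM-02, the field names and the 24-hour freshness window are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed evidence feed (not from any real system): one record per
# automated check of a control, as a monitoring pipeline might receive it.
EVIDENCE = [
    {"control": "IAM-02", "checked_at": "2024-05-01T08:00:00Z", "result": "pass", "source": "idp"},
    {"control": "IAM-02", "checked_at": "2024-05-01T08:05:00Z", "result": "fail", "source": "idp"},
    {"control": "IAM-02", "checked_at": "2024-04-20T08:00:00Z", "result": "pass", "source": "idp"},  # stale
    {"control": "IAM-02", "checked_at": "2024-05-01T08:10:00Z", "result": "PASS", "source": "idp"},  # non-canonical case
    {"control": "IAM-02", "checked_at": "not-a-timestamp", "result": "pass", "source": "idp"},     # bad timestamp
    {"control": "IAM-02", "checked_at": "2024-05-01T08:15:00Z", "result": "pass"},                 # missing provenance
]

# Assumed reporting moment and freshness window for the example.
REPORT_TIME = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(hours=24)
VALID_RESULTS = {"pass", "fail"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; return None if it is unusable."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def evaluate_control(records, now, max_age):
    """Apply data-quality and timeliness gates, then compute the pass rate.

    Returns the pass rate over usable evidence plus counts of what was
    rejected and why, so the report states how much evidence backs it
    instead of silently averaging over bad or stale data.
    """
    usable, rejected, stale = [], [], 0
    for rec in records:
        ts = parse_ts(rec.get("checked_at"))
        result = str(rec.get("result", "")).lower()   # normalise case, nothing else
        if ts is None or "source" not in rec or result not in VALID_RESULTS:
            rejected.append(rec)   # data-quality gate: malformed or unattributed
            continue
        if now - ts > max_age:
            stale += 1             # timeliness gate: too old to act on
            continue
        usable.append(result == "pass")
    pass_rate = (sum(usable) / len(usable)) if usable else None
    return {
        "usable": len(usable),
        "rejected": len(rejected),
        "stale": stale,
        "pass_rate": pass_rate,
        "reportable": len(usable) > 0,
    }


if __name__ == "__main__":
    print(evaluate_control(EVIDENCE, REPORT_TIME, MAX_AGE))
```

Rejected and stale counts are reported alongside the metric on purpose: a 100% pass rate computed from one fresh record and five discarded ones is a data-quality finding, not evidence that the control is effective.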

122.

An organizational asset is something of either tangible or intangible value that is worth protecting. 

What type of asset contains detailed information about the buyers and revenue sources of an organization?

  • Customer lists

  • Industry catalogs

  • General ledger

  • Sales run books

Correct answer: Customer lists

Customer lists contain information about those who purchase products and services. This information is valuable because it typically includes buying preferences, purchase history, relationship management encounters, and sales campaign information. If this information fell into the hands of a competitor or was compromised in any way, it would be very detrimental.

Industry catalogs contain information about products or services offered within a particular industry but do not specifically provide information about an organization's buyers or revenue sources.

A general ledger is a financial record that contains all the financial transactions of an organization but does not directly contain details about buyers or customers.

Sales run books are guides or manuals that outline processes and strategies for sales teams but do not contain specific information about buyers or revenue sources.

123.

Which architecture framework was developed for civilian federal agencies?

  • FEAF

  • DODAF

  • TOGAF

  • SABSA

Correct answer: FEAF

FEAF is the Federal Enterprise Architecture Framework used by nonmilitary, civilian agencies. The purpose of FEAF is to facilitate a common taxonomy and shared development as well as common processes across federal agencies.

The Department of Defense Architecture Framework (DODAF) was developed for use by the U.S. Department of Defense, not civilian agencies.

The Open Group Architecture Framework (TOGAF) is a widely used enterprise architecture framework, but it is not specific to federal agencies and is used globally across various industries.

Sherwood Applied Business Security Architecture (SABSA) is a framework focusing on security architecture, not designed specifically for federal agencies.

124.

What technique is used by the risk practitioner to understand the difference between current state and desired end state as it relates to designing controls?

  • Gap analysis

  • Log screening

  • Root cause analysis

  • Stack ranking

Correct answer: Gap analysis

By conducting a gap analysis, the risk practitioner can identify the gap or delta between risk controls that exist currently and the intended state. Gap analysis provides a roadmap for control improvements and additions that the risk practitioner can put in place.

Log screening involves reviewing logs for anomalies or security incidents but does not focus on identifying discrepancies between current and desired states.

Root cause analysis focuses on identifying the underlying causes of problems rather than comparing current and desired states.

Stack ranking is a method used to prioritize items or individuals based on certain criteria, often related to performance or importance, but it is not used to assess differences between current and desired states in control design.

125.

Which risk assessment technique uses "what if" techniques and structured brainstorming, usually within a facilitated workshop?

  • SWIFT

  • PERT

  • GANTT

  • HAZOP

Correct answer: SWIFT

SWIFT (structured "what if" technique) uses structured brainstorming to identify risk. A facilitator works through prompt lists and guide words ("what if the supplier fails?", "what if the data is wrong?") to steer the discussion. SWIFT is typically used in conjunction with other risk analysis and evaluation techniques.

The Program Evaluation and Review Technique (PERT) is a project management tool used to plan and control large projects by analyzing the time required to complete tasks and identifying the critical path. 

A Gantt chart is a project management tool that visualizes the timeline of a project’s tasks or activities. 

A Hazard and Operability Study (HAZOP) is a risk assessment technique primarily used in industrial processes to identify hazards and operational issues.

126.

Why is it important to put a governance framework around risk management functions?

  • To align enterprise and risk strategy

  • To employ government regulators

  • To make sure there is not too much oversight

  • To drive the technology specifications

Correct answer: To align enterprise and risk strategy

Ultimately, risk management functions need to support the organization's goals and regulatory objectives. Aligning enterprise and risk strategy ensures that risk management activities are integrated into the organization's overall strategic objectives and decision-making processes. This alignment enables the organization to identify, assess, and manage risks in a manner that supports and enhances its long-term goals and objectives, contributing to improved performance and resilience.

Employing government regulators may be necessary in some industries to ensure compliance with regulations, but it is not the primary purpose of implementing a governance framework around risk management functions. 

While avoiding excessive oversight is important to prevent bureaucracy and inefficiencies, it is not the primary goal of implementing a governance framework around risk management functions. The main purpose is to establish appropriate oversight mechanisms that ensure accountability, transparency, and effective risk management practices throughout the organization. 

While technology specifications may be influenced by risk management considerations, driving technology specifications is not the primary purpose of a governance framework for risk management functions.

127.

An effective way to ensure compliance to an organization's ethics policy is to require employee attestation. 

What is the best practice for when employee ethics attestation should take place?

  • Annually

  • At the exit interview

  • During onboarding training

  • Every 5 years

Correct answer: Annually

Attestation is the process of formally certifying something. Organizations already run annual cycles for items such as compliance training, performance reviews, and data privacy acknowledgements. Adding ethics attestation to that annual cycle is an industry best practice.

Attestation at the exit interview does not help maintain ongoing compliance or reinforce ethical standards for current employees.

Attestation during onboarding does not ensure continued adherence as employees grow within the organization.

A five-year interval is too infrequent to effectively maintain ongoing awareness and compliance with the ethics policy.

128.

As barriers to entry into the computing workspace have fallen, what vulnerabilities have increased?

  • Cyber threats

  • Available training

  • Lack of risk assessments

  • Hardware availability

Correct answer: Cyber threats

As the population of consumers with computing devices has increased, the number and type of cyber threats have increased. This is because there are more virtual assets and data now available for attackers to benefit from.

Available training is not a vulnerability but a benefit to the computing workspace.

A lack of risk assessments is a failure of the organization's own structured security process, which can be applied regardless of entry barriers; it is not a vulnerability created by lower barriers to entry.

Hardware availability has increased, making computing more accessible, but this does not directly create vulnerabilities.

129.

Which risk scenario technique focuses on events that affect a large group of organizations within an entire industry?

  • Systemic

  • Repetitive

  • Contagious

  • Situational

Correct answer: Systemic

Systemic events impact a large group, such as organizations in an industry or clients of a service provider. Systemic events can be catastrophic because of their scope and duration.

A repetitive scenario focuses on risks that occur repeatedly within an organization or industry, but not necessarily affecting a large group of organizations.

A contagious scenario involves risks that spread from one entity to others. 

A situational scenario looks at risks based on specific situations or scenarios affecting particular contexts.

130.

After risk assessment is completed, what method is used to place the results in an order/sequence that can direct the risk response effort?

  • Risk ranking

  • Risk mapping

  • Risk allocation

  • Risk categorization

Correct answer: Risk ranking

Risk ranking is derived from a combination of all components of risk. This includes the characteristics and capabilities of the threat source, the severity of a vulnerability, the likelihood of attack success, and the impact. All these factors are used together to rank risk.

Risk mapping involves visually displaying risks but doesn't rank them in a specific order for response.

Risk allocation implies assigning responsibility for risks but doesn't involve sequencing them.

Risk categorization involves grouping risks into categories but doesn't prioritize them in order.

131.

Which of the following control assessments is done by individuals who interact with control operations on a regular basis as part of their job?

  • Self-assessment

  • Fire drill

  • Compliance audit

  • Due diligence

Correct answer: Self-assessment

Controls are most readily accessed and understood by the people who execute the risk control processes day to day as part of their jobs. A self-assessment is often done as a precursor to an audit.

A fire drill refers to an emergency preparedness exercise, not a control assessment.

A compliance audit is conducted by external or internal auditors, not by individuals who interact with controls regularly.

Due diligence refers to a thorough investigation performed during activities such as mergers or acquisitions.

132.

In what phase of the Systems Development Life Cycle (SDLC) is the need for a new system expressed?

  • Initiation

  • Development

  • Implementation

  • Discovery

Correct answer: Initiation

During the initiation phase, the current state is assessed. The results of that assessment determine and drive the need for a new system.

The development phase involves building the system based on requirements gathered earlier.

The implementation phase is when the system is installed and deployed. 

The discovery phase is not a formal phase in the SDLC.

133.

A food delivery company is working on a thorough review of its business processes. The team has made updates to their processes and now wants to assess the effectiveness of the updates and identify areas for improvement. They are now conducting interviews with employees and analyzing system usage data. 

Which of the following BEST describes the step in the business process review cycle that they are in?

  • Feedback and evaluation

  • Schedule and implement changes

  • Document and evaluate current business processes

  • Customer feedback

Correct answer: Feedback and evaluation 

The team's current focus on assessing the effectiveness of the updates they have made to their processes, and gathering insights through employee interviews and system usage data, is part of feedback and evaluation.

Scheduling and implementing changes has already been done in this situation, since the team has already made updates to their processes.

Customer feedback is an external input that may inform a review, but the scenario describes internal employee interviews and system usage data, not customer input.

Documenting and evaluating current business processes occurs at the beginning of the business process review.

134.

Which type of assessment looks at the impact of a data privacy event on the subject rather than the enterprise?

  • Privacy impact assessment

  • Destruction assessment

  • Minimization assessment

  • Informed consent assessment

Correct answer: Privacy impact assessment

A privacy impact assessment is concerned with when information is used, shared, and maintained. It is different from a risk assessment in that the focus is on the impact on the individual or data subject instead of the enterprise.

A destruction assessment would assess the impact and processes related to data destruction, not specifically the privacy impact on individuals.

A minimization assessment would evaluate whether data collection and use are minimized according to privacy principles, but not specifically the impact on individuals.

An informed consent assessment would examine whether individuals have given proper consent for data collection or use, but does not specifically focus on the impact of a privacy event on individuals.

135.

As it relates to risk response options, which option recognizes the existence of risk and its potential and allows the risk to remain without taking action?

  • Risk acceptance

  • Risk avoidance

  • Risk mitigation

  • Risk transfer

Correct answer: Risk acceptance

An organization can willingly allow risk to take place based upon its risk appetite and tolerance. This scenario often takes place when the organization has access to sufficient resources to absorb the cost of impact.

Risk avoidance involves eliminating the risk entirely by changing plans or strategies. 

Risk mitigation seeks to reduce the impact or likelihood of the risk through proactive measures.

Risk transfer involves shifting the risk to a third party, such as through insurance or outsourcing.

136.

What type of testing is conducted to ensure that the system meets user requirements per the stated design?

  • User acceptance testing

  • Unit testing

  • Scenario testing

  • System testing

Correct answer: User acceptance testing 

User acceptance testing is conducted by business users and other non-technical stakeholders. These individuals test the system in the context of their operational procedures.

Unit testing involves testing individual components or modules of the system in isolation to ensure they work correctly.

Scenario testing involves testing the system under various scenarios or conditions to see how it performs, but it may not specifically focus on validating user requirements against the design.

System testing involves testing the entire system as a whole to ensure that it meets the specified requirements and functions correctly.

137.

Which cloud computing essential characteristic automatically provisions computing capabilities without requiring interaction from the provider?

  • On-demand self-service

  • Resource pooling

  • Broad network access

  • Measured service

Correct answer: On-demand self-service

On-demand self-service means the consumer can unilaterally provision computing capabilities such as server time and network storage, as needed, automatically and without requiring human interaction with the service provider. (The closely related characteristic of rapid elasticity is what allows those capabilities to be scaled up and down quickly, in some cases automatically.)

Resource pooling refers to pooling computing resources to serve multiple consumers using a multi-tenant model. 

Broad network access ensures that cloud services are accessible over the network from various client devices, such as laptops, tablets, and smartphones.

Measured service automatically controls and optimizes resource use by leveraging metering capabilities, which allows users to monitor and pay for only the resources they use.

138.

Every risk should have an identified risk owner. Where is this information documented?

  • Risk register

  • Risk portfolio

  • Annual report

  • Risk shared directory

Correct answer: Risk register

The risk register is the central artifact that documents all information regarding each risk. This includes the risk owner, who is the person accountable for the final decision about how to handle the risk.

A risk portfolio refers to a collection of risks but is not commonly used to document detailed risk ownership information.

An annual report is a periodic summary that evaluates the organization's exposure to various risks and the effectiveness of its risk management over the past year; it is not the working record in which ownership of each risk is maintained.

The term risk shared directory is not a standard or widely recognized term in risk management or information technology.

139.

Which risk assessment model is a taxonomy of factors that contribute to risk but does not factor in control objective maturity?

  • FAIR

  • HARM

  • HRA

  • HAZOP

Correct answer: FAIR

Factor Analysis of Information Risk (FAIR) is a taxonomy that classifies the factors contributing to risk (loss event frequency and loss magnitude, and the factors beneath each). It is used to estimate the probable frequency and magnitude of loss events. Control effectiveness enters only indirectly, as the resistance strength a threat's capability must exceed; FAIR does not model control objective maturity.

Holistic Approach to Risk Management (HARM) accounts for loss magnitudes at a discrete level and factors in control objective maturity.

Human Reliability Analysis (HRA) focuses on assessing the likelihood of human error in complex systems.

Hazard and Operability Study (HAZOP) is used to identify hazards and operability issues in industrial processes but does not provide a taxonomy of risk factors.
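Questions 130 and 139 both come down to the same practical step: derive a risk figure from the factors in the taxonomy and then order the register by it. The following is an added example, not part of the original question bank or of any FAIR tooling, that walks FAIR's taxonomy with a small Monte Carlo simulation (Risk = LEF x LM; LEF = TEF x Vulnerability; Vulnerability = P(threat capability > resistance strength); LM = primary + secondary loss) and then ranks the scenarios by the 90th percentile of simulated annual loss. The register entries, owners, estimate ranges, the use of triangular distributions in place of the calibrated PERT-style ranges FAIR practitioners typically use, and the choice of the 90th percentile as the ranking key are all assumptions made for the example.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max range (a simplified FAIR input)."""
    low: float
    mode: float
    high: float

    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One risk-register entry expressed in FAIR terms (values constructed)."""
    name: str
    owner: str
    tef: Estimate        # threat event frequency, events per year
    tcap: Estimate       # threat capability, percentile 0-100
    rs: Estimate         # resistance strength, percentile 0-100 (where control strength enters)
    primary: Estimate    # primary loss per loss event, currency units
    secondary: Estimate  # secondary loss per loss event (fines, churn), currency units


def poisson(rng, lam):
    """Knuth's sampler: number of threat events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def vulnerability(scenario, samples=10_000, seed=1):
    """Derived vulnerability: fraction of threat events where TCap exceeds RS."""
    rng = random.Random(seed)
    hits = sum(scenario.tcap.sample(rng) > scenario.rs.sample(rng) for _ in range(samples))
    return hits / samples


def simulate(scenario, iterations=10_000, seed=1):
    """Monte Carlo over the taxonomy; returns one annual-loss figure per iteration."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        events = poisson(rng, scenario.tef.sample(rng))   # TEF for this year
        loss = 0.0
        for _ in range(events):
            # a threat event becomes a loss event only when the attacker's
            # capability exceeds the control's resistance strength
            if scenario.tcap.sample(rng) > scenario.rs.sample(rng):
                loss += scenario.primary.sample(rng) + scenario.secondary.sample(rng)
        annual_losses.append(loss)
    return annual_losses


def rank(scenarios, percentile=90, iterations=5_000):
    """Risk ranking: order register entries by a loss percentile, worst first."""
    rows = []
    for s in scenarios:
        losses = simulate(s, iterations)
        # quantiles(n=100) returns 99 cut points; index p-1 is the p-th percentile
        pct = quantiles(losses, n=100)[percentile - 1]
        rows.append({"name": s.name, "owner": s.owner, "ale_mean": mean(losses),
                     "p90": pct, "vuln": vulnerability(s)})
    return sorted(rows, key=lambda r: r["p90"], reverse=True)


# Constructed register (assumed values, not from any real organization).
REGISTER = [
    Scenario("Ransomware on file servers", "Head of Infrastructure",
             tef=Estimate(0.5, 2, 6), tcap=Estimate(40, 70, 95), rs=Estimate(50, 65, 80),
             primary=Estimate(50_000, 200_000, 800_000), secondary=Estimate(0, 50_000, 400_000)),
    Scenario("Insider export of customer list", "VP Sales",
             tef=Estimate(0.1, 0.5, 2), tcap=Estimate(60, 80, 95), rs=Estimate(20, 40, 60),
             primary=Estimate(10_000, 100_000, 500_000), secondary=Estimate(20_000, 250_000, 2_000_000)),
    Scenario("DDoS on public site", "Head of Platform",
             tef=Estimate(2, 6, 15), tcap=Estimate(30, 50, 80), rs=Estimate(70, 85, 95),
             primary=Estimate(1_000, 10_000, 60_000), secondary=Estimate(0, 5_000, 50_000)),
]

if __name__ == "__main__":
    for row in rank(REGISTER):
        print(f'{row["name"]:<36} owner={row["owner"]:<22} '
              f'vuln={row["vuln"]:.2f} ALE={row["ale_mean"]:,.0f} p90={row["p90"]:,.0f}')
```

Ranking on a high percentile rather than the mean keeps low-frequency, high-magnitude scenarios (the insider export here) from being buried under frequent but cheap ones (the DDoS), which is the ordering a risk response effort usually needs. Note where controls appear: improving a control raises the resistance strength range and lowers the derived vulnerability, but nothing in the taxonomy records how mature the control's objective is.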

140.

Your organization wishes to present its risk control data sequentially and in real-time with distinct indicators for each item. 

Which control reporting technique is MOST appropriate?

  • Dashboard

  • Sensitivity vector

  • Scorecard

  • Scatter plot

Correct answer: Dashboard

A dashboard is a visual way of representing data. It provides at-a-glance views of key information that the users most often want to see.

Sensitivity vectors are techniques related to analyzing the impact of changes in variables, not for real-time sequential presentation of control data.

Scorecards present data with distinct indicators but are often used for periodic reviews rather than real-time monitoring.

Scatter plots are used to display relationships between two variables, not for real-time sequential reporting of control data.