ISACA CRISC Exam Questions

Page 2 of 25

21.

A network in a telecommunication company's research and development department needs to be high-speed without the use of switching. Furthermore, it needs to avoid single points of failure with the minimum amount of cabling. 

Which network topology would be the BEST solution to implement?

  • Ring

  • Bus

  • Star

  • Mesh

Correct answer: Ring

Ring topology has all devices connected in a circular fashion. This topology is ideal for high-speed communication without the use of switching, as each device can transmit directly to the next device.

Mesh topology requires a large amount of cabling and is complex to manage.

Bus topology is prone to single points of failure and is not suitable for high-speed communication.

Star topology requires a central switch.

22.

Which category of risk control is related to securing or preventing access to facilities or devices?

  • Physical

  • Technical

  • Administrative

  • Corrective

Correct answer: Physical 

Physical controls restrict access to devices, rooms, and facilities. Physical controls are often referred to as the first line of controls.

Technical controls use technology to mitigate vulnerabilities, including hardware and software solutions like firewalls and encryption. 

Administrative controls consist of policies, procedures, and guidelines to manage people's behavior and operations within an organization. 

Corrective controls are measures taken to restore systems to their normal status following an incident or breach.

23.

With whom does the ultimate decision on risk response lie within an organization?

  • Risk owner

  • Risk steward

  • Risk practitioner

  • Risk manager

Correct answer: Risk owner 

The risk owner manages the risk life cycle: identification, assessment, analysis, and response determination. This individual owns the accountability for risk in the organization and its impacts.

A risk steward is involved in overseeing risk management activities and ensuring that the risk management processes are followed.

A risk practitioner conducts risk assessments, advises on risk management strategies, and implements controls.

A risk manager is responsible for coordinating and overseeing the risk management process across the organization.

24.

Which of the following is NOT a minimum requirement that a security awareness and training program should address?

  • How to reduce security implementation costs

  • Threats from social engineering

  • Methods of alerting internal security teams

  • Mandatory regulatory requirements

Correct answer: How to reduce security implementation costs

A security awareness and training program is intended to educate users on the array of potential attacks and how to proactively prevent them. Expense management is not in the scope of this training.

Understanding social engineering is crucial, as it is a common tactic used by attackers to manipulate individuals into giving away sensitive information.

Training employees on how to report security incidents is essential for quick response and mitigation.

Compliance with laws and regulations is a key aspect that organizations need to train their staff on to avoid legal repercussions.

25.

What is the MAIN focus of a high-level risk policy versus a functional risk policy?

  • To determine the approach of the enterprise toward risk management

  • To establish specific risk category classifications

  • To set guidelines related to the acceptable use of organizational resources

  • To outline detailed steps necessary to carry out the day-to-day risk management activities 

Correct answer: To determine the approach of the enterprise toward risk management

High-level risk policies establish overarching principles, objectives, and strategic direction for risk management across the organization. They outline the enterprise's overall risk appetite, tolerance, and desired risk management culture. These policies provide guidance on how risk should be identified, assessed, mitigated, and monitored at a broad organizational level. 

Specific risk category classifications are more detailed and are typically found in functional risk policies.

Acceptable use of organizational resources is usually covered in separate policies, such as IT usage or security policies.

Day-to-day risk management activities are outlined in operational procedures and guidelines, not high-level policies.

26.

Data is created in two ways. The first method is original collection. What is the second method?

  • Synthesis

  • Archival

  • Permutation

  • Demarcation

Correct answer: Synthesis

Existing data can be merged and combined with each other to create new data entities.

Archival refers to the process of storing data for long-term retention and does not represent a method of creating new data.

Permutation relates to rearranging existing data elements but does not imply the generation of new data or information.

Demarcation refers to the act of setting boundaries or limits, which does not pertain to data creation methods.

27.

During a risk management business process review, it is important to classify processes by criticality. What additional information do you need to gather for each process?

  • Process responsibility and accountability

  • Process duration

  • Process cost

  • Process transfer time

Correct answer: Process responsibility and accountability

In addition to understanding what risk management processes are implemented, it is equally important to identify who is establishing those processes and who is executing them. The reason for gathering this additional level of information is to ensure that the right people (those with the appropriate subject matter expertise and organizational role) are assigned to the processes.

The important element to note here is that the question is asking about a risk management review. Process duration, cost, and possible transfer time are less critical subtopics that can be discussed, but they would be discussed with the person who is responsible and the person who is accountable.

28.

Which of the following is a form of risk transfer?

  • Outsourcing

  • Self-insurance

  • Risk acceptance

  • Business continuity

Correct answer: Outsourcing

Outsourcing leverages third-party providers to execute tasks on behalf of the organization. It is a form of risk transfer in that the outsourcer is responsible for managing risks for the tasks they are contracted to take care of.

Self-insurance is a form of risk retention, where the company sets aside its own funds to cover potential losses, not a transfer of risk to another party.

Risk acceptance is when an organization chooses to bear the risk without taking steps to transfer it to others.

Business continuity involves planning for recovery after an incident, but it does not transfer the risk to another party.

29.

An organization is going to use a third party to conduct a penetration test. What type of contract should the third party sign to protect the organization's intellectual property?

  • NDA

  • FAIR

  • SLA

  • HAZOP

Correct answer: NDA 

A Non-Disclosure Agreement (NDA) ensures that employees of the outsourcer or third-party firm cannot disclose any information about the organization they are working for. Many times, outsourcers are doing work for multiple clients within the same industry. Therefore, this is an important agreement to put in place to ensure confidentiality.

Factor Analysis of Information Risk (FAIR) is a framework for understanding, analyzing, and quantifying information risk in financial terms and is not related to protecting intellectual property.

A Service Level Agreement (SLA) is a contractual agreement between a service provider and a customer that outlines the level of service expected, including performance metrics, responsibilities, and guarantees. While SLAs may address aspects of intellectual property rights in the context of service delivery, their primary focus is on service quality and performance rather than intellectual property protection. 

A HAZard and OPerability (HAZOP) study is a structured and systematic examination of a planned or existing process or operation to identify and evaluate potential hazards or deviations from design intent.

30.

What process needs to be in place to ensure that risk management is aligned with the enterprise's goals and objectives?

  • Governance

  • Management

  • Monitoring

  • Regulation

Correct answer: Governance

Governance is the process of overseeing the direction and execution of activities and/or a program. Governance is essential to risk management execution to ensure that it is following the enterprise's overall goals.

Management refers to the daily operations and execution of tasks, such as risk management. 

Monitoring is the process of continually tracking and evaluating risk management activities. 

Regulation refers to external rules and laws that organizations must comply with.

31.

What do key performance indicators measure?

  • Activity goals

  • Staff utilization

  • Financial and market results

  • Project completion times

Correct answer: Activity goals

Key Performance Indicators (KPIs) measure how well a process, which consists of a set of activities, is performing. The measurement provides insight into how well the process is executing based on activities. If necessary, the activities can be adjusted to improve attainment toward the goals.

KPIs do not measure staff utilization, financial and market results, or defects. 

Staff utilization measures how effectively an organization's employees are used, but it is not a direct indicator of overall performance. 

Financial and market results involve specific areas like revenue growth, profitability, and market share rather than overall process performance.

Project completion times measure project efficiency, but KPIs aim at broader organizational performance rather than project-specific metrics.

32.

Which approach to risk scenario development involves senior managers from the start?

  • Top-down

  • Bottom-up

  • Lateral

  • Middle-out

Correct answer: Top-down

The top-down approach starts by identifying business goals. It then examines the relationship between risk events and business outcomes. This analysis requires participation from senior managers.

The bottom-up approach refers to identifying risks that are associated with specific enterprise situations. 

A lateral or middle-out approach implies a horizontal spread of responsibilities.

33.

A company has entered into a long-term contract with a major supplier for the purchase of a critical component. The supplier is facing financial difficulties, and there is a risk that they may be unable to fulfill their obligations under the contract. 

What type of risk is the company facing?

  • Credit

  • Market

  • Operational

  • Compliance

Correct answer: Credit

Credit risk is the risk of financial loss due to the failure of a counterparty to meet their contractual obligations. In this scenario, the company is facing the risk that the supplier may default on the contract and not deliver the critical component.

Market risk involves exposure to changes in market conditions like price fluctuations, which is unrelated to the supplier's financial issues.

Operational risk pertains to risks arising from internal processes or systems, not the failure of a third-party supplier.

Compliance risk relates to the company failing to adhere to laws or regulations, which is not the core issue here.

34.

Which risk response selection parameter takes into consideration the size and scope of the risk?

  • Magnitude

  • Effectiveness

  • Efficiency

  • Cost

Correct answer: Magnitude

Magnitude refers to the size and scope of the risk, specifically considering the potential impact or severity of the risk event if it were to occur. Size and scope have a great deal of influence on the impact of the risk and must be considered carefully. 

While cost, efficiency, and effectiveness are all valuable in selecting a response strategy, they do not specifically consider the size and scope of the risk.

Cost refers to the financial resources required to implement a risk response. 

Efficiency pertains to the cost-effectiveness of a risk response, focusing on achieving the desired risk reduction with minimal expenditure. 

Effectiveness measures how well a risk response mitigates the identified risk.

35.

Which recovery metric is driven by how critical the process is to value creation?

  • RTO

  • RPO

  • SLA

  • OLA

Correct answer: RTO

The recovery time objective (RTO) has to do with how quickly, in terms of clock time, operations can be restored. Critical processes are prioritized first.

The recovery point objective (RPO) measures the acceptable amount of data loss in terms of time, but it is not driven by the criticality of the process itself.

A service level agreement (SLA) is a contract between service providers and customers that defines the expected level of service, such as uptime or response times.

An operational level agreement (OLA) is an internal agreement between teams within an organization that supports SLAs.

36.

Which changeover approach is the MOST costly?

  • Parallel

  • Dual

  • Phase

  • Abrupt

Correct answer: Parallel 

A parallel changeover approach runs the new and old systems simultaneously. This approach is the most costly because resources such as infrastructure and staff need to be funded at the same time.

Dual systems may run for specific functions but not entirely in parallel, so this approach is typically less costly.

A phase approach involves gradually implementing the new system in phases, making it less costly as it spreads the workload and costs over time.

An abrupt approach involves switching from the old system to the new one all at once.

37.

An insurance company is undergoing a major restructuring that involves consolidating multiple business units and implementing new technologies. The risk management team wants to ensure that risk management becomes a fundamental part of the organization's decision-making processes and that all employees are aware of their role in managing risks. 

What is the primary risk governance objective of the risk management team in this situation?

  • Integrating risk management into the enterprise

  • Making risk-aware business decisions

  • Establishing and maintaining a common risk view

  • Ensuring that risk management controls are implemented and operating correctly

Correct answer: Integrating risk management into the enterprise

The primary objective of the risk management team in this scenario is to integrate risk management into the enterprise. This means ensuring that risk management is considered at all levels of the organization and is embedded into the decision-making process. 

Making risk-aware business decisions is an outcome of effective risk management, but it is not itself the act of integrating risk management into the enterprise.

Establishing and maintaining a common risk view is more of a side activity rather than embedding risk management into the organization.

Ensuring that risk management controls are implemented and operating correctly is primarily an operational aspect rather than integrating risk management into the organization.

38.

What source of vulnerability can impact data flow and traffic in an organization?

  • Network

  • Applications

  • Utilities

  • Supply chain

Correct answer: Network

Network vulnerabilities are created through misconfiguration and poor architecture. They can be exploited by an attacker to gain access to and enter the organization's computing environment.

Applications can impact the security and integrity of data within those applications, but they are not the primary factor affecting overall data flow and traffic across an organization.

Utilities are essential for keeping systems operational but do not directly impact the data flow and traffic within an organization's network.

Supply chain vulnerabilities can lead to risks such as delayed deliveries, but they do not directly impact the flow of data and traffic.

39.

The goal of effective data management is to protect it in all states. When data is being stored and not in use, what is that state called?

  • At rest

  • In transit

  • In use

  • In motion

Correct answer: At rest 

Data at rest is data that is residing in storage but not being transmitted through the network. It may be data that is actively used or data that is archived.

Data in use refers to data that is actively being accessed, processed, or manipulated by applications or users, contrasting with data that is stored and not in use. 

Data in transit and data in motion both refer to data that is actively being transmitted or transferred between systems or networks rather than being stored and not in use.

40.

Which of the following is information typically NOT found in a risk register?

  • Risk mission statement

  • Risk owner

  • Impact rating

  • Risk source

Correct answer: Risk mission statement

A risk register documents risk factors and information that is specific to an organization. It is used for ongoing operational risk management within the enterprise. However, it does not include any sort of mission statement.

A risk source is included and gives information about where each risk originates.

The risk owner entry assigns responsibility for managing each identified risk.

An impact rating is an assessment of the potential impact or severity of each risk, which is crucial for prioritizing responses.