ISACA CRISC Exam Questions

Page 8 of 25

141.

Which personnel role in the risk management function is responsible for the routine management and maintenance of controls?

  • Control steward

  • Control owner

  • Risk manager

  • Risk owner

Correct answer: Control steward

A control steward is responsible for the ongoing management and maintenance of controls. This individual takes direction from the control owner and implements changes at the control owner's direction.

The control owner is accountable for the design and implementation of controls. 

The risk manager is responsible for ensuring that risk management functions are carried out correctly. 

The risk owner is responsible for analyzing, evaluating, assessing, and making decisions upon threats to the enterprise.

142.

As it relates to the risk register, which metric cost has to do with expenses associated with managing the risk event?

  • Cost of response

  • Recovery cost

  • Cost of prevention

  • Compliance

Correct answer: Cost of response

The cost of responding to a risk event impacts the expense budget of the organization. It is important to quantify costs to properly allocate funds should the risk event occur.

Recovery cost can refer to the expenses involved in recovering from a risk event, but not the overall cost of managing the risk event.

Cost of prevention can refer to expenses associated with preventing a risk event, not managing it once it occurs.

Compliance refers to adhering to laws, regulations, and policies.

143.

What is a system configuration approach that reduces variation from the norm or baseline?

  • Standardization

  • Customization

  • Diversification

  • Ad-hoc

Correct answer: Standardization

Standardization is an approach in which all configurations follow the same template or outline. This creates consistency, predictability, and reliability.

Customization involves tailoring a system to meet specific needs or preferences, which can increase variation rather than reduce it.

Diversification refers to increasing variety, the opposite of reducing variation.

Ad-hoc refers to configuring systems on a case-by-case basis, which leads to greater variation rather than reducing it.

144.

What is the relationship between IT risk and business risk?

  • IT risk is a subset of business risk

  • Business risk is a subset of IT risk

  • There is no relationship; they are separate and distinct

  • They are the same

Correct answer: IT risk is a subset of business risk

IT exists to enable and accelerate business operations. Without a business structure, there is no need for IT. This means that any IT risk has a direct impact on the business and must be evaluated in the context of how the business is going to be affected.

Without a business structure, there is no need for IT, so it isn't accurate to say that business risk is a subset of IT risk. 

There is a relationship because as IT dependence has grown, IT risk has become a critical part of business risk. 

IT risk and business risk are not exactly the same because there are business risks that exist that have no relationship to IT risk.

145.

What type of project management methodology incorporates interim customer engagement and evaluation?

  • Agile

  • Waterfall

  • Programmatic

  • Offshore

Correct answer: Agile 

The agile methodology organizes work in multiple Sprints. The customer is engaged at the end of every Sprint, which is typically two weeks in length. At that time, they give their feedback, which is incorporated into the planning for the next Sprint.

A waterfall approach is a linear, sequential approach where customer involvement typically happens at the start and end, with no interim customer engagement or feedback.

A programmatic approach refers to a broad approach to managing multiple related projects but does not specifically focus on regular customer engagement.

Offshore refers to outsourcing work to teams in other countries and does not imply a specific project management methodology focused on customer feedback.

146.

Which method of risk identification uses audit or incident reports, public media, and organization documents such as annual reports and press releases?

  • Historical

  • Systematic

  • Inductive

  • Existing taxonomy

Correct answer: Historical

Risk practitioners can use historical methods, otherwise known as evidence-based methods. Historical information provides empirical evidence that can be used to forecast potential risks going forward.

Systematic approaches involve expert opinions using tools such as vulnerability assessments and interviews with employees. 

Inductive methods are theoretical analyses where possible points of compromise are considered.

Existing taxonomy uses a risk library as its starting point.

147.

What trend in technology has to do with allowing workers the option to use their personal devices for work purposes?

  • BYOD

  • Omnipresent connectivity

  • IoT

  • Decryption

Correct answer: BYOD

Bring Your Own Device (BYOD) is a cost-effective option that allows workers to bring their own devices to work. However, this is considered to be a form of risk, since the enterprise is still liable for any data breaches.

Omnipresent connectivity refers to the idea that individuals are connected to the internet at most times in locations where they typically would not have been in the past. 

The Internet of Things (IoT) is the connectivity of non-traditional devices, such as refrigerators and doorbells, to the Internet. 

Decryption is the process of converting encrypted data back into its original form, making it understandable or usable again.

148.

What is the purpose of vulnerability identification?

  • To find problems before they are found by an adversary and exploited

  • To reduce the need for manual IT audits

  • To improve customer service operations

  • To conduct an in-depth vulnerability analysis

Correct answer: To find problems before they are found by an adversary and exploited

Vulnerabilities are weaknesses, gaps, or holes in the organization's environment. Vulnerabilities provide an opportunity for a threat actor to exploit, which creates consequences that impact the organization.

While vulnerability identification might reduce the frequency of certain audits, this is not its primary purpose.

Enhancing customer service is unrelated to the goal of identifying vulnerabilities.

Conducting an in-depth vulnerability analysis is a follow-up activity after vulnerabilities have been identified.

149.

A group of healthcare organizations consisting of several hospitals and clinics is looking to adopt a cloud deployment model that allows them to share resources and data securely among themselves. They want to ensure that the cloud environment is tailored to their specific needs and complies with healthcare regulations. 

Which cloud deployment model should they choose to meet their requirements?

  • Community

  • Private

  • Hybrid

  • Public

Correct answer: Community

A community cloud is specifically designed to be shared among a group of organizations that have similar requirements and needs, such as healthcare regulations. This model allows for shared infrastructure, tailored services, and collaborative efforts while ensuring compliance with specific industry standards, making it ideal for the healthcare sector.

A private cloud offers dedicated resources to a single organization; it doesn't facilitate shared resources among multiple organizations.

A hybrid cloud combines both private and public clouds, but may not ensure the level of security and compliance needed for sharing sensitive data.

A public cloud provides resources to multiple users over the internet, which may raise concerns regarding data security and compliance.

150.

What is the term for "acceptable level of variation that management is willing to allow for a specific risk"?

  • Risk tolerance

  • Risk appetite

  • Risk aversion

  • Risk aggregation

Correct answer: Risk tolerance

Risk tolerance is the ability to handle volatility and losses. To maintain control of the overall organizational risk profile, risk variation is typically evaluated and tolerated at the individual policy or initiative level.

Risk appetite refers to the overall amount of risk an organization is willing to take on to achieve its objectives.

Risk aversion indicates a preference to avoid risk, usually implying a lower tolerance for risk.

Risk aggregation involves combining individual risks to understand their overall impact on the organization.

151.

Risk practitioners continually monitor a wide variety of risk indicators. All the following are examples of risk indicators EXCEPT:

  • Existing assets

  • New assets

  • Changes to business operations

  • Legal changes

Correct answer: Existing assets

Existing assets have already been accounted for in the risk program. If they are replaced, upgraded, or decommissioned, then the appropriate action would be taken by the risk practitioner.

When monitoring risk, one of the critical things to look for is change. The three incorrect answers are, or could be, changes to the environment. New assets may be identical to ones the business already has and change the risk profile very little, but they could also be different from anything the business already operates.

When the operations of the business change, that change could mean many different things; again, the new way of operating could be very different from how the business has operated until now.

Legal changes could be new laws, such as the fairly recent European Union General Data Protection Regulation (EU GDPR) or the California Consumer Privacy Act (CCPA).

152.

Which of the following characteristics is representative of a compliance-driven risk culture?

  • Periodic testing

  • Superficial incident investigations

  • Ad hoc training

  • Communication on a need-to-know basis

Correct answer: Periodic testing

A compliance risk culture is one that has legal and monetary consequences if risk is not managed in a comprehensive and disciplined manner. Examples of organizations that have a compliance risk culture are those in heavily regulated industries such as financial services, healthcare, or environmental.

Superficial incident investigations are characteristic of a vulnerable risk culture.

Ad hoc training and communication on a need-to-know basis are characteristic of a reactive risk culture.

153.

An electronics company is reviewing its risk management strategy and has identified several risks related to its supply chain operations. The risk management team is considering various response options to address these risks. Before making a decision, they are considering which risks should be addressed first, based on their significance to the business. 

Which factor is the team addressing when choosing the appropriate risk response?

  • Priority of the risk in the risk report

  • Complexity of the recommended controls

  • Requirements for compliance

  • Cost of the response option

Correct answer: Priority of the risk in the risk report

The priority of the risk in the risk report should guide the company's decision-making. Risks that are more severe or likely to occur should be addressed first to ensure the most critical threats are mitigated promptly.

The cost of the response option should not take precedence over addressing the most critical risks first. 

Complexity is sometimes necessary for high-priority risks, but priority should be determined first.

Requirements for compliance are not being addressed in this situation.

154.

What is one reason why the need for information security awareness has increased?

  • The average home computer is equally if not more powerful than a business computer

  • The number of people who use computers is orders of magnitude lower

  • People are storing less data

  • The number of devices that people have is decreasing

Correct answer: The average home computer is equally if not more powerful than a business computer 

This means that home computers can be, and are being, used more for business purposes. Personal and business data are co-mingled and can present a potential breach vulnerability.

The number of computer users has significantly increased over time, not decreased, making security awareness more critical.

People are storing more data than ever before, especially with the growth of cloud services and digital storage, which increases the need for strong information security measures.

The number of connected devices (phones, tablets, laptops, etc.) has increased, leading to more opportunities for security breaches and, thus, a greater need for awareness.

155.

Which approach to risk scenario development starts with understanding business goals?

  • Top-down

  • Bottom-up

  • Lateral

  • Hierarchical

Correct answer: Top-down

Top-down scenario development starts by identifying business goals and how risk events impact the realization of those goals. The risk practitioner evaluates the impact of risk outcomes against business objectives.

A bottom-up approach involves describing potential risk events that are specific to individual solutions through hypothetical situations. 

A lateral approach could involve considering risks from different perspectives or areas within an organization without necessarily starting with high-level business goals. 

A hierarchical approach could involve understanding risks at different levels of the organization, but it does not specifically start with business goals.

156.

How should an enterprise address the risk of employees engaging in unethical activities?

  • By having senior management communicate the policy to all employees equally

  • By allowing employees to make ethical decisions on their own accord based on their previous experiences

  • By having a copy of an ethics manual posted in a common area where all employees can view it

  • By assigning an ethics manager in each department who can help each employee make the right choices at all times

Correct answer: By having senior management communicate the policy to all employees equally

Ethics is an important aspect of risk management. Clearly conveying the organization's ethical standards from the top down establishes a strong ethical foundation.

Employee autonomy is important, but providing clear guidelines through policy communication is essential.

Ethics manual accessibility is not as effective as direct communication from leadership.

An ethics manager can be a valuable resource, but the primary responsibility for setting ethical expectations lies with senior management.

157.

Which threat model method focuses on data security?

  • LINDDUN

  • VAST

  • PASTA

  • STRIDE

Correct answer: LINDDUN

LINDDUN is used for data security. It uses a dataflow diagram of the system to document data flows, data stores, processes, and external entities.

STRIDE focuses on the system detail design and models the in-place system. 

PASTA is a risk-centric threat modeling framework. 

VAST is a modeling method based on the automated platform ThreatModeler.

158.

When designing controls, what is the FIRST step that the risk practitioner should take?

  • Be aware of the control environment current state

  • Be aware of the control environment budget

  • Disregard the current control environment and start from scratch

  • Disregard the current control environment and hire a new team

Correct answer: Be aware of the control environment current state

It is important to understand the current controls that are put in place. By doing so, the risk practitioner can have a clear picture of which risks are being addressed already and conduct a gap analysis. The gap analysis then helps the risk practitioner build out the new necessary controls.

While the budget is an essential consideration in control design, it should not be the first step. Prioritizing budget over understanding the current control environment could lead to ineffective control design or overlooking existing controls that may already address certain risks. 

Disregarding the current control environment entirely and starting from scratch is not advisable. Doing so could result in duplication of efforts, unnecessary costs, and potentially overlooking effective controls that are already in place. It is essential to build upon existing controls rather than reinventing the wheel. 

Hiring a new team is not typically the first step in designing controls. Disregarding the current control environment and hiring a new team could disrupt continuity, waste resources, and overlook valuable insights and expertise possessed by existing team members. It's more effective to leverage the knowledge and experience of the current team to assess and enhance the control environment.

159.

What is the purpose of the risk register?

  • Consolidate risk data

  • Decentralize risk data

  • Distribute risk responsibilities

  • Isolate risk events

Correct answer: Consolidate risk data

To efficiently manage risk across the enterprise, risk data is consolidated in one visible location. Examples of the type of data in a risk register are the owner, severity, source, and potential impact of a risk.

Decentralizing risk data is the opposite of the purpose of a risk register. 

Although distributing responsibilities is part of risk management, the risk register itself is about consolidating information, not distributing it.

Isolating risk events would involve treating them separately, rather than bringing all risk data together, which is the goal of the risk register.

160.

What is the purpose of a risk program management audit function?

  • Demonstrate that controls and proactive practices are in place

  • Demonstrate that a business can survive an adverse event

  • Demonstrate that the risk management programs are fully documented

  • Demonstrate that risk management teams are trained on industry compliance

Correct answer: Demonstrate that controls and proactive practices are in place

The audit function provides the organization, as well as external stakeholders and regulatory bodies, with assurances that the risk management program is effective. This is accomplished by conducting a comprehensive, objective review of the risk program that includes people, process, and technology.

A demonstration of the completeness of the risk management program's documentation would not show how complete the program itself is, especially in comparison to the correct answer of demonstrating that the controls are in place.

Demonstrating the knowledge and skill level of the risk management team would be useful, but it does not show that the risk program management is actually being performed.

Testing the disaster recovery plan would provide information to management about their ability to survive an adverse event.