CRISC Certified in Risk and Information Systems Control (CRISC) Questions and Answers

Verify authorization by senior management.

Increase the risk appetite to align with the current risk level

Ensure the acceptance is set to expire over lime

Update the risk response in the risk register.

helping personnel make better-informed decisions

assisting the development of a risk register.

improving the effectiveness of IT controls.

increasing participation in the risk assessment process.

Compliance manager

Data architect

Data owner

Chief information officer (CIO)

Enable data encryption in the test environment.

Prevent the use of production data in the test environment

De-identify data before being transferred to the test environment.

Enforce multi-factor authentication within the test environment.

The quantity of data logged by the attack control tools

Blocking the attack route immediately

The ability to trace the source of the attack

The timeliness of attack recognition

The volume of risk scenarios is too large

Risk aggregation has not been completed

Risk scenarios are not applicable

The risk analysts for each scenario is incomplete

Obtaining management support

Benchmarking against industry standards

Assessing compliance requirements

Identifying threats and vulnerabilities

Failure to test the disaster recovery plan (DRP)

Lack of well-documented business impact analysis (BIA)

Lack of annual updates to the disaster recovery plan (DRP)

Significant changes in management personnel

To provide input to business impact analyses (BIAs)

To protect information assets

To facilitate risk assessments

To manage information asset licensing

Employees

Data

Reputation

Customer lists

by the security administration team.

successfully within the expected time frame.

successfully during the first attempt.

without causing an unplanned system outage.

Removing entries from the register after the risk has been treated

Recording and tracking the status of risk response plans within the register

Communicating the register to key stakeholders

Performing regular reviews and updates to the register

Internal auditor

Asset owner

Finance manager

Control owner

Collecting data for IT risk assessment

Establishing and communicating the IT risk profile

Utilizing a balanced scorecard

Performing and publishing an IT risk analysis

Periodically review application on BYOD devices

Include BYOD in organizational awareness programs

Implement BYOD mobile device management (MDM) controls.

Enable a remote wee capability for BYOD devices

Require the vendor to degauss the hard drives

Implement an encryption policy for the hard drives.

Require confirmation of destruction from the IT manager.

Use an accredited vendor to dispose of the hard drives.

Risk practitioner

Business manager

Risk owner

Control owner

Review risk governance

Asset identification

Identify risk factors

Inherent risk identification

Cause-and-effect diagram

Delphi technique

Bottom-up approach

Top-down approach

accounts without documented approval

user accounts with default passwords

active accounts belonging to former personnel

accounts with dormant activity.

Audit reports

Industry benchmarks

Financial forecasts

Annual threat reports

Threat event

Inherent risk

Risk event

Security incident

Historical losses due to past risk events

Cost to reduce the impact and likelihood

Likelihood and impact of the risk scenario

Actor and threat type of the risk scenario

IT service desk manager

Sales manager

Customer service manager

Access control manager

Obtain the risk owner's approval.

Record the risk as accepted in the risk register.

Inform senior management.

update the risk response plan.

Single sign-on

Audit trail review

Multi-factor authentication

Data encryption at rest

inquire about the status of any planned corrective actions

keep monitoring the situation as there is evidence that this is normal

adjust the risk threshold to better reflect actual performance

initiate corrective action to address the known deficiency

The number of users who can access sensitive data

A list of unencrypted databases which contain sensitive data

The reason some databases have not been encrypted

The cost required to enforce encryption

Not providing capability for employees to work remotely

Outsourcing the IT activities and infrastructure

Enforcing change and configuration management processes

Taking out insurance coverage for IT-related incidents

Failed login attempts

Simulating a denial of service attack

Absence of IT audit findings

Penetration test

Testing control design

Accepting residual risk

Establishing business information criteria

Establishing the risk register

reset the alert threshold based on peak traffic

analyze the traffic to minimize the false negatives

analyze the alerts to minimize the false positives

sniff the traffic using a network analyzer

Customer database manager

Customer data custodian

Data privacy officer

Audit committee

two-factor authentication.

continuous data backup controls.

encryption for data at rest.

encryption for data in motion.

Organizational reporting process

Incident reporting procedures

Regularly scheduled audits

Incident management policy

Enforce segregation of duties.

Disclose potential conflicts of interest.

Delegate responsibilities involving the acquaintance.

Notify the subsidiary's legal team.

Key stakeholders are enrolled as members

Approved minutes ate forwarded to senior management

Committee meets at least quarterly

Functional overlap across the business is minimized

User self-assessment

User behavior after training

Course evaluation

Quality of training materials

identify key risk indicators (KRls) for ongoing monitoring

validate the CTO's decision with the business process owner

update the risk register with the selected risk response

recommend that the CTO revisit the risk acceptance decision.

The inherent risk is below the asset residual risk.

Remediation cost is below the asset business value

The risk tolerance threshold s above the asset residual

Remediation is completed within the asset recovery time objective (RTO)

To enable consistent data on risk to be obtained

To allow for proper review of risk tolerance

To identify dependencies for reporting risk

To provide consistent and clear terminology

Sufficient resources are not assigned to IT development projects.

Customer support help desk staff does not have adequate training.

Email infrastructure does not have proper rollback plans.

The corporate email system does not identify and store phishing emails.

require the vendor to sign a nondisclosure agreement

clearly define the project scope.

perform background checks on the vendor.

notify network administrators before testing

Senior management has approved the control design.

Inherent risk has been reduced from original levels.

Residual risk remains within acceptable levels.

Costs for control maintenance are reasonable.

Obtain objective assessment of the control environment.

Ensure the risk profile is defined and communicated.

Validate the threat management process.

Obtain an objective view of process gaps and systemic errors.

Sensitivity of the data

Readability of test data

Security of the test environment

Availability of data to authorized staff

Risk self-assessment

Risk register

Risk dashboard

Risk map

Key risk indicators (KRIs)

Key management indicators (KMIs)

Key performance indicators (KPIs)

Key control indicators (KCIs)

Least privilege access

Inability to edit

Ability to overwrite

Encryption

Qualitative measures require less ongoing monitoring.

Qualitative measures are better aligned to regulatory requirements.

Qualitative measures are better able to incorporate expert judgment.

Qualitative measures are easier to update.

Expected frequency and potential impact

Risk tolerance

Enterprise-wide IT risk assessment

Risk appetite

Detective

Directive

Preventive

Compensating

Regulatory requirements may differ in each country.

Data sampling may be impacted by various industry restrictions.

Business advertising will need to be tailored by country.

The data analysis may be ineffective in achieving objectives.

Occurrences of specific events

A performance measurement

The risk tolerance level

Risk scenarios

Data retention requirements

Data destruction requirements

Cloud storage architecture

Key management

BCP testing is net in conjunction with the disaster recovery plan (DRP)

Recovery time objectives (RTOs) do not meet business requirements.

BCP is often tested using the walk-through method.

Each business location has separate, inconsistent BCPs.

Decreased success rate of internal phishing tests

Decreased number of reported security incidents

Number of disciplinary actions issued for security violations

Number of employees that complete security training

Perform a post-implementation review.

Conduct user acceptance testing.

Review the key performance indicators (KPIs).

Interview process owners.

The audit plan for the upcoming period

Spend to date on mitigating control implementation

A report of deficiencies noted during controls testing

A status report of control deployment

Reduced ability to evaluate key risk indicators (KRIs)

Reduced access to internal audit reports

Dependency on the vendor's key performance indicators (KPIs)

Dependency on service level agreements (SLAs)

Percentage of systems included in recovery processes

Number of key systems hosted

Average response time to resolve system incidents

Percentage of system availability

An increase in attempted distributed denial of service (DDoS) attacks

An increase in attempted website phishing attacks

A decrease in achievement of service level agreements (SLAs)

A decrease in remediated web security vulnerabilities

Monitoring

Analysis

Identification

Response selection

The control catalog

The asset profile

Business objectives

Key risk indicators (KRls)

Perform annual risk assessments.

Interview process owners.

Review the risk register.

Analyze key performance indicators (KPIs).

It compares performance levels of IT assets to value delivered.

It facilitates the alignment of strategic IT objectives to business objectives.

It provides input to business managers when preparing a business case for new IT projects.

It helps assess the effects of IT decisions on risk exposure

low risk tolerance.

corporate culture misalignment.

corporate culture alignment.

high risk tolerance

plan awareness programs for business managers.

evaluate maturity of the risk management process.

assist in the development of a risk profile.

maintain a risk register based on noncompliances.

Reviewing the implementation of the risk response

Creating a separate risk register for key business units

Performing real-time monitoring of threats

Performing regular risk control self-assessments

Single sign-on

Data integrity checking

Strong authentication

Intrusion detection system

Information security managers

Internal auditors

Business process owners

Operational risk managers

Align business objectives to the risk profile.

Assess risk against business objectives

Implement an organization-specific risk taxonomy.

Explain risk details to management.

Alignment to risk responses

Alignment to management reports

Alerts when risk thresholds are reached

Identification of trends

Key risk indicators (KRls)

Inherent risk

Residual risk

Risk appetite

Logs and system events

Intrusion detection system (IDS) rules

Vulnerability assessment reports

Penetration test reports

for compliance with laws and regulations

as a basis for cost-benefit analysis.

as input foe decision-making

to measure organizational success.

recommend a program that minimizes the concerns of that production system.

inform the development team of the concerns, and together formulate risk reduction measures.

inform the process owner of the concerns and propose measures to reduce them

inform the IT manager of the concerns and propose measures to reduce them.

a gap analysis

a root cause analysis.

an impact assessment.

a vulnerability assessment.

The percentage of systems meeting recovery target times has increased.

The number of systems tested in the last year has increased.

The number of systems requiring a recovery plan has increased.

The percentage of systems with long recovery target times has decreased.

A decrease in control layering effectiveness

An increase in inherent risk

An increase in control vulnerabilities

An increase in the level of residual risk

Risk owner

Security management function

IT management

Enterprise risk function

Business impact analysis

Risk analysis

Threat risk assessment

Vulnerability assessment

identification.

treatment.

communication.

assessment

Number of tickets for provisioning new accounts

Average time to provision user accounts

Password reset volume per month

Average account lockout time

Leading industry frameworks

Business context

Regulatory requirements

IT strategy

Testing the transmission of credit card numbers

Reviewing logs for unauthorized data transfers

Configuring the DLP control to block credit card numbers

Testing the DLP rule change control process

Perform a penetration test.

Review security logs.

Conduct a threat analysis.

Perform a root cause analysis.

Cost of offsite backup premises

Cost of downtime due to a disaster

Cost of testing the business continuity plan

Response time of the emergency action plan

The risk response addresses the risk with a holistic view.

The risk response is based on a cost-benefit analysis.

The risk response is accounted for in the budget.

The risk response aligns with the organization's risk appetite.

create an action plan

assign ownership

review progress reports

perform regular audits.

Performing a benchmark analysis and evaluating gaps

Conducting risk assessments and implementing controls

Communicating components of risk and their acceptable levels

Participating in peer reviews and implementing best practices

Risk action plans are approved by senior management.

Residual risk is within the organizational risk appetite

Mitigating controls are designed and implemented.

Risk is recorded and tracked in the risk register

The third party s management

The organization's management

The control operators at the third party

The organization's vendor management office

The team that performed the risk assessment

An assigned risk manager to provide oversight

Action plans to address risk scenarios requiring treatment

The methodology used to perform the risk assessment

A robust risk aggregation tool set

Clearly defined roles and responsibilities

A well-established risk management committee

Well-documented and communicated escalation procedures

Customizing content for the audience

Providing incentives to participants

Mapping to a recognized standard

Providing metrics for measurement

Business continuity manager (BCM)

Human resources manager (HRM)

Chief risk officer (CRO)

Chief information officer (CIO)

map findings to objectives.

provide a quantified detailed analysts.

recommend risk tolerance thresholds.

quantify key risk indicators (KRls).

Risk analysis results

Exception handling policy

Vulnerability assessment results

Benchmarking assessments

Conduct interviews with key stakeholders.

Conduct a tabletop exercise.

Conduct a disaster recovery exercise.

Conduct a full functional exercise.

The manager responsible for IT operations that will support the risk mitigation efforts

The individual with authority to commit organizational resources to mitigate the risk

A project manager capable of prioritizing the risk remediation efforts

The individual with the most IT risk-related subject matter knowledge

implement uniform controls for common risk scenarios.

ensure business unit risk is uniformly distributed.

build a risk profile for management review.

quantify the organization's risk appetite.

Complexity of the IT infrastructure

Value of information assets

Management culture

Threats and vulnerabilities

Implementing record retention tools and techniques

Establishing e-discovery and data loss prevention (DLP)

Sending notifications when near storage quota

Implementing a bring your own device 1BVOD) policy

Business continuity director

Disaster recovery manager

Business application owner

Data center manager

Communicate the decision to the risk owner for approval

Seek approval from the previous action plan manager.

Identify an owner for the new control.

Modify the action plan in the risk register.

overall effectiveness of risk management

consequences of risk materializing

necessity of developing a risk strategy,

organization s risk threshold.

perform a business impact analysis.

identify potential sources of risk.

establish risk guidelines.

understand control design.

Change management as determined by a change control board

Benchmarking analysis with similar completed projects

Project governance criteria as determined by the project office

The risk owner as determined by risk management processes

The scenarios are based on industry best practice.

The scenarios focus on current vulnerabilities.

The scenarios are relevant to the organization.

The scenarios include technical consequences.

business process owner.

database administrator.

chief information officer.

systems administrator.

Internal audit

Control owner

Senior management

Risk manager

Relative positions on the risk map

Risk treatment options

Capability of enterprise to implement

The multiple risk factors addressed by a chosen response

identity early risk transfer strategies.

lessen the impact of realized risk.

analyze the chain of risk events.

identify the root cause of risk events.

Increase in compliance breaches

Increase in loss event impact

Increase in residual risk

Increase in customer complaints

Key performance indicator (KPI) trend data is incomplete.

New key risk indicators (KRIs) have been established.

Key performance indicators (KPIs) are outside of targets.

Key risk indicators (KRIs) are lagging.

Nondisclosure agreement (NDA)

Independent audit report

Business impact analysis (BIA)

Service level agreement (SLA)

Key performance indicators

Business objectives

The organization's risk framework

Risk appetite

immediately uninstall the unlicensed software from the laptops

centralize administration rights on laptops so that installations are controlled

report the issue to management so appropriate action can be taken.

procure the requisite licenses for the software to minimize business impact.

Audit engagement letter

Risk profile

IT risk register

Change control documentation

Engaging sponsorship by senior management

Utilizing data and resources internal to the organization

Including input from risk and business unit management

Developing in collaboration with internal audit

Monitoring of service costs

Provision of internal audit reports

Notification of sub-contracting arrangements

Confidentiality of customer data

Updating the threat inventory with new threats

Automating log data analysis

Preventing the generation of false alerts

Determining threshold levels

determine data backup and recovery availability at an alternate site.

identify critical business functions and resources.

define roles and responsibilities for implementation.

identify recovery time objectives (RTOs) for critical business applications.

Testing in a non-production environment

Performing a security control review

Reviewing the security audit report

Conducting a risk assessment

Collect data of past incidents and lessons learned.

Conduct a high-level risk assessment based on the nature of business.

Identify the risk appetite of the organization.

Assess the goals and culture of the organization.

An IT project manager is not assigned to oversee development.

Controls are not applied to the applications.

There is a lack of technology recovery options.

The applications are not captured in the risk profile.

Implement monitoring techniques.

Implement layered security.

Outsource to a local processor.

Conduct an awareness campaign.

using the same scales in assessing risk

utilizing industry benchmarks

using reliable qualitative data for risk Hems

including primarily low level risk factors

Application owner

Senior management

Risk practitioner

Business process owner

Chief information officer (CIO)

Executive management team

Audit committee

Business process owner

A recommendation for internal audit validation

Plans for mitigating the associated risk

Suggestions for improving risk awareness training

The impact to the organization’s risk profile

the organization's risk culture

benchmarking results against similar organizations

industry-specific regulatory requirements

expertise available within the IT department

Provide risk management feedback to key stakeholders.

Collect and analyze risk data for report generation.

Monitor and prioritize risk data according to the heat map.

Engage key stakeholders in risk management practices.

Designing compensating controls

Determining if KRIs have been updated recently

Assessing the effectiveness of the incident response plan

Determining what has changed in the environment

The risk register template uses an industry standard.

The risk register is regularly updated.

All fields in the risk register have been completed.

Controls are listed against risk entries in the register.

Obtaining funding support

Defining the risk assessment scope

Selecting the risk assessment framework

Establishing inherent risk

populate risk register entries and build a risk profile for management reporting.

prioritize IT-related actions by considering risk appetite and risk tolerance.

define the IT risk framework for the organization.

comply with the organization's IT risk and information security policies.

determine if the scenarios need 10 be accepted or responded to.

record the scenarios into the risk register.

continue with a qualitative risk analysis.

continue with a quantitative risk analysis.

The user requirements were not documented.

Payroll files were not under the control of a librarian.

The programmer had access to the production programs.

The programmer did not involve the user in testing.

After user acceptance testing (UAT)

Upon release to production

During backlog scheduling

When reviewing functional requirements

Implementing control activities

Monitoring control effectiveness

Conducting control self-assessments

Owning risk scenarios

Risk magnitude

Incident probability

Risk appetite

Cost-benefit analysis

Control effectiveness

Risk appetite

Risk likelihood

Key risk indicator (KRI)

Implement targeted awareness training for new BYOD users.

Implement monitoring to detect control deterioration.

Identify log sources to monitor BYOD usage and risk impact.

Reduce the risk tolerance level.

Risk assessment results are accessible to senior management and stakeholders.

Risk mitigation activities are managed and coordinated.

Key risk indicators (KRIs) are evaluated to validate they are still within the risk threshold.

Risk information is available to enable risk-based decisions.

encrypting the data

including a nondisclosure clause in the CSP contract

assessing the data classification scheme

reviewing CSP access privileges

Number of days taken to remove access after staff separation dates

Number of days taken for IT to remove access after receipt of HR instructions

Number of termination requests processed per reporting period

Number of days taken for HR to provide instructions to IT after staff separation dates

Fewer security incidents have been reported.

The number of audit findings has decreased.

Residual risk is reduced.

inherent risk Is unchanged.

Segregation of duties

Code review

Change management

Audit modules

risk response.

control monitoring.

risk identification.

risk ownership.

Recommend risk remediation of the ineffective controls.

Compare the residual risk to the current risk appetite.

Determine the root cause of the control failures.

Escalate the control failures to senior management.

Accountability is established for risk treatment decisions

Stakeholders are consulted about risk treatment options

Risk owners are informed of risk treatment options

Responsibility is established for risk treatment decisions.

Risk profile

Risk culture

Risk appetite

Risk tolerance

Verbal majority acceptance of risk by committee

List of compensating controls

IT audit follow-up responses

A memo indicating risk acceptance

Prioritizing risk within each business unit

Reviewing risk ranking methodology

Promoting an organizational culture of risk awareness

Assigning risk ownership to appropriate roles

Number of service level agreement (SLA) violations

Percentage of recovery issues identified during the exercise

Number of total systems recovered within tie recovery point objective (RPO)

Percentage of critical systems recovered within tie recovery time objective (RTO)

Average bandwidth usage

Peak bandwidth usage

Total bandwidth usage

Bandwidth used during business hours

risk scenarios

risk maps

risk appetite

risk ownership.

Subscribe to threat intelligence to monitor external attacks.

Apply patches for a newer version of the application.

Segment the application within the existing network.

Increase the frequency of regular system and data backups.

Define information retention requirements and policies

Provide information security awareness training

Establish security management processes and procedures

Establish an inventory of information assets

The organization may not have a sufficient number of skilled resources.

Application and data migration cost for backups may exceed budget.

Data may not be recoverable due to system failures.

The database system may not be scalable in the future.

Escalate the non-cooperation to management

Exclude applicable controls from the assessment.

Review the supplier's contractual obligations.

Request risk acceptance from the business process owner.

Survey device owners.

Rescan the user environment.

Require annual end user policy acceptance.

Review awareness training assessment results

Forensic analysis

Risk assessment

Root cause analysis

Business impact analysis (BlA)

Increased time to remediate vulnerabilities

Inaccurate reporting of results

Increased number of vulnerabilities

Network performance degradation

Collaborate with the risk owner to determine the risk response plan.

Document the gap in the risk register and report to senior management.

Include a right to audit clause in the service provider contract.

Advise the risk owner to accept the risk.

Existing IT environment

IT strategic plan

Risk register

Organizational strategic plan

Accountable

Informed

Responsible

Consulted

Business benefits of shadow IT

Application-related expresses

Classification of the data

Volume of data

Security control owners based on control failures

Cyber risk remediation plan owners

Risk owners based on risk impact

Enterprise risk management (ERM) team

Ongoing training

Timely notification

Return on investment (ROI)

Cost minimization

Incomplete end-user device inventory

Unsupported end-user applications

Incompatible end-user devices

Multiple end-user device models

A summary of risk response plans with validation results

A report with control environment assessment results

A dashboard summarizing key risk indicators (KRIs)

A summary of IT risk scenarios with business cases

Some critical business applications are not included in the plan

Several recovery activities will be outsourced

The plan is not based on an internationally recognized framework

The chief information security officer (CISO) has not approved the plan

Identify the regulatory bodies that may highlight this gap

Highlight news articles about data breaches

Evaluate the risk as a measure of probable loss

Verify if competitors comply with a similar policy