Question 1

An organization has outsourced its ERP application to an external SaaS provider. Which of the following provides the MOST useful information to identify risk scenarios involving data loss?

Accepted Answer

D

Explanation: Data flow documentation provides insight into how and where data moves, stored, or processed. It helps identify vulnerable points in the data lifecycle where data loss can occur. Reference:CRISC Manual – Domain 1: Governance, Slide 240

Question 2

Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?

Accepted Answer

B

Explanation: A primary benefit of engaging the risk owner during the risk assessment process is prioritization of risk action plans across departments, because this helps to ensure that the most critical and relevant risks are addressed first, and that the resources and efforts are allocated and coordinated efficiently and effectively. A risk owner is the person or group who is responsible for the day-to-day management and mitigation of a specific risk, and who has the authority and accountability to make risk-related decisions. A risk assessment is the process of identifying, analyzing, and evaluating the risks that may affect the organization’s objectives, performance, or value. A risk action plan is the set of actions and tasks that are designed and implemented to reduce the likelihood and impact of a risk, or to exploit the opportunities that a risk may create. By engaging the risk owner during the risk assessment process, the organization can benefit from the following advantages: The risk owner can provide valuable input and feedback on the risk identification, analysis, and evaluation, based on their knowledge, experience, and perspective of the risk and its context. The risk owner can help to develop and implement the risk action plan, based on their understanding of the risk objectives, expectations, and outcomes, and their ability to influence and control the risk factors and sources. The risk owner can help to prioritize the risk action plan, based on their assessment of the risk severity, urgency, and importance, and their consideration of the costs, benefits, and feasibility of the risk actions. The risk owner can help to coordinate the risk action plan across departments, by communicating and collaborating with other risk owners, stakeholders, and resources, and by aligning and integrating the risk actions with the organization’s strategy, processes, and culture. Reference = Risk Owners — What Do They Do1

Question 3

An organization uses a biometric access control system for authentication and access to its server room. Which control type has been implemented?

Accepted Answer

C

Explanation: Biometric systems are preventive controls designed to restrict access to authorized personnel only, thereby proactively mitigating unauthorized access risks. This aligns withAccess and Authentication Controlprinciples in risk management.

Question 4

An organization discovers significant vulnerabilities in a recently purchased commercial off-the-shelf
software product which will not be corrected until the next release. Which of the following is the risk
manager's BEST course of action?

Accepted Answer

A

Explanation: The risk manager’s best course of action when discovering significant vulnerabilities in a commercial off-the-shelf software product is to review the risk of implementing versus postponing with stakeholders. This means that the risk manager should assess the potential impact and likelihood of the vulnerabilities being exploited, as well as the benefits and costs of using the software product. The risk manager should also consult with the relevant stakeholders, such as the business owners, the IT department, the security team, and the vendor, to understand their perspectives, expectations, and requirements. Based on this analysis, the risk manager should decide whether to proceed with the implementation, delay it until the next release,or look for alternative solutions. The risk manager should also document and communicate the decision and the rationale behind it, and monitor the situation for any changes or new developments. The other options are not the best course of action, because: Running vulnerability testing tools to independently verify the vulnerabilities is a useful step to confirm the existence and severity of the vulnerabilities, but it is not sufficient to address the risk. The risk manager still needs to evaluate the trade-offs between implementing and postponing the software product, and involve the stakeholders in the decision-making process. Reviewing the software license to determine the vendor’s responsibility regarding vulnerabilities is an important step to understand the contractual obligations and liabilities of the vendor, but it is not enough to mitigate the risk. The risk manager still needs to consider the impact and likelihood of the vulnerabilities, and the benefits and costs of the software product, and consult with the stakeholders to decide the best course of action. Requiring the vendor to correct significant vulnerabilities prior to installation is an unrealistic and impractical option, as the vendor has already stated that the vulnerabilities will not be corrected until the next release. The risk manager cannot force the vendor to change their schedule or priorities, and may risk damaging the relationship with the vendor. The risk manager should instead work with the vendor to understand the nature and scope of the vulnerabilities, and the expected timeline and features of the next release, and use this information to inform the risk assessment and decision-making process.

Question 5

Which of the following is the BEST way to determine the value of information assets for risk management purposes?

Accepted Answer

A

Explanation: The best way to determine the value of information assets for risk management purposes is to assess the loss impact if the information is inadvertently disclosed, as this reflects the potential damage or harm that the organization may suffer due to a breach of confidentiality, integrity, or availability of the information. The loss impact can be measured in terms of financial, operational, reputational, legal, or regulatory consequences, depending on the nature, sensitivity, and criticality of the information. The loss impact can also help the organization to prioritize the protection and mitigation of the information assets, and to align the risk management strategy with the business objectives and risk appetite. Reference: •ISACA, IT Asset Valuation, Risk Assessment and Control Implementation Model1 •ISACA, Data Classification: What It Is, Why You Should Care and How to Perform It2

Question 6

An organization's Internet-facing server was successfully attacked because the server did not have
the latest security patches. The risk associated with poor patch management had been documented
in the risk register and accepted. Who should be accountable for any related losses to the
organization?

Accepted Answer

A

Explanation: The risk owner is the person who should be accountable for any related losses to the organization, because they are the person who has the authority and responsibility to manage the risk and its associated controls.The risk owner is also the person who accepts the risk and its residual level, and who monitors and reports on the risk status and performance. The IT risk manager, the server administrator, and the risk practitioner are all involved in the riskmanagement process, but they are not the person who should be accountable for the risk and its outcomes, as they do not have the ultimate decision-making power and accountability for therisk. Reference = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.1.1, page 79

Question 7

When developing a response plan to address security incidents regarding sensitive data loss, it is MOST important

Accepted Answer

C

Explanation: When developing a response plan to address security incidents regarding sensitive data loss, it is most important to review the data classification policy. A data classification policy is a document that defines the categories and levels of data based on their sensitivity, value, and criticality, and specifies the appropriate security measures and handling procedures for each data type. A data classification policy helps to identify and protect the sensitive data that could be exposed or compromised in a security incident, and to comply with the relevant laws, regulations, standards, and contracts. Reviewing the data classification policy is important when developing a response plan, because it helps to determine the scope, impact, and priority of the security incident, and to select the most appropriate and effective response actions and strategies. Reviewing the data classification policy also helps to communicate and coordinate the response plan with the internal and external stakeholders, such as the data owners, users, custodians, and regulators, and to report and disclose the security incident as required. The other options are not as important as reviewing the data classification policy, although they may be part of or derived from the response plan. Revalidating current key risk indicators (KRIs), revising risk management procedures, and revalidating existing risk scenarios are all activities that can help to improve or update the risk management process, but they are not the most important when developing aresponse plan. Reference = Risk and Information Systems Control Study Manual, Chapter 5, Section 5.3.1, page 5-25.

Question 8

Which of the following is the MOST important document regarding the treatment of sensitive data?

Accepted Answer

D

Explanation: The information classification policy is the most important document regarding the treatment of sensitive data, because it defines the categories and criteria for classifying data according to their sensitivity, confidentiality, and value to the organization, and specifies the appropriate handling and protection measures for each category. Sensitive data are data that contain personal,proprietary, or confidential information that may cause harm or damage to the organization or its stakeholders if disclosed, modified, or destroyed without authorization. An information classification policy helps to ensure that sensitive data are identified and treated in a consistent and secure manner, and that the organization complies with the applicable laws andregulations regarding data protection and privacy. An encryption policy, an organization risk profile, and a digital rights management policy are all useful documents for the treatment of sensitive data, but they are not the most important document, as they do not directly address the classification and handling of sensitive data. Reference = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.2, page 158

Question 9

Which of the following should be the PRIMARY goal of developing information security metrics?

Accepted Answer

B

Explanation: Information security metrics are quantitative or qualitative measures that indicate the performance and effectiveness of the information security processes, controls, and objectives. The primary goal of developing information security metrics is to enable continuous improvement of the information security program and to align it with the business goals and strategy. Information security metrics can help to identify the strengths and weaknesses of thesecurity program, to monitor and report on the progress and outcomes of the security initiatives, to evaluate the return on investment and value of the security activities, and to provide feedback and guidance for improvement actions. Information security metrics should be relevant, reliable, consistent, and actionable. Reference = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.3.2, p. 116-117

Question 10

Which of the following BEST measures the impact of business interruptions caused by an IT service outage?

Accepted Answer

A

Explanation: The best measure of the impact of business interruptions caused by an IT service outage is the sustained financial loss. This is the amount of money that the enterprise loses due to the disruption of its normal operations, such as lost revenue, increased expenses, or reduced profits. Sustained financial loss reflects the extent and severity of the business interruption, and theeffect on the enterprise’s objectives and performance. Sustained financial loss also helps to determine the recovery objectives and priorities, and to justify the investment in risk mitigation and business continuity strategies. Reference = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.2.2, page 691

Question 11

Which of the following would BEST help to ensure that suspicious network activity is identified?

Accepted Answer

A

Explanation: An intrusion detection system (IDS) is a network security tool that monitors and analyzes network traffic for signs of malicious or suspicious activity, such as unauthorized access, data exfiltration, malware infection, or denial-of-service attack. An IDS can detect and alert the organization to potential threats based on predefined rules or signatures, or based on anomalies or deviations from normal network behavior. An IDS can also generate logs that record the details of the network events and incidents, such as the source, destination, content, and context of the network traffic. By analyzing the IDS logs, the organization can identify and validate the suspicious network activity, and determine its scope, impact, and root cause. The organization can also use the IDS logs to support the incident response and remediation process, and to improve the network security and resilience. The other options are less effective ways to ensure that suspicious network activity is identified. Analyzing server logs can provide some information about the network activity, but it may not be sufficient or timely to detect and validate the suspicious or malicious activity, as server logs only capture the events or activities that occur on the server, and not on the entire network. Using a third- party monitoring provider can help to outsource the network monitoring and analysis function, but it may not be the best option, as it may introduce additional risks, such as data privacy, vendor reliability, or service quality issues. Coordinating events with appropriate agencies can help to share information and resources with other organizations or authorities, such as law enforcement, regulators, or industry peers, but it may not be the best option, as it may depend on the availability andcooperation of theagencies, and it may not be feasible or desirable to disclose the network activity to external parties. Reference = Monitoring for Suspicious Network Activity: Key Tips to Secure Your Network 1

Question 12

Reviewing which of the following BEST helps an organization gam insight into its overall risk profile''

Accepted Answer

A

Explanation: A risk register is a tool that records and tracks the information about the identified risks, such as the risk description, category, owner, probability, impact, response strategy, status, and action plan. Reviewing the risk register is the best way to help an organization gain insight into its overall risk profile, which is the summary of the nature and level of risk that the organization faces. By reviewing the risk register, the organization can obtain a comprehensive and holistic view of the sources, causes, and consequences of the risks, their likelihood and impact, their interrelationships and dependencies, and their alignment with therisk appetite and tolerance. The risk register can also help the organization to prioritize the risks, allocate the resources, select the risk responses, monitor the risk performance, and evaluate the risk outcomes. Reference = CRISC Review Manual, 7th Edition, page 99.

Question 13

An organization wants to transfer risk by purchasing cyber insurance. Which of the following would
be MOST important for the risk practitioner to communicate to senior management for contract
negotiation purposes?

Accepted Answer

C

Explanation: The most important information for the risk practitioner to communicate to senior management for contract negotiation purposes when the organization wants to transfer risk by purchasing cyber insurance is the current annualized loss expectancy report, as it provides an estimate of the potential financial loss or impact that theorganization may incur due to a cyber risk event in a given year, and helps to determine the optimal coverage and premium of the cyber insurance. The other options are not the most important information, as they are more related to the audit, asset, or industry aspects of the cyber risk, respectively, rather than the financial aspect of the cyber risk. Reference = CRISC Review Manual, 7th Edition, page 111.

Question 14

Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

Accepted Answer

D

Explanation: An IT risk and control self-assessment (RCSA) is a process that helps organizations identify and evaluate operational risks and assess the effectiveness of their control measures12. It is a structured approach that involves identifying, assessing, mitigating, and monitoring risks across all levels of an organization12. A report to senior management is a document that summarizes and communicates the results and findings of the RCSA, and provides recommendations and action plans for improving the risk management and control processes34. The most important aspect of an IT risk and control self-assessment to include in a report to senior management is an increase in residual risk, which is the risk remaining after risk treatment, and represents the exposure or potential impact of the risk on the organization’s objectives56. An increase in residual risk is the most important aspect because it indicates the level of risk that the organization is willing to accept or tolerate, and the gap between the current and desired risk profile56. An increase in residual risk is also the most important aspect because it requires the attention and decision of the senior management, who are responsible for defining the organization’s risk appetite, strategy, and criteria, and for ensuring that the residual risk is within the acceptable range56. The other options are not the most important aspects, but rather possible components or outcomes of an IT risk and control self-assessment that may support or complement the report to senior management. For example: Changes in control design are components of an IT risk and control self-assessment that involve modifying or updating the control measures to address the changes in the risk environment or the organization’s objectives56. However, changes in control design are not the most importantaspect because they do not measure or reflect the residual risk, which is the ultimate goal of the risk treatment56. A decrease in the number of key controls is an outcome of an IT risk and control self-assessment that indicates the improvement or optimization of the control processes, and the reduction of the complexity or redundancy of the control measures56. However, a decrease in the number of key controls is not the most important aspect because it does not indicate or imply the residual risk, which may depend on other factors such as the effectiveness or efficiency of the controls56. Changes in control ownership are components of an IT risk and control self-assessment that involve assigning or reassigning the responsibility and accountability for the control processes to the appropriate individuals or groups within the organization56. However,changes in control ownership are not the most important aspect because they do not affect or determine the residual risk, which is independent of the control owners56. Reference = 1: Risk and control self-assessment - KPMG Global1 2: Control Self Assessments - PwC2 3: How-To Guide: Implementing Risk Control Self-Assessment Steps4 4: RISK MANAGEMENT SELF-ASSESSMENT TEMPLATE - Smartsheet5 5: Risk IT Framework, ISACA, 2009 6: IT Risk Management Framework, University of Toronto, 2017

Question 15

Which of the following BEST indicates the condition of a risk management program?

Accepted Answer

D

Explanation: The best indicator of the condition of a risk management program is the amount of residual risk. Residual risk is the risk that remains after the implementation of risk responses. Residual risk reflects the effectiveness and efficiency of the risk management program in reducing the risk exposure to an acceptable level, and in aligning the risk profile with the risk appetite and tolerance of the enterprise. A low amount of residual risk indicates that the risk managementprogram is performing well, and that the controls are adequate and appropriate. A high amount of residual risk indicates that the risk management program is not functioning properly, and that the controls are insufficient or ineffective. Reference = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 1, Section 1.2.2, page 191

Free ISACA CRISC Actual Exam Questions