ACCURATE QUIZZES WITH VERIFIED ANSWERS
A business case developed to support risk mitigation efforts for a complex application development project should be retained until:
A. the project is approved.
B. user acceptance of the application.
C. the application is deployed.
D. the application's end of life - correct answer- D
A business impact analysis (BIA) is PRIMARILY used to:
A. estimate the resources required to resume and return to normal operations after a disruption.
B. evaluate the impact of a disruption to an enterprise's ability to operate over time.
C. calculate the likelihood and impact of known threats on specific functions.
D. evaluate high-level business requirements. - correct answer- B
A chief information security officer (CISO) has recommended several controls such as anti-malware to protect the enterprise's information systems. Which approach to handling risk is the CISO recommending?
A. Risk transference
B. Risk mitigation
C. Risk acceptance
D. Risk avoidance - correct answer- B
A company has set the unacceptable error level at 10 percent. Which of the following tools can be used to trigger a warning when the error level reaches eight percent?
A. A fault tree analysis
B. Statistical process control (SPC)
C. A key performance indicator (KPI)
D. A failure modes and effects analysis (FMEA) - correct answer- C
A company is confident about the state of its organizational security and compliance program. Many improvements have been made since the last security review was conducted one year ago. What should the company do to evaluate its current risk profile?
A. Review previous findings and ensure that all issues have been resolved.
B. Conduct follow-up audits in areas that were found deficient in the previous review.
C. Monitor the results of the key risk indicators (KRIs) and use those to develop targeted assessments.
D. Perform a new enterprise risk assessment using an independent expert. - correct answer- D
A database administrator notices that the externally hosted, web-based corporate address book application requires users to authenticate, but that the traffic between the application and users is not encrypted. The MOST appropriate course of action is to:
A. notify the business owner and the security manager of the discovery and propose an addition to the risk register.
B. contact the application administrators and request that they enable encryption of the application's web traffic.
C. alert all staff about the vulnerability and advise them not to log on from public networks.
D. accept that current controls are suitable for nonsensitive business data. - correct answer- A
A global enterprise that is subject to regulation by multiple governmental jurisdictions with differing requirements should:
A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
B. bring all locations into conformity with a generally accepted set of industry best practices.
C. establish a baseline standard incorporating those requirements that all jurisdictions have in common.
D. establish baseline standards for all locations and add supplemental standards as required. - correct answer- D
A global financial institution has decided not to take any further action on a denial-of-service (DoS) vulnerability found by the risk assessment team. The MOST likely reason for making this decision is that:
A. the needed countermeasure is too complicated to deploy.
B. there are sufficient safeguards in place to prevent this risk from happening.
C. the likelihood of the risk occurring is unknown.