Question #:8 - (Exam Topic 3)
A recent vulnerability assessment of a web-facing application revealed several weaknesses. Which of the following should be done NEXT to determine the risk exposure?
A. Code review
B. Penetration test
C. Gap assessment
D. Business impact analysis (BIA)
- correct answer- B. Penetration test
Question #:10 - (Exam Topic 3)
An organization wants to grant remote access to a system containing sensitive data to an overseas third party. Which of the following should be of GREATEST concern to management?
A. Transborder data transfer restrictions
B. Differences in regional standards
C. Lack of monitoring over vendor activities
D. Lack of after-hours incident management support
- correct answer- C. Lack of monitoring over vendor activities
Question #:15 - (Exam Topic 3)
To reduce costs, an organization is combining the second and third lines of defense in a new department that reports to a recently appointed C-level executive. Which of the following is the GREATEST concern with this situation?
A. The risk governance approach of the second and third lines of defense may differ.
B. The independence of the internal third line of defense may be compromised.
C. Cost reductions may negatively impact the productivity of other departments.
D. The new structure is not aligned to the organization's internal control framework.
- correct answer- B. The independence of the internal third line of defense may be compromised.
Question #:18 - (Exam Topic 3)
A core data center went offline abruptly for several hours, affecting many transactions across multiple locations. Which of the following would provide the MOST useful information to determine mitigating controls?
A. Forensic analysis
B. Risk assessment
C. Root cause analysis
D. Business impact analysis (BIA)
- correct answer- A. Forensic analysis
Question #:20 - (Exam Topic 3)
An organization learns of a new ransomware attack affecting organizations worldwide. Which of the following should be done FIRST to reduce the likelihood of infection from the attack?
A. Identify systems that are vulnerable to being exploited by the attack.
B. Confirm with the antivirus solution vendor whether the next update will detect the attack.
C. Verify the data backup process and confirm which backups are the most recent ones available.
D. Obtain approval for funding to purchase a cyber insurance plan.
- correct answer- A. Identify systems that are vulnerable to being exploited by the attack.
Question #:21 - (Exam Topic 3)
While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BEST reduce the risk associated with such a data breach?
A. Ensuring the vendor does not know the encryption key
B. Engaging a third party to validate operational controls
C. Using the same cloud vendor as a competitor
D. Using field-level encryption with a vendor-supplied key
- correct answer- B. Engaging a third party to validate operational controls
Question #:22 - (Exam Topic 3)
An IT department has organized training sessions to improve user awareness of organizational information security policies. Which of the following is the BEST key performance indicator (KPI) to reflect effectiveness of the training?