Exam (worked answers)

CRISC Test Bank 2 Question & Answers with Rationales

Pages: 165
Grade: A+
Uploaded on: 18-11-2022
Written in: 2022/2023

Sample content

CRISC Test Bank 2 Question & Answers with Rationales
Q1
Which of the following is true for Single loss expectancy (SLE), Annual rate of occurrence (ARO), and Annual loss expectancy (ALE)?

A. ALE = ARO/SLE
B. ARO = SLE/ALE
C. ARO = ALE*SLE
D. ALE = ARO*SLE - Correct Answer: D
Section: Volume A
Explanation

A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas. The results can help in identifying the priority of risks and are also used to determine the effectiveness of controls. Some of the terms associated with quantitative risk assessments are:

Single loss expectancy (SLE): the total loss expected from a single incident. Such an incident occurs when a vulnerability is exploited by a threat. The loss is expressed as a dollar value such as $1,000 and includes the value of data, software, and hardware. SLE = Asset value * Exposure factor

Annual rate of occurrence (ARO): the number of times an incident is expected to occur in a year. If an incident occurred twice a month in the past year, the ARO is 24. Assuming nothing changes, it is likely to occur 24 times next year.

Annual loss expectancy (ALE): the expected loss for a year. ALE is calculated by multiplying SLE by ARO. Because SLE is given as a dollar value, ALE is also given as a dollar value. For example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000. ALE = SLE * ARO

Safeguard value: the cost of a control. Controls are used to mitigate risk. For example, antivirus software has an average cost of $50 for each computer; if there are 50 computers, the safeguard value is $2,500.

Incorrect Answers:
A, B, C: These are wrong formulas and are not used in quantitative risk assessment.
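The formulas in the Q1 rationale (SLE, ARO, ALE, safeguard value), as an added worked example that is not part of the test bank. The asset value of $5,000 and exposure factor of 0.2 are constructed so that they reproduce the rationale's $1,000 SLE; the control_benefit function (ALE before a control, minus ALE after it, minus the control's annual cost) is an assumed extension of the rationale, not something it states.

```python
"""Quantitative risk formulas used in the Q1 rationale (added example, not from the test bank)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """Inputs for one threat/vulnerability pair on one asset."""
    asset_value: float      # replacement value of data, software, hardware ($)
    exposure_factor: float  # fraction of asset value lost per incident, 0.0-1.0
    aro: float              # expected incidents per year (annual rate of occurrence)


def sle(scenario: RiskScenario) -> float:
    """Single loss expectancy: SLE = Asset value * Exposure factor."""
    if not 0.0 <= scenario.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return scenario.asset_value * scenario.exposure_factor


def ale(scenario: RiskScenario) -> float:
    """Annual loss expectancy: ALE = SLE * ARO (option D in Q1)."""
    return sle(scenario) * scenario.aro


def safeguard_value(unit_cost: float, units: int) -> float:
    """Total cost of a control, e.g. antivirus at $50 per computer for 50 computers."""
    return unit_cost * units


def control_benefit(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Annualized net value of a control (assumed extension, not in the rationale):
    ALE before the control minus ALE after it minus the control's annual cost.
    Positive means the control pays for itself; negative means it costs more than it saves."""
    return ale(before) - ale(after) - annual_cost


if __name__ == "__main__":
    # Constructed figures chosen to reproduce the rationale's numbers:
    # SLE = $1,000 and ARO = 24 (twice a month) give ALE = $24,000.
    baseline = RiskScenario(asset_value=5_000.0, exposure_factor=0.2, aro=24)
    print(f"SLE = ${sle(baseline):,.0f}")   # $1,000
    print(f"ALE = ${ale(baseline):,.0f}")   # $24,000
    # Antivirus at $50 on 50 computers, assumed to cut ARO from 24 to 4 incidents/year.
    cost = safeguard_value(50.0, 50)       # $2,500
    mitigated = RiskScenario(asset_value=5_000.0, exposure_factor=0.2, aro=4)
    print(f"Safeguard value = ${cost:,.0f}")
    print(f"Net annual benefit = ${control_benefit(baseline, mitigated, cost):,.0f}")  # $17,500
```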

Q2
Which of the following statements are true for an enterprise's risk management capability maturity level 3?

A. Workflow tools are used to accelerate risk issues and track decisions
B. The business knows how IT fits in the enterprise risk universe and the risk portfolio view
C. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals
D. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized - Correct Answer: ABD
Section: Volume A
Explanation

An enterprise's risk management capability maturity level is 3 when:
Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized.
There is a selected leader for risk management, engaged with the enterprise risk committee, across the enterprise.
The business knows how IT fits in the enterprise risk universe and the risk portfolio view.
Local tolerances drive the enterprise risk tolerance.
Risk management activities are being aligned across the enterprise.
Formal risk categories are identified and described in clear terms.
Situations and scenarios are included in risk awareness training beyond specific policy and structures and promote a common language for communicating risk.
Defined requirements exist for a centralized inventory of risk issues.
Workflow tools are used to accelerate risk issues and track decisions.
Incorrect Answers:
C: An enterprise at risk management capability maturity level 5 requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals.

Q3
Which of the following role carriers is accountable for analyzing risks, maintaining the risk profile, and making risk-aware decisions?

A. Business management
B. Business process owner
C. Chief information officer (CIO)
D. Chief risk officer (CRO) - Correct Answer: A
Section: Volume A
Explanation

Business management comprises the business individuals with roles relating to managing a program. They are typically accountable for analyzing risks, maintaining the risk profile, and making risk-aware decisions. Beyond this, they are also responsible for managing risks, reacting to events, etc.
Incorrect Answers:
B: A business process owner is an individual responsible for identifying process requirements, approving process design and managing process performance. He/she is responsible for analyzing risks, maintaining the risk profile, and making risk-aware decisions, but is not accountable for them.
C: The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services and information and the deployment of associated human resources. The CIO has some responsibility for analyzing risks, maintaining the risk profile, and making risk-aware decisions, but is not accountable for them.
D: The CRO is the individual who oversees all aspects of risk management across the enterprise. He/she is responsible for analyzing risks, maintaining the risk profile, and making risk-aware decisions, but is not accountable for them.

Q4
You are using an information system. You have chosen a poor password and also sometimes transmit data over unprotected communication lines. What do this poor-quality password and unsafe transmission refer to?

A. Probabilities
B. Threats
C. Vulnerabilities
D. Impacts - Correct Answer: C
Section: Volume A
Explanation

Vulnerabilities represent characteristics of information resources that may be exploited
by a threat. The given scenario describes such a situation, hence it is a vulnerability.
Incorrect Answers:
A: Probabilities represent the likelihood of the occurrence of a threat, and this scenario
does not describe a probability.
B: Threats are circumstances or events with the potential to cause harm to information
resources. This scenario does not describe a threat.
D: Impacts represent the outcome or result of a threat exploiting a vulnerability. The
stem does not describe an impact.

Q5
Which of the following is the BEST way to ensure that outsourced service providers comply with the enterprise's information security policy?

A. Penetration testing
B. Service level monitoring
C. Security awareness training
D. Periodic audits - Correct Answer: D
Section: Volume A
Explanation

Because regular audits can spot gaps in information security compliance, periodic audits are the best way to ensure that outsourced service providers comply with the enterprise's information security policy.
Incorrect Answers:
