DETAILED VERIFIED ANSWERS /ALREADY GRADED
A+
R1-1 Which of the following is MOST important to determine when defining risk management strategies?
A. Risk assessment criteria
B. IT architecture complexity
C. An enterprise disaster recovery plan
D. Business objectives and operations

D is the correct answer.
Justification:
• Information on the internal and external environment must be collected to define a strategy and identify its impact. Risk assessment criteria alone are not sufficient.
• IT architecture complexity is more directly related to assessing risk than to defining strategies.
• An enterprise disaster recovery plan is more directly related to mitigating the risk.
• While defining risk management strategies, the risk practitioner needs to analyze the organization's objectives and risk tolerance and define a risk management framework based on this analysis. Some organizations may accept known risk, while others may invest in and apply mitigating controls to reduce risk.
R1-2 Which of the following is the MOST important information to include in a risk management strategic plan?
A. Risk management staffing requirements
B. The risk management mission statement
C. Risk mitigation investment plans
D. The current state and desired future state

D is the correct answer.
Justification:
• Risk management staffing requirements are generally driven by a robust understanding of the current and desired future state.
• The risk management mission statement is important but is not an actionable part of a risk management strategic plan.
• Risk mitigation investment plans are generally driven by a robust understanding of the current and desired future state.
• It is most important to paint a vision for the future and then draw a road map from the starting point; this requires that the current state and the desired future state be fully understood.
R1-3 Information that is no longer required to support the main purpose of the business from an information security perspective should be:
A. analyzed under the retention policy.
B. protected under the information classification policy.
C. analyzed under the backup policy.
D. protected under the business impact analysis.

A is the correct answer.
Justification:
• Information that is no longer required should be analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required unnecessarily consumes resources; may be in breach of legal and regulatory obligations regarding retention of data; and, in the case of sensitive personal information, can increase the risk of data compromise.
• The information classification policy should specify retention and destruction of information that is no longer of value to the core business, as applicable.
• The backup policy is generally based on recovery point objectives. The information classification policy should specify retention and destruction of backup media.
• A business impact analysis can help determine that this information does not support the main objective of the business, but it does not indicate the action to take.
R1-4 An enterprise has outsourced the majority of its IT department to a third party whose servers are in a foreign country. Which of the following is the MOST critical security consideration?
A. A security breach notification may get delayed due to the time difference.
B. Additional network intrusion detection sensors should be installed, resulting in additional cost.
C. The enterprise could be unable to monitor compliance with its internal security and privacy guidelines.
D. Laws and regulations of the country of origin may not be enforceable in the foreign country.

D is the correct answer.
Justification:
• Security breach notification is not a problem. Time difference does not play a role in a 24/7 environment. Mobile devices (smartphones, tablets, etc.) are usually available to communicate a notification.
• The need for additional network intrusion sensors is a manageable problem that requires additional funding, but it can be addressed.
• Outsourcing does not remove the enterprise's responsibility regarding internal requirements.
• Laws and regulations of the country of origin may not be enforceable in the foreign country. Conversely, the laws and regulations of the foreign vendor's country may also affect the enterprise. Potential violation of local laws applicable to the enterprise or the vendor may not be recognized or remedied due to the lack of knowledge of local laws and/or the inability to enforce them.
R1-5 An enterprise recently developed a breakthrough technology that could provide a significant competitive edge. Which of the following FIRST governs how this information is to be protected from within the enterprise?
A. The data classification policy
B. The acceptable use policy
C. Encryption standards
D. The access control policy

A is the correct answer.
Justification:
• A data classification policy describes the data classification categories, the level of protection to be provided for each category of data, and the roles and responsibilities of potential users, including data owners.
• An acceptable use policy is oriented more toward the end user and, therefore, does not specifically address which controls should be in place to adequately protect information.
• Mandated levels of protection, as defined by the data classification policy, should drive which levels of encryption will be in place.
• Mandated levels of protection, as defined by the data classification policy, should drive which access controls will be in place.