Exam (elaborations)

CRIS Exam ACTUAL QUESTIONS AND CORRECT ANSWERS

Pages
22
Grade
A+
Uploaded on
05-01-2026
Written in
2025/2026

Institution
Cris
Course
Cris










Document information

Uploaded on
January 5, 2026
Number of pages
22
Written in
2025/2026
Type
Exam (elaborations)
Contains
Questions & answers

Content preview

CRIS Exam ACTUAL QUESTIONS AND
CORRECT ANSWERS
Which of the following is MOST important to determine when defining risk
management strategies? - CORRECT ANSWERS Business objectives
and operations.


While defining risk management strategies, the risk practitioner needs to
analyze the enterprise's objectives and risk tolerance and define a risk
management framework based on this analysis. Some enterprises may accept
known risk, while others may invest in and apply mitigating controls to reduce
risk.


Management wants to ensure that IT is successful in delivering against business
requirements. Which of the following BEST supports that effort? - CORRECT
ANSWERS An internal control system or framework.


For IT to be successful in delivering against business requirements,
management should develop an internal control system that supports its
business requirements.


Which of the following risk assessment outputs is MOST suitable to help justify
an enterprise information security program? - CORRECT ANSWERS A
list of appropriate controls for addressing risk.


A list of information security controls corresponding to risk scenarios identified
during risk assessment is one of the primary deliverables of the risk assessment
exercise. The list demonstrates due consideration of risk and applicable controls
to address the risk and therefore helps justify a program predicated on risk
mitigation.


Whether a risk has been reduced to an acceptable level should be determined
by: - CORRECT ANSWERS Enterprise requirements.

Enterprise requirements as dictated by enterprise goals and objectives should
determine when a risk has been reduced to an acceptable level. Information
systems and security requirements and standards may help inform enterprise
requirements, but in themselves lack the critical context of enterprise business
goals.


Commitment and support of senior management for information security
investment can BEST be accomplished by a business case that: - CORRECT
ANSWERS Ties security risk to enterprise business objectives.


Senior management seeks to understand the business justification for investing
in security. This can best be accomplished by tying security to key business
objectives.


The PRIMARY reason for developing an enterprise security architecture is to: -
CORRECT ANSWERS Align security strategies among the functional
areas of an enterprise and external entities.


The enterprise security architecture must align strategies and objectives of
diverse functional areas within the enterprise, optimize the flow of information
within an enterprise, and support all required communication with external
partners, customers and suppliers.


Which of the following signifies the need to review an enterprise's risk
practices? - CORRECT ANSWERS Business owners regularly challenge
risk assessment findings.


An enterprise's risk management practices must be clearly understood and
supported by business stakeholders. This principle must be documented in the
enterprise's risk management policy/framework/plan with senior management
approval and direction. Business owners who challenge the risk assessment
findings either do not support the findings or do not understand them clearly.

Which of the following choices should drive the IT plan? - CORRECT
ANSWERS Strategic planning and business requirements.


IT exists to support business objectives. Management of enterprise IT should
align the IT plan closely with the business.


The GREATEST risk posed by an absence of strategic planning is: - CORRECT
ANSWERS Improper oversight of IT investment.


Improper oversight of IT investment is the greatest risk. Without proper
oversight from management, IT investment may fail to align with business
strategy, and IT expenditures may not support business objectives.


When assessing strategic IT risk, the FIRST step is: - CORRECT ANSWERS
Understanding enterprise strategy from senior executives.


Strategic IT risk is related to the strategy and objectives of the enterprise. Senior
executives provide the enterprise view of dependencies and expectations for IT,
which aids understanding of potential risk.


The PRIMARY consideration when selecting a risk response technique is: -
CORRECT ANSWERS Enterprise goals and objectives.


The risk response will be based primarily on goals and objectives of the
enterprise. Risk can harm these goals and must be mitigated according to
priority.


Who is accountable for business risk related to IT? - CORRECT ANSWERS
Users of IT services.