CRIS EXAM QUESTIONS & ANSWERS
Which of the following is MOST important to determine when defining risk management
strategies? - Answers :Business objectives and operations.
While defining risk management strategies, the risk practitioner needs to analyze the
enterprise's objectives and risk tolerance and define a risk management framework
based on this analysis. Some enterprises may accept known risk, while others may
invest in and apply mitigating controls to reduce risk.
Improper oversight of IT investment is the greatest risk. Without proper oversight from
management, IT investment may fail to align with business strategy, and IT
expenditures may not support business objectives.
When assessing strategic IT risk, the FIRST step is: - Answers :Understanding
enterprise strategy from senior executives.
Strategic IT risk is related to the strategy and objectives of the enterprise. Senior
executives provide the enterprise view of dependencies and expectations for IT, which
aids understanding of potential risk.
The PRIMARY consideration when selecting a risk response technique is: - Answers :
Enterprise goals and objectives.
The risk response will be based primarily on goals and objectives of the enterprise. Risk
can harm these goals and must be mitigated according to priority.
Who is accountable for business risk related to IT? - Answers :Users of IT services.
Ultimately, the enterprise (i.e., the users of IT services) owns business-related risk,
including the risk related to the use of IT. The business should set the mandate for risk
management, provide the resources and funding to support a risk management plan
designed to protect business interests, and monitor whether risk is being managed.
Which of the following is the MOST important information to include in a risk
management strategic plan? - Answers :Current state and desired future state.
It is most important to paint a vision for the future and then draw a road map from the
starting point, which requires that the current state and desired future state be fully
understood.
Which of the following will have the MOST significant impact on standard information
security governance models? - Answers :Complexity of the organizational structure.
Information security governance models are highly dependent on the complexity of the
organizational structure. Elements that add to that complexity include multiple business
units, dispersion of functions across the organization, multiple leadership hierarchies
and multiple lines of communication.
The PRIMARY focus of managing IT-related business risk is to protect: - Answers :
Information.
In managing IT-related business risk, the primary objective of any enterprise is to protect
its mission-critical information, with protection prioritized according to a risk assessment.
Which of the following can provide the BEST perspective of risk management to an
enterprise's employees and stakeholders? - Answers :An interdisciplinary team within
the enterprise.
Management wants to ensure that IT is successful in delivering against business
requirements. Which of the following BEST supports that effort? - Answers :An internal
control system or framework.
For IT to be successful in delivering against business requirements, management
should develop an internal control system that supports its business requirements.
Which of the following risk assessment outputs is MOST suitable to help justify an
enterprise information security program? - Answers :A list of appropriate controls for
addressing risk.
A list of information security controls corresponding to risk scenarios identified during
risk assessment is one of the primary deliverables of the risk assessment exercise. The
list demonstrates due consideration of risk and applicable controls to address the risk
and therefore helps justify a program predicated on risk mitigation.
Whether a risk has been reduced to an acceptable level should be determined by: -
Answers :Enterprise requirements.
Enterprise requirements as dictated by enterprise goals and objectives should
determine when a risk has been reduced to an acceptable level. Information systems
and security requirements and standards may help inform enterprise requirements, but
in themselves lack the critical context of enterprise business goals.
Commitment and support of senior management for information security investment can
BEST be accomplished by a business case that: - Answers :Ties security risk to
enterprise business objectives.
Senior management seeks to understand the business justification for investing in
security. This can best be accomplished by tying security to key business objectives.