1. What is the primary force driving privacy? Regulation
2. What is Confidentiality? Maintains the secrecy and privacy of data
"need to know / least privilege"
3. What is Integrity? Guarding against improper information modification, exclusion, or destruction
"authenticity"
4. What is Availability? Providing timely and reliable access to information
5. What is the order of Information Security Risk Management Process steps?
1) Context Establishment
2) Risk Identification
3) Risk Analysis
4) Risk Evaluation
5) Risk Treatment
6. What does the Risk Identification Process involve?
1) Identify Assets
2) Identify Threats
3) Identify Existing Controls
4) Identify Vulnerabilities
5) Identify Consequences
6) Risk Estimation
7. What are examples of Threats? personnel, natural events, theft, terrorism, criminal acts, software errors, mechanical failure, accidents
8. The IT risk action plan is an output communication from? Chief Risk Officer and the Enterprise Risk Management Committee
9. What is risk Magnitude? The impact to the enterprise when the event occurs
10. What are synonyms for Frequency and Magnitude? Likelihood and Impact
11. What is Risk Appetite? The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its mission
12. What is Risk Tolerance? The acceptable level of variation that management is willing to allow for any particular risk as it pursues its objectives
13. What does Risk Governance address? Oversight of the business risk strategy for the enterprise
14. What are the 3 objectives of Risk Governance?
1) Establish a common risk view
2) Integrate risk management into the enterprise
3) Make risk-aware business decisions
15. What are the 5 components of Governance?
1) Alignment
2) Value Delivery
3) Risk Management
4) Performance Measurement
5) Resource Management
16. What is the difference between Responsibility and Accountability? Responsibility belongs to those who must ensure that activities are completed successfully
VS
Accountability, which applies to those who either own the required resource or have the authority to approve the execution and/or accept the outcome of an activity
17. What is another term for IT Risk Scenario Analysis? Stress Test
18. What is the rough allocation of risk relevant to almost all organizations?
Financial Risk (35%)
Strategic Risk (25%)
Operational Risk (25%)
Legal and Compliance Risk (15%)
19. What are the Four CRISC domains? (which also represent the cyclic process of IT Risk Management)
1) IT Risk Identification
2) IT Risk Assessment
3) Risk Response and Mitigation
4) Risk and Control Monitoring and Reporting
20. What is a Risk? When a threat exploits a vulnerability which damages an asset which breaks a business process
21. How do you classify assets? Using an Information/Data Classification Policy
22. Which line of defense is a CRISC? 2nd line
23. Which line of defense is a CIO? 1st line
24. Which level of Management accepts a risk? Executive management (i.e. CEO)
25. What is Control Risk? When the controls chosen to mitigate risk are incorrect
26. What is the #1 Project Risk? Failure to meet expectations
27. What are the 4 ways to deal with a risk?
1) avoid
2) mitigate
3) accept
4) transfer
28. Is IT Risk part of Op Risk? Yes