CRISC Questions and Answerers 2023
Risk management is the coordinated activities to direct and control an enterprise with regard to risk.

Risk management starts with understanding the organization, which provides the environment or context in which it operates.

Assessing an organization's context (environment) includes evaluating:
- the intent and capability of threats
- the relative value of, and trust required in, assets (or resources)
- the respective relationship of vulnerabilities and the threats that could exploit them to intercept, interrupt, modify or fabricate data in information assets
- the dependency on a supply chain, financing, debt and partners
- vulnerability to changes in economic or political data
- changes to market trends and patterns
- emergence of new competition
- impact of new legislation
- existence of potential natural disaster
- constraints caused by legacy systems and antiquated technology
- strained labor relations and inflexible management

4 main objectives of risk governance:
1. Establish and maintain a common risk view
2. Integrate risk management into the enterprise
3. Make risk-aware business decisions
4. Ensure that risk management controls are implemented and operating correctly

Governance answers 4 questions:
1. Are we doing the right things?
2. Are we doing them the right way?
3. Are we getting them done well?
4. Are we getting the benefits?

The IT risk management life cycle:
1. Identification
2. Assessment
3. Response and mitigation
4. Monitoring and reporting

The role of IT is to serve the business.

CSF stands for Critical Success Factor, such as the relationship between the business unit and information technology.

Business continuity starts where risk management ends.

IS audit is an important part of corporate governance.

NIST states that an organization must provide risk-based, cost-effective ... controls.

IT risk drives the selection of ____ and justifies the choice and operation of a _________.
Answer: control(s)

Control failure is when a control is not operating correctly, is the wrong control, is configured incorrectly, or is inadequate to address new threats.

Ways to determine IT project failure:
1. Over budget
2. Over time allotted
3. Failure to meet customer needs and expectations

The success of the IT risk management effort is usually based on having an organization-wide perspective of risk, following a ________________________ structured methodology and gathering correct information.

To be effective, risk management should be applied to:
A. those elements identified by a risk assessment.
B. any area that exceeds acceptable risk levels.
C. all organizational activities.
D. only those areas that have potential impact.
Answer: C. While not all organizational activities will pose an unacceptable risk, the practice of risk management is ideally applied to all organizational activities.

Which of the following is the BEST indicator that incident response training is effective?
A. Decreased reporting of security incidents to the incident response team
B. Increased reporting of security incidents to the incident response team
C. Decreased number of password resets
D. Increased number of identified system vulnerabilities
Answer: B. Increased reporting of incidents is a good indicator of user awareness, but increased reporting of valid incidents is the best indicator because it is a sign that users are aware of the security rules and know how to report incidents. It is the responsibility of the IT function to assess the information provided, identify false positives, educate end users and respond to potential problems.

What is wardriving?
Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA).

Which of the following is MOST effective in assessing business risk?
A. A use case analysis
B. A business case analysis
C. Risk scenarios
D. A risk plan
Answer: C. Risk scenarios are the most effective technique in assessing business risk.

Overall business risk for a particular threat can be expressed as the:
A. magnitude of the impact should a threat source successfully exploit the vulnerability.
B. likelihood of a given threat source exploiting a given vulnerability.
C. product of the probability and magnitude of the impact if a threat exploits a vulnerability.
D. collective judgment of the risk assessment team.
Answer: C. The product of the probability and magnitude of the impact provides the best measure of the risk to an asset.

A lack of adequate controls represents:
A. a vulnerability.
B. an impact.
C. an asset.
D. a threat.
Answer: A.
A. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information, financial loss, legal penalties, etc.
B. Impact is the measure of the financial loss that a threat event may have.
C. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure, finances and reputation.
D. A threat is a potential cause of an unwanted incident.

Which of the following BEST describes the information needed for each risk on a risk register?
A. Various risk scenarios with their date, description, impact, probability, risk score, mitigation action and owner
B. Various risk scenarios with their date, description, risk score, cost to remediate, communication plan and owner
C. Various risk scenarios with their date, description, impact, cost to remediate and owner
D. Various activities leading to risk management planning
Answer: A.
A. This choice is the best answer because it contains the necessary elements of the risk register that are needed to make informed decisions.
B. This choice contains some elements of a risk register, but misses some important and key elements of a risk register (impact, probability, mitigation action) that are needed to make informed decisions, and it lists some items that should not be included in the register (communication plan).
C. This choice misses some important and key elements of a risk register (probability, risk score, mitigation action) needed to make informed decisions.
D. A risk register is a result of risk management planning, not the other way around.

A risk register contains various risk scenarios with their date, description, impact, probability, risk score, mitigation action and owner.

When developing risk scenarios for an enterprise, which of the following is the BEST approach?
A. The top-down approach for capital-intensive enterprises
B. The top-down approach because it achieves automatic buy-in
C. The bottom-up approach for unionized enterprises
D. The top-down and the bottom-up approach because they are complementary
Answer: D.
A. Both risk scenario development approaches should be considered simultaneously, regardless of the industry.
B. Both risk scenario development approaches should be considered simultaneously, regardless of the risk appetite.
C. Both risk scenario development approaches should be considered simultaneously, regardless of the industry.
D. The top-down and bottom-up risk scenario development approaches are complementary and should be used simultaneously. In a top-down approach, one starts from the overall business objectives and performs an analysis of the most relevant and probable risk scenarios impacting the business objectives. In a bottom-up approach, a list of generic risk scenarios is used to define a set of more concrete and customized scenarios, applied to the individual enterprise's situation.

Which of the following items is MOST important to consider in relation to a risk profile?
A. A summary of regional loss events
B. Aggregated risk to the enterprise
C. A description of critical risk
D. An analysis of historical loss events
Answer: B.
A. The risk profile will consider regional events that could impact the enterprise, and will also consider systemic and other risk.
B. The risk profile is based on the aggregated risk to the enterprise, including historical risk, critical risk and emerging risk.
C. The risk profile will consider all risk, not just critical risk.
D. Analysis of historical loss events can assist in business continuity planning and risk assessment, but is incomplete for a risk profile.

Which of the following is the BEST indicator of an effective information risk management program?
A. The security policy is made widely available.
B. Risk is considered before all decisions.
C. Security procedures are updated annually.
D. Risk assessments occur on an annual basis.
Answer: B.
A. Making the security policy widely available will assist in ensuring the success, but is not as critical as making risk-based business decisions.
B. Ensuring that risk is considered and determined before business decisions are made best ensures that risk tolerance is kept at the level approved by the organization.
C. Updating security procedures annually is only necessary if policy changes.
D. Ensuring that risk assessments occur annually will assist in ensuring success, but is not as critical as making risk-based business decisions.

Which of the following is the MOST important reason for conducting security awareness programs throughout an enterprise?
A. Reducing the risk of a social engineering attack
B. Training personnel in security incident response
C. Informing business units about the security strategy
D. Maintaining evidence of training records to ensure compliance
Answer: A.
A. Social engineering is the act of manipulating people into divulging confidential information or performing actions that allow an unauthorized individual to get access to sensitive information and/or systems. People are often considered the weakest link in security implementations, and security awareness would help reduce the risk of successful social engineering attacks by informing and sensitizing employees about various security policies and security topics, thus ensuring compliance from each individual.
B. Training individuals in security incident response is a corrective control action and not as important as proactively preventing an incident.
C. Informing business units about the security strategy is best done through steering committee meetings or other forums.
D. Maintaining evidence of training records to ensure compliance is an administrative, documentary task, but should not be the objective of training.

Which of the following controls can be used to reduce the potential scope of impact associated with a malicious hacker gaining access to an administrator account?
A. Multifactor authentication
B. Audit logging
C. Least privilege
D. Password policy
Answer: C.
A. Multifactor authentication safeguards against an account being accessed without authorization. If a malicious hacker has gained access to the account, this control has already been bypassed.
B. Audit logging may be useful in identifying activities undertaken using an administrator account, but it is a lagging indicator unlikely to be effective in time to limit the scope of impact associated with a compromise.
C. Privileged accounts, such as those used by administrators, are typically sought after by malicious hackers because of the perception that they will be exempt from most controls and have permission to do everything. However, except in the smallest organizations, administrators tend to be specialized in particular areas (e.g., specific servers, specific databases, firewalls, etc.). Although employing least privilege will not reduce the potential impact of a compromised account within the scope of its intended use, having specialized administrator accounts can greatly limit the impact to the organization as a whole. Even in small organizations where one person holds all roles, establishing specialized administrator accounts subject to least-privilege restrictions limits the potential impact of loss associated with an account compromise.
D. A password policy requiring frequent changes can limit the reuse value of a compromised account, but it is unlikely that changes will be sufficiently restrictive to affect an account before it has been used by a malicious hacker who controls it.

The FIRST step in identifying and assessing IT risk is to:
A. confirm the risk tolerance level of the enterprise.
B. identify threats and vulnerabilities.
C. gather information on the current and future environment.
D. review past incident reports and response activity.
Answer: C.
A. A risk practitioner must understand the risk appetite of senior management and the associated risk tolerance level. This is not the first step because risk tolerance becomes relevant during risk response.
B. Identification of relevant threats and vulnerabilities is important, but is limited in its view.
C. The first step in any risk assessment is to gather information about the current state and pending internal and external changes to the enterprise's environment (scope, technology, incidents, modifications, etc.).
D. While the review of past incident reports may be an input for the identification and assessment of IT risk, focusing on these factors is not prudent.

When a start-up company becomes popular, it suddenly is the target of hackers. This is considered:
A. an emerging vulnerability.
B. a vulnerability event.
C. an emerging threat.
D. an environmental risk factor.
Answer: C.
A. A vulnerability is a weakness in the design, implementation, operation or internal control of a process that can expose the system to adverse threats from threat events, which is not described in the question stem.
B. A vulnerability event is any event from which a material increase in vulnerability results from changes in control conditions or from changes in threat capability/force.
C. A threat is any event in which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm. The stem describes the emerging threat of hackers attacking the start-up company.
D. Environmental risk factors can be split into internal and external environmental risk factors. Internal environmental factors are, to a large extent, under the control of the enterprise, although they may not always be easy to change. External environmental

The MOST important external factors that should be considered in a risk assessment effort are:
A. proposed new security tools and technologies.
B. the number of viruses and other malware being developed.
C. international crime statistics and political unrest.
D. supply chain and market conditions.
Answer: D.
A. It is always good to watch for new technologies and tools that can help the enterprise, especially ones that staff may want to bring into the office. But a risk assessment should not be based on proposed new products.
B. The number of new malware types being developed is something worth watching, but it is not a factor that the risk professional can use in the calculation of risk for a risk assessment report.
C. International crime statistics and political unrest may cause problems, but these are not the most important factors to be considered in a risk assessment effort.
D. Risk assessment should consider both internal and external factors, including supply chain and market conditions. Supply chain problems (e.g., lack of raw material, strikes at a transportation company or supplier) can severely interrupt operations. A new competitor in the market or even a new company opening up in the area may affect availability of trained staff or pose a risk to growth and profitability.

It is MOST important that risk appetite be aligned with business objectives to ensure that:
A. resources are directed toward areas of low risk tolerance.
B. major risk is identified and eliminated.
C. IT and business goals are aligned.
D. the risk strategy is adequately communicated.
Answer: A.
A. Risk appetite is the amount of risk that an enterprise is willing to take on in pursuit of value. Aligning it with business objectives allows an enterprise to evaluate and deploy valuable resources toward those objectives where the risk tolerance (for loss) is low.
B. There is no link between aligning risk appetite with business objectives and identification and elimination of major risk. Moreover, risk cannot be eliminated; it can be reduced to an acceptable level using various risk response options.
C. Alignment of risk appetite with business objectives does converge IT and business goals to a point, but alignment is not limited to these two areas. Other areas include organizational, strategic and financial objectives, among other objectives.
D. Communication of the risk strategy does not depend on aligning risk appetite with business objectives.

Which of the following is true about IT risk?
A. IT risk cannot be assessed and measured quantitatively.
B. IT risk should be calculated separately from business risk.
C. IT risk management is the responsibility of the IT department.
D. IT risk exists whether or not it is detected or recognized by an enterprise.
Answer: D.
A. IT risk, like any business risk, can be assessed both quantitatively and qualitatively. It is very difficult and incomplete to measure risk quantitatively.
B. IT risk is one type of business risk.
C. IT risk is the responsibility of senior management, not just the IT department.
D. The enterprise must identify, acknowledge and respond to risk; ignorance of risk is not acceptable.

Scope creep, also called requirement creep, refers to uncontrolled changes in a project's scope. Unless the scope of the project is controlled, its duration and budget cannot be effectively held to account, resulting in a high probability that the project will go over budget as it seeks to meet changing requirements.

Which of the following information in the risk register BEST helps in developing proper risk scenarios? A list of:
A. potential threats to assets.
B. residual risk on individual assets.
C. accepted risk.
D. security incidents.
Answer: A.
A. Potential threats that may impact the various business assets will help in developing scenarios on how these threats can exploit vulnerabilities and cause a risk, and therefore help in developing proper risk scenarios.
B. Residual risk on individual assets does not help in developing a proper risk scenario.
C. Accepted risk is generally a small subset of entries within the risk register. Accepted risk should be included in the risk register to ensure that events that may affect the current decision of the enterprise to accept the risk are monitored.
D. Previous security incidents of the enterprise itself or entities with a similar profile may inspire similar risk scenarios to be included in the risk register. However, the best approach to create a meaningful risk register is to capture potential threats on tangible and intangible asset

When assessing strategic IT risk, the FIRST step is:
A. summarizing IT project risk.
B. understanding organizational strategy from senior executives.
C. establishing enterprise architecture (EA) strategy.
D. reviewing IT incident reports from service delivery.
Answer: B.
A. Summarizing project risk does not necessarily lead to an understanding of all risk, e.g., not realizing the benefits or impact of project risk on programs and portfolios or business or strategic objectives. Unintended consequences, reputation and brand risk, and strategic objectives need to be considered in order to assess strategic IT risk.
B. Strategic IT risk is related to the strategy and strategic objectives of the organization. Once this is understood, a conversation with senior executives will provide an enterprise view of the dependencies and expectations for IT, which leads to an understanding of the potential risk.
C. Enterprise architecture (EA) is fundamentally about producing a view of the current state of IT, establishing a vision for a future state and generating a strategy to get there (preferably by optimizing resource risk while realizing benefits). This view of IT should demonstrate the linkage of IT to organizational objectives and produce a view of current risk, but the development of EA takes significant effort, resources and time. Enterprise architectures also benefit from being informed by an understanding of organizational strategy and the views of the senior executives, which change rapidly in the current business environment and, therefore, need to be regularly reviewed.
D. Developing an understanding of current incidents will not directly provide a strategic view of the objectives of the organization and how the organization is dependent on IT to achieve those objectives.
Written for: CRISC - Certified in Risk and Information Systems Control (institution and course)

Document information: uploaded on August 3, 2023; 20 pages; written in 2023/2024; type: exam (elaborations); contains questions & answers.