1. R1-1 Which of the following is MOST important to determine when defining risk management strategies?
A. Risk assessment criteria
B. IT architecture complexity
C. An enterprise disaster recovery plan
D. Business objectives and operations

D is the correct answer.
Justification:
A. Information on the internal and external environment must be collected to define a strategy and identify its impact. Risk assessment criteria alone are not sufficient.
B. IT architecture complexity is more directly related to assessing risk than defining strategies.
C. An enterprise disaster recovery plan is more directly related to mitigating the risk.
D. While defining risk management strategies, the risk practitioner needs to analyze the organization's objectives and risk tolerance and define a risk management framework based on this analysis. Some organizations may accept known risk, while others may invest in and apply mitigating controls to reduce risk.
2. R1-2 Which of the following is the MOST important information to include in a risk management strategic plan?
A. Risk management staffing requirements
B. The risk management mission statement
C. Risk mitigation investment plans
D. The current state and desired future state

D is the correct answer.
Justification:
A. Risk management staffing requirements are generally driven by a robust understanding of the current and desired future state.
B. The risk management mission statement is important but is not an actionable part of a risk management strategic plan.
C. Risk mitigation investment plans are generally driven by a robust understanding of the current and desired future state.
D. It is most important to paint a vision for the future and then draw a road map from the starting point; therefore, this requires that the current state and desired future state be fully understood.
3. R1-3 Information that is no longer required to support the main purpose of the business from an information security perspective should be:
A. analyzed under the retention policy.
B. protected under the information classification policy.
C. analyzed under the backup policy.
D. protected under the business impact analysis.

A is the correct answer.
Justification:
A. Information that is no longer required should be analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required unnecessarily consumes resources; may be in breach of legal and regulatory obligations regarding retention of data; and, in the case of sensitive personal information, can increase the risk of data compromise.
B. The information classification policy should specify retention and destruction of information that is no longer of value to the core business, as applicable.
C. The backup policy is generally based on recovery point objectives. The information classification policy should specify retention and destruction of backup media.
D. A business impact analysis can help determine that this information does not support the main objective of the business, but does not indicate the action to take.
4. R1-4 An enterprise has outsourced the majority of its IT department to a third party whose servers are in a foreign country. Which of the following is the MOST critical security consideration?
A. A security breach notification may get delayed due to the time difference.
B. Additional network intrusion detection sensors should be installed, resulting in additional cost.
C. The enterprise could be unable to monitor compliance with its internal security and privacy guidelines.
D. Laws and regulations of the country of origin may not be enforceable in the foreign country.

D is the correct answer.
Justification:
A. Security breach notification is not a problem. Time difference does not play a role in a 24/7 environment. Mobile devices (smartphones, tablets, etc.) are usually available to communicate a notification.
B. The need for additional network intrusion sensors is a manageable problem that requires additional funding, but can be addressed.
C. Outsourcing does not remove the enterprise's responsibility regarding internal requirements.
D. Laws and regulations of the country of origin may not be enforceable in the foreign country. Conversely, the laws and regulations of the foreign vendor may also affect the enterprise. Potential violation of local laws applicable to the enterprise or the vendor may not be recognized or remedied due to the lack of knowledge of local laws and/or inability to enforce them.
5. R1-5 An enterprise recently developed a breakthrough technology that could provide a significant competitive edge. Which of the following FIRST governs how this information is to be protected from within the enterprise?
A. The data classification policy
B. The acceptable use policy
C. Encryption standards
D. The access control policy

A is the correct answer.
Justification:
A. A data classification policy describes the data classification categories, level of protection to be provided for each category of data and roles and responsibilities of potential users, including data owners.
B. An acceptable use policy is oriented more toward the end user and, therefore, does not specifically address which controls should be in place to adequately protect information.
C. Mandated levels of protection, as defined by the data classification policy, should drive which levels of encryption will be in place.
D. Mandated levels of protection, as defined by the data classification policy, should drive which access controls will be in place.
6. R1-6 Malware has been detected that redirects users' computers to websites crafted specifically for the purpose of fraud. The malware changes domain name system server settings, redirecting users to sites under the hackers' control. This scenario BEST describes a:
A. man-in-the-middle attack.
B. phishing attack.
C. pharming attack.
D. social-engineering attack.

C is the correct answer.
Justification:
A. In a man-in-the-middle attack, the attacker intercepts the communication between two victims and then replaces the traffic between them with the intruder's own, eventually assuming control of the communication.
B. A phishing attack is a type of email attack that attempts to convince a user that the originator is genuine but with the intention of obtaining information for use in social engineering.
C. A pharming attack changes the pointers on a domain name system server and redirects a user's session to a masquerading website.
D. A social-engineering attack deceives users or administrators at the target site into revealing confidential or sensitive information. They can be executed person-to-person, over the telephone or via email.
7. R1-7 What is the MOST effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives?
A. A compliance-oriented gap analysis

D is the correct answer.
Justification:
A. A gap analysis will only identify the gaps in compliance to current requirements and will not identify impacts to business objectives or activities.
B. Interviews with key business process stakeholders will identify business objectives but will not necessarily account for the compliance requirements that must be met.
C. Mapping requirements to policies and procedures will identify how