CRISC Premium Bundle

Certified in Risk and Information Systems Control Certification Exam

Last update: November 15, 2024

Isaca CRISC Free Practice Questions

Our pass rate is as high as 98.9%, and the similarity between our CRISC study guide and the real exam is 90%, based on our seven years of teaching experience. Do you want to pass the Isaca CRISC exam in just one try? I am currently studying for the Isaca CRISC exam. Try the latest Isaca CRISC exam practice questions and answers; try the Isaca CRISC Brain Dumps first.

We also have free CRISC dumps questions for you:

NEW QUESTION 1

Which of the following is the GREATEST benefit of analyzing logs collected from different systems?

  • A. A record of incidents is maintained.
  • B. Forensic investigations are facilitated.
  • C. Security violations can be identified.
  • D. Developing threats are detected earlier.

Answer: C

NEW QUESTION 2

Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?

  • A. Data owner
  • B. Control owner
  • C. Risk owner
  • D. System owner

Answer: B

NEW QUESTION 3

A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?

  • A. Add a digital certificate
  • B. Apply multi-factor authentication
  • C. Add a hash to the message
  • D. Add a secret key

Answer: C

NEW QUESTION 4

When updating a risk register with the results of an IT risk assessment, the risk practitioner should log:

  • A. high impact scenarios.
  • B. high likelihood scenarios.
  • C. treated risk scenarios.
  • D. known risk scenarios.

Answer: D

NEW QUESTION 5

The MOST important characteristic of an organization's policies is to reflect the organization's:

  • A. risk assessment methodology.
  • B. risk appetite.
  • C. capabilities.
  • D. asset value.

Answer: B

NEW QUESTION 6

A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

  • A. Business continuity director
  • B. Disaster recovery manager
  • C. Business application owner
  • D. Data center manager

Answer: C

NEW QUESTION 7

Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

  • A. Interview control owners.
  • B. Observe the control enhancements in operation.
  • C. Inspect external audit documentation.
  • D. Review management's detailed action plans.

Answer: B

NEW QUESTION 8

Which of the following is the BEST way to validate the results of a vulnerability assessment?

  • A. Perform a penetration test.
  • B. Review security logs.
  • C. Conduct a threat analysis.
  • D. Perform a root cause analysis.

Answer: A

NEW QUESTION 9

Risk mitigation procedures should include:

  • A. buying an insurance policy.
  • B. acceptance of exposures.
  • C. deployment of countermeasures.
  • D. enterprise architecture implementation.

Answer: C

NEW QUESTION 10

A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:

  • A. implement the planned controls and accept the remaining risk.
  • B. suspend the current action plan in order to reassess the risk.
  • C. revise the action plan to include additional mitigating controls.
  • D. evaluate whether selected controls are still appropriate.

Answer: D

NEW QUESTION 11

Which of the following is the MOST common concern associated with outsourcing to a service provider?

  • A. Lack of technical expertise
  • B. Combining incompatible duties
  • C. Unauthorized data usage
  • D. Denial of service attacks

Answer: B

NEW QUESTION 12

Which of the following is MOST effective in continuous risk management process improvement?

  • A. Periodic assessments
  • B. Change management
  • C. Awareness training
  • D. Policy updates

Answer: C

NEW QUESTION 13

A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be used. Of the following, who should own the risk if the ERP and payroll system fail to operate as expected?

  • A. The business owner
  • B. The ERP administrator
  • C. The project steering committee
  • D. The IT project manager

Answer: A

NEW QUESTION 14

The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure:

  • A. the risk strategy is appropriate
  • B. KRIs and KPIs are aligned
  • C. performance of controls is adequate
  • D. the risk monitoring process has been established

Answer: B

NEW QUESTION 15

The BEST way to improve a risk register is to ensure the register:

  • A. is updated based upon significant events.
  • B. documents possible countermeasures.
  • C. contains the risk assessment completion date.
  • D. is regularly audited.

Answer: D

NEW QUESTION 16

Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?

  • A. Corporate incident escalation protocols are established.
  • B. Exposure is integrated into the organization's risk profile.
  • C. Risk appetite cascades to business unit management.
  • D. The organization-wide control budget is expanded.

Answer: B

NEW QUESTION 17

The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:

  • A. accounts without documented approval.
  • B. user accounts with default passwords.
  • C. active accounts belonging to former personnel.
  • D. accounts with dormant activity.

Answer: A

NEW QUESTION 18

Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

  • A. Control chart
  • B. Sensitivity analysis
  • C. Trend analysis
  • D. Decision tree

Answer: D

NEW QUESTION 19

To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?

  • A. Business owner
  • B. IT department
  • C. Risk manager
  • D. Third-party provider

Answer: D

NEW QUESTION 20

An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?

  • A. IT risk manager
  • B. IT system owner
  • C. Information security manager
  • D. Business owner

Answer: D

NEW QUESTION 21

Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

  • A. An updated risk register
  • B. Risk assessment results
  • C. Technical control validation
  • D. Control testing results

Answer: D

NEW QUESTION 22

A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?

  • A. Regulatory requirements may differ in each country.
  • B. Data sampling may be impacted by various industry restrictions.
  • C. Business advertising will need to be tailored by country.
  • D. The data analysis may be ineffective in achieving objectives.

Answer: A

NEW QUESTION 23

A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

  • A. Risk appetite statement
  • B. Enterprise risk management framework
  • C. Risk management policies
  • D. Risk register

Answer: D

NEW QUESTION 24
......

Recommended! Get the full CRISC dumps in VCE and PDF from Thedumpscentre.com. Welcome to download: https://www.thedumpscentre.com/CRISC-dumps/ (New 285 Q&As Version)
