CRISC Certified in Risk and Information Systems Control - Practice Questions

Question 13 (Volume B)

You are the IT manager in Bluewell Inc. You identify a new regulation for safeguarding the information processed by a specific type of transaction. What would be the FIRST action you will take?

Select an option, then click Submit answer.

○
Assess whether existing controls meet the regulation
○
Update the existing security privacy policy
○
Meet with stakeholders to decide how to comply
○
Analyze the key risk in the compliance process

Question 14 (Volume C)

Which of the following is BEST described by the definition below?

"They are heavy influencers of the likelihood and impact of risk scenarios and should be taken into account during every risk analysis, when likelihood and impact are assessed."

Select an option, then click Submit answer.

○
Obscure risk
○
Risk factors
○
Risk analysis
○
Risk event

Reference / correct answer:

Risk factors

Risk factors are those features that influence the likelihood and/or business impact of risk scenarios. They have heavy influences on probability and impact of risk scenarios. They should be taken into account during every risk analysis, when likelihood and impact are assessed.

Incorrect Answers:

A: The enterprise must consider risk that has not yet occurred and should develop scenarios around unlikely, obscure or non-historical events.

Such scenarios can be developed by considering two things:

Visibility Recognition

For the fulfillment of this task enterprise must:

Be in a position that it can observe anything going wrong

Have the capability to recognize an observed event as something wrong

C: A risk analysis involves identifying the most probable threats to an organization and analyzing the related vulnerabilities of the organization to these threats. A risk from an organizational perspective consists of:

Threats to various processes of organization.

Threats to physical and information assets.

Likelihood and frequency of occurrence from threat. Impact on assets from threat and vulnerability.

Risk analysis allows the auditor to do the following tasks:

Identify threats and vulnerabilities to the enterprise and its information system.

Provide information for evaluation of controls in audit planning.

Aids in determining audit objectives. Supporting decision based on risks.

D: A risk event represents the situation where you have a risk that only occurs with a certain probability and where the risk itself is represented by a specified distribution.

Question 15 (Volume D)

A vulnerability assessment of a vendor-supplied solution has revealed that the software is susceptible to cross-site scripting and SQL injection attacks. Which of the following will BEST mitigate this issue?

Select an option, then click Submit answer.

○
Require the software vendor to remediate the vulnerabilities.
○
Approve exception to allow the software to continue operating.
○
Monitor the databases for abnormal activity.
○
Accept the risk and let the vendor run the software as is.

CRISC – Certified in Risk and Information Systems Control