Who has the BEST authority to develop the priorities and identify what risks and impacts would occur if there were a loss of the organization's private information?
A. External regulatory agencies
B. Internal auditor
C. Business process owners
D. Security management
John works as a project manager for BlueWell Inc. He is determining which risks can affect the project. Which of the following inputs of the Identify Risks process is useful in identifying risks associated with the time allowances for the activities or the project as a whole, with the width of the range indicating the degree of risk?
A. Activity duration estimates
B. Activity cost estimates
C. Risk management plan
D. Schedule management plan
Which of the following processes addresses the risks by their priorities, schedules the project management plan as required, and inserts resources and activities into the budget?
A. Monitor and Control Risk
B. Plan risk response
C. Identify Risks
D. Qualitative Risk Analysis
During which of the following processes is the probability and impact matrix prepared?
A. Risk response
B. Monitoring and Control Risk
C. Quantitative risk assessment
D. Qualitative risk assessment
You are the project manager of your enterprise. You have introduced an intrusion detection system as a control. You have identified a warning of a violation of your enterprise's security policies. What type of control is an intrusion detection system (IDS)?
A. Detective
B. Corrective
C. Preventative
D. Recovery
Which of the following would provide the MOST reliable evidence of the effectiveness of security controls implemented for a web application?
A. Penetration testing
B. IT general controls audit
C. Vulnerability assessment
D. Fault tree analysis
An organization recently implemented a machine learning-based solution to monitor IT usage and analyze user behavior in an effort to detect internal fraud. Which of the following is MOST likely to be reassessed as a result of this initiative?
A. Risk likelihood
B. Risk culture
C. Risk appetite
D. Risk capacity
The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:
A. availability of fault tolerant software.
B. strategic plan for business growth.
C. vulnerability scan results of critical systems.
D. redundancy of technical infrastructure.
Which of the following tasks should be completed prior to creating a disaster recovery plan (DRP)?
A. Conducting a business impact analysis (BIA)
B. Identifying the recovery response team
C. Procuring a recovery site
D. Assigning sensitivity levels to data
When reviewing a risk response strategy, senior management's PRIMARY focus should be placed on the:
A. cost-benefit analysis.
B. investment portfolio.
C. key performance indicators (KPIs).
D. alignment with risk appetite.