You are working in an enterprise. Assume that your enterprise periodically compares finished goods inventory levels to the perpetual inventories in its ERP system. What kind of information is provided by the lack of any significant differences between the perpetual levels and the actual levels?
A. Direct information
B. Indirect information
C. Risk management plan
D. Risk audit information
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
A. Annually
B. Quarterly
C. Every three years
D. Never
What are the three PRIMARY steps to be taken to initialize the project? Each correct answer represents a complete solution. (Choose three.)
A. Conduct a feasibility study
B. Define requirements
C. Acquire software
D. Plan risk management
Which of the following is the BEST method to maintain a common view of IT risk within an organization?
A. Collecting data for IT risk assessment
B. Establishing and communicating the IT risk profile
C. Utilizing a balanced scorecard
D. Performing and publishing an IT risk analysis
Which of the following BEST enables risk-based decision making in support of a business continuity plan (BCP)?
A. Impact analysis
B. Control analysis
C. Root cause analysis
D. Threat analysis
An organization retains footage from its data center security camera for 30 days when the policy requires 90-day retention. The business owner challenges whether the situation is worth remediating. Which of the following is the risk manager's BEST response?
A. Identify the regulatory bodies that may highlight this gap
B. Highlight news articles about data breaches
C. Evaluate the risk as a measure of probable loss
D. Verify if competitors comply with a similar policy
Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?
A. The KRIs' source data lacks integrity.
B. The KRIs are not automated.
C. The KRIs are not quantitative.
D. The KRIs do not allow for trend analysis.
Who is MOST important to include in the assessment of existing IT risk scenarios?
A. Risk management consultants
B. Business process owners
C. Technology subject matter experts
D. Business users of IT systems
Risk mitigation is MOST effective when which of the following is optimized?
A. Inherent risk
B. Residual risk
C. Operational risk
D. Regulatory risk
Which of the following is the MOST likely reason an organization would engage an independent reviewer to assess its IT risk management program?
A. To identify gaps in the alignment of IT risk management processes and strategy
B. To confirm that IT risk assessment results are expressed in quantitative terms
C. To evaluate threats to the organization's operations and strategy
D. To ensure IT risk management is focused on mitigating emerging risk