Which of the following processes is described in the statement below?
"It is the process of implementing risk response plans, tracking identified risks, monitoring residual risk, identifying new risks, and evaluating risk process effectiveness throughout the project."
A. Perform Quantitative Risk Analysis
B. Monitor and Control Risks
C. Identify Risks
D. Perform Qualitative Risk Analysis
Which of the following is true for Cost Performance Index (CPI)?
A. If the CPI > 1, it indicates better than expected performance of project
B. CPI = Earned Value (EV) * Actual Cost (AC)
C. It is used to measure performance of schedule
D. If the CPI = 1, it indicates poor performance of project
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
A. Annually
B. Quarterly
C. Every three years
D. Never
Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed?
A. Background checks
B. Awareness training
C. User access
D. Policy management
An organization has decided to implement an emerging technology and incorporate the new capabilities into its strategic business plan. Business operations for the technology will be outsourced. What will be the risk practitioner's PRIMARY role during the change?
A. Managing third-party risk
B. Developing risk scenarios
C. Managing the threat landscape
D. Updating risk appetite
Which of the following BEST protects an organization against breaches when using a software as a service (SaaS) application?
A. Control self-assessment (CSA)
B. Security information and event management (SIEM) solutions
C. Data privacy impact assessment (DPIA)
D. Data loss prevention (DLP) tools
An organization has decided to implement a new Internet of Things (IoT) solution. Which of the following should be done FIRST when addressing security concerns associated with this new technology?
A. Develop new IoT risk scenarios.
B. Implement IoT device monitoring software.
C. Introduce controls to the new threat environment.
D. Engage external security reviews.
Which of the following is the MOST important consideration for a risk owner when deciding whether to accept IT-related risk?
A. Industry risk standards
B. Opinion of external audit
C. The likelihood that the risk will materialize
D. The organization's risk appetite
Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of IT policies? The number of:
A. senior management approvals.
B. processes covered by IT policies.
C. IT policy exceptions granted.
D. key technology controls covered by IT policies.
Which of the following events is MOST likely to trigger an update to the risk register?
A. A reminder to reassess an identified risk has been sent to risk owners and risk custodians.
B. A business case for implementing a new solution for automating controls has been proposed.
C. A project to implement a risk response action plan has been completed and closed successfully.
D. A post-implementation review of a new application has been initiated by senior management.