ISACA CRISC QUESTION BANK
TRAINER: HERY PURNAMA, SE., MM,
MCP, PMP, ITILF, CISA, CISM, CRISC, CDPSE, CGEIT, COBIT, TOGAF,
CISSP, CDMP, CTFL
CRISC TRYOUT 40 QUESTIONS
1. Which of the following is MOST important to determine when defining risk management strategies?
⚪ A. Risk assessment criteria
⚪ B. IT architecture complexity
⚪ C. An enterprise disaster recovery plan
⚫ D. Business objectives and operations
Explanation:
D is the correct answer.
Justification:
A. Information on the internal and external environment must be collected to define a strategy and identify its
impact. Risk assessment criteria alone are not sufficient.
B. IT architecture complexity is more directly related to assessing risk than defining strategies.
C. An enterprise disaster recovery plan is more directly related to mitigating the risk.
D. While defining risk management strategies, the risk practitioner needs to analyze the organization’s
objectives and risk tolerance and define a risk management framework based on this analysis. Some
organizations may accept known risk, while others may invest in and apply mitigating controls to
reduce risk.
2. Which of the following is the MOST important information to include in a risk management strategic plan?
⚪ A. Risk management staffing requirements
⚪ B. The risk management mission statement
⚪ C. Risk mitigation investment plans
⚫ D. The current state and desired future state
Explanation:
D is the correct answer.
Justification:
A. Risk management staffing requirements are generally driven by a robust understanding of the current and
desired future state.
B. The risk management mission statement is important but is not an actionable part of a risk management
strategic plan.
C. Risk mitigation investment plans are generally driven by a robust understanding of the current and desired
future state.
D. It is most important to paint a vision for the future and then draw a road map from the starting point;
therefore, this requires that the current state and desired future state be fully understood.
3. Information that is no longer required to support the main purpose of the business from an information security
perspective should be:
⚫ A. analyzed under the retention policy.
⚪ B. protected under the information classification policy.
⚪ C. analyzed under the backup policy.
⚪ D. protected under the business impact analysis.
Explanation:
A is the correct answer.
Justification:
A. Information that is no longer required should be analyzed under the retention policy to determine
whether the organization is required to maintain the data for business, legal or regulatory reasons.
Keeping data that are no longer required unnecessarily consumes resources; may be in breach of
legal and regulatory obligations regarding retention of data; and, in the case of sensitive personal
information, can increase the risk of data compromise.
B. The information classification policy should specify retention and destruction of information that is no longer
of value to the core business, as applicable.
C. The backup policy is generally based on recovery point objectives. The information classification policy
should specify retention and destruction of backup media.
D. A business impact analysis can help determine that this information does not support the main objective of the
business, but does not indicate the action to take.
4. An enterprise has outsourced the majority of its IT department to a third party whose servers are in a foreign
country. Which of the following is the MOST critical security consideration?
⚪ A. A security breach notification may get delayed due to the time difference.
⚪ B. Additional network intrusion detection sensors should be installed, resulting in additional cost.
⚪ C. The enterprise could be unable to monitor compliance with its internal security and privacy guidelines.
⚫ D. Laws and regulations of the country of origin may not be enforceable in the foreign country.
Explanation:
D is the correct answer.
Justification:
A. Security breach notification is not a problem. Time difference does not play a role in a 24/7 environment.
Mobile devices (smartphones, tablets, etc.) are usually available to communicate a notification.
B. The need for additional network intrusion sensors is a manageable problem that requires additional funding,
but can be addressed.
C. Outsourcing does not remove the enterprise’s responsibility regarding internal requirements.
D. Laws and regulations of the country of origin may not be enforceable in the foreign country.
Conversely, the laws and regulations of the foreign vendor may also affect the enterprise. Potential
violation of local laws applicable to the enterprise or the vendor may not be recognized or remedied due
to the lack of knowledge of local laws and/or inability to enforce them.
5. An enterprise recently developed a breakthrough technology that could provide a significant competitive edge.
Which of the following FIRST governs how this information is to be protected from within the enterprise?
⚫ A. The data classification policy
⚪ B. The acceptable use policy
⚪ C. Encryption standards
⚪ D. The access control policy
Explanation:
A is the correct answer.
Justification:
A. A data classification policy describes the data classification categories, level of protection to be provided for each category of data and roles and responsibilities of potential users, including data owners.
B. An acceptable use policy is oriented more toward the end user and, therefore, does not specifically address
which controls should be in place to adequately protect information.
C. Mandated levels of protection, as defined by the data classification policy, should drive which levels of
encryption will be in place.
D. Mandated levels of protection, as defined by the data classification policy, should drive which access controls
will be in place.
6. Malware has been detected that redirects users’ computers to websites crafted specifically for the purpose of fraud.
The malware changes domain name system server settings, redirecting users to sites under the hackers’ control. This
scenario BEST describes a:
⚪ A. man-in-the-middle attack.
⚪ B. phishing attack.
⚫ C. pharming attack.
⚪ D. social-engineering attack.
Explanation:
C is the correct answer.
Justification:
A. In a man-in-the-middle attack, the attacker intercepts the communication between two victims and then
replaces the traffic between them with the intruder’s own, eventually assuming control of the communication.
B. A phishing attack is a type of email attack that attempts to convince a user that the originator is genuine but
with the intention of obtaining information for use in social engineering.
C. A pharming attack changes the pointers on a domain name system server and redirects a user’s session
to a masquerading website.
D. A social-engineering attack deceives users or administrators at the target site into revealing confidential or
sensitive information. They can be executed person-to-person, over the telephone or via email.
7. What is the MOST effective method to evaluate the potential impact of legal, regulatory and contractual
requirements on business objectives?
⚪ A. A compliance-oriented gap analysis
⚪ B. Interviews with business process stakeholders
⚪ C. A mapping of compliance requirements to policies and procedures
⚫ D. A compliance-oriented business impact analysis
Explanation:
D is the correct answer.
Justification:
A. A gap analysis will only identify the gaps in compliance to current requirements and will not identify impacts
to business objectives or activities.
B. Interviews with key business process stakeholders will identify business objectives but will not necessarily
account for the compliance requirements that must be met.
C. Mapping requirements to policies and procedures will identify how compliance is being achieved but will not
identify business impact.
D. A compliance-oriented business impact analysis will identify compliance requirements to which the
enterprise is subject and will assess their effect on business objectives and activities.
8. Which of the following is the BEST way to ensure that an accurate risk register is maintained over time?
⚪ A. Monitor key risk indicators and record the findings in the risk register.
⚫ B. Publish the risk register centrally with workflow features that periodically poll risk assessors.
⚪ C. Distribute the risk register to business process owners for review and updating.
⚪ D. Use audit personnel to perform regular audits and to maintain the risk register.
Explanation:
B is the correct answer.
Justification:
A. Monitoring key risk indicators will only provide insights to known and identified risk and will not account for
risk that has yet to be identified.
B. Centrally publishing the risk register and enabling periodic polling of risk assessors through workflow
features will ensure accuracy of content. A knowledge management platform with workflow and polling
features will automate the process of maintaining the risk register.
C. Business process owners typically cannot effectively identify risk to their business processes. They may not
have the ability to be unbiased in their review and may not have the appropriate skills or tools to effectively
evaluate risk.
D. Audit personnel may not have the appropriate business knowledge or training in risk assessment to
appropriately identify risk. Regular audits of business processes can also be a hindrance to business activities
and most likely will not be allowed by business leadership.
9. Shortly after performing the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should:
⚫ A. analyze what systems and technology-related processes may be impacted.
⚪ B. ensure necessary adjustments are implemented during the next review cycle.
⚪ C. initiate an ad hoc revision of the corporate policy.
⚪ D. notify the system custodian to implement changes.
Explanation:
A is the correct answer.
Justification:
A. Assessing what systems and technology-related processes may be impacted is the best course of action.
The analysis must also determine whether existing controls already address the new requirements.
B. Ensuring necessary adjustments are implemented during the next review cycle is not the best answer,
particularly in cases where the law does affect the enterprise. While an annual review cycle may be sufficient
in general, significant changes in the internal or external environment should trigger an ad hoc reassessment.
C. Initiating an ad hoc amendment to the corporate policy may be a rash and unnecessary action.
D. Notifying the system custodian to implement changes is inappropriate. Changes to the system should be
implemented only after approval by the process owner.
10. Which of the following is the PRIMARY objective of a risk management program?
⚫ A. Maintain residual risk at an acceptable level
⚪ B. Implement preventive controls for every threat
⚪ C. Remove all identified risks
⚪ D. Reduce inherent risk to zero
Explanation:
A is the correct answer.
Justification:
A. Ensuring that all residual risk is maintained at a level acceptable to the business is the objective of a
risk management program.
B. Implementing controls for every threat is not the objective for the risk management program. The program
considers known threats and determines the risk response to those threats as determined by the enterprise’s
risk appetite and acceptance levels.
C. A risk management program is not intended to remove every identified risk.
D. Inherent risk—the risk level of an activity, business process or entity without taking into account the actions
that management has taken or may take—is always greater than zero.
11. Assessing information systems risk is BEST achieved by:
⚪ A. using the enterprise’s past actual loss experience to determine current exposure.
⚪ B. reviewing published loss statistics from comparable organizations.
⚫ C. evaluating threats associated with existing information systems assets and information systems projects.
⚪ D. reviewing information systems control weaknesses identified in audit reports.
Explanation:
C is the correct answer.
Justification:
A. Past actual loss experience is potentially useful input to the risk assessment process, but it does not address
realistic risk scenarios that have not occurred in the past.
B. Published loss statistics from comparable organizations are a potentially useful input to the risk assessment
process but do not address enterprise-specific risk scenarios or those that have not occurred in the past.
C. To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk
assessment approaches.
D. Control weaknesses and other vulnerabilities are an important input to the risk assessment process, but by
themselves are not useful.
12. Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system?
⚪ A. Performing a business impact analysis
⚪ B. Considering personal devices as part of the security policy
⚫ C. Basing the information security infrastructure on a risk assessment
⚪ D. Initiating IT security training and familiarization
Explanation:
C is the correct answer.
Justification:
A. Typically, a business impact analysis is carried out to prioritize business processes as part of a business
continuity plan.
B. While personal devices should be considered as part of the security policy, they are not the most
important requirement.
C. The information security infrastructure should be based on a risk assessment.
D. Initiating IT security training may not be important for the information security infrastructure.
13. The PRIMARY concern of a risk practitioner reviewing a formal data retention policy is:
⚪ A. storage availability.
⚪ B. applicable organizational standards.
⚪ C. generally accepted industry good practices.
⚫ D. regulatory and business requirements.
Explanation:
D is the correct answer.
Justification:
A. Storage is not of primary importance because whatever is needed must be provided.
B. Applicable organizational standards support the policy but do not dictate it.
C. Good practices may suggest useful guidance but are not a primary concern.
D. In determining the retention policy, the regulatory requirements are of primary importance along with the business requirements. Without business requirements, a company can keep records indefinitely
regardless of available storage or business needs at a tremendous cost.
14. Which of the following areas is MOST likely to introduce vulnerability related to information security?
⚪ A. Tape backup management
⚪ B. Database management
⚫ C. Configuration management
⚪ D. Incident response management
Explanation:
C is the correct answer.
Justification:
A. Tape backup management is generally less susceptible to misconfiguration than configuration management.
B. Database management is generally less susceptible to misconfiguration than configuration management.
C. Configuration management is most likely to introduce information security weaknesses through
misconfiguration and failure to update operating system code correctly and on a timely basis.
D. Incident response management is generally less susceptible to misconfiguration than configuration management.
15. Which of the following is the MOST important reason for conducting security awareness programs throughout an enterprise?
⚫ A. Reducing the risk of social engineering attacks
⚪ B. Training personnel to respond to security incidents
⚪ C. Informing business units about the security strategy
⚪ D. Maintaining evidence of training records to ensure compliance
Explanation:
A is the correct answer.
Justification:
A. Social engineering is the act of manipulating people into divulging confidential information or
performing actions that enable unauthorized access to sensitive information and/or systems. People are
often considered the weakest link in security implementations and security awareness can help reduce
the risk of successful social engineering attacks by sensitizing employees to security policies and risks,
thus fostering compliance from each individual.
B. Training individuals in security incident response is a corrective control action and not as important as
proactively preventing an incident.
C. Informing business units about the security strategy is best done through steering committee meetings or
other forums.
D. Maintaining evidence of training records to ensure compliance is an administrative, documentary task but
should not be the objective of training.
16. The MOST significant drawback of using quantitative risk analysis instead of qualitative risk analysis is the:
⚪ A. lower objectivity.
⚪ B. greater reliance on expertise.
⚪ C. less management buy-in.
⚫ D. higher cost.
17. Risk scenarios are analyzed to determine:
⚪ A. strength of controls.
⚫ B. likelihood and impact.
⚪ C. current risk profile.
⚪ D. scenario root cause.
18. The risk to an information system that supports a critical business process is owned by:
⚪ A. the IT director.
⚫ B. senior management.
⚪ C. the risk management department.
⚪ D. the system users.
19. The PRIMARY reason risk assessments should be repeated at regular intervals is:
⚪ A. omissions in earlier assessments can be addressed.
⚪ B. periodic assessments allow various methodologies.
⚫ C. business threats are constantly changing.
⚪ D. they help raise risk awareness among staff.
20. Which of the following choices BEST assists a risk practitioner in measuring the existing level of development of risk management processes against their desired state?
⚫ A. A capability maturity model (CMM)
⚪ B. Risk management audit reports
⚪ C. A balanced scorecard (BSC)
⚪ D. Enterprise security architecture
21. Which of the following choices BEST helps identify information systems control deficiencies?
⚫ A. Gap analysis
⚪ B. The current IT risk profile
⚪ C. The IT controls framework
⚪ D. Countermeasure analysis
22. Deriving the likelihood and impact of risk scenarios through statistical methods is MOST LIKELY to be associated with which type of risk analysis?
⚪ A. risk scenario
⚪ B. qualitative
⚫ C. quantitative
⚪ D. semiquantitative
23. Which of the following reviews is BEST suited for the review of IT risk analysis results before the results are sent to management for approval and use in decision making?
⚪ A. An internal audit review
⚫ B. A peer review
⚪ C. A compliance review
⚪ D. A risk policy review
24. When a risk cannot be sufficiently mitigated through manual or automatic controls, which of the following options will BEST protect the enterprise from the potential financial impact of the risk?
⚫ A. Insuring against the risk
⚪ B. Updating the IT risk register
⚪ C. Improving staff training in the risk area
⚪ D. Outsourcing the related business process to a third party
25. To be effective, risk mitigation MUST reduce the:
⚫ A. residual risk.
⚪ B. inherent risk.
⚪ C. frequency of a threat.
⚪ D. impact of a threat.
26. The BEST control to prevent unauthorized access to an enterprise’s information is user:
⚪ A. accountability.
⚪ B. authentication.
⚪ C. identification.
⚫ D. access rules.
27. Which of the following controls BEST protects an enterprise from unauthorized individuals gaining access to sensitive information?
⚪ A. Using a challenge response system
⚪ B. Forcing periodic password changes
⚪ C. Monitoring and recording unsuccessful logon attempts
⚫ D. Providing access on a need-to-know basis
28. Which of the following defenses is BEST to use against phishing attacks?
⚪ A. An intrusion detection system (IDS)
⚪ B. Spam filters
⚫ C. End-user awareness
⚪ D. Application hardening
29. When responding to an identified risk event, the MOST important stakeholders involved in reviewing risk response options to an IT risk are the:
⚪ A. information security managers.
⚪ B. internal auditors.
⚪ C. incident response team members.
⚫ D. business managers.
30. Which of the following choices should be considered FIRST when designing information system controls?
⚫ A. The organizational strategic plan
⚪ B. The existing IT environment
⚪ C. The present IT budget
⚪ D. The IT strategic plan
31. Residual risk can be accurately calculated on the basis of:
⚪ A. Threats and vulnerabilities
⚫ B. Inherent risk and control risk
⚪ C. Compliance risk and reputation
⚪ D. Risk governance and risk response
32. The MOST important reason to maintain key risk indicators (KRIs) is that:
⚪ A. complex metrics require fine-tuning.
⚫ B. threats and vulnerabilities change over time.
⚪ C. risk reports need to be timely.
⚪ D. they help to avoid risk.
33. Which of the following choices is the BEST measure of the operational effectiveness of risk management process capabilities?
⚫ A. Key performance indicators (KPIs)
⚪ B. Key risk indicators (KRIs)
⚪ C. Base practices
⚪ D. Metric thresholds
34. During a data extraction process, the total number of transactions per year was forecasted by multiplying the monthly average by twelve. This is considered:
⚪ A. a controls total.
⚪ B. simplistic and ineffective.
⚪ C. a duplicates test.
⚫ D. a reasonableness test.
35. The BEST test for confirming the effectiveness of the system access management process is to map:
⚪ A. access requests to user accounts.
⚫ B. user accounts to access requests.
⚪ C. user accounts to human resources (HR) records.
⚪ D. the vendor database to user accounts.
36. Which of the following choices provides the BEST assurance that a firewall is configured in compliance with an enterprise’s security policy?
⚪ A. Review the actual procedures.
⚪ B. Interview the firewall administrator.
⚫ C. Review the parameter settings.
⚪ D. Review the device’s log file for recent attacks.
37. One way to verify control effectiveness is by determining:
⚪ A. its reliability.
⚪ B. whether it is preventive or detective.
⚪ C. the capability of providing notification of failure.
⚫ D. the test results of intended objectives.
38. Tools that correlate information from multiple systems to improve trend analysis are MOST likely to be applied to:
⚫ A. transaction data.
⚪ B. configuration settings.
⚪ C. system changes.
⚪ D. process integrity.
39. Which of the following methods is the MOST effective way to ensure that outsourced service providers comply with the enterprise’s information security policy?
⚫ A. Periodic audits
⚪ B. Security awareness training
⚪ C. Penetration testing
⚪ D. Service level monitoring
40. What type of policy would an organization use to forbid its employees from using organizational e-mail for personal use?
⚪ A. Anti-harassment policy
⚫ B. Acceptable use policy
⚪ C. Intellectual property policy
⚪ D. Privacy policy