isaca crisc practice test

Topic 4
The PRIMARY reason for prioritizing risk scenarios is to:

• A. facilitate risk response decisions.
• B. support risk response tracking.
• C. assign risk ownership.
• D. provide an enterprise-wide view of risk.

Topic 4
A third-party vendor has offered to perform user access provisioning and termination. Which of the following control
accountabilities is BEST retained within the organization?

• A. Reviewing access control lists
• B. Performing user access recertification
• C. Authorizing user access requests
• D. Terminating inactive user access

Topic 4
In order to determine if a risk is under-controlled, the risk practitioner will need to:

• A. determine the sufficiency of the IT risk budget
• B. monitor and evaluate IT performance
• C. identify risk management best practices
• D. understand the risk tolerance

Topic 4
Which of the following is the BEST way to quantify the likelihood of risk materialization?

• A. Balanced scorecard
• B. Business impact analysis (BIA)
• C. Threat and vulnerability assessment
• D. Compliance assessments

Topic 4
Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?

• A. Ensuring that risk and control assessments consider fraud
• B. Implementing processes to detect and deter fraud
• C. Providing oversight of risk management processes
• D. Monitoring the results of actions taken to mitigate fraud

Topic 4
Which of the following is MOST important for an organization to update following a change in legislation requiring notification
to individuals impacted by data breaches?

• A. Security awareness training
• B. Policies and standards
• C. Risk appetite and tolerance
• D. Insurance coverage

Topic 4
An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

• A. a tool for monitoring critical activities and controls
• B. procedures to monitor the operation of controls
• C. real-time monitoring of risk events and control exceptions
• D. monitoring activities for all critical assets.

Topic 4
Which of the following is MOST helpful to understand the consequences of an IT risk event?

• A. Fault tree analysis
• B. Root cause analysis
• C. Business impact analysis (BIA)
• D. Historical trend analysis

Topic 4
What information related to a system vulnerability would be MOST useful to management in making an effective risk-based
decision?

• A. Consequences if the vulnerability is exploited
• B. Availability of patches to mitigate the vulnerability
• C. Vulnerability scanning tools currently in place
• D. Risk mitigation plans for the vulnerability

Topic 4
Which of the following risk-related information is MOST valuable to senior management when formulating an IT strategic
plan?

• A. Risk mitigation plans
• B. IT risk appetite statement
• C. Emerging IT risk scenarios
• D. Key risk indicators (KRIs)

Topic 4
Before assigning sensitivity levels to information, it is MOST important to:

• A. define the information classification policy.
• B. conduct a sensitivity analysis.
• C. identify information custodians.
• D. define recovery time objectives (RTOs).

Topic 4
Within the three lines of defense model, the accountability for the system of internal controls resides with:

• A. enterprise risk management.
• B. the risk practitioner.
• C. the chief information officer (CIO).
• D. the board of directors.

Topic 4
The PRIMARY purpose of using a framework for risk analysis is to:

• A. help define risk tolerance
• B. help develop risk scenarios
• C. improve consistency
• D. improve accountability.

Topic 4
Which of the following will BEST help to ensure the continued effectiveness of the IT risk management function within an
organization experiencing high employee turnover?

• A. Change and release management
• B. Well documented policies and procedures
• C. Risk and issue tracking
• D. An IT strategy committee

Topic 4
Which of the following is MOST important to review when determining whether a potential IT service providers control
environment is effective?

• A. Control self-assessment (CSA)
• B. Service level agreements (SLAs)
• C. Key performance indicators (KPIs)
• D. Independent audit report