Free ISACA CRISC Practice Exams

Question #1

Which of the following is the MOST important document regarding the treatment of sensitive data?

A . Encryption policy
B . Organization risk profile
C . Digital rights management policy
D . Information classification policy

Reveal Solution Hide Solution

Question #2

Which of the following is the MOST important element of a successful risk awareness training program?

A . Customizing content for the audience
B . Providing incentives to participants
C . Mapping to a recognized standard
D . Providing metrics for measurement

Reveal Solution Hide Solution

Question #3

An organization has outsourced its IT security operations to a third party.

Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

A . The third party s management
B . The organization’s management
C . The control operators at the third party
D . The organization’s vendor management office

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Outsourcing IT security operations is a common practice that can provide benefits such as cost savings, access to specialized skills, and improved service quality12. However, outsourcing also introduces risks such as loss of control, dependency, contractual issues, and service failures12.

When an organization outsources its IT security operations to a third party, it does not transfer the accountability for the risk associated with the outsourced operations. Accountability is the obligation to answer for the execution of one’s assigned responsibilities34.

The organization’s management is ultimately accountable for the risk associated with the outsourced operations, as they are responsible for defining the organization’s risk appetite, strategy, and objectives, and for ensuring that the organization’s IT security operations are aligned with them34. The organization’s management is also accountable for selecting, contracting, and overseeing the third party, and for ensuring that the third party meets the agreed service levels, standards, and compliance requirements34.

The organization’s management is also accountable for monitoring and reporting the risk associated with the outsourced operations, and for taking corrective actions when necessary34.

The other options are not ultimately accountable, but rather have different roles and responsibilities in relation to the outsourced operations.

For example:

The third party’s management is responsible for delivering the IT security services according to the contract, and for managing the risk within their own organization34. They are accountable to the organization’s management, but not to the organization’s stakeholders.

The control operators at the third party are responsible for implementing and operating the IT security controls according to the service specifications, and for reporting any issues or incidents to the organization’s management34. They are accountable to the third party’s management, but not to the organization’s management or stakeholders.

The organization’s vendor management office is responsible for facilitating the relationship between the organization and the third party, and for supporting the organization’s management in the outsourcing process34. They are accountable to the organization’s management, but not for the risk associated with the outsourced operations.

Reference: =

1: Outsourcing IT Security: A Risk Management Perspective, ISACA Journal, Volume 2, 2019

2: The Cyber Security Risks Of Outsourcing, Cybersecurity Intelligence, January 4, 2022

3: Accountability for Information Security Roles and Responsibilities, Part 1, ISACA Journal, Volume 5, 2019

4: Risk IT Framework, ISACA, 2009

Question #4

When of the following is the BEST key control indicator (KCI) to determine the effectiveness of en intrusion prevention system (IPS)?

A . Percentage of system uptime
B . Percentage of relevant threats mitigated
C . Total number of threats identified
D . Reaction time of the system to threats

Reveal Solution Hide Solution

Question #5

Because of a potential data breach, an organization has decided to temporarily shut down its online sales order system until sufficient controls can be implemented.

Which risk treatment has been selected?

A . Avoidance
B . Transfer
C . Mitigation
D . Acceptance

Reveal Solution Hide Solution

Question #6

An organization has contracted with a cloud service provider to support the deployment of a new product.

Of the following, who should own the associated risk?

A . The head of enterprise architecture (EA)
B . The IT risk manager
C . The information security manager
D . The product owner

Reveal Solution Hide Solution

Question #7

For a large software development project, risk assessments are MOST effective when performed:

A . before system development begins.
B . at system development.
C . at each stage of the system development life cycle (SDLC).
D . during the development of the business case.

Reveal Solution Hide Solution

Question #8

An organization is concerned that its employees may be unintentionally disclosing data through the use of social media sites.

Which of the following will MOST effectively mitigate tins risk?

A . Requiring the use of virtual private networks (VPNs)
B . Establishing a data classification policy
C . Conducting user awareness training
D . Requiring employee agreement of the acceptable use policy

Reveal Solution Hide Solution

Question #9

What is the PRIMARY benefit of risk monitoring?

A . It reduces the number of audit findings.
B . It provides statistical evidence of control efficiency.
C . It facilitates risk-aware decision making.
D . It facilitates communication of threat levels.

Reveal Solution Hide Solution

Question #10

Which of the following BEST supports the management of identified risk scenarios?

A . Collecting risk event data
B . Maintaining a risk register
C . Using key risk indicators (KRIs)
D . Defining risk parameters

Reveal Solution Hide Solution