Crisc Review Questions

CRISC

TM

Review Questions, Answers & Explanations Manual

5th Edition

Updated with additional questions!

About ISACA ISACA® (isaca.org) helps professionals around the globe realize the positive potential of technology in an evolving digital world. By offering industry-leading knowledge, standards, credentialing and education, ISACA enables professionals to apply technology in ways that instill confidence, address threats, drive innovation and create positive momentum for their organizations. Established in 1969, ISACA is a global association serving more than 500,000 engaged professionals in 188 countries. ISACA is the creator of the COBIT® framework, which helps organizations effectively govern and manage their information and technology. Through its Cybersecurity NexusTM (CSX), ISACA helps organizations develop skilled cyber workforces and enables individuals to grow and advance their cyber careers. Disclaimer: ISACA has designed and created the CRISCTM Review Questions, Answers & Explanations Manual 5th Edition primarily as an educational resource to assist individuals preparing to take the CRISC certification exam. It was produced independently from the CRISC exam and the CRISC Certification Committee, which has had no responsibility for its content. Copies of past exams are not released to the public and were not made available to ISACA for preparation of this publication. ISACA makes no representations or warranties whatsoever with regard to these or other ISACA publications assuring candidates’ passage of the CRISC exam. Reservation of Rights © 2017 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. ISACA 3701 Algonquin Road | Suite 1010 Rolling Meadows, IL 60008 | USA P: +1.847.660.5505 F: +1.847.253.1755 Support: support.isaca.org Website: www.isaca.org Provide feedback: [email protected] Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center Follow ISACA on Twitter: https://twitter.com/ISACANews Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-598-5 CRISCTM Review Questions, Answers & Explanations Manual 5th Edition Printed in the United States of America CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world. ii

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

PREFACE

PREFACE ISACA is pleased to offer the 550 questions in this CRISCTM Review Questions, Answers & Explanations Manual 5th Edition. The purpose of this publication is to provide the CRISC candidate with sample questions and testing topics to help prepare and study for the CRISC exam. The material in this manual consists of 550 multiple-choice questions, answers and explanations intended to introduce CRISC candidates to the types of questions that may appear on the CRISC exam. They are not actual questions from the exam. The 550 questions are sorted by CRISC job practice domains. Additionally, 150 questions have been extracted to provide a sample exam with questions in the same proportion as the current CRISC job practice. The candidate also may want to obtain a copy of the CRISCTM Review Manual 6th Edition, which provides the foundational knowledge of a CRISC. The candidate also may wish to obtain these questions in a web-based format in the CRISCTM Review Questions, Answers & Explanations Database - 12 Month Subscription. Some of the questions are presented in scenarios. Scenarios are mini-case studies that describe a situation or an enterprise and require candidates to answer one or more questions based on the information provided. A scenario can focus on one or more domains. The CRISC exam may include scenario questions. ISACA offers this publication as an educational resource to assist individuals preparing to take the CRISC exam. It was produced independently from the CRISC Certification Working Group, which has no responsibility for its content. Copies of past exams are not released to the public and are not made available to candidates. ISACA makes no representations or warranties whatsoever with regard to these or other ISACA or IT Governance Institute publications assuring candidates’ passage of the CRISC exam. ISACA wishes you success with the CRISC exam and welcomes comments and suggestions on the utility and coverage of this manual. After completing the exam, please respond to the online evaluation that corresponds to this publication (www.isaca.org/studyaidsevaluation). Observations from exam candidates are invaluable in the preparation of new questions, answers and explanations.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

iii

ACKNOWLEDGMENTS

ACKNOWLEDGMENTS This CRISCTM Review Questions, Answers & Explanations Manual 5th Edition is the result of the collective efforts of many volunteers. ISACA members from throughout the world participated, generously offering their talent and expertise. This international team exhibited a spirit and selflessness that has become the hallmark of contributors to this valuable manual. Their participation and insight are truly appreciated.

iv

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

TABLE OF CONTENTS

TABLE OF CONTENTS PREFACE...................................................................................................................................................................................iii ACKNOWLEDGMENTS.........................................................................................................................................................iv INTRODUCTION.....................................................................................................................................................................vii OVERVIEW.......................................................................................................................................................................vii CRISC REVIEW QUESTIONS, ANSWERS & EXPLANATIONS MANUAL.............................................................vii TYPES OF QUESTIONS ON THE CRISC EXAM........................................................................................................viii PRETEST...................................................................................................................................................................................ix QUESTIONS, ANSWERS AND EXPLANATIONS BY DOMAIN......................................................................................1 DOMAIN 1—IT RISK IDENTIFICATION (27%)............................................................................................................1 DOMAIN 2—IT RISK ASSESSMENT (28%).................................................................................................................71 DOMAIN 3—RISK RESPONSE AND MITIGATION (23%)......................................................................................133 DOMAIN 4—RISK AND CONTROL MONITORING AND REPORTING (22%)....................................................197 POSTTEST..............................................................................................................................................................................245 SAMPLE EXAM.....................................................................................................................................................................247 SAMPLE EXAM ANSWER AND REFERENCE KEY.....................................................................................................269 SAMPLE EXAM ANSWER SHEET (PRETEST).............................................................................................................271 SAMPLE EXAM ANSWER SHEET (POSTTEST)...........................................................................................................273 EVALUATION.......................................................................................................................................................................275

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

v

Page intentionally left blank

vi

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

INTRODUCTION

INTRODUCTION OVERVIEW The CRISC exam evaluates a candidate’s practical knowledge, experience and application of the job practice domains. We recommend that candidates use multiple resources to prepare for the exam, including the CRISCTM Review Manual 6th Edition along with external publications. This section will offer study tips and explain how best to use this manual alongside other resources.

Getting Started Having adequate time to prepare for the CRISC exam is critical. Most candidates begin studying three to six months before the exam. Make sure to reserve time each week. Candidates may wish to increase weekly study time as the exam date approaches. Developing a specific plan can help optimize the time spent studying.

CRISC REVIEW QUESTIONS, ANSWERS & EXPLANATIONS MANUAL The CRISCTM Review Questions, Answers and Explanations Manual 5th Edition includes 550 multiple-choice questions, answers and explanations (numbered R1-1, R1-2, etc.). Questions are developed using task and knowledge statements as described in the CRISC job practice. Review questions are representative of exam questions, but they are not actual exam items. They are designed to assist candidates in understanding the material in the CRISCTM Review Manual 6th Edition and to exemplify formats typically found on the CRISC exam.

Questions Sorted by Domain Questions, answers and explanations are sorted by CRISC job practice domains. This sorting allows candidates to evaluate their comprehension by domain.

Sample Exam A random sample exam of 150 questions is also provided in this manual. This sample exam is informed by domain percentages specified in the CRISC job practice and used on the CRISC exam: Domain 1—IT Risk Identification............................................................................................. 27 percent Domain 2—IT Risk Assessment................................................................................................. 28 percent Domain 3—Risk Response and Mitigation................................................................................ 23 percent Domain 4—Risk and Control Monitoring and Reporting.......................................................... 22 percent Candidates are urged to use the sample exam and answer sheets to simulate an actual exam. The sample exam may be used in two ways. The first is as a pretest, which is taken prior to any additional study. The pretest can help identify a candidate’s weaker domains. The sample exam in the QAE manual is the same length as the actual CRISC exam. The second way to use the sample exam is as a posttest. After a given period of study, the posttest helps assess the effectiveness of a candidate’s preparation as the exam date approaches. The posttest can isolate domains and task/knowledge statements that may require additional review prior to the exam. Sample exam answer sheets have been provided for both uses. In addition, a sample exam answer/reference key is included. Sample exam questions are cross-referenced to the manual’s questions, answers and explanations by domain, so candidates may refer easily to the explanations of correct answers. This publication is ideal to use in conjunction with the CRISCTM Review Manual 6th Edition. The CRISC exam covers a broad spectrum of IS control solutions and how they relate to business and IT risk management issues. Candidates should not assume that reading the questions in this manual or completing sample exams will fully prepare them for the exam. Exam questions often relate to practical experience. Thus, CRISC candidates are advised to consult their own experience along with other publications and frameworks referenced in the CRISCTM Review Manual 6th Edition, including the COBIT® 5 framework and COBIT® 5 for Risk. The latter works are excellent sources of information and clarification. Candidates should evaluate the domains in which they feel weak or require further instruction and then study accordingly. Finally, please note that this publication has been written using standard American English. CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

vii

INTRODUCTION

TYPES OF QUESTIONS ON THE CRISC EXAM CRISC exam questions are developed to measure practical knowledge and the capacity to apply general concepts and standards. All questions are multiple-choice and are designed for one best answer. The candidate is cautioned to read each question carefully. Many times, a CRISC exam question will require the candidate to choose the appropriate answer that is MOST likely or BEST. Other times, a candidate may be asked to choose a practice or procedure that would be performed FIRST related to the other choices. In every case, the candidate is required to read the question carefully, eliminate known wrong choices and then make the best choice possible. Each CRISC question has a stem (question) and four choices (answers). The candidate should choose the best answer. The stem may be in the form of a question or an incomplete statement. In some instances, the stem may outline a professional scenario or problem. The stem may describe a situation and then ask candidates to answer two or more questions based on the same context. A helpful approach to these questions includes the following: • Read the entire stem and determine what the question is asking. Look for key words such as “BEST,” “MOST,” “FIRST,” etc., including key terms that may indicate what domain or concept is being tested. •R  ead all optional answers, and then read the stem again to see if any options can be eliminated immediately based on context. • Re-read the remaining options and apply personal experience to determine the best answer. Candidates should recognize that information security is a global profession, and individual perceptions and experiences may not reflect a global position or circumstance. Because the exam and CRISC manuals are written for an international information security community, candidates must be flexible when construing a scenario or condition that may diverge from the candidate’s local experience. CRISC exams are written by experienced information security managers from around the world. Each question on the exam is reviewed by ISACA’s CRISC Exam Item Development Working Group, which consists of international members. This geographic representation ensures that all questions are understood equally in every country and language. Note: ISACA review manuals are living documents. As technology advances, ISACA manuals will be updated to reflect such advances. Further updates or corrections to this document before the date of the exam may be viewed at www.isaca.org/studyaidupdates. Any suggestions to enhance the materials covered herein, or reference materials, should be submitted online at www.isaca.org/studyaidsevaluation. Any questions related to the material in this manual can be sent to [email protected].

viii

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

PRETEST

PRETEST If you wish to take a pretest to determine strengths and weaknesses, the Sample Exam begins on page 247 and the pretest answer sheet is on page 271. You can score your pretest with the Sample Exam Answer and Reference Key on page 269.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

ix

Page intentionally left blank

x

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

QUESTIONS, ANSWERS AND EXPLANATIONS BY DOMAIN DOMAIN 1—IT RISK IDENTIFICATION (27%) R1-1 Which of the following is MOST important to determine when defining risk management strategies? A. Risk assessment criteria B. IT architecture complexity C. An enterprise disaster recovery plan D. Business objectives and operations D is the correct answer. Justification: A. Information on the internal and external environment must be collected to define a strategy and identify its impact. Risk assessment criteria alone are not sufficient. B. IT architecture complexity is more directly related to assessing risk than defining strategies. C. An enterprise disaster recovery plan is more directly related to mitigating the risk. D. While defining risk management strategies, the risk practitioner needs to analyze the organization’s objectives and risk tolerance and define a risk management framework based on this analysis. Some organizations may accept known risk, while others may invest in and apply mitigating controls to reduce risk. R1-2 Which of the following is the MOST important information to include in a risk management strategic plan? A. Risk management staffing requirements B. The risk management mission statement C. Risk mitigation investment plans D. The current state and desired future state D is the correct answer. Justification: A. Risk management staffing requirements are generally driven by a robust understanding of the current and desired future state. B. The risk management mission statement is important but is not an actionable part of a risk management strategic plan. C. Risk mitigation investment plans are generally driven by a robust understanding of the current and desired future state. D. It is most important to paint a vision for the future and then draw a road map from the starting point; therefore, this requires that the current state and desired future state be fully understood.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

1

DOMAIN 1—IT RISK IDENTIFICATION

R1-3 Information that is no longer required to support the main purpose of the business from an information security perspective should be: A. analyzed under the retention policy. B. protected under the information classification policy. C. analyzed under the backup policy. D. protected under the business impact analysis. A is the correct answer. Justification:  A. Information that is no longer required should be analyzed under the retention policy to determine whether the organization is required to maintain the data for business, legal or regulatory reasons. Keeping data that are no longer required unnecessarily consumes resources; may be in breach of legal and regulatory obligations regarding retention of data; and, in the case of sensitive personal information, can increase the risk of data compromise. B. The information classification policy should specify retention and destruction of information that is no longer of value to the core business, as applicable. C. The backup policy is generally based on recovery point objectives. The information classification policy should specify retention and destruction of backup media. D. A business impact analysis can help determine that this information does not support the main objective of the business, but does not indicate the action to take. R1-4 An enterprise has outsourced the majority of its IT department to a third party whose servers are in a foreign country. Which of the following is the MOST critical security consideration? A. A security breach notification may get delayed due to the time difference. B. Additional network intrusion detection sensors should be installed, resulting in additional cost. C. The enterprise could be unable to monitor compliance with its internal security and privacy guidelines. D. Laws and regulations of the country of origin may not be enforceable in the foreign country. D is the correct answer. Justification: A. Security breach notification is not a problem. Time difference does not play a role in a 24/7 environment. Mobile devices (smartphones, tablets, etc.) are usually available to communicate a notification. B. The need for additional network intrusion sensors is a manageable problem that requires additional funding, but can be addressed. C. Outsourcing does not remove the enterprise’s responsibility regarding internal requirements.  D. Laws and regulations of the country of origin may not be enforceable in the foreign country. Conversely, the laws and regulations of the foreign vendor may also affect the enterprise. Potential violation of local laws applicable to the enterprise or the vendor may not be recognized or remedied due to the lack of knowledge of local laws and/or inability to enforce them.

2

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-5 An enterprise recently developed a breakthrough technology that could provide a significant competitive edge. Which of the following FIRST governs how this information is to be protected from within the enterprise? A. The data classification policy B. The acceptable use policy C. Encryption standards D. The access control policy A is the correct answer. Justification:  A. A data classification policy describes the data classification categories, level of protection to be provided for each category of data and roles and responsibilities of potential users, including data owners. B. An acceptable use policy is oriented more toward the end user and, therefore, does not specifically address which controls should be in place to adequately protect information. C. Mandated levels of protection, as defined by the data classification policy, should drive which levels of encryption will be in place. D. Mandated levels of protection, as defined by the data classification policy, should drive which access controls will be in place. R1-6 Malware has been detected that redirects users’ computers to websites crafted specifically for the purpose of fraud. The malware changes domain name system server settings, redirecting users to sites under the hackers’ control. This scenario BEST describes a: A. man-in-the-middle attack. B. phishing attack. C. pharming attack. D. social-engineering attack. C is the correct answer. Justification: A. In a man-in-the-middle attack, the attacker intercepts the communication between two victims and then replaces the traffic between them with the intruder’s own, eventually assuming control of the communication. B. A phishing attack is a type of email attack that attempts to convince a user that the originator is genuine but with the intention of obtaining information for use in social engineering.  C. A pharming attack changes the pointers on a domain name system server and redirects a user’s session to a masquerading website. D. A social-engineering attack deceives users or administrators at the target site into revealing confidential or sensitive information. They can be executed person-to-person, over the telephone or via email.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

3

DOMAIN 1—IT RISK IDENTIFICATION

R1-7 What is the MOST effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objectives? A. A compliance-oriented gap analysis B. Interviews with business process stakeholders C. A mapping of compliance requirements to policies and procedures D. A compliance-oriented business impact analysis D is the correct answer. Justification: A. A gap analysis will only identify the gaps in compliance to current requirements and will not identify impacts to business objectives or activities. B. Interviews with key business process stakeholders will identify business objectives but will not necessarily account for the compliance requirements that must be met. C. Mapping requirements to policies and procedures will identify how compliance is being achieved but will not identify business impact.  D. A compliance-oriented business impact analysis will identify compliance requirements to which the enterprise is subject and will assess their effect on business objectives and activities. R1-8 Which of the following is the BEST way to ensure that an accurate risk register is maintained over time? A. Monitor key risk indicators and record the findings in the risk register. B. Publish the risk register centrally with workflow features that periodically poll risk assessors. C. Distribute the risk register to business process owners for review and updating. D. Use audit personnel to perform regular audits and to maintain the risk register. B is the correct answer. Justification: A. Monitoring key risk indicators will only provide insights to known and identified risk and will not account for risk that has yet to be identified. B. Centrally publishing the risk register and enabling periodic polling of risk assessors through workflow features will ensure accuracy of content. A knowledge management platform with workflow and polling features will automate the process of maintaining the risk register. C. Business process owners typically cannot effectively identify risk to their business processes. They may not have the ability to be unbiased in their review and may not have the appropriate skills or tools to effectively evaluate risk. D. Audit personnel may not have the appropriate business knowledge or training in risk assessment to appropriately identify risk. Regular audits of business processes can also be a hindrance to business activities and most likely will not be allowed by business leadership.

4

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-9 Shortly after performing the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should: A. analyze what systems and technology-related processes may be impacted. B. ensure necessary adjustments are implemented during the next review cycle. C. initiate an ad hoc revision of the corporate policy. D. notify the system custodian to implement changes. A is the correct answer. Justification: A. Assessing what systems and technology-related processes may be impacted is the best course of action. The analysis must also determine whether existing controls already address the new requirements. B. Ensuring necessary adjustments are implemented during the next review cycle is not the best answer, particularly in cases where the law does affect the enterprise. While an annual review cycle may be sufficient in general, significant changes in the internal or external environment should trigger an ad hoc reassessment. C. Initiating an ad hoc amendment to the corporate policy may be a rash and unnecessary action. D. Notifying the system custodian to implement changes is inappropriate. Changes to the system should be implemented only after approval by the process owner. R1-10 Which of the following is the PRIMARY objective of a risk management program? A. Maintain residual risk at an acceptable level B. Implement preventive controls for every threat C. Remove all identified risks D. Reduce inherent risk to zero A is the correct answer. Justification:  A. Ensuring that all residual risk is maintained at a level acceptable to the business is the objective of a risk management program. B. Implementing controls for every threat is not the objective for the risk management program. The program considers known threats and determines the risk response to those threats as determined by the enterprise’s risk appetite and acceptance levels. C. A risk management program is not intended to remove every identified risk. D. Inherent risk—the risk level of an activity, business process or entity without taking into account the actions that management has taken or may take—is always greater than zero.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

5

DOMAIN 1—IT RISK IDENTIFICATION

R1-11 Assessing information systems risk is BEST achieved by: A. using the enterprise’s past actual loss experience to determine current exposure. B. reviewing published loss statistics from comparable organizations. C. evaluating threats associated with existing information systems assets and information systems projects. D. reviewing information systems control weaknesses identified in audit reports. C is the correct answer. Justification: A. Past actual loss experience is potentially useful input to the risk assessment process, but it does not address realistic risk scenarios that have not occurred in the past. B. Published loss statistics from comparable organizations are a potentially useful input to the risk assessment process but do not address enterprise-specific risk scenarios or those that have not occurred in the past. C. To assess IT risk, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches. D. Control weaknesses and other vulnerabilities are an important input to the risk assessment process, but by themselves are not useful. R1-12 Which of the following is the MOST important requirement for setting up an information security infrastructure for a new system? A. Performing a business impact analysis B. Considering personal devices as part of the security policy C. Basing the information security infrastructure on a risk assessment D. Initiating IT security training and familiarization C is the correct answer. Justification: A. Typically, a business impact analysis is carried out to prioritize business processes as part of a business continuity plan. B. While personal devices should be considered as part of the security policy, they are not the most important requirement. C. The information security infrastructure should be based on a risk assessment. D. Initiating IT security training may not be important for the information security infrastructure. R1-13 The PRIMARY concern of a risk practitioner reviewing a formal data retention policy is: A. storage availability. B. applicable organizational standards. C. generally accepted industry good practices. D. regulatory and business requirements. D is the correct answer. Justification: A. Storage is not of primary importance because whatever is needed must be provided. B. Applicable organizational standards support the policy but do not dictate it. C. Good practices may suggest useful guidance but are not a primary concern.  D. In determining the retention policy, the regulatory requirements are of primary importance along with the business requirements. Without business requirements, a company can keep records indefinitely regardless of available storage or business needs at a tremendous cost. 6

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-14 Which of the following areas is MOST likely to introduce vulnerability related to information security? A. Tape backup management B. Database management C. Configuration management D. Incident response management C is the correct answer. Justification: A. Tape backup management is generally less susceptible to misconfiguration than configuration management. B. Database management is generally less susceptible to misconfiguration than configuration management.  C. Configuration management is most likely to introduce information security weaknesses through misconfiguration and failure to update operating system code correctly and on a timely basis. D. Incident response management is generally less susceptible to misconfiguration than configuration management. R1-15 Which of the following is the MOST important reason for conducting security awareness programs throughout an enterprise? A. Reducing the risk of social engineering attacks B. Training personnel to respond to security incidents C. Informing business units about the security strategy D. Maintaining evidence of training records to ensure compliance A is the correct answer. Justification:  A. Social engineering is the act of manipulating people into divulging confidential information or performing actions that enable unauthorized access to sensitive information and/or systems. People are often considered the weakest link in security implementations and security awareness can help reduce the risk of successful social engineering attacks by sensitizing employees to security policies and risks, thus fostering compliance from each individual. B. Training individuals in security incident response is a corrective control action and not as important as proactively preventing an incident. C. Informing business units about the security strategy is best done through steering committee meetings or other forums. D. Maintaining evidence of training records to ensure compliance is an administrative, documentary task but should not be the objective of training.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

7

DOMAIN 1—IT RISK IDENTIFICATION

R1-16 Which of the following is the GREATEST risk of a policy that defines data and system ownership inadequately? A. Audit recommendations may not be implemented. B. Users may have unauthorized access to originate, modify or delete data. C. User management coordination does not exist. D. Specific user accountability cannot be established. B is the correct answer. Justification: A. A policy that inadequately defines data and system ownership generally does not affect the implementation of audit recommendations, particularly because audit reports assign remediation owners.  B. Without a policy defining who grants access to specific data or systems, risk increases that employees receive system access without justified business purpose. Business objectives are best supported when authority to grant access is assigned to specific individuals. C. While a policy that inadequately defines data and system ownership may affect user management coordination, the greatest risk would be granting user access inappropriately. D. User accountability is established by assigning unique user IDs and tracking transactions. R1-17 A lack of adequate controls represents: A. a vulnerability. B. an impact. C. an asset. D. a threat. A is the correct answer. Justification:  A. Lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information, financial loss, legal penalties, etc. B. Impact is the measure of financial loss incurred by a threat or incident. C. Assets have tangible or intangible value worth protecting and include people, systems, infrastructure, finances and reputation. D. A threat is a potential cause of a security incident. R1-18 The PRIMARY focus of managing IT-related business risk is to protect: A. information. B. hardware. C. applications. D. databases. A is the correct answer. Justification:  A. The primary objective for any enterprise is to protect mission-critical information based on a risk assessment. B. While many enterprises spend large amounts protecting IT hardware, doing so without first assessing risk to mission-critical data is not advisable. Hardware may become a focus if it stores, processes or transfers mission-critical data. C. Applications become a focus only if they process mission-critical data. D. Databases become a focus only if they store mission-critical data. 8

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-19 Which of the following can provide the BEST perspective of risk management to an enterprise’s employees and stockholders? A. An interdisciplinary team within the enterprise B. A third-party risk assessment service provider C. The enterprise’s IT department D. The enterprise’s internal compliance department A is the correct answer. Justification:  A. Assembling an interdisciplinary team to manage risk ensures that all areas are adequately considered in risk assessment and helps provide an enterprisewide perspective on risk. B. Engaging a third party to perform a risk assessment may provide additional expertise; but without internal knowledge, third parties lack judgment to determine the adequacy of risk assessment. C. A risk assessment performed by the enterprise’s IT department is unlikely to reflect the view of the entire enterprise. D. The internal compliance department ensures the implementation of risk responses based on the requirement of management. It generally does not take an active part in implementing risk responses for items that do not have regulatory implications. R1-20 Which of the following approaches to corporate policy BEST supports an enterprise’s expansion to other regions, where different local laws apply? A. A global policy without provisions that might be disputed at local levels B. A global policy amended to comply with local laws C. A global policy that complies with law at corporate headquarters and that all employees must follow D. Local policies to accommodate laws within each region B is the correct answer. Justification: A. Having one global policy that attempts to address local requirements for all locales is nearly impossible and generally cost prohibitive.  B. A global policy including local amendments ensures alignment with local laws and regulations. C. Policies tailored exclusively to laws governing the corporate headquarters, without providing for local laws and regulations, will expose the enterprise to risk of legal action as well as political and reputational loss. D. Decentralized local policies for each region require the enterprise to maintain and test documentation and processes separately for each region. This approach can become extremely expensive, and may fail to leverage common practices entailed in a global policy that is amended locally.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

9

DOMAIN 1—IT RISK IDENTIFICATION

R1-21 Which of the following is the BEST indicator that incident response training is effective? A. Decreased reporting of security incidents to the response team B. Increased reporting of security incidents to the response team C. Decreased number of password resets D. Increased number of identified system vulnerabilities B is the correct answer. Justification: A. Decreased reporting indicates that users lack awareness of what constitutes a security incident. B. Increased reporting of incidents in general is a good indicator of user awareness, but increased reporting of valid incidents is the best indicator because it shows that users are aware of security rules and know how to report incidents. It is the responsibility of the IT function to assess the information provided, identify false-positives, educate end users, and respond to potential problems. C. A decrease in the number of password resets is not an indicator of security awareness training. D. An increase in the number of system vulnerabilities is not an indicator of security awareness training. R1-22 Which of the following factors will have the GREATEST impact on the type of information security governance model that an enterprise adopts? A. The number of employees B. The enterprise’s budget C. The organizational structure D. The type of technology that the enterprise uses C is the correct answer. Justification: A. The number of employees in an enterprise does not primarily affect the choice of an information security governance model; well-defined processes provide the proper governance. B. Organizational budget does not dictate the choice of information security governance model.  C. Information security governance models depend significantly on the overall organizational structure. D. Technology in an enterprise does not primarily affect the choice of an information security governance model; well-defined processes provide the proper governance. R1-23 An enterprise learns of a security breach at another entity using similar network technology. The MOST important action for a risk practitioner is to: A. assess the likelihood of the incident occurring at the risk practitioner’s enterprise. B. discontinue the use of the vulnerable technology. C. report to senior management that the enterprise is not affected. D. remind staff that no similar security breaches have taken place. A is the correct answer. Justification:  A. The risk practitioner should first assess the likelihood of a similar incident at his/her enterprise, based on available information. B. Discontinuing vulnerable technology is not necessarily required; furthermore, the technology is likely to be needed to support the enterprise. C. Reporting to senior management that the enterprise is not affected is premature until the risk practitioner assesses the likelihood of a similar incident. D. Pending further research, the risk practitioner cannot be certain that no similar security breaches have taken place. 10

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-24 Which of the following is the GREATEST benefit of a risk-aware culture? A. Issues are escalated when suspicious activity is noticed. B. Controls are double-checked to anticipate any issues. C. Individuals communicate with peers for knowledge sharing. D. Employees are self-motivated to learn about costs and benefits. A is the correct answer. Justification:  A. Management benefits most from an escalation process because risk and/or incidents are reported in a timely manner. Escalation posture among employees is best developed through training and awareness programs. B. Double-checking controls is a thorough business practice. It is a basic business stance, so benefit for management may be limited. C. Knowledge sharing is an important theme and should be encouraged through awareness programs. However, its benefit to risk management may be indirect. D. Encouraging employees to learn is desirable. However, management may not expect awareness programs to emphasize assessment of cost and benefit. R1-25 The MAIN objective of IT risk management is to: A. prevent loss of IT assets. B. provide timely management reports. C. ensure regulatory compliance. D. enable risk-aware business decisions. D is the correct answer. Justification: A. Protecting IT assets in support of business objectives is a subordinate goal of IT risk management. B. IT risk management can add value to reports; for example, it helps to document measurable return on IT investment. However, reporting and timeliness are subordinate goals of IT risk management. C. Meeting regulatory compliance requirements is a one of the objectives in an IT risk management framework. D. IT risk management should be conducted as part of enterprisewide risk management, whose ultimate objective is to support risk-aware business decisions. R1-26 Which of the following is the BEST risk identification technique to support an enterprise that allows employees to identify risk anonymously? A. The Delphi technique B. Isolated pilot groups C. A strengths, weaknesses, opportunities and threats (SWOT) analysis D. A root cause analysis A is the correct answer. Justification:  A. With the Delphi technique, polling or information gathering is done either anonymously or privately between the interviewer and interviewee. B. Participants generally do not identify risk anonymously within isolated pilot groups. C. With a strengths, weaknesses, opportunities and threats (SWOT) analysis, participants generally do not identify risk anonymously. D. With a root cause analysis, participants generally do not identify risk anonymously. CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

11

DOMAIN 1—IT RISK IDENTIFICATION

R1-27 Who MUST give final sign-off on the IT risk management plan? A. IT auditors performing the risk assessment B. Business process owners C. Senior management D. IT security administrators C is the correct answer. Justification: A. IT auditors performing risk assessment may contribute to a risk management plan, but they are not authorized to give final sign-off. B. Business process owners may contribute to a risk management plan, but they do not have authority to give final sign-off.  C. Senior management understands performance metrics and indicators that measure the enterprise and its subsystems; they approved the policies and standards that govern the enterprise; and they have final responsibility for risks associated with audit findings and recommendations. D. IT security administrators may contribute to a risk management plan, but they do not have the authority to give final sign-off. R1-28 Which of the following is the PRIMARY reason that a risk practitioner determines the security boundary prior to conducting a risk assessment? A. To decide which laws and regulations apply B. To identify the scope of the risk assessment C. To identify the business owner(s) of the system D. To decide whether a quantitative or qualitative analysis is appropriate B is the correct answer. Justification: A. The risk assessment itself must consider what laws and regulations apply.  B. Identifying the security boundary establishes the fundamental scope of inquiry, including what systems and components are subject to assessment as well as those not subject to assessment. The boundary subsequently informs what laws and regulations apply, what business owners to consult, etc. C. Identifying business owners is secondary to determining the scope. D. Security boundaries will not directly inform criteria for selecting a quantitative or qualitative risk analysis.

12

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-29 Which of the following BEST describes the information needed for each risk on a risk register? A. Risk scenario including date, description, impact, probability, risk score, mitigation action and owner B. Risk scenario including date, description, risk score, cost to remediate, communication plan and owner C. Risk scenario including date, description, impact, cost to remediate and owner D. Various activities leading to risk management planning A is the correct answer. Justification: A. Information required for each risk in a risk register includes date, description, impact, probability, risk score, mitigation action and owner. B. This answer includes some elements of a risk register necessary to facilitate informed decisions, but misses others (impact, probability, mitigation action). It includes items that should be omitted from the register (communication plan). C. This answer misses some key elements of a risk register (probability, risk score, mitigation action) needed to make informed decisions. D. A risk register results from risk management planning, not the other way around. R1-30 The GREATEST advantage in performing a business impact analysis is that it: A. does not have to be updated because the impact will not change. B. promotes continuity awareness in the enterprise. C. requires only qualitative estimates. D. eliminates the need for risk analysis. B is the correct answer. Justification: A. A business impact analysis (BIA) should be updated periodically because existing environments, systems, risks and applications change and new systems are added.  B. A BIA raises awareness of risk to business recovery and continuity enterprisewide. C. A BIA should use both qualitative and quantitative estimates; however, the analysis can be completed and estimates determined with or without minimum historical data. D. A BIA cannot eliminate the need to perform a risk analysis; although it is a part of the documentation used during a risk analysis, it is the not the greatest advantage. R1-31 The PRIMARY advantage of creating and maintaining a risk register is to: A. ensure that an inventory of potential risk is maintained. B. record all risk scenarios considered during the risk identification process. C. collect similar data on all risk identified within the organization. D. run reports based on various risk scenarios. A is the correct answer. Justification:  A. Once assets and risks are identified, the risk register is used as an inventory of that risk. The risk register can accelerate risk decision making and establish accountability for specific risks. B. Recording all considered scenarios in the register and reassessing them annually are good practices; however, maintaining the inventory is the primary advantage. C. Similar data elements can be collected in a spreadsheet or governance, risk and compliance (GRC) tool in a single format, but ensuring the inventory is still the primary advantage. D. Running reports is a benefit of the risk registry, but not its primary purpose. CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

13

DOMAIN 1—IT RISK IDENTIFICATION

R1-32 Which of the following is MOST effective in assessing business risk? A. A use case analysis B. A business case analysis C. Risk scenarios D. A risk plan C is the correct answer. Justification: A. A use case analysis identifies business requirements for a system or process. B. Business cases are generally part of a project charter and help define the purpose/reason for the project.  C. Risk scenarios are the most effective technique in assessing business risk. Scenarios help determine the likelihood and impact of an identified risk. D. A risk plan is the output from the risk assessment. R1-33 The board of directors of a one-year-old start-up company asked their chief information officer (CIO) to create all the enterprise’s IT policies and procedures. Which of the following should the CIO create FIRST? A. The strategic IT plan B. The data classification scheme C. The information architecture document D. The technology infrastructure plan A is the correct answer. Justification:  A. The strategic IT plan is the first policy to create when developing an enterprise’s governance model. B. The strategic IT plan is created before the data classification scheme. The data classification scheme distinguishes data by factors such as criticality, sensitivity and ownership. C. The strategic IT plan is created before the information architecture is defined. The information architecture is one component of the IT architecture (together with applications and technology). The IT architecture describes the fundamental underlying design of IT components; the relationships among them; and their support for the organization’s objectives. D. The strategic IT plan is created before the technology infrastructure plan is developed. The technology infrastructure plan maps out the technology, human resources and facilities that enable current and future applications and processes.

14

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-34 The preparation of a risk register begins in which risk management process? A. Risk response planning B. Risk monitoring and control C. Risk management planning D. Risk identification D is the correct answer. Justification: A. In the risk response planning process, appropriate responses are determined by consensus and included in the risk register. B. Risk monitoring and control often require identification of new risk and reassessment of known risk. Outcomes of risk reassessments, risk audits and periodic risk reviews trigger updates to the risk register. C. Risk management planning describes how risk management will be structured and performed. D. The risk register details all identified risk, including description, category, cause, probability of occurring, impact(s) on objectives, proposed responses, owners and current status. The primary outputs from risk identification are the initial entries into the risk register. R1-35 A business impact analysis is PRIMARILY used to: A. estimate the resources required to resume normal operations after a disruption. B. evaluate the impact of disruption on an enterprise’s ability to operate over time. C. calculate the likelihood and impact of known threats on specific functions. D. evaluate high-level business requirements. B is the correct answer. Justification: A. Determining the resource requirements to resume normal operations is part of business continuity planning. B. A business impact analysis (BIA) is primarily intended to evaluate the impact of disruption over time to an enterprise’s ability to operate. It determines the urgency of each business activity. Key deliverables include recovery time objectives and recovery point objectives. C. Likelihood and impact are calculated during risk analysis. D. High-level business requirements are defined during the early phases of a system development life cycle, not as part of a BIA.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

15

DOMAIN 1—IT RISK IDENTIFICATION

R1-36 Which of the following provides the GREATEST level of information security awareness? A. Job descriptions B. A security manual C. Security training D. An organizational diagram C is the correct answer. Justification: A. While job descriptions are useful to describe job-related roles and responsibilities, including those related to security, they do not provide sufficient detail to enable employees who are not already proficient in security to understand how they can actively support and contribute to a risk-aware culture. Such detail is generally only provided through security training. B. A security manual is written for a technical audience and is usually not accessible to all staff. For this reason, it is not useful to make employees aware of their security responsibilities.  C. Security training is the best way to inform all employees about changes to the risk landscape and enhance information security awareness of risks to the enterprise risk management strategy. D. An organizational diagram shows the various departmental hierarchies, but it is not associated with information security awareness. It can, however, be used by the information security team to determine which individuals need what type of training. R1-37 Which of the following is the BIGGEST concern for a chief information security officer regarding interconnections with systems outside of the enterprise? A. Requirements to comply with each other’s contractual security obligations B. Uncertainty that the other system will be available as needed C. The ability to perform risk assessments on the other system D. Ensuring that communication between the two systems is encrypted through a virtual private network tunnel A is the correct answer. Justification:  A. Ensuring that both systems comply with mutual contractual security obligations should be the primary concern of the risk practitioner. If one system fails to comply, they will likely both miss their respective security obligations. B. Uncertainty of the other system’s availability is probably the primary concern of the business owner and users, not of the chief information security officer. C. The ability to perform risk assessment on the other system may or may not be a concern based on the interconnection agreement between the two systems. D. Communication between the two systems may not necessarily require a virtual private network tunnel, or encryption. That requirement will be based on type of data being transmitted.

16

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-38 The board of directors of a one-year-old start-up company asked the chief information officer to create all of the enterprise’s IT policies and procedures, which will be managed and approved by the IT steering committee. The IT steering committee will make all the IT decisions for the enterprise, including those related to the technology budget. Which type of IT organizational structure does the enterprise have? A. Project-based B. Centralized C. Decentralized D. Divisional B is the correct answer. Justification: A. In a project-based enterprise, a temporary group is formed to work on one particular project. Neither a group initiated by the chief information officer, nor steering committees in general, are considered temporary. B. Within a centralized IT organizational structure, one group makes all decisions for the entire enterprise. C. In a decentralized organizational structure, decisions are made by each division (sales, human resources, etc.). In this kind of organization, different and perhaps conflicting IT policies can be developed. D. In a divisional organizational structure, each geographic area or product or service will have its own group. R1-39 Which of the following is the MAIN concern when two or more staff members are allowed to use the same generic account? A. Segregation of duties B. Inability to change the password C. Repudiation D. Inability to trace account activities C is the correct answer. Justification: A. It is not an issue of segregation of duties because multiple users may perform identical activities. Because they have the same login credentials, it is a repudiation issue: none of the users can be held accountable because each user can deny accountability for transactions performed under the generic account. B. System password parameters or rules are independent of users sharing generic accounts. Specific parameters such as password history will be effective. C. Repudiation is the denial of a transaction, denial of participation in all or part of a transaction or denial of the content of communication related to the transaction. Because username and password are the same for generic accounts, repudiation becomes an issue. It will be difficult to establish which user logged in and performed operations. However, with the right tools the activity can be traced back to the media access control (MAC) address if users access information through different terminals. D. Activities can be traced by generic user name by enabling system auditing or similar functionalities.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

17

DOMAIN 1—IT RISK IDENTIFICATION

R1-40 Which of the following is a PRIMARY consideration when developing an IT risk awareness program? A. Why technology risk is owned by IT B. How technology risk can affect each attendee’s area of business C. How business process owners can transfer technology risk D. Why technology risk is more difficult to manage than other risk B is the correct answer. Justification: A. IT does not own technology risk. An appropriate topic of IT risk awareness training may be the fact that many types of IT risk are owned by the business. One example may be the risk that employees will exploit insufficient segregation of duties within an enterprise resource planning system.  B. Stakeholders must understand how IT-related risk affects the overall business and how potential threats and vulnerabilities can jeopardize the enterprise’s people, processes and technology. C. Transferring risk is not of primary consideration in developing a risk awareness program. It is a part of the risk response process. D. Technology risk may or may not be more difficult to manage than other types of risk. Although this is important from an awareness point of view, it is more critical for attendees to understand business impact. R1-41 Which of the following is the BEST approach when conducting an IT risk awareness campaign? A. Provide technical detail on exploits. B. Provide common messages tailored for different groups. C. Target system administrators and help desk staff. D. Target senior managers and business process owners. B is the correct answer. Justification: A. Providing technical detail on exploits is not advisable during an IT risk awareness campaign because individuals could learn how to circumvent controls.  B. Groups differ in level of responsibility and expertise; tailor common messages to each group’s role and level of understanding. C. Specific groups should not be singled out for training at the exclusion of others because all groups have a role to play in strengthening information systems security. D. Specific groups should not be singled out for training at the exclusion of others because all groups have a role to play in strengthening information systems security.

18

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-42 It is MOST important that risk appetite be aligned with business objectives to ensure that: A. resources are directed toward areas of low risk tolerance. B. major risk is identified and eliminated. C. IT and business goals are aligned. D. the risk strategy is adequately communicated. A is the correct answer. Justification:  A. Risk appetite refers to the amount of risk that an enterprise is willing to take on in pursuit of value. Aligning it with business objectives allows an enterprise to evaluate and deploy valuable resources toward those objectives where risk tolerance (for loss) is low. B. There is no link between aligning risk appetite with business objectives and identification and elimination of major risk. Moreover, risk cannot be eliminated; it can be reduced to an acceptable level using various risk response options. C. Alignment of risk appetite with business objectives does conform IT and business goals to a point, but alignment is not limited to these two areas. Other areas include organizational, strategic and financial objectives, among other objectives. D. Communication of the risk strategy does not depend on aligning risk appetite with business objectives. R1-43 Risk scenarios enable the risk assessment process because they: A. cover a wide range of potential risk. B. minimize the need for quantitative risk analysis techniques. C. segregate IT risk from business risk for easier risk analysis. D. help estimate the frequency and impact of risk. D is the correct answer. Justification: A. The use of risk scenarios does not indicate that the enterprise is assessing a wide range of risks. B. Risk scenarios do not necessarily minimize the need for quantitative risk analysis. C. Risk scenarios can be applied to both IT risk and business risk and there is no question of segregating the risk.  D. Risk scenarios cover a wide range of potential risk. Assessment is simplified when discrete threats and vulnerabilities are isolated, clearly defined and mapped to practical business context. R1-44 Who is accountable for business risk related to IT? A. The chief information officer B. The chief financial officer C. Users of IT services D. The chief architect C is the correct answer. Justification: A. The chief information officer supports the business, but does not own the business risk. B. The chief financial officer tracks the cost of resources and financial risk, but does not own the business risk.  C. Ultimately, the business (i.e., the users of IT services) owns business-related risk, including the risk related to the use of IT. The business should set the mandate for risk management, provide the resources and funding to support a risk management plan designed to protect business interests, and monitor whether risk is being managed. D. The chief architect mitigates IT risk through the architecture of the IT environment, but does not own the business risk. CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

19

DOMAIN 1—IT RISK IDENTIFICATION

R1-45 Which of the following information in the risk register BEST helps in developing proper risk scenarios? A list of: A. potential threats to assets. B. residual risk on individual assets. C. accepted risk. D. security incidents. A is the correct answer. Justification: A. Identifying potential threats to business assets will help isolate vulnerabilities and associated risks, all of which contribute to proper risk scenarios. B. Identifying residual risk on individual assets does not help develop a proper risk scenario. C. Accepted risk generally reflects a small subset of entries in the risk register. Accepted risk should be included in the risk register to ensure that events continue to be monitored in case an actual incident alters current acceptance of the risk. D. Previous security incidents of the enterprise itself or entities with a similar profile may inspire similar risk scenarios to be included in the risk register. However, the best approach to create a meaningful risk register is to capture potential threats on tangible and intangible assets. R1-46 Which of the following is true about IT risk? A. IT risk cannot be assessed and measured quantitatively. B. IT risk should be calculated separately from business risk. C. IT risk management is the responsibility of the IT department. D. IT risk exists whether or not it is detected or recognized by an enterprise. D is the correct answer. Justification: A. IT risk, like any business risk, can be assessed both quantitatively and qualitatively. It can be difficult to measure risk quantitatively, but quantitative information can provide a more complete picture of the risk as opposed to qualitative risk analysis alone. B. IT risk is one type of business risk. C. IT risk is the responsibility of senior management, not just the IT department.  D. The enterprise must identify, acknowledge and respond to risk; ignorance of risk is not acceptable.

20

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-47 Which of the following is MOST important when selecting an appropriate risk management methodology? A. Risk culture B. Countermeasure analysis C. Cost-benefit analysis D. Risk transfer strategy A is the correct answer. Justification: A. Without understanding risk culture—how and why an enterprise makes decisions regarding risk—one cannot select a risk management methodology. B. Countermeasure analysis targets controls that address specific attacks, sometimes while the attack is occurring. Countermeasure analysis does not inform selection of an appropriate risk management methodology. C. Cost-benefit analysis measures the projected benefit of a solution (such as a control) relative to its price, either at a given point in time or over an extended period. Cost-benefit analysis is generally not considered when selecting a risk management methodology. D. Because not all risk can be transferred, implementing a proper risk assessment methodology must begin by considering the overall risk profile not the risk transfer strategy. R1-48 Which of the following BEST determines compliance with the risk appetite of an enterprise? A. Balance between preventive and detective controls B. Inherent risk and acceptable risk level C. Residual risk and acceptable risk level D. Balance between countermeasures to threats and preventive controls C is the correct answer. Justification: A. Balance between preventive and detective controls does not help evaluate current risk appetite because the controls may have been established in the wake of an earlier risk analysis. B. Inherent risk in itself does not help define residual risk; inherent risk in combination with acceptable risk are inadequate determinants of risk appetite.  C. Considering residual risk in terms of acceptable risk yields risk that is appropriately balanced after the application of controls. In this context, management can decide to accept risk or apply additional controls based on current standards of acceptable risk. Considering residual risk in the context of acceptable risk also helps to understand the broader pattern of risk appetite of the enterprise as it changes over time. A conservative approach seeks to reduce risk levels so they remain low or very low. D. Countermeasures help when threat needs to be reduced; they do not help evaluate risk appetite.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

21

DOMAIN 1—IT RISK IDENTIFICATION

R1-49 Which of the following BEST improves decision making related to risk? A. Maintaining a documented risk register of all possible risk B. Risk awareness training in line with the risk culture C. Maintaining updated security policies and procedures D. Allocating accountability of risk to the department as a whole A is the correct answer. Justification: A. Maintaining a documented risk register improves decision making related to risk response because a risk register captures the population of relevant risk scenarios and provides a basis for prioritization of risk responses. B. Offering risk awareness training to stakeholders and customizing its content according to the enterprise’s risk culture will sensitize stakeholders and users to their risk responsibilities. Training helps enhance accountability to make decisions on acceptance of residual risk but is less useful with respect to emerging threats. C. Maintaining policies and procedures will not necessarily improve decisions related to residual risk. D. Allocating accountability to the department as a whole dilutes ownership because there will be no individual owner for risk. R1-50 The FIRST step in identifying and assessing IT risk is to: A. confirm the risk tolerance level of the enterprise. B. identify threats and vulnerabilities. C. gather information on the current and future environment. D. review past incident reports and response activity. C is the correct answer. Justification: A. A risk practitioner must understand the risk appetite of senior management and the associated risk tolerance level. However, risk tolerance primarily informs risk response and does not facilitate risk identification and assessment. B. Identification of relevant threats and vulnerabilities is important but must be supplemented by consideration of pending changes to the enterprise’s environment; anticipated changes may widen or narrow the scope of relevance.  C. The first step in any risk assessment is to gather information about the current state and pending internal and external changes to the enterprise’s environment (scope, technology, incidents, modifications, etc.). D. While the review of past incident reports may be an input for the identification and assessment of IT risk, focusing on these factors is not adequate.

22

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-51 Which of the following outcomes of outsourcing noncore processes is of GREATEST concern to the management of an enterprise? A. Total cost of ownership exceeds projections. B. Internal information systems experience has been lost. C. Employees of the vendor were disloyal to the client enterprise. D. Processing of sensitive data was subcontracted by the vendor. D is the correct answer. Justification: A. Total cost of ownership (TCO) exceeding projections is significant, but not uncommon. Because TCO is based on modeling, some variation can be expected. B. Loss of internal information systems experience can be problematic when core processes or subprocesses are outsourced. However, for noncore processes, the loss of such experience would not be a concern. C. Lack of vendor loyalty to the client enterprise is generally managed via service level agreements. D. The greatest risk in third-party relationships is the fact that the enterprise is ceding direct control of its IS processes. Subcontracting will increase this risk; therefore, the subcontracting process must be reviewed because sensitive data are involved. R1-52 Which of the following is MOST important for effective risk management? A. Assignment of risk owners to identified risk B. Ensuring compliance with regulatory requirements C. Integration of risk management into operational processes D. Implementation of a risk avoidance strategy A is the correct answer. Justification: A. It is of utmost importance to assign risk to individual owners and therein maximize accountability. B. Regulatory compliance is a relatively small part of risk management. C. Risk management should be integrated into strategic, tactical and operational processes of an enterprise. D. Risk avoidance is not always feasible in a business environment. R1-53 Risk scenarios should be created PRIMARILY based on which of the following? A. Input from senior management B. Previous security incidents C. Threats that the enterprise faces D. Results of the risk analysis C is the correct answer. Justification: A. Input from senior management is not as critical as organizational threats in developing risk scenarios. B. Previous incidents are not as critical as organizational threats in developing risk scenarios.  C. When creating risk scenarios, the most important factor to consider is the likely threats or threat actions that could act upon the risk. D. Risk scenarios should be an input to the risk analysis, not vice versa.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

23

DOMAIN 1—IT RISK IDENTIFICATION

R1-54 Which of the following triggers an internal ad hoc risk assessment to be performed before the annual occurrence? A. A new chief information officer is hired. B. Senior management adjusts risk appetite. C. Risk changes on a frequent basis. D. A new system is introduced into the environment. D is the correct answer. Justification: A. A new chief information officer may undertake a new organizational risk assessment, but it would not necessarily be required because he/she could review the last risk assessment if there have been no changes to the environment. B. Senior management adjusting risk appetite will significantly affect risk responses but does not require a risk assessment. C. Risk changing on a frequent basis will be captured during the annual risk assessment.  D. Introduction of new systems adds to overall risk of business objectives. The level of new or added risk should be determined via an ad hoc risk assessment. R1-55 An enterprise expanded its operations into Europe, Asia and Latin America. The enterprise has a single-version, multiple-language employee handbook that was last updated three years ago. Which of the following is of MOST concern? A. The handbook may not have been correctly translated into all languages. B. Newer policies may not be included in the handbook. C. Expired policies may be included in the handbook. D. The handbook may violate local laws and regulations. D is the correct answer. Justification: A. Translation errors may lead to confusion and jeopardize enforceability in a given region, but they are less damaging than policies which contravene local laws and customs. B. While the handbook may not reflect the latest policies, it is more important for the handbook to comply with local laws and regulations. C. While the handbook may contain expired policies, it is more important for the handbook to comply with local laws and regulations.  D. Because customs and laws affect an enterprise’s ability to operate in a given location, and because both customs and laws vary by state and by country, it is critical for the employee handbook to acknowledge and account for regional domestic and national differences.

24

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-56 When requesting information to comply with ediscovery, an enterprise learned that its cloud email provider was never contracted to back up messages even though the company’s email retention policy explicitly states that all email must be saved for three years. Which of the following would have BEST safeguarded the company from this outcome? A. Providing the contractor with the record retention policy up front B. Validating the company policies to the provider’s contract C. Providing the contractor with the email retention policy up front D. Backing up the data on the company’s internal network nightly B is the correct answer. Justification: A. Providing the contractor with the record retention policy does not legally obligate the third party to perform in accordance with internal policies.  B. The initial review of third-party services should confirm that vendors are contractually required to enforce all internal policies, including the policy on record retention if the enterprise’s record retention policy specifically covers data that will be managed by a third party. C. Providing the contractor with the email record retention policy in and of itself does not legally bind the third party to perform in accordance with internal policies. D. An enterprise can choose to perform internal backup of data stored by a third party. However, an opposing party may ask for original sources during e-discovery and the policy variance could become problematic. R1-57 Which of the following is the BEST indicator of an effective information risk management program? A. The security policy is made widely available. B. Risk is considered before all decisions. C. Security procedures are updated annually. D. Risk assessments occur on an annual basis. B is the correct answer. Justification: A. Making the security policy widely available will facilitate its success but is not as critical to information risk management as ensuring that business decisions are informed by consideration of risk.  B. Defining information risk in advance of business decisions best ensures that risk tolerance remains at approved levels. C. Updating security procedures is necessary only if policy changes. D. Ensuring that risk assessments occur annually will facilitate effective risk management, but is not as critical as making risk-based business decisions.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

25

DOMAIN 1—IT RISK IDENTIFICATION

R1-58 Risk management strategic plans are MOST effective when developed for: A. the enterprise as a whole. B. each individual system based on technology used. C. every location based on geographic threats. D. end-to-end business processes. A is the correct answer. Justification: A. Risk management strategic plans are most effective when they are created and followed by the entire enterprise. B. Because most enterprises use many different technologies, creating a management plan for each technology creates unnecessary and counterproductive complexity, and may increase conflicts among policies. C. It is difficult to create a risk management plan for each location based on geographic threats. Also, these plans do not take other types of threats into account. D. Risk management plans based on end-to-end business processes can result in overlapping and/or conflicting policies and procedures. R1-59 Which of the following is MOST important when considering the risk appetite of an enterprise? A. The capacity of the enterprise to absorb loss B. The definition of responsibilities for risk management C. The line of business and the typical risk of the industry D. The culture and predisposition toward risk taking D is the correct answer. Justification: A. While the capacity of the enterprise to absorb loss is an important risk mitigation factor, it does not influence risk appetite as much as culture and predisposition toward risk taking. B. The definition of the responsibilities and the accountability for IT risk management says nothing about the enterprise’s risk appetite. Risk appetite mostly depends on an enterprise’s risk culture, risk tolerance and risk acceptance. C. The line of business and typical risk of the industry say nothing about the risk appetite of a single enterprise. Risk appetite depends on the individual risk culture of an enterprise.  D. When considering risk appetite, two major factors are relevant: the management culture and the predisposition toward risk taking.

26

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-60 The PRIMARY purpose of adopting an enterprisewide risk management framework is to: A. allow flexibility to adjust the risk response strategy throughout the enterprise. B. centralize the responsibility for the maintenance of the risk response program. C. enable a consistent approach to risk response throughout the enterprise. D. avoid higher costs for risk reduction and audit strategies throughout the enterprise. C is the correct answer. Justification: A. A risk management framework enables a consistent approach while allowing the necessary flexibility at the local level. B. Risk management is the responsibility of all individuals. Accountability of risk management lies with senior management and the board.  C. Enabling consistent risk response is a key objective of the risk management framework. D. Avoiding higher costs for risk reduction and audit strategies throughout the enterprise is good practice, but not the primary purpose of adopting an enterprisewide risk management framework. R1-61 A review of an enterprise’s IT projects finds that projects frequently exceed timelines or budget by nearly 10 percent. On review, management advises the risk practitioner that a deviation of 15 percent is acceptable. This is an example of: A. risk avoidance. B. risk tolerance. C. risk acceptance. D. risk mitigation. B is the correct answer. Justification: A. Risk avoidance involves terminating or suspending an activity to steer clear of the inherent risk. Risk avoidance generally also affects the potential opportunity offered by engaging in the activity. B. Risk tolerance is the permissible deviation from declared risk appetite levels. C. Risk acceptance means that the enterprise makes an educated decision not to take action relative to a particular risk and accepts loss when/if it occurs. D. Risk mitigation is the management of risk through the use of countermeasures and controls.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

27

DOMAIN 1—IT RISK IDENTIFICATION

R1-62 When a start-up company becomes popular, it suddenly is the target of hackers. This is considered: A. an emerging vulnerability. B. a vulnerability event. C. an emerging threat. D. an environmental risk factor. C is the correct answer. Justification: A. A vulnerability is a weakness in the design, implementation, operation or internal control of a process that can expose the system to adverse threats from threat events (the question stem does not specify a particular process). B. A vulnerability event reflects a material increase in vulnerability as a result of changes in control conditions or changes in threat capability/force.  C. A threat is any event in which a threat condition or actor acts upon an asset in a manner that has the potential to directly result in harm. The stem describes the emerging threat of hackers attacking the start-up company. D. Environmental risk factors can be split into internal and external environmental risk factors. Internal environmental factors are, to a large extent, under the control of the enterprise, although they may not always be easy to change. External environmental factors are, to a large extent, outside the control of the enterprise. The question stem references a new and emerging threat (hackers attacking the start-up company), but does not focus on its environmental origin inside or outside the enterprise. R1-63 Which of the following is a MAJOR risk associated with the use of governance, risk and compliance (GRC) tools? A. Misinterpretation of the dashboard’s output B. Poor authentication mechanism C. Obsolescence of content D. Complex integration of the diverse requirements C is the correct answer. Justification: A. Misinterpreting the dashboard’s output is easily corrected by training or using subject matter experts. B. New technologies have overcome the challenge of poor authentication mechanisms. C. A governance, risk and compliance (GRC) application has to be updated regularly with current regulations, policies, etc. Obsolete content will render the GRC outdated. Many GRC applications are based on the unified compliance framework (UCF) for mapping to various regulations, frameworks and standards. The technology team should refresh the UCF file quarterly through its vendor and should implement processes to identify and address changes from one release to the next. Additionally, the enterprise needs to commit internal resources to maintain company data in the tool to guard against obsolescence. D. Most GRC tools are designed to integrating diverse, complex requirements. Obsolete content represents the greater risk because its maintenance rests entirely with users.

28

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-64 The PRIMARY reason an external risk assessment team reviews documentation before starting the actual risk assessment is to gain a thorough understanding of: A. the technologies used. B. gaps in the documentation. C. the enterprise’s business processes. D. the risk assessment plan. C is the correct answer. Justification: A. Technology can be reviewed during the risk assessment. B. Gaps in documentation can be surfaced during the risk assessment. C. In order to evaluate risk, the external assessment team should thoroughly understand the enterprise’s business processes before the assessment, because risk is always formulated within the context of business objectives. D. The risk assessment plan should be created by the external auditors. R1-65 A small start-up software development company has been flooded and insurance does not pay out because the premium had lapsed. In relation to risk management, the lapsed premium is considered a: A. risk. B. vulnerability. C. threat. D. negligence. B is the correct answer. Justification: A. This scenario describes a weakness in the insurance premium payment process, which is considered a vulnerability, which was a management decision. B. A lapsed insurance premium describes a vulnerability. A vulnerability is a weakness in the design, implementation, operation or internal control of a process that could expose the enterprise to adverse threats from threat events. C. A threat is anything (e.g., object, substance, human actor) that is capable of acting against an asset in a manner that can result in harm. In the question stem, flood is the threat. D. Negligence is a legal term describing a civil wrong causing injury or harm to another person or to property as the result of doing something or failing to provide a proper or reasonable level of care. Negligence is not specifically related to risk management.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

29

DOMAIN 1—IT RISK IDENTIFICATION

R1-66 Which of the following statements BEST describes the value of a risk register? A. It captures the risk inventory. B. It drives the risk response plan. C. It is a risk reporting tool. D. It lists internal risk and external risk. B is the correct answer. Justification: A. A risk register provides detailed information on each identified risk including risk owner, details of the risk scenario, assumptions, affected stakeholders, causes/indicators, detailed scores (i.e., risk ratings) on the risk analysis and detailed information on the risk response (e.g., action owner and the risk response status, time frame for action, related projects and risk tolerance level). These components can also be defined as the risk universe.  B. Risk registers serve as the main reference for all risk-related information, supporting risk-related decisions such as risk response activities and their prioritization. C. Risk register data are used to generate management reports, but are not in themselves a risk reporting tool. D. The risk register tracks all internal and external risk, the quality and quantity of the controls, and the likelihood and impact of the risk. R1-67 Accountability for risk ultimately belongs to the: A. chief risk officer. B. compliance officer. C. chief financial officer. D. board of directors. D is the correct answer. Justification: A. The chief risk officer has responsibilities in risk management but is not ultimately accountable for risk. B. The compliance officer has responsibility for certain risk governance and risk response activities but is not ultimately accountable. C. The chief financial officer has major responsibilities in risk management but is not ultimately accountable. D. The board of directors of an enterprise has ultimate accountability to shareholders, customers, employees and the general public.

30

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-68 What is the MAIN objective of risk identification? A. To detect possible threats that may affect the business B. To ensure that risk factors and root causes are managed C. To enable the review of the key performance indicators D. To provide qualitative impact values to stakeholders A is the correct answer. Justification: A. Risk identification is the process of determining and documenting the risk that an enterprise faces. The identification of risk is based on the recognition of threats, vulnerabilities, assets and controls in the enterprise’s operational environment. B. Ensuring that risk factors and root causes are addressed is the objective of the risk response process, not risk identification. C. Enabling review of key performance indicators is the objective of the risk monitoring process. D. Qualitative risk impact values derive from the risk assessment process. R1-69 Which of the following examples of risk should be addressed during application design? A. A lack of skilled resources B. The risk of migration to a new system C. Incomplete technical specifications D. Third-party supplier risk A is the correct answer. Justification: A. A lack of skilled resources implies that the project is beyond the skills of the personnel involved and thus represents risk associated with the design phase. B. Migration risk is typically associated with the implementation phase. C. Technical risk is introduced when the technical requirements may be beyond the scope of the project. D. Risk that a third-party supplier would not be able to deliver on time or to requirements is associated with the implementation phase. R1-70 If risk has been identified, but not yet mitigated, the enterprise would: A. record and mitigate serious risk and disregard low-level risk. B. obtain management commitment to mitigate all identified risk within a reasonable time frame. C. document all risk in the risk register and maintain the status of the remediation. D. conduct an annual risk assessment, but disregard previous assessments to prevent risk bias. C is the correct answer. Justification: A. All levels of risk identified should be documented in the risk register. It is important to be able to identify where low-level risk can be aggregated within the register. B. Not all identified risk will necessarily be mitigated. The enterprise will conduct a cost-benefit analysis before determining the appropriate risk response. C. All identified risk should be included in the risk register. The register should capture the proposed remediation plan, the risk owner and anticipated date of completion. D. Annual risk assessments should consider previous risk assessments.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

31

DOMAIN 1—IT RISK IDENTIFICATION

R1-71 When developing IT-related risk scenarios with a top-down approach, it is MOST important to identify the: A. information system environment. B. business objectives. C. hypothetical risk scenarios. D. external risk scenarios. B is the correct answer. Justification: A. Top-down risk scenario development identifies the enterprise’s business objectives and builds risk scenarios based on risks that may jeopardize these objectives. The information system environment would be a risk factor.  B. Typically, top-down risk scenario development is performed by identifying business objectives and recognizing risk scenarios with the greatest potential to jeopardize business objectives. C. The identification of generic risk scenarios is usually related to a bottom-up risk identification method. D. It is important to identify both external and internal risk scenarios. R1-72 An enterprise has outsourced several business functions to a firm in another country, including IT development, data hosting and support. What is the MOST important question the risk professional will ask in relation to the outsourcing arrangements? A. Are policies and procedures in place to handle security exceptions? B. Is the outsourcing supplier meeting the terms of the service level agreements? C. Is the security program of the outsourcing provider based on an international standard? D. Are specific security controls mandated in the outsourcing contract/agreement? D is the correct answer. Justification: A. There should be policies and procedures to handle incidents or exceptional circumstances; however, this is not the most important consideration. B. Whether the provider meets the service level agreements (SLAs) is of concern to the outsourcing enterprise and the auditors; however, this is not the most important consideration. Stipulating the SLA in the contract is the first requirement. C. The contract should stipulate the required levels of security and risk management. Basing the security program on a recognized international standard may be an excellent foundation for the security program but is not the most important consideration.  D. Without enumerating security requirements directly in the outsourcing contract, the outsourcing company has no assurance that the provider will comply with specific security requirements.

32

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-73 The MAIN purpose for creating and maintaining a risk register is to: A. ensure that all assets have low residual risk. B. define the risk assessment methodology. C. document all identified risk. D. study various risk scenarios in the threat landscape. C is the correct answer. Justification: A. Creating and maintaining the risk register does not automatically ensure that all assets have low residual risk. The reduction in risk is based on mitigating controls. B. Creating and maintaining a risk register is the result of following a risk assessment methodology.  C. A risk register provides detailed information on each identified risk including risk owner, details of the risk scenario, assumptions, affected stakeholders, causes/indicators, detailed scores (i.e., risk ratings) on the risk analysis and detailed information on the risk response (e.g., action owner and the risk response status, time frame for action, related projects and risk tolerance level). These components can also be defined as the risk universe, which includes all identified risk to an organization. D. Creating and maintaining a risk register is not primarily used to study risk scenarios and redefine the threat landscape. The latter goals can be achieved without creating the risk register. R1-74 Which of the following activities provides the BEST basis for establishing risk ownership? A. Documenting interdependencies between departments B. Mapping identified risk to a specific business process C. Referring to available RACI charts D. Distributing risk equally among all asset owners B is the correct answer. Justification: A. Documenting interdependencies between or among departments helps identify the work flow, but does not identify risk ownership.  B. Mapping identified risk to a specific business process helps identify the process owner. Aggregation of related business processes results in identification of the prospective risk owner. C. The review of a RACI chart identifies who is responsible, accountable, consulted and informed within an organizational framework, but a RACI chart is too general to establish ownership. D. Ownership of risk cannot be a shared responsibility; rather, each risk must be allocated to specific individual owners.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

33

DOMAIN 1—IT RISK IDENTIFICATION

R1-75 Which of the following types of risk is high for projects that affect multiple business areas? A. Control risk B. Inherent risk C. Compliance risk D. Residual risk B is the correct answer. Justification: A. Control risk may be high, but it would follow from failure to identify, evaluate and/or test internal controls, not from the number of users or business areas affected.  B. Inherent risk normally grows as the number of users and business areas that may be affected increases. Inherent risk reflects risk or exposure without accounting for mitigating action by management. It is often higher whenever multiple parties may have conflicting responsibilities for a business process. C. Compliance risk reflects the penalty applied to current and future earnings for nonconformance to laws and regulations; number of users and affected business areas will not necessarily increase compliance risk. D. Residual risk is risk that persists after management implements a risk response. It is not based on the number of users or business areas affected. R1-76 To be effective, risk management should be applied to: A. those elements identified by a risk assessment. B. any area that exceeds acceptable risk levels. C. all organizational activities. D. only those areas that have potential impact. C is the correct answer. Justification: A. The elements of unacceptable risk will require treatment, but all activities are subject to risk management oversight. Risk assessment along with determining which risk is acceptable and which has the potential for impact are all functions of risk management. B. Risk management must be holistic and should not be limited to areas that exceed acceptable risk levels; areas that are within acceptable risk levels may provide opportunity to improve performance by reducing control measures or assuming more risk.  C. While not all organizational activities entail unacceptable risk, the practice of risk management is ideally applied to all organizational activities. D. When assessing risk, determining which risk is acceptable, which exceeds acceptable levels and which has the potential for impact are all functions of risk management.

34

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-77 Development of corporate information security policy should PRIMARILY be based on: A. vulnerabilities. B. threats. C. assets. D. impacts. C is the correct answer. Justification: A. Absent a threat, vulnerabilities do not pose a risk. A vulnerability is defined as a weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events. B. A threat is defined as anything (e.g., object, substance, human actor) that is capable of acting against an asset in a manner that can result in harm. The information security policy is not written to address a threat directly, but rather to address the protection of assets from threats. C. The corporate information security policy is based on management’s commitment to protect the assets of the enterprise (and relevant information of its business partners) from threats, risk and exposures that could occur. D. Impact is not an issue if no threat exists. The impact is generally quantified as a direct financial loss in the short term or an ultimate (indirect) financial loss in the long term. Impact does not drive the development of the policy, but is a component of the policy. R1-78 Which of the following vulnerabilities is the MOST serious and allows attackers to access data through a web application? A. Validation checks are missing in data input fields. B. Password rules do not enforce sufficient complexity. C. Application transaction log management is weak. D. The application and database share a single access ID. A is the correct answer. Justification: A. When validation checks are missing in data input fields, attackers are able to exploit other weaknesses in the system. For example, they can submit part of a structured query language (SQL) statement (SQL injection attack) to retrieve application data illegally, deface or even disable the web application. Input validation checks are effective countermeasures. B. Noncomplex passwords may make accounts vulnerable to brute force attacks, but these can be countered in other ways besides complexity (e.g., lockout thresholds). C. If application transaction log management is weak, confidential information could inadvertently be written to the application transaction log. Sufficient care should therefore be given to log management. However, it is uncommon for attackers to use the log server to steal database information. D. It is quite common that the application and database share a single access ID. If the supporting domain architecture is sufficiently secure, the overall risk is low.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

35

DOMAIN 1—IT RISK IDENTIFICATION

R1-79 Which of the following combinations of factors helps quantify risk? A. Probability and consequence B. Impact and threat C. Threat and exposure D. Sensitivity and exposure A is the correct answer. Justification:  A. The quantification of risk is based on the probability (likelihood) of a threat exploiting a vulnerability resulting in a damaging consequence (impact) to an asset. B. A threat is anything (e.g., object, substance, human actor) that is capable of acting against an asset in a manner that can result in harm. The impact is the effect of the threat on the asset. Threat and impact are not sufficient to quantify risk. C. A threat is anything (e.g., object, substance, human actor) that is capable of acting against an asset in a manner that can result in harm. Exposure reflects potential loss due to the occurrence of an adverse event. Threat and exposure are not sufficient to quantify risk. D. Sensitivity is a measure of the impact that improper disclosure of information may have on an enterprise. Exposure reflects potential loss due to the occurrence of an adverse event, but is not used to quantify risk. R1-80 Which of the following requirements MUST be met during the initial stages of developing a risk management program? A. Management establishes ownership of identified risk. B. Information security policies and standards are established. C. A management committee exists to provide program oversight. D. The context and purpose of the program are defined. D is the correct answer. Justification: A. Although an important component in the development of any managed program, establishing ownership of identified risk would occur later in the program. B. Information security policies and standards are based on the decisions made in the planning phase of the program and are developed based on the outcomes and business objectives established by the business. C. Management oversight of the risk management program constitutes a monitoring control developed to ensure that the program meets business objectives. This process is established in later stages of development, after the purpose of the program and the mechanics of its deployment have been established.  D. Initial requirements to determine the enterprise’s purpose for creating an information security risk management program include determining the desired outcomes and defining objectives.

36

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-81 The likelihood of an attack being launched against an enterprise is MOST dependent on: A. the skill and motivation of the potential attacker. B. the frequency that monitoring systems are reviewed. C. the ability to respond quickly to any incident. D. the effectiveness of the controls. A is the correct answer. Justification:  A. Factors that affect likelihood include the skill and motivation of the attacker, knowledge of vulnerabilities, use of popular hardware or software, value of the asset (which varies directly with motivation) and environmental factors such as politics, activists and disgruntled employees or dissatisfied customers. B. Monitoring systems may detect an attack but will not usually affect the likelihood of an attack. An exception occurs when the attacker knows that he/she is being monitored, realizes the likelihood of being caught is high, and accordingly becomes less likely to launch an attack. C. The ability to respond is important but is only relevant once an attack has been conducted. It will not affect likelihood. D. Controls may deter, prevent, detect or recover from an attack, but they will not necessarily affect the likelihood of someone trying to attack. R1-82 Which of the following choices is the MOST important part of any outsourcing contract? A. The right to audit the outsourcing provider B. Provisions to assess the compliance of the provider C. Procedures for dealing with incident notification D. Requirements to encrypt hosted data B is the correct answer. Justification: A. The service provider may not allow the outsourcing company the ability to audit them directly, but may provide proof of compliance conducted by an independent auditor. B. If a contract contains no provision to monitor and hold a supplier accountable for security, then the outsourcing enterprise cannot ensure compliance or proper handling of its data. C. The outsourcing contract will not usually contain details on the procedures to follow when dealing with incidents. D. Encryption may not be required for all data. Only sensitive data may require encryption. R1-83 The MOST important external factors that should be considered in risk assessment are: A. the discovery of new vulnerabilities. B. the number of viruses and other malware being developed. C. international crime statistics and political unrest. D. the installation of many insecure devices on the Internet. D is the correct answer. Justification: A. Discovery of new vulnerabilities is an internal, not external, factor. B. The number of new malware types being developed is something worth watching, but it is not a factor that the risk professional can use directly to calculate risk for a risk assessment report. C. International crime statistics and political unrest may raise concerns, but are not the most important factors to consider in risk assessment. D. The proliferation of insecure devices (i.e., the Internet of Things) creates a serious external threat that must be considered. CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

37

DOMAIN 1—IT RISK IDENTIFICATION

R1-84 Which of the following will have the MOST significant impact on standard information security governance models? A. Number of employees B. Cultural differences between physical locations C. Complexity of the organizational structure D. Evolving legislative requirements C is the correct answer. Justification: A. The number of employees has less impact on information security governance models because well-defined process, technology and personnel components combine to provide proper governance. B. Cultural disparities between different physical locations have less impact on information security governance models because well-defined process, technology and personnel components combine to provide proper governance.  C.  Information security governance models are highly dependent on the complexity of the organizational structure. Elements that affect organizational structure include multiple business units, dispersion of multiple functions across the organization, multiple leadership hierarchies and multiple lines of communication. D. Currency with respect to legislative requirements should not have a major impact once good governance models are in place; therefore, governance will help in effective management of the organization’s ongoing compliance as mechanisms will be in place to address these evolving requirements. R1-85 Senior management will MOST likely have the highest tolerance for moving which of the following to a public cloud? A. Credit-card processing B. Research and development C. The legacy financial system D. The corporate email system D is the correct answer. Justification: A. Credit-card processing can be eligible for public cloud computing, but in comparison to an email system, enforcing security requirements may be more challenging. B. Research and development generally contain confidential, proprietary information and are less likely than email to be outsourced to a cloud environment. C. The legacy financial system not only contains sensitive financial information, but also will most likely be more complex to outsource than an email system.  D. Consideration for moving processes and information to the cloud (public or hybrid) should include, among other factors, the criticality and complexity as well as the classification of the data supported by the process. Of the options offered, the corporate email system has the least competitive distinction, complexity and sensitive/highly classified information.

38

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-86 Which of the following items is MOST important to consider in relation to a risk profile? A. A summary of regional loss events B. Aggregated risk to the enterprise C. A description of critical risk D. An analysis of historical loss events B is the correct answer. Justification: A. The risk profile will consider regional loss events that could affect the enterprise in roughly equal measure with systemic and other risk.  B. The risk profile is based on the aggregated risk to the enterprise, including historical risk, critical risk and emerging risk. C. The risk profile will consider all risk, not just critical risk. D. Analysis of historical loss events can assist in business continuity planning and risk assessment, but cannot substantively inform the risk profile. R1-87 Which of the following factors determines the acceptable level of residual risk in an enterprise? A. Management discretion B. Regulatory requirements C. Risk assessment results D. Internal audit findings A is the correct answer. Justification: A. Deciding what level of risk is acceptable to an enterprise is fundamentally a function of management. At its discretion, enterprise management may decide to accept risk. The target risk level for a control is, therefore, subject to management discretion. B. Failure to comply with regulatory requirements has consequences, but those consequences are considered in the context of organizational risk. In some cases, the cost of failure to comply may be lower than the cost of compliance; in this case, management may decide to accept the risk. C. The acceptable level of residual risk is determined by management and is not dependent on the results of the risk assessment. D. The results of an internal audit determine the actual level of residual risk within a specific audit scope, but whether this level is acceptable is fundamentally a management decision.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

39

DOMAIN 1—IT RISK IDENTIFICATION

R1-88 Which of the following environments typically represents the GREATEST risk to organizational security? A. An enterprise data warehouse B. A load-balanced, web server cluster C. A centrally managed data switch D. A locally managed file server D is the correct answer. Justification: A. Enterprise data warehouses are generally subject to close scrutiny, good change control practices and monitoring. B. Load-balanced, web server clusters are generally subject to close scrutiny, good change control practices and monitoring. C. Centrally managed data switches are generally subject to close scrutiny, good change control practices and monitoring.  D. A locally managed file server will be the least likely to conform to organizational security policies because it is generally subject to less oversight and monitoring. Locally managed servers may be subject to inconsistent enforcement of security procedures. R1-89 Overall business risk for a particular threat can be expressed as the: A. magnitude of impact should a threat source successfully exploit the vulnerability. B. likelihood of a given threat source exploiting a given vulnerability. C. product of the probability of exploitation and magnitude of the impact if a threat exploits a vulnerability. D. collective judgment of the risk assessment team. C is the correct answer. Justification: A. The magnitude of the impact of a successful threat provides only one factor. B. The likelihood alone of the impact of a successful threat provides only one factor.  C. The product of the probability of exploitation and magnitude of the impact provides the best measure of the risk to an asset. D. The judgment of the risk assessment team defines the risk on an arbitrary basis and is not suitable for a scientific risk management process.

40

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-90 When developing risk scenarios for an enterprise, which of the following is the BEST approach? A. The top-down approach to consider overall business impact B. The top-down approach because it has the support of senior management C. The bottom-up approach to understand the impact of system outages more accurately D. The top-down and the bottom-up approach because they have different perspectives D is the correct answer. Justification: A. Business impact is important, and IT risk must be measured relative to associated business practices. However, an exclusive assessment from business objectives will lack detail grounded in daily processes. B. Management buy-in is essential, but risk scenarios should also consider the impact of individual system outages. C. A bottom-up approach is too narrow; risk cannot be separated from business objectives. D. Top-down and bottom-up risk scenario development integrates both perspectives. In a top-down approach, one starts from the overall business objectives and performs an analysis of the most relevant and probable risk scenarios affecting business objectives. The bottom-up approach builds on generic risk scenarios to create more concrete and customized scenarios, applied to the individual enterprise’s situation. A combined approach affords the best of both. R1-91 Which of the following documents BEST identifies an enterprise’s compliance risk and the corrective actions in progress to meet these regulatory requirements? A. An internal audit report B. A risk register C. An external audit report D. A risk assessment report B is the correct answer. Justification: A. Audit reports track audit findings and their respective actions, but based on the audit scope, do not necessarily include compliance-oriented findings or their risk. They generally do not include corrective actions in progress.  B. A risk register provides a report of all current identified risk within an enterprise (including compliance risk) and tracks the status of corrective actions or exceptions. C. External audit reports are generally more reliable than internal audit reports due to the relative independence of external auditors. However, they do not generally include all relevant compliance risk. They may focus on one regulatory requirement at a time, such as privacy, the US Occupational Safety and Health Administration (OSHA), the US Sarbanes-Oxley Act of 2002, etc. They generally do not include corrective actions in progress. D. Risk assessment reports may include compliance risk, but often do not track ongoing or anticipated corrective actions.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

41

DOMAIN 1—IT RISK IDENTIFICATION

R1-92 Information classification is the responsibility of the: A. information security officer. B. information owner. C. information systems auditor. D. information custodian. B is the correct answer. Justification: A. The information security officer has functional responsibility for security and does not determine the classification of information.  B. The information owner determines classification based on the criticality and sensitivity of information. C. The information systems auditor examines security and does not determine the classification of information. D. The information custodian preserves the confidentiality, availability and integrity of information and does not determine the classification of information. R1-93 According to good practices, which of the following is PRIMARILY used to detect vulnerabilities in Internet-facing systems? A. Penetration testing B. Intrusion prevention systems (IPSs) C. Antivirus systems D. Spam filtering systems A is the correct answer. Justification:  A. A penetration test simulates the actions of real attackers to test security defenses and detect vulnerabilities. B. Intrusion prevention systems (IPSs) are designed to detect attacks and prevent the target hosts from being affected. These systems do not scan for vulnerabilities. C. Antivirus systems block malware. They do not detect vulnerabilities. D. Spam filtering systems block spam email. They do not detect vulnerabilities. R1-94 Which of the following cloud computing deployment models is MOST appropriate for a collaborative research program between universities? A. A private cloud deployment model B. A community cloud deployment model C. A public cloud deployment model D. A hybrid cloud deployment model B is the correct answer. Justification: A. A private cloud deployment model is operated solely for a single organization.  B. A community cloud deployment model is appropriate because it is shared between several organizations and supports a specific community that has a common mission or interest. C. A public cloud deployment model is made available to the general public and is owned by cloud service providers. D. A hybrid deployment model is composed of two or more clouds that remain unique entities but are bound together by standard technology.

42

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-95 What is the ULTIMATE objective of risk governance? A. Benefits realization B. Risk optimization C. Resource optimization D. Value creation D is the correct answer. Justification: A. Benefits realization is just one of objective of risk governance. Benefits realization entails creation of new benefits for the enterprise, maintenance and extension of existing benefits and elimination of initiatives and assets that are not creating sufficient value. B. Risk optimization is just one objective of risk governance. Risk is optimized when the upside and downside of risk are considered. For example, decision makers should balance the exposure that may result if risk is not mitigated; the benefit of reducing exposure to acceptable levels; the potential disadvantage where opportunities are missed; and the benefit that may accrue if opportunities are taken. C. Resource optimization is just one of risk governance objective. Resource optimization involves effective, efficient and responsible use of all resources—human, financial, equipment, facilities, etc.  D. Value creation is the main objective of risk governance and is achieved when the three underlying objectives (benefits realization, risk optimization and resource optimization) are balanced. R1-96 Risk tolerance levels, risk ratings, related projects, affected stakeholders, assessment details and risk owners are all captured in which of the following items? A. A risk register B. A risk subject C. Risk factors D. A risk action plan A is the correct answer. Justification:  A. A risk register includes risk tolerance levels, risk ratings, related projects, affected stakeholders, assessment details and risk owners. B. A risk subject refers to the risk owner and affected business unit but does not address projects. C. Risk factors reference internal and external context, risk management and IT-related capabilities. D. A risk action plan includes risk scenarios requiring mitigation, root cause analysis, risk response evaluation criteria, accountability and responsibility, proposed actions, required resources, performance measurements and constraints, cost-benefit analysis, reporting and monitoring requirements, and timing and scheduling.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

43

DOMAIN 1—IT RISK IDENTIFICATION

R1-97 Which of the following principles of information security is of the GREATEST concern to a social media outlet? A. Integrity B. Confidentiality C. Availability D. Nonrepudiation C is the correct answer. Justification: A. An integrity problem will not have the immediate and widespread effect of an availability problem. Integrity is usually the responsibility of the social media user. B. Confidentiality is the responsibility, and at the discretion, of the user.  C. For a social media outlet, availability is of the greatest concern because integrity, confidentiality and nonrepudiation are not the greatest concerns of social media outlet customers. D. Nonrepudiation is a concern in social media because a user can create a profile claiming they are someone else. However, this is the responsibility of social media users. R1-98 Which of the following vulnerabilities will make a web application MOST susceptible to a structured query language (SQL) injection attack? A. Insecure cryptographic storage B. Weak session identifiers C. Fail-open error handling D. Inadequate validation of input D is the correct answer. Justification: A. Access to cryptographic storage can only occur after the fields in the application have been compromised through inadequate input validation. B. Weak session identifiers will lead to session hijacking, not to structured query language (SQL) injection attacks. C. Fail-open error handling is a design error in which a system leaves its component exposed when in a failed state. Error messages are often so verbose that sensitive information may be revealed. This vulnerability results from inadequate validation of input data. D. SQL injection attacks occur through the input of commands in fields meant for simple data. If the fields do not validate properly, the commands will be executed.

44

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-99 Which of the following choices poses the MOST significant threat to a project? A. A lack of feedback upon project completion B. A lack of unit testing C. Missed opportunities from lessons learned D. Misunderstanding the requirements D is the correct answer. Justification: A. Postcompletion feedback is useful for documenting lessons learned and improving future projects, but it does not affect the success of the project to which the feedback relates. B. Unit testing eliminates flaws in a project’s deliverables before they are presented as final, but the more fundamental threat posed by misunderstanding requirements is not addressed in unit testing. C. Lessons learned can help make future projects more effective. However, lessons that fall short of causing a project to fail are not as significant as misunderstanding original requirements. The latter can result in delivery of outcomes that fail to meet business objectives.  D. Projects exist to deliver specific outcomes as stated in requirements. If requirements are misunderstood, a project can be successful in terms of its internal criteria, scheduling and budget, yet result in a business failure because the project will not have delivered business value. R1-100 Which of the following poses the GREATEST risk to an organization that recently engaged the services of a cloud provider? A. The cloud provider’s primary facility is in the same vicinity as the subscriber. B. The service level agreement is ambiguous. C. References from other customers were not obtained. D. Auditing the vendor requires dependence on a third-party audit firm. B is the correct answer. Justification: A. There is no direct impact if the subscriber and the cloud provider reside in the same geographic region, provided the latter has a continuity plan that is unlikely to be affected by the same local event.  B. If the service level agreement is ambiguous, it will be difficult to determine whether the provider complies. C. References are important, but they cannot provide reasonable assurance that the vendor will deliver. D. Inability to audit a third-party provider is less than desirable; however, it is allowed in reporting under Statement on Standards for Attestation Engagements No. 16 (SSAE 16).

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

45

DOMAIN 1—IT RISK IDENTIFICATION

R1-101 Which of the following choices should drive the IT plan? A. Strategic planning and business requirements B. Technology and operational procedures C. Compliance with laws and regulations D. Project plans and stakeholder requirements A is the correct answer. Justification:  A. IT exists to support business objectives. Management of enterprise IT should align the IT plan closely with the business. B. IT exists to support business objectives. The IT plan should consider technology and procedures, but they cannot eclipse business strategy without risking a gap between strategy and IT. C. IT exists to support business objectives. Compliance with laws and regulations should be evaluated in the same manner as any other risk. D. IT exists to support business objectives. When IT projects are based on a project-by-project approach, effort is often duplicated or wasted, and results are likely to be incompatible across the organization. R1-102 Who should be accountable for risk to an IT system that supports a critical business process? A. IT management B. Senior management C. The risk management department D. System users B is the correct answer. Justification: A. IT management is responsible for managing information systems on behalf of business owners; they are not accountable for risk.  B. The accountable party is senior management. Although they are not responsible for executing the risk management program, they are ultimately liable for acceptance and mitigation of all risk. C. The risk management department is responsible for the execution of the risk management program and will identify, evaluate and report on risk and risk response efforts; the department is not accountable for the risk. D. System users are responsible for using the system properly and following procedures; they are not accountable for the risk.

46

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-103 In which phase of the system development life cycle should a risk practitioner FIRST become involved? A. Analysis B. Design C. Planning D. Implementation C is the correct answer. Justification: A. In the analysis phase, initial planning and the high-level project budget and schedule have typically already been developed. The risk practitioner should be involved during planning to represent risk considerations like control design and testing, so that analysis, scheduling and budget will not need to be updated later. B. In the design phase, requirements are already effectively decided. If risk has not been taken into account, adding controls into the design may result in unexpected delays and higher cost. C. The risk practitioner should become involved as early as possible in the system development life cycle and remain involved throughout the course of the project. When risk practitioners participate in planning, they can influence requests for resources in order to meet requirements of risk objectives most efficiently and effectively. D. In the implementation phase, the design has already been finalized, and everything is scheduled with the approved design in mind. Adding controls at this point is likely to have significant impact on the budget and schedule, and controls implemented without having been part of the design are likely to be less effective than those built natively into the design. R1-104 Which of the following controls can reduce the potential impact of a malicious hacker who gains access to an administrator account? A. Multifactor authentication B. Audit logging C. Least privilege D. Password policy C is the correct answer. Justification: A. Multifactor authentication safeguards against an account being accessed without authorization. If a malicious hacker has gained access to the account, this control has already been bypassed. B. Audit logging may help identify activities undertaken using an administrator account, but it is a lagging indicator; in the absence of other measures, it will not limit malicious activities already underway.  C. Hackers often target administrative accounts because they are understood to be exempt from controls and have the widest scope of permission. However, given that administrators in many large enterprises specialize in particular areas (e.g., specific servers, specific databases, firewalls, etc.), least privilege can reduce the impact of a compromised account within the scope of its intended use and limit impact to the organization as a whole, without restricting the performance of employees in administrative roles. Even in small organizations (where one person holds multiple roles) least privilege can reduce losses that otherwise may result from compromised accounts. D. A password policy requiring frequent changes can limit the reuse value of a compromised account, but will not limit its scope; password changes are likely not frequent enough to prevent malicious access absolutely.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

47

DOMAIN 1—IT RISK IDENTIFICATION

R1-105 Which of the following approaches results in risk scenarios applicable to an enterprise’s identified risk? A. A bottom-up approach based on generic scenarios B. A bottom-up approach emphasizing threat events C. A top-down approach based on magnitude of loss D. A top-down approach driven by business objectives D is the correct answer. Justification: A. Generic risk scenarios help ensure that no risk is overlooked; they encourage the organization to avoid blind spots outside its normal frame of reference. However, the bottom-up approach is not tailored to specific risk identified by the business. Most organizations will combine the bottom-up and top-down approaches to ensure business relevance. B. Threat events represent only one component of a risk scenario. C. Magnitude of loss does not entail probability. If risk scenarios are developed primarily on the basis of potential impact, they may become highly theoretical and appear unrealistic to business owners.  D. Top-down approaches ensure that an organization’s unique perspectives and business objectives are prioritized in risk scenarios. R1-106 IT plans to replace its existing wired local area network with a wireless infrastructure to accommodate the use of mobile devices within the organization. This will increase the risk of which of the following attacks? A. Wardriving B. Port scanning C. Malware on mobile devices D. Spoofing attacks A is the correct answer. Justification: A. Wireless infrastructure is specifically subject to wardriving attacks; therefore, risk associated with wired local area networks (LANs) will increase to reflect the new wireless infrastructure. B. Risk of port scanning will not increase because wired LANs and wireless infrastructures are equally susceptible. C. End points on wired LANs and wireless infrastructures do not affect the number of malware attacks because the attacks are common on both wired LANs and wireless infrastructures. D. Spoofing attacks are common on both wired LANs and wireless infrastructures, so the risk will remain the same.

48

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-107 Which of the following is MOST likely to result in a project going over budget? A. Testing B. Scope creep C. Loss of sponsorship D. Quality control B is the correct answer. Justification: A. Testing should be a critical part of the project, and funding for adequate testing should be built into the program from the start; therefore, this should not cause the project to go over budget.  B. Scope creep, also called requirement creep, refers to uncontrolled changes in a project’s scope. Unless the scope of the project is controlled, its duration and budget cannot be held to account; the project may exceed budget in order to meet changing requirements. C. Loss of sponsorship may delay the project, but generally does not cause it to go over budget. D. Quality control verifies that deliveries meet quality standards. Failure to meet standards is symptomatic of other root causes and does not directly nor necessarily add cost or exceed budget in itself. R1-108 Which of the following BEST addresses the potential for bias in developing risk scenarios? A. Using representative and significant historical data B. Securing participation of a large team of functional experts C. Establishing a clearly defined escalation process D. Integrating quantitative risk analysis techniques A is the correct answer. Justification: A. Using representative and significantly broad historical data helps to avoid bias that may otherwise characterize the selection of data by individual functional experts. B. Securing participation of a large team of functional experts can help reduce subjectivity to some extent. However, it will not preclude bias because each expert may provide data according to his/her own experience and knowledge. C. Establishing a clearly defined escalation process will provide opportunities to challenge risk values but will not address potential bias in itself. D. Integrating quantitative risk analysis techniques will not reduce bias unless factual internal and external data are available in the first place.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

49

DOMAIN 1—IT RISK IDENTIFICATION

R1-109 To which of the following documents does an organization refer to determine the intellectual property ownership of an application built by a third-party service manager in the course of its work for the organization? A. Service level agreement B. Statement of work C. Operational level agreement D. Nondisclosure agreement B is the correct answer. Justification: A. A service level agreement (SLA) defines minimum performance targets; mechanisms for performance measurement; and, typically, penalties for noncompliance. It does not address matters of intellectual property (IP) ownership.  B. A statement of work typically defines terms of governance, conditions for third-party engagement and delineates IP ownership of products developed under the contract. Failure to include adequate language for IP may result in limited or no rights to resulting deliverables. Therefore, it is critical to review language rather than rely on boilerplate clauses to optimize ownership of deliverables and assess vulnerability associated with third-party engagements. C. An operational level agreement is comparable to an SLA but involves different departments within an organization. IP ownership is usually not disputed among departments within the same organization. D. A nondisclosure agreement typically provides confidentiality of shared materials and information. It does not apply to work performed under contract by one party for the other. R1-110 The GREATEST risk posed by an absence of strategic planning is: A. increase in the number of licensing violations. B. increase in the number of obsolete systems. C. improper oversight of IT investment. D. unresolved current and past problems. C is the correct answer. Justification: A. Licensing violations can lead to fines and penalties from software companies; however, absence of strategic planning does not necessarily entail an increase in licensing violations. B. The number of obsolete systems can increase if strategic planning lapses; however, improper or negligent oversight of IT investment is the more fundamental direct risk, as investment informs the execution of future strategy and ensures that new systems align with business objectives. C. Improper oversight of IT investment is the greatest risk. Without proper oversight from management, IT investment may fail to align with business strategy, and IT expenditures may not support business objectives. D. Strategic planning is future-oriented, whereas unresolved current and past problems are tactical in nature.

50

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-111 What should be performed FIRST when establishing the IT risk framework of an organization? A. Setting accountabilities and responsibilities for risk B. Articulating the financial risk appetite for the organization C. Allocating control owners for critical information systems D. Endorsing a risk matrix that specifies risk tolerances A is the correct answer. Justification: A. Without ownership and accountability, the risk framework will not be driven forward. B. A financial risk appetite is important, but its articulation is not the first step in establishing the IT risk framework, which must set accountabilities and ownership to be effective. Furthermore, the risk appetite will require interpretation and translation into the IT domain. C. Ownership of critical systems is a subset of overall accountability, without which the IT risk framework could not be complete or enforceable. D. Risk matrices are not required for risk assessments and risk frameworks (especially those emphasizing risk tolerance). R1-112 Which of the following threats is the MOST difficult to detect? A. Viruses B. Bots C. Rootkits D. Worms C is the correct answer. Justification: A. Viruses can be detected with antivirus software. B. Bots can be identified through traffic analysis. C. Rootkits are software suites that help intruders gain unauthorized administrative access to a computer system. They are designed to be stealthy in operation. D. Worms involve self-replicating programs that spread independently of users’ actions. Worms can be detected with antivirus software.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

51

DOMAIN 1—IT RISK IDENTIFICATION

R1-113 When assessing strategic IT risk, the FIRST step is: A. summarizing IT project risk. B. understanding organizational strategy from senior executives. C. establishing enterprise architecture strategy. D. reviewing IT incident reports from service delivery. B is the correct answer. Justification: A. Summarizing project risk does not necessarily facilitate understanding of all risk. Unintended consequences, reputation and brand risk, and strategic objectives should all be considered in order to assess strategic IT risk.  B. Strategic IT risk is related to the strategy and objectives of the enterprise. Senior executives provide the enterprise view of dependencies and expectations for IT, which in turn lead to understanding of potential risk. C. Enterprise architecture (EA) is fundamentally concerned to produce a view of the current state of IT, establish a vision for the future state and set strategy to realize it (preferably by optimizing resource risk while providing benefit). EA is informed by understanding organizational strategy and views of senior executives, which change rapidly in the current business environment and should be reviewed regularly. D. Understanding current incidents will not directly provide a strategic view of organizational objectives or illustrate how the organization depends on IT to achieve the objectives. R1-114 A risk practitioner’s PRIMARY role is to: A. evaluate and decide effective mitigation techniques. B. implement and monitor controls. C. provide governance over risk. D. consult and recommend risk responses. D is the correct answer. Justification: A. Evaluating mitigation techniques and deciding on the most effective are the responsibility of management. B. Implementation and monitoring are the responsibility of control owners. C. Governance is a role of the board and senior management.  D. A risk practitioner is responsible for consulting about risk and recommending possible solutions for risk responses.

52

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-115 Which of the following attacks occurs PRIMARILY because user input is not properly validated? A. Uniform resource locator obfuscation B. Directory traversal C. Cross-site scripting D. Session hijacking C is the correct answer. Justification: A. Uniform resource locator (URL) obfuscation is a form of phishing attack that uses manipulated links and URLs to trick users into accessing fake, spoofed websites rather than the website they intended. B. Directory traversal is a Hypertext Transfer Protocol exploit in which attackers access restricted directories and execute commands that may compromise information.  C. Cross-site scripting (XSS) is an injection attack in which malicious scripts are injected into otherwise benign and trusted web sites. XSS results when insufficient input validation allows a user to submit malicious executable code into a web application. D. Session hijacking attacks exploit session-control mechanisms to gain unauthorized access to a system. R1-116 Project-related risk that can threaten the successful completion of a software development project is BEST identified by the: A. project manager. B. project sponsor. C. project steering committee. D. quality assurance team. A is the correct answer. Justification: A. The project manager is responsible for the identification, analysis and monitoring of project-related risk. The risk should be reported to the project sponsor. B. The project sponsor focuses on risk that can hinder the project from achieving the expected deliverables. C. The project steering committee oversees the handling of the risk identified by the project manager. D. The quality assurance team ensures that quality standards are enforced. R1-117 Which one of the following aspects is MOST important for an effective IT risk management process? A. Addressing information security risk management B. Addressing regulatory risk management C. Aligning with financial risk management D. Aligning with enterprise risk management D is the correct answer. Justification: A. Information security risk management is a subset of enterprise risk management (ERM). B. Regulatory risk management is a subset of ERM. C. Financial risk management is a part of ERM.  D. Aligning IT risk management with ERM is the most important aspect because it ensures alignment of IT objectives with enterprise objectives.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

53

DOMAIN 1—IT RISK IDENTIFICATION

R1-118 Which of the following statements is a risk scenario? A. The password for the configuration of the tape backup system is set to the vendor default. B. A program that processes records does not include data input validation. C. Dedicated capacity for processing on an enterprise system exceeds projected maximum usage, resulting in wasted infrastructure resources. D. Attackers develop a new piece of malware based on a known, but patched, vulnerability. C is the correct answer. Justification: A. If the password to configure a tape backup system is set to its vendor default, the password reflects the state of a technology control. Its state is not an event that could result in a loss. B. A program that processes records without data input validation presents a vulnerability. It is not an event that could result in a loss.  C. Dedicated processing capacity that exceeds projected maximum usage and therefore results in wasted infrastructure resources constitutes potential loss. D. If attackers develop a new piece of malware based on a known, but patched, vulnerability, their actions constitute a threat, but not a valid risk, because the vulnerability has already been patched. R1-119 Which of the following is the MAIN outcome of a business impact analysis? A. Project prioritization B. Criticality of business processes C. The root cause of IT risk D. Third-party vendor risk B is the correct answer. Justification: A. Project prioritization is a core focus of program management and seeks to optimize resource utilization. It is not the main outcome of a business impact analysis. B. A business impact analysis (BIA) measures the total impact of tangible and intangible assets on business processes. Therefore, the sum of the value and opportunity lost as well as the investment and time required to recover indicates the criticality of business processes. C. A root cause analysis investigates and diagnoses the origins of events. It typically assesses consequences of errors and/or problems, and is not an outcome of a BIA. D. Third-party vendor risk should be documented during the BIA process, but it is not a main outcome.

54

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-120 Which of the following is the BEST method to ensure the overall effectiveness of a risk management program? A. Assignment of risk within the enterprise B. Comparison of the program results with industry standards C. Participation by applicable members of the enterprise D. User assessment of changes in risk C is the correct answer. Justification: A. Assignment of risk within the enterprise is important to ensure that risk owners are clearly defined; but without active participation of risk owners the program will not achieve optimal success. B. Comparison of the program results with industry standards may result in valuable benchmarking but is not as important as stakeholder participation.  C. Effective risk management requires participation, support and acceptance by all applicable members of the enterprise, beginning with executives. Personnel must understand their responsibilities, receive training on how to fulfill their roles, exercise active judgment and take appropriate action. D. User assessment of changes is a subjective method of assessing risk and not part of a mature risk management program. R1-121 Which of the following is of MOST concern in a review of a virtual private network implementation? Computers on the network are located: A. at the enterprise’s remote offices. B. on the enterprise’s internal network. C. at the backup site. D. in employees’ homes. D is the correct answer. Justification: A. Computers on the network at the enterprise’s remote offices may be administered by different security employees but they are still subject to enterprise security policy; therefore, remote-office machines present less risk than employees’ home computers. B. There should be security policies in place on an enterprise’s internal network to detect and halt an outside attack that uses an internal machine as a staging platform. C. Computers at the backup site are subject to the corporate security policy and, therefore, are not high-risk computers. D. In a virtual private network, all machines should be subject to the same security policy. Home computers are least often subject to the corporate security policy and therefore are high-risk machines. Once a computer is hacked and “owned,” any network that trusts that computer is at risk. Implementation and adherence to the corporate security policy are easier when all computers on the network reside at the enterprise’s campus.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

55

DOMAIN 1—IT RISK IDENTIFICATION

R1-122 Which of the following is the MOST prevalent risk in the development of end-user computing applications? A. Increased development and maintenance costs B. Increased application development time C. Impaired decision making due to diminished responsiveness to requests for information D. Failure to subject applications to testing and IT general controls D is the correct answer. Justification: A. End-user computing (EUC) applications typically result in reduced application development and maintenance costs. B. EUC applications typically result in a reduced development cycle time. C. EUC applications normally increase flexibility and responsiveness to management’s information requests. D. End-user applications may not be subject to independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. The applications may lack appropriate standards, controls, quality-assurance procedures and documentation. End-user applications may not be subject to backup and recovery procedures because operations may not be aware of them. R1-123 Which of the following is critical to the risk practitioner for an effective risk management program? A. Risk response strategy B. Risk register content C. Risk profile content D. Risk owners and accountability D is the correct answer. Justification: A. The risk response strategy to mitigate identified risk provides risk owners with options for managing their owned risk. B. The risk register identifies risk and available controls. C. The risk profile describes current risk facing the organization and documents its compliance with risk appetite and tolerance.  D.  The identification of risk owners is critical because risk owners must make informed and cost-effective business decisions regarding appropriate controls to mitigate their owned risk. Risk response strategy, risk registers and risk profiles are tools that require owners who use or apply them accountably and proactively. R1-124 Risk management programs are designed to reduce risk to: A. the point at which the benefit exceeds the expense. B. a level that is too small to be measurable. C. a rate of return that equals the current cost of capital. D. a level that the enterprise is willing to accept. D is the correct answer. Justification: A. Depending on the risk preference (risk appetite) of an enterprise, it may or may not choose to pursue risk mitigation to the point at which the benefit equals or exceeds the expense. B. Reducing risk to a level too small to measure is not practical and is often cost prohibitive. C. Tying risk to a specific rate of return ignores the qualitative aspects of risk.  D. Risk should be reduced to a level that an organization (i.e., management) is willing to accept; therefore, risk management primarily seeks to facilitate business judgment and support enterprise business goals. 56

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-125 Whether a risk has been reduced to an acceptable level should be determined by: A. information systems requirements. B. information security requirements. C. international standards. D. organizational requirements. D is the correct answer. Justification: A. Information systems requirements should not make the ultimate determination. B. Information security requirements should not make the ultimate determination. C. Because each enterprise is unique, international standards do not necessarily represent the best solution, which depends on local risk appetite and other requirements.  D. Organizational requirements should determine when a risk has been reduced to an acceptable level. Information systems and security requirements and standards may help inform organizational requirements, but in themselves lack the critical context of enterprise business goals. R1-126 Commitment and support of senior management for information security investment can BEST be accomplished by a business case that: A. explains the technical risk to the enterprise. B. includes industry good practices as they relate to information security. C. details successful attacks against a competitor. D. ties security risk to organizational business objectives. D is the correct answer. Justification: A. Senior management will not likely be interested in technical risk unless it is related specifically to business environment and objectives. B. Industry good practices are important to senior management; however, the practices must be related to key business objectives in order for senior management to understand their full significance. C. Senior management will not be as interested in examples of successful attacks against a competitor if they are not tied to the impact on business environment and objectives.  D. Senior management seeks to understand the business justification for investing in security. This can best be accomplished by tying security to key business objectives.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

57

DOMAIN 1—IT RISK IDENTIFICATION

R1-127 Acceptable risk for an enterprise is achieved when: A. transferred risk is minimized. B. control risk is minimized. C. inherent risk is minimized. D. residual risk is within tolerance levels. D is the correct answer. Justification: A. Risk transfer is the process of assigning risk to another organization, usually through the purchase of an insurance policy or outsourcing the service. In both a physical and legal sense this risk transfer does not relieve an enterprise of a risk, but it can leverage the skills of another party to help manage the risk and thus reduce the financial consequence of adverse events. B. Control risk is the risk that a material error would not be prevented or detected on a timely basis by the system of internal controls. C. Inherent risk reflects a level of risk or exposure apart from actions that management has taken or might take (e.g., implementing controls). Inherent risk cannot be minimized.  D. Residual risk is the risk that remains after all controls have been applied; therefore, acceptable risk is achieved when residual risk is aligned with the enterprise risk appetite. R1-128 Which of the following BEST supports business continuity management in meeting external stakeholder expectations? A. Prioritizing applications based on business criticality. B. Ensuring that backup data are available for restoration. C. Disclosing the crisis management strategy statement. D. Obtaining risk assessment by an independent party. A is the correct answer. Justification: A. External parties (such as customers) expect that their information assets are secured. To meet this goal, it is strategically important to prioritize applications based on business criticality. This approach allows external expectations to be met optimally with limited resources. B. Ensuring accessibility of backup data is a fundamental requirement of business continuity. However, external stakeholders are less likely to raise backup and restoration as top agenda items. Backup data are not always necessary to solve business continuity problems, which can result from causes other than loss of data (e.g., technical failures). C. Based on industry, country or regulatory requirements, some enterprises disclose public crisis management strategy, but such strategy depends in the first place on prioritizing applications according to business criticality. D. Obtaining third-party assessment is quite important. However, it does not necessarily guarantee that business continuity management meets external stakeholder expectations.

58

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-129 Which of the following BEST identifies changes in an enterprise’s risk profile? A. The risk register B. Risk classification C. Changes in risk indicator thresholds D. Updates to the control inventory A is the correct answer. Justification:  A. The risk register is the central document to identify changes in an enterprise’s risk profile. B. Risk classification helps prioritize risk for effective response but does not capture changes in the business environment. C. Changes in risk indicator thresholds may affect the time within which risk events trigger responses. However, such changes do not necessarily reflect changes in the business environment. D. Updates to the control inventory are important inputs into the risk management process because they represent key internal environmental risk factors. Other risk factors include external environment, internal capacity and IT capacity. R1-130 Which of the following BEST identifies controls addressing risk related to cloud computing? A. Data encryption, tenant isolation, controlled change management B. Data encryption, customizing the application template, creating and importing custom widgets C. Use of technology based upon open standards, data encryption, tenant isolation D. Tenant isolation, controlled change management, creating and importing custom widgets A is the correct answer. Justification:  A. Encryption facilitates separation of data among tenants. Tenant isolation ensures that one tenant’s data are sequestered from other tenants. Controlled change management ensures that all changes are well planned and tenant dependencies are mapped to underlying resources and services. B. Customizing the application template and importing custom widgets are application or software activities that do not specifically relate to data. C. Open-standards technology does not necessarily relate to controls addressing data risk. D. As in choice B, importing custom widgets is an application or software activity and does not specifically relate to data.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

59

DOMAIN 1—IT RISK IDENTIFICATION

R1-131 The MAIN benefit of information classification is that it helps: A. determine how information can be further labeled. B. establish access control matrices. C. determine risk tolerance level. D. select security measures proportional to risk. D is the correct answer. Justification: A. Information labeling identifies classification level as determined by process owners, but is not the main benefit of classification. B. An access control matrix indicates what roles have access to given information, but is not a benefit of information classification. C. The risk tolerance level is determined by current risk level and weighs risk that needs to be addressed as part of risk response. Information classification does not help in the process.  D. Based on information classification, information is partitioned according to sensitivity, importance and risk so proportional security measures can be designed and applied. R1-132 Which of the following resources has the GREATEST risk of failure while implementing any security solution? A. Security hardware B. Security staff C. Security processes D. Security software B is the correct answer. Justification: A. Security hardware failure is a risk to the enterprise, but not the greatest risk. The misconfiguration of the hardware by staff is the greatest risk.  B. Staff represent the greatest risk of failure because people are vulnerable to risk such as fraud and deliberate or accidental misconfiguration of software processes or hardware. C. Security process failures per se are a risk to the enterprise, but failure to follow the process by staff is the greater risk. D. Security software failures are a risk to the enterprise, but most failures result from misuse or misconfiguration, not from flaws in the software. R1-133 An enterprise security policy is an example of which control? A. Operational control B. Management control C. Technical control D. Corrective control B is the correct answer. Justification: A. Manufacturing procedures are generally categorized as operational controls.  B. There are two control methods: technical and nontechnical. Enterprise security policies are nontechnical management controls. C. Encryption and intrusion detection systems (IDSs) are typical examples of technical controls. D. Corrective controls are used to respond to an incident and are not an example of policy. 60

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-134 Why is it important that business managers provide IT with requirements rather than requests for specific products? A. To ensure that software development is given equal consideration B. To ensure that the solution meet business objectives C. To reduce potential for conflicts of interest among business managers D. To reduce the cost of maintenance associated with aging software B is the correct answer. Justification: A. Guaranteeing equal consideration for purchased and developed software is not a primary concern for IT, which needs requirements rather than requests for specific products. Decisions to purchase or develop internally generally require management to judge business cost and value.  B. The goal of IT is to deliver solutions that meet requirements. Therefore, business managers should identify requirements rather than making requests for specific products. C. Reducing the potential for conflict of interest is not a primary concern for IT. D. Maintenance cost is only one component in evaluating technical solutions. R1-135 Which of the following is MOST essential for a risk management program to be effective? A. New risk detection B. A sound risk baseline C. Accurate risk reporting D. A flexible security budget A is the correct answer. Justification:  A. Without identifying new risk, other measures will succeed only for a limited period. B. A risk baseline is essential for implementing risk management, but new risk detection is the most essential. C. Accurate risk reporting is essential for implementing risk management, but new risk detection is the most essential. D. A flexible security budget is not available to most enterprises. A limited security budget reflects a common limitation in scope which should be considered, along with other limitations, in prioritizing risk responses. R1-136 Which of the following MOST enables risk-aware business decisions? A. Robust information security policies B. Exchange of accurate and timely information C. Skilled risk management personnel D. Effective process controls B is the correct answer. Justification: A. Security policies generally focus on protecting the business and do not enable risk-aware business decisions, particularly when the decision affects future business needs. B. Robust exchange of information enables management to optimize their risk-related decisions. Accuracy and timeliness of information are critical success factors. C. Skilled risk management personnel enable risk-aware business decisions, but ideally the flow of information will be bidirectional. Risk management personnel should report risk, loss and vulnerability events to management. Likewise, risk management personnel should understand changes in the organization’s risk appetite and tolerance. D. Process controls generally exist for known threats and do not enable risk-based business decisions. Control monitoring, however, involves the dissemination of control information to enable a timely risk response (business decision). CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

61

DOMAIN 1—IT RISK IDENTIFICATION

R1-137 Which of the following is the BEST indicator of high maturity of an enterprise’s IT risk management process? A. People have appropriate awareness of risk and are comfortable talking about it. B. Top management is prepared to invest more money in IT security. C. Risk assessment is encouraged in all areas of IT and business management. D. Business and IT are aligned in risk assessment and risk ranking. A is the correct answer. Justification:  A. Some of the most important aspects of mature IT risk management are related to culture. An enterprise is best served by a culture in which people recognize risk inherent to their activities, discuss the risk transparently and collaborate willingly to resolve it. B. Investment in IT security may strengthen overall risk management posture; however, it is not necessarily an appropriate measure of IT risk management process maturity. C. While risk assessment is an important step in the risk management process, it is not a sufficient indicator of a mature risk management process, even when deployed across all business units and functions. D. Alignment between IT and business is the foundation of effective IT risk management; however, it is not a sufficient indicator of mature a IT risk management process. R1-138 The PRIMARY reason for developing an enterprise security architecture is to: A. align security strategies among the functional areas of an enterprise and external entities. B. build a barrier between the IT systems of an enterprise and the outside world. C. foster understanding of the enterprise’s technologies and interactions among them. D. protect the enterprise from external threats and monitor the corporate network proactively. A is the correct answer. Justification:  A. The enterprise security architecture must align strategies and objectives of diverse functional areas within the enterprise, optimize the flow of information within an enterprise and support all required communication with external partners, customers and suppliers. B. Building a barrier between the IT systems of an enterprise and the outside world without considering business objectives may interfere with valid business processes. C. Enterprise security architecture should not only inventory every piece of technology that exists in the enterprise but also document their interactions and interdependencies in relation to business objectives. The enterprise security architecture should further document interactions with, and dependencies on, external processes, suppliers, partners and customers as they relate to business goals. D. An enterprise security architecture does not protect the enterprise from threats nor does monitor threats; it establishes a blueprint including internal and external controls needed to protect the enterprise.

62

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-139 An information security trade journal publishes information about potential cybercriminal activity and targeted organizations. A risk practitioner identifies that the company is on the list of targets. What is the FIRST action the risk practitioner should take? A. Advise IT management about the threat. B. Inform all employees about the threat. C. Contact law enforcement officials about the threat. D. Inform senior management about the threat. D is the correct answer. Justification: A. Only critical members of the IT management team should be notified of the threat. B. Information should be given on a need-to-know basis; all employees do not need to know of a potential threat to the company. C. Contacting law enforcement is premature, although law enforcement may need to be contacted in the future with management approval. D. All senior management needs to be aware of the threat so they can be prepared if an incident takes place. R1-140 A financial institution conducts high-value electronic transactions with several of its customers using their selfsigned digital certificates. Which of the following would be of the MOST concern to the risk practitioner? A. Customers’ self-signed digital certificates may not be accepted by an internal user’s browser. B. Non-repudiation requirements may not be enforced by these certificates. C. The certificate’s private key may be susceptible to a malicious attack. D. Self-signed digital certificates may lead to session hijacking due to unencrypted traffic. B is the correct answer. Justification: A. Self-signed certificates can be used in internal applications and would not represent a concern to the risk practitioner. B. Non-repudiation of transactions is a critical requirement in financial transactions. This can only be satisfied by using third party-trusted certificates signed by an accredited authority. C. Browsers will display warnings, and users are responsible for accepting or rejecting the certificate. However, after the browser accepts the certificate, the transaction can be repudiated due to absence of a trusted third party. D. In Secure Socket Layer (SSL) communications traffic is encrypted using the session key and therefore not susceptible to session hijacking.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

63

DOMAIN 1—IT RISK IDENTIFICATION

R1-141 Which of the following risk considerations is of MORE concern to the risk practitioner regarding hardware as opposed to software? A. Misconfiguration B. Access control C. Skilled resources D. Version control A is the correct answer. Justification: A. Misconfiguration can lead to potential vulnerabilities, leaving the system open to external parties, and is a larger concern for hardware than software. B. The risk of access control applies to both hardware and software. C. Lack of skilled resources can affect both hardware and software. D. Version control does not apply to hardware. R1-142 At which phase of the system development life cycle should risk related to system requirements be determined? A. Development B. Implementation C. Initiation D. Maintenance C is the correct answer. Justification: A. During development, risks have already been identified to inform security analyses of the IT system and therefore suggest compromises in architecture and/or design requirements to address security concerns. B. At implementation, the risk management process supports implementation against established requirements and within its modeled operational environment.  C. Upon initiation of the system development life cycle, identified risk should inform system requirements, including security requirements and a security concept of operations. D. Risk management activities are performed for periodic system reauthorization. Requirements must have been developed prior to maintenance. R1-143 Who is responsible for approving an organization’s risk appetite and risk tolerance related to information security? A. Business unit manager B. Information security officer C. Senior management D. Risk manager C is the correct answer. Justification: A. The business unit manager does not determine risk appetite or risk tolerance for the organization. B. The information security officer does not determine risk appetite or risk tolerance for the organization. C. Senior management determines organizational risk appetite and risk tolerance. D. The risk manager does not determine risk appetite or risk tolerance for the organization.

64

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-144 Which of the following provides the BEST safeguard against a data breach? A. Data encryption B. Security awareness training C. Cyberrisk insurance D. Data masking B is the correct answer. Justification: A. Data encryption follows employees’ identification of sensitive data, which they would learn to identify through awareness training.  B. Security awareness training helps employees ensure they have adequate protections and safeguards for the data they handle. C. Cyberrisk insurance will protect against monetary damages but not necessarily from the breach itself. D. Data masking follows employees’ identification of sensitive data, which they would learn to identify through awareness training. R1-145 Which of the following threats would MOST concern the risk practitioner? A. An enterprise allows Internet-facing applications for business functions. B. An enterprise allows third-party access through remote network connectivity. C. An enterprise allows employee-owned devices for business functions. D. An enterprise allows artificial intelligence systems for business functions. C is the correct answer. Justification: A. Organizations doing business over the Internet should use secure Internet-facing applications to interact and share information with clients and suppliers. Effective ongoing monitoring treats this risk. B. Third-party access through remote network connectivity uses a secure means of communication and can guarantee end-to-end protection of information exchanged between an organization and its suppliers and third parties. C. Increased risk of malware propagation, information loss, loss of device and unauthorized access are all potential risks when employees access business information on employee-owned devices. These risks would be of most concern to the risk practitioner. D. The use of artificial intelligence systems does not pose a higher risk than any other risk to the organization. R1-146 Which of the following would be the MOST influential in determining an organization’s approach to risk management? A. Findings from recent audit reports B. Formal approval from the chief information security officer C. Key performance indicators and key risk indicators D. Enterprise policies D is the correct answer. Justification: A. Findings from recent audit reports only focus on specific areas of the business, and not the enterprise as a whole. B. The risk management approach cannot be determined only from the chief information security officer. C. Key performance indicators and key risk indicators do not determine an organization’s approach to risk management. Instead, they monitor the attainment of the risk management program.  D. Enterprise policies state the organization’s guidance for risk management.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

65

DOMAIN 1—IT RISK IDENTIFICATION

R1-147 A healthcare practitioner is providing care to one of her patients but is provided the file of a patient she is meeting later on in the day. What is the PRIMARY type of risk faced in this situation? A. Relevance B. Integrity C. Security D. Availability A is the correct answer. Justification:  A. Relevance risk is the risk of not getting the right information to the right person at the right time for the correct action to be taken. The practitioner requires the correct health information to provide the appropriate care. The file provided to the practitioner is not relevant to that patient. B. Integrity risk is the risk that information is incomplete or inaccurate and therefore unreliable. The file is not relevant to that particular patient; however, there is no indication that the file is incomplete or inaccurate. C. Security risk is the risk that confidential information may be divulged to unauthorized individuals. The practitioner is authorized to view both patient files, so there is no risk of confidential information being divulged to unauthorized individuals in this situation. D. Availability risk is the risk that the data is not available when needed. Even though the incorrect file was provided, there is no indication that the patient file information would be unavailable when providing the care. R1-148 A new data protection regulation directly affects an organization. What information should the risk practitioner gather to BEST ensure compliance? A. List of controls that must be implemented to achieve and maintain compliance B. Gaps associated with existing controls and control owners C. Risk scenarios with the potential impact on compliance D. The organization’s risk appetite C is the correct answer. Justification: A. The list of controls that must be implemented to achieve and maintain compliance will be created after the business decision regarding compliance itself. B. Control gaps will be useful after the business decision regarding compliance. C. Risk scenarios should indicate potential effects of noncompliance with the new regulation and guide management in evaluating whether the cost of compliance outweighs the cost of noncompliance and if this is in alignment with the organization’s risk tolerance. Understanding the impact of compliance versus noncompliance will inform which controls are ultimately implemented to achieve and maintain compliance. D. The organization’s risk appetite will inform risk scenarios that contribute to a business decision regarding compliance.

66

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-149 An organization has contracted an external supplier to develop critical components of a consumer product. Risk tolerance levels for the outsourced component have been documented and approved. Which of the following can serve to gauge risks that may trigger stakeholder concern? A. Indicators with approved thresholds B. Approved status report of completed milestones C. List of controls to be implemented by the supplier D. Number of findings in external audit reports A is the correct answer. Justification:  A. Indicators with approved thresholds demonstrate the acceptable risk levels stakeholders are willing to tolerate, and any risk above those approved levels will likely trigger stakeholder concern. B. A status report of completed milestones only shows deliverables that have been completed against projected timelines for the outsourced component. C. The lists of controls to be implemented by the supplier are requirements that the supplier will fulfill. To gauge potential for stakeholder concern, indicators for thresholds and tolerance must be defined and approved. D. The number of findings in external audit reports is not an indicator of risk tolerance levels. R1-150 Which of the following will BEST assist a risk practitioner when addressing risk within the supply chain lifecycle? A. Understanding the supplier’s organizational systems B. Understanding the business case in support of the lifecycle C. Understanding relevant jurisdictional legal requirements D. Understanding the organization’s risk approach toward the supply chain C is the correct answer. Justification: A. Understanding of the supplier’s organizational systems is important, but would not be the best means to assist a risk practitioner when addressing risk within the supply chain lifecycle. B. The business case in support of the lifecycle occurs prior to the agreement between the organization and the supplier for product and/or service.  C. Identification and understanding of the legal requirements relevant to the supply chain will assist the risk practitioner to identify, assess and monitor risk on an ongoing basis. D. The organization’s risk approach toward the supply chain is important, but understanding relevant jurisdictional legal requirements is more important when conducting business across different regions.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

67

DOMAIN 1—IT RISK IDENTIFICATION

R1-151 An organization is considering a cloud computing deployment and accepts the risk of confidential information in the cloud. Which is the BEST cloud deployment model that offers the most safeguards for this information? A. Public cloud B. Private cloud C. Community cloud D. Hybrid cloud B is the correct answer. Justification: A. A public cloud may not have controls that a private cloud can provide regarding confidentiality.  B. The private cloud model operates solely for the enterprise and will have controls in place needed to keep enterprise information confidential. C. A community cloud may not have controls that a private cloud can provide regarding confidentiality. D. A hybrid cloud may not have controls that a private cloud can provide regarding confidentiality. R1-152 To ensure an organization’s risk program effectively mitigates risk, which of the following should be FIRST addressed by management? A. Risk findings B. Incomplete new hire checks C. Low rate of risk management training completion D. Blame culture D is the correct answer. Justification: A. Addressing risk findings will not be as smooth and effective in a blame culture as in an organization that does not have a blame culture. B. Incomplete new hire checks are a consideration but not as important as addressing the blame culture. C. Low rates of completion in risk management training are a consideration but not as important as addressing the blame culture.  D. A blame culture should be addressed and remedied as soon as possible. It hinders effective risk mitigation because it defeats accountability. R1-153 Which of the following is a KEY element of risk culture? A. Tolerance B. Policies C. Behavior D. Controls C is the correct answer. Justification: A. Tolerance is one element of a risk behavior, which would be key to the risk culture. B. Policies are influenced by the risk culture but do not determine the risk culture.  C. Behavior towards taking risk, negative outcomes and policy compliance are all elements of an organization’s risk culture. D. Controls are influenced by the risk culture but do not determine the risk culture.

68

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

DOMAIN 1—IT RISK IDENTIFICATION

R1-154 Who is accountable for the overall enterprise strategy for risk governance? A. Senior management B. Business unit management C. Chief risk officer D. Board of directors D is the correct answer. Justification: A. Senior management is incorrect as the risk governance enterprise strategy comes from the board. B. Business unit management is incorrect as the risk governance enterprise strategy comes from the board. C. Chief risk officer is incorrect as the risk governance enterprise strategy comes from the board.  D. The board of directors is accountable for the overall enterprise risk governance strategy as they state the enterprise strategy. R1-155 Which of the following MOST affects a risk scenario? A. A threat type B. An event C. An asset D. An actor D is the correct answer. Justification: A. A threat type is incorrect because there is no scenario without an actor. B. An event is incorrect because there is no scenario without an actor. C. An asset is incorrect because there is no scenario without an actor. D. An actor is correct as someone needs to exploit the vulnerability. R1-156 Where is the MOST useful place for enterprise management to store data related to a potential information breach? A. Incident log B. Problem management log C. Risk register D. Change management log C is the correct answer. Justification: A. The incident register captures incidents and not potential information-breach findings. B. The problem register captures problems and not potential information-breach findings. C. The risk register captures all information related to exposure like action plans, residual risk rating and stakeholders for follow-up. D. The change register captures changes and not potential information-breach findings.

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.

69

DOMAIN 1—IT RISK IDENTIFICATION

R1-157 Which of the following is of MOST concern for the risk practitioner regarding applications running in production? A. Unpatched vulnerabilities B. Back doors C. Unskilled resources D. Informal system development life cycle B is the correct answer. Justification: A. Unpatched vulnerabilities do not apply to applications.  B. Attackers can use backdoors to bypass authorized access control in application; therefore, it would be of the most concern to the risk practitioner. C. Unskilled resources would be a concern; however, they do not present an immediate concern relative to the risk posed by back doors. D. An informal system development life cycle would be a concern; however, it does not present an immediate concern relative to the risk posed by back doors. R1-158 What is the PRIMARY goal of an organization’s IT risk management process? A. Protect the organization’s IT assets and its environment. B. Protect the organization and its ability to perform its mission. C. Report on the status of the IT risk register. D. Ensure risks are identified and properly managed. B is the correct answer. Justification: A. The primary goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. B. The primary goal of an organization’s risk management process is to protect the organization and its ability to perform its mission. C. Reporting on the status of the IT risk register is one tool used in the IT risk management process; however, this does not reflect its goal. D. Ensuring risks are identified and properly managed is one component of the IT risk management process; however, this does not reflect its goal. R1-159 Which of the following is the MOST significant risk associated with handling credit card data through a web application? A. Displaying both the first six and last four digits of the credit card, thus exposing sensitive information B. Allowing the transmission of credit card data over the Internet using a secure channel such as Transport Layer Security (TLS) or IPSEC C. Failure to store credit card data in a secure area segregated from the demilitarized zone D. Installation of network devices with default access settings disabled or inoperable C is the correct answer. Justification: A. The Payment Card Industry Data Security Standard (PCI DSS) allows the display of both the first six and last four digits; only the six digits in the middle must be protected. B. Transport Layer Security and IPSEC are secure protocols commonly used to transmit sensitive data over the Internet. C. Failure to store credit card data in a secure area segregated from the demilitarized zone is one of the most common and serious flaws in a secure architecture. D. The default setting must be changed on all network devices that will process credit card data. 70

CRISCTM Review Questions, Answers & Explanations Manual 5th Edition © 2017 ISACA. All Rights Reserved.