SELF-ASSESSMENT QUESTIONS

CRISC self-assessment questions support the content in this manual and provide an understanding of the type and structure of questions that have typically appeared on the exam. Questions are written in a multiple-choice format and designed for one best answer. Each question has a stem (question) and four options (answer choices). The stem may be written in the form of a question or an incomplete statement. In some instances, a scenario or a description problem may also be included. These questions normally include a description of a situation and require the candidate to answer two or more questions based on the information provided. Many times a question will require the candidate to choose the MOST likely or BEST answer among the options provided. In each case, the candidate must read the question carefully, eliminate known incorrect answers and then make the best choice possible. Knowing the format in which questions are asked, and how to study and gain knowledge of what will be tested, will help the candidate correctly answer the questions.

1-1 Which of the following business requirements BEST relates to the need for resilient business and information systems processes?
A. Effectiveness
B. Confidentiality
C. Integrity
D. Availability

1-2 Which of the following statements BEST describes the value of a risk register?
A. It captures the risk inventory.
B. It drives the risk response plan.
C. It is a risk reporting tool.
D. It lists internal risk and external risk.

1-3 Shortly after performing the annual review and revision of corporate policies, a risk practitioner becomes aware that a new law may affect security requirements for the human resources system. The risk practitioner should:
A. analyze in detail how the law may affect the enterprise.
B. ensure that necessary adjustments are implemented during the next review cycle.
C. initiate an ad hoc revision of the corporate policy.
D. notify the system custodian to implement changes.

1-4 An information system that processes weather forecasts for public consumption is MOST likely to place its highest priority on:
A. nonrepudiation.
B. confidentiality.
C. integrity.
D. availability.

1-5 Which of the following choices provides the BEST view of risk management?
A. An interdisciplinary team
B. A third-party risk assessment service provider
C. The enterprise’s IT department
D. The enterprise’s internal compliance department

1-6 Which of the following choices is a PRIMARY consideration when developing an IT risk awareness program?
A. Why technology risk is owned by IT
B. How technology risk can impact each attendee’s area of business
C. How business process owners can transfer technology risk
D. Why technology risk is more difficult to manage compared to other risk

1-7 It is MOST important that risk appetite is aligned with business objectives to ensure that:
A. resources are directed toward areas of low risk tolerance.
B. major risk is identified and eliminated.
C. IT and business goals are aligned.
D. the risk strategy is adequately communicated.

1-8 Weak passwords and transmission over unprotected communication lines are examples of:
A. vulnerabilities.
B. threats.
C. probabilities.
D. impacts.

ANSWERS TO SELF-ASSESSMENT QUESTIONS

Correct answers are shown in bold.

1-1
A. Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner. While the lack of system resilience can in some cases affect effectiveness, resilience is more closely linked to the business information requirement of availability.
B. Confidentiality deals with the protection of sensitive information from unauthorized disclosure. While the lack of system resilience can in some cases affect data confidentiality, resilience is more closely linked to the business information requirement of availability.
C. Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations. While the lack of system resilience can in some cases affect data integrity, resilience is more closely linked to the business information requirement of availability.
D. Availability relates to information being available when required by the business process now and in the future. Resilience is the ability to provide and maintain an acceptable level of service during disasters or when facing operational challenges.

1-2
A. A risk register is used to provide detailed information on each identified risk such as risk owner, details of the scenario and assumptions, affected stakeholders, causes/indicators, information on the detailed scores (i.e., risk ratings) on the risk analysis, and detailed information on the risk response (e.g., action owner and the risk response status, time frame for action, related projects, and risk tolerance level). These components can also be defined as the risk universe.
B. Risk registers serve as the main reference for all risk-related information, supporting risk-related decisions such as risk response activities and their prioritization.
C. Risk register data are utilized to generate management reports, but are not in themselves a risk reporting tool.
D. The risk register tracks all internal and external risk, the quality and quantity of the controls, and the likelihood and impact of the risk.

1-3
A. Assessing how the law may affect the enterprise is the best course of action. The analysis must also determine whether existing controls already address the new requirements.
B. Ensuring that necessary adjustments are implemented during the next review cycle is not the best answer, particularly when the law does affect the enterprise. While an annual review cycle may be sufficient in general, significant changes in the internal or external environment should trigger an ad hoc reassessment.
C. Corporate policy should be developed in a systematic and deliberate manner. An ad hoc amendment to the corporate policy is not warranted and may create risk rather than reducing it.
D. Notifying the system custodian to implement changes is inappropriate. Changes to the system should be implemented only after approval by the process owner.

1-4
A. Nonrepudiation refers to the ability to verifiably prove the originator of data, which is unlikely to be of importance for weather forecasts that are rendered accurately.
B. Keeping data confidential would be at odds with the business purpose of a system designed to provide data for public use.
C. A system that delivers weather forecasts is likely to place its highest priority on the integrity of the data. The risk practitioner should keep in mind that whether a forecast turns out to be accurate in its prediction is distinct from whether the data was accurately represented.
D. Availability of data is likely to be a lower priority for a weather-forecasting system than the accuracy with which the data is presented.

1-5
A. Having an interdisciplinary team contribute to risk management ensures that all areas are adequately considered and included in the risk assessment processes to support an enterprise view of risk.
B. Engaging a third party to perform a risk assessment may provide additional expertise to conduct the risk assessment, but without internal knowledge, it will be difficult to assess the adequacy of the risk assessment performed.
C. A risk assessment performed by the enterprise’s IT department is unlikely to reflect the view of the entire enterprise.
D. The internal compliance department ensures the implementation of risk responses based on the requirement of management. It generally does not take an active part in implementing risk responses for items that do not have regulatory implications.

1-6
A. IT does not own technology risk. An appropriate topic of IT risk awareness training may be the fact that many types of IT risk are owned by the business. One example may be the risk of employees exploiting insufficient segregation of duties (SoD) within an enterprise resource planning (ERP) system.
B. Stakeholders must understand how the IT-related risk impacts the overall business.
C. Transferring risk is not of primary consideration in developing a risk awareness program. It is a part of the risk response process.
D. Technology risk may or may not be more difficult to manage than other types of risk. Although this is important from an awareness point of view, it is not as primary as understanding the impact in the area of business.

1-7
A. Risk appetite is the amount of risk that an enterprise is willing to take on in pursuit of value. Aligning it with business objectives allows an enterprise to evaluate and deploy valuable resources toward those objectives where the risk tolerance (for loss) is low.
B. There is no link between aligning risk appetite with business objectives and identification and elimination of major risk, and although risk can typically be reduced to an acceptable level using various risk response options, its elimination is rarely cost-effective even when it is possible.
C. Alignment of risk appetite with business objectives does converge IT and business goals to a point, but alignment is not limited to these two areas. Other areas include organizational, strategic and financial objectives, among other objectives.
D. Communication of the risk strategy does not depend on aligning risk appetite with business objectives.

1-8
A. Vulnerabilities represent characteristics of information resources that may be exploited by a threat.
B. Threats are circumstances or events with the potential to cause harm to information resources.
C. Probabilities represent the likelihood of the occurrence of a threat.
D. Impacts represent the outcome or result of a threat exploiting a vulnerability.

Note: For more self-assessment questions, you may also want to obtain a copy of the CRISC™ Review Questions, Answers & Explanations Manual 4th Edition or the Database, which each consist of 500 multiple-choice study questions, answers and explanations.
