CRISC FULL EXAM QUESTIONS WITH COMPLETE SOLUTIONS

Pages
66
Grade
A+
Uploaded on
26-09-2024
Written in
2024/2025

Content preview

CRISC FULL EXAM QUESTIONS WITH COMPLETE SOLUTIONS
Which of the following situations is BEST addressed by transferring risk?
A. An antiquated fire suppression system in the computer room
B. The threat of disgruntled employee sabotage
C. The possibility of the loss of a universal serial bus (USB) removable media drive
D. A building located in a 100-year flood plain - Answer-D

The CIO should respond to the findings identified in the IT security audit report by mitigating:
A. the most critical findings on both the business-critical and nonbusiness-critical systems.
B. all vulnerabilities on business-critical information systems first.
C. the findings that are the least expensive to mitigate first to save funds.
D. the findings that are the most expensive to mitigate first and leave all others until more funds become available. - Answer-B

Assuming that the CIO is unable to address all of the findings, how should the CIO deal with any findings that remain after available funds have been spent?
A. Create a plan of actions and milestones for open vulnerabilities.
B. Shut down the information systems with the open vulnerabilities.
C. Reject the risk on the open vulnerabilities.
D. Implement compensating controls on the systems with open vulnerabilities. - Answer-A

Which of the following MOST likely indicates that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation?
A. The telecommunications costs may be much higher in the first year.
B. Privacy laws may prevent a cross-border flow of information.
C. Time zone differences may impede communications between IT teams.
D. Software development may require more detailed specifications. - Answer-B

Which of the following is the MOST important factor when designing IS controls in a complex environment?
A. Development methodologies
B. Scalability of the solution
C. Technical platform interfaces
D. Stakeholder requirements - Answer-D

A global enterprise that is subject to regulation by multiple governmental jurisdictions with differing requirements should:
A. bring all locations into conformity with the aggregate requirements of all governmental jurisdictions.
B. bring all locations into conformity with a generally accepted set of industry best practices.
C. establish a baseline standard incorporating those requirements that all jurisdictions have in common.
D. establish baseline standards for all locations and add supplemental standards as required. - Answer-D

The person responsible for ensuring that information is classified is the:
A. security manager.
B. technology group.
C. data owner.
D. senior management. - Answer-C

When transmitting personal information across networks, there MUST be adequate controls over:
A. encrypting the personal information.
B. obtaining consent to transfer personal information.
C. ensuring the privacy of the personal information.
D. change management. - Answer-C

Which of the following BEST addresses the risk of data leakage?
A. Incident response procedures
B. File backup procedures
C. Acceptable use policies (AUPs)
D. Database integrity checks - Answer-C

Which of the following devices should be placed within a demilitarized zone (DMZ)?
A. An authentication server
B. A mail relay
C. A firewall
D. A router - Answer-B

Which of the following controls within the user provision process BEST enhances the removal of system access for contractors and other temporary users when it is no longer required?
A. Log all account usage and send it to their manager.
B. Establish predetermined, automatic expiration dates.
C. Ensure that each individual has signed a security acknowledgement.
D. Require managers to email security when the user leaves. - Answer-B

Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?
A. Symmetric cryptography
B. Message hashing
C. Message authentication code
D. Public key infrastructure (PKI) - Answer-D

Which of the following will BEST prevent external security attacks?
A. Securing and analyzing system access logs
B. Network address translation
C. Background checks for temporary employees
D. Static Internet protocol (IP) addressing - Answer-B

Which of the following is the BEST control for securing data on mobile universal serial bus (USB) drives?
A. Requiring authentication when using USB devices
B. Prohibiting employees from copying data to USB devices
C. Encrypting USB devices
D. Limiting the use of USB devices - Answer-C

When configuring a biometric access control system that protects a high-security data center, the system's sensitivity level should be set to:
A. a lower equal error rate (EER).
B. a higher false acceptance rate (FAR).
C. a higher false reject rate (FRR).
D. the crossover error rate exactly. - Answer-C

Which of the following is the MOST effective measure to protect data held on mobile computing devices?
A. Protection of data being transmitted
B. Encryption of stored data
C. Power-on passwords
D. Biometric access control - Answer-B

Which of the following is MOST useful in managing increasingly complex deployments?
A. Policy development
B. A security architecture
C. Senior management support
D. A standards-based approach - Answer-B

Business continuity plans (BCPs) should be written and maintained by:
A. the information security and information technology functions.
B. representatives from all functional units.
C. the risk management function.
D. executive management. - Answer-B

Which of the following is a control designed to prevent segregation of duties (SoD) violations?
A. Enabling IT audit trails
B. Implementing two-way authentication
C. Reporting access log violations
D. Implementing role-based access - Answer-D

System backup and restore procedures can BEST be classified as:
A. Technical controls
B. Detective controls
C. Corrective controls
D. Deterrent controls - Answer-C

Which of the following system development life cycle (SDLC) stages is MOST suitable for incorporating internal controls?
A. Development
B. Testing
C. Implementation
D. Design - Answer-D

An enterprise has outsourced personnel data processing to a supplier, and a regulatory violation occurs during processing. Who will be held legally responsible?
A. The supplier, because it has the operational responsibility
B. The enterprise, because it owns the data
C. The enterprise and the supplier
D. The supplier, because it did not comply with the contract - Answer-B

Which of the following provides the formal authorization on user access?
A. Database administrator
B. Data owner
C. Process owner
D. Data custodian - Answer-B

To determine the level of protection required for securing personally identifiable information, a risk practitioner should PRIMARILY consider the information:
A. source.
B. cost.
C. sensitivity.
D. validity. - Answer-C

Risk assessments are MOST effective in a software development organization when they are performed:
