Topic 2 : Pool B Jul-Aug-Sep
A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?
A. Business continuity director
B. Disaster recovery manager
C. Business application owner
D. Data center manager
Business application owner
Who should be accountable for monitoring the control environment to ensure controls are effective?
A. Risk owner
B. Security monitoring operations
C. Impacted data owner
D. System owner
Risk owner
Which of the following is the BEST way to identify changes to the risk landscape?
A. Internal audit reports
B. Access reviews
C. Threat modeling
D. Root cause analysis
Threat modeling
An organization has outsourced its backup and recovery procedures to a third-party cloud provider. Which of the following is the risk practitioner's BEST course of action?
A. Accept the risk and document contingency plans for data disruption.
B. Remove the associated risk scenario from the risk register due to avoidance.
C. Mitigate the risk with compensating controls enforced by the third-party cloud provider.
D. Validate the transfer of risk and update the register to reflect the change.
Mitigate the risk with compensating controls enforced by the third-party cloud provider.
Which of the following should be the PRIMARY consideration when implementing controls for monitoring user activity logs?
A. Ensuring availability of resources for log analysis
B. Implementing log analysis tools to automate controls
C. Ensuring the control is proportional to the risk
D. Building correlations between logs collected from different sources
Ensuring the control is proportional to the risk