ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 19 )

Updated On: 24-Feb-2026

Which of the following scenarios represents a threat?

  A. Connecting a laptop to a free, open, wireless access point (hotspot)
  B. Visitors not signing in as per policy
  C. Storing corporate data in unencrypted form on a laptop
  D. A virus transmitted on a USB thumb drive

Answer(s): D

Explanation:

A virus transmitted on a USB thumb drive is a scenario that represents a threat, as it involves a malicious or harmful event that could compromise the confidentiality, integrity, or availability of an information system. A virus is a type of malware that can infect and damage files, programs, or devices by replicating itself and spreading to other systems or networks. A USB thumb drive is a portable storage device that can be used to transfer data between computers or devices. A virus transmitted on a USB thumb drive can occur when a user inserts an infected USB thumb drive into a computer or device, or when a user downloads or copies an infected file from a USB thumb drive to a computer or device. A virus transmitted on a USB thumb drive can pose a serious risk to the information system, as it can corrupt or delete data, disrupt or degrade performance, steal or leak information, or allow unauthorized access or control.
The other options are not scenarios that represent a threat, but rather vulnerabilities or weaknesses that could increase the likelihood or impact of a threat. Connecting a laptop to a free, open, wireless access point (hotspot) is a vulnerability, as it exposes the laptop to potential eavesdropping, interception, or manipulation by malicious actors on the same network. Visitors not signing in as per policy is a vulnerability, as it creates a gap in the physical security and access control of the premises, and could allow unauthorized or malicious visitors to enter or access sensitive areas or assets. Storing corporate data in unencrypted form on a laptop is a vulnerability, as it reduces the protection and security of the data, and could enable unauthorized or malicious access, disclosure, or modification of the data in case of loss, theft, or compromise of the laptop. References = What is a Computer Virus? | McAfee, What is a USB Flash Drive? | Kingston Technology, Threats, Vulnerabilities, and Exploits - oh my!



A risk practitioner is performing a risk assessment of recent external advancements in quantum computing.
Which of the following would pose the GREATEST concern for the risk practitioner?

  A. The organization has incorporated blockchain technology in its operations.
  B. The organization has not reviewed its encryption standards.
  C. The organization has implemented heuristics on its network firewall.
  D. The organization has not adopted Infrastructure as a Service (IaaS) for its operations.

Answer(s): B



An IT organization is replacing the customer relationship management (CRM) system.
Who should own the risk associated with customer data leakage caused by insufficient IT security controls for the new system?

  A. Chief information security officer
  B. Business process owner
  C. Chief risk officer
  D. IT controls manager

Answer(s): B

Explanation:

The business process owner is the stakeholder who is responsible for the business process that is supported by the IT system, such as the CRM system. The business process owner has the authority and accountability to manage the risk, and the response to it, associated with the business process and the IT system. The business process owner should own the risk of customer data leakage caused by insufficient IT security controls for the new system, as it directly affects the performance, functionality, and compliance of the business process. The other options are not the correct answer, as they involve different roles or responsibilities in the risk management process:
The chief information security officer is the senior executive who oversees the enterprise-wide information security program, and provides guidance and direction to the information security managers and practitioners. The chief information security officer may advise or support the business process owner in managing the risk of customer data leakage, but does not own the risk.
The chief risk officer is the senior executive who oversees the enterprise-wide risk management program, and provides guidance and direction to the risk managers and practitioners. The chief risk officer may advise or support the business process owner in managing the risk of customer data leakage, but does not own the risk.
The IT controls manager is the person who designs, implements, and monitors the IT controls that mitigate the IT risks, such as the IT security controls for the new system. The IT controls manager may advise or support the business process owner in managing the risk of customer data leakage, but does not own the risk. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.1.1.1, pp. 95-96.



A recent regulatory requirement has the potential to affect an organization's use of a third party to supply outsourced business services.
Which of the following is the BEST course of action?

  A. Conduct a gap analysis.
  B. Terminate the outsourcing agreement.
  C. Identify compensating controls.
  D. Transfer risk to the third party.

Answer(s): A

Explanation:

The best course of action when a recent regulatory requirement has the potential to affect an organization's use of a third party to supply outsourced business services is to conduct a gap analysis, as it compares the current and desired states of compliance and identifies any gaps or discrepancies that need to be addressed. Terminating the outsourcing agreement, identifying compensating controls, and transferring risk to the third party are not the best courses of action: each may be infeasible, ineffective, or inappropriate, and each presupposes that the compliance gaps and risks are already known, which is exactly what the gap analysis establishes. References = CRISC Review Manual, 7th Edition, page 111.



The PRIMARY advantage of involving end users in continuity planning is that they:

  A. have a better understanding of specific business needs.
  B. can balance the overall technical and business concerns.
  C. can see the overall impact to the business.
  D. are more objective than information security management.

Answer(s): A

Explanation:

Continuity planning is the process of developing strategies and plans to ensure the continuity of critical business functions and processes in the event of a disruption or disaster. Continuity planning involves identifying the risks, impacts, and recovery options for various scenarios, as well as testing and updating the plans regularly. The primary advantage of involving end users in continuity planning is that they have a better understanding of specific business needs, such as the operational requirements, the customer expectations, and the dependencies and interdependencies of the business processes. End users can provide valuable input and feedback on the continuity plans, as well as participate in the testing and validation of the plans. End users can also help to ensure the alignment of the continuity plans with the business objectives and priorities, as well as compliance with the relevant standards and regulations. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.4.1, pp. 204-205.
