Crisc ch4

Uploaded by Fares Salman

Practice Questions - 4.6 Results of Control Assessment (CRISC Chapter 4)
Total points 5/10


(1) An enterprise's risk management capabilities can be determined by:
0/1

A. use of a capability maturity model
B. determining the capability by conducting an internal audit
C. self-assessing the capability
D. comparing capability with industry standards

Correct answer
A. use of a capability maturity model
Feedback

Answer: A. use of a capability maturity model

Explanation: Adoption of a capability maturity model (CMM) helps to indicate the maturity of the risk management process year over year. A CMM helps an organization understand its level of maturity by analyzing operational effectiveness, efficiency and readiness. It provides insight into the organization's risk management capabilities. The other options are not as effective as a capability maturity model.

(2) High maturity of an organization's risk management process can be determined by:
1/1

A. risk-aware culture
B. high security budget
C. frequent internal audits
D. frequent penetration testing
Feedback

Answer: A. risk-aware culture

Explanation: Maturity can be determined by analyzing the risk-aware culture of the organization. Employees of a mature organization are aware of the risks in their processes and are willing to resolve them.

(3) An organization wants to measure its risk management process against its peers. The organization should:
0/1

A. adopt the internal audit best practices
B. adopt the balanced scorecard
C. adopt the maturity model
D. adopt an appropriate risk assessment methodology

Correct answer
C. adopt the maturity model
Feedback

Answer: C. adopt the maturity model

Explanation: Adoption of a capability maturity model (CMM) helps to indicate the maturity of the risk management process year over year. A CMM helps an organization understand its level of maturity by analyzing operational effectiveness, efficiency and readiness. It provides insight into the organization's risk management capabilities. With the help of a maturity model, the organization's level of competence can be benchmarked and compared with its peers.

(4) The prime reason for adopting a maturity model for risk management is:
0/1

A. to reduce the security budget
B. to align business and IT objectives
C. to ensure effectiveness of security controls
D. to strive for continuous improvement
Feedback

Answer: D. to strive for continuous improvement

Explanation: The objective of adopting a maturity model is to strive for continuous improvement. This is done by assessing the current maturity level of the business process and comparing it with the desired level. Gaps, if any, need to be addressed to improve the process and its maturity level.

(5) The best method to determine whether the existing security framework meets the organization's needs is:
1/1

A. to conduct a control self-assessment
B. to compare security test results
C. to capture security logs
D. to conduct a process maturity assessment

Feedback

Answer: D. to conduct a process maturity assessment

Explanation: The best method to determine whether the existing security framework meets the organization's needs is to conduct a process maturity assessment. This is done by assessing the current maturity level of the business process and comparing it with the desired level. Gaps, if any, need to be addressed to improve the process and its maturity level. The other options are not as effective as a process maturity assessment.

(6) Which of the following reviews will provide the MOST insight into an enterprise's risk management capabilities?
0/1

A. A capability maturity model (CMM) review
B. A capability comparison with industry standards or regulations
C. A self-assessment of capabilities
D. An internal audit review of capabilities

Correct answer
A. A capability maturity model (CMM) review
Feedback

A is the correct answer.

Justification:
A. Capability maturity modeling allows an enterprise to understand its level of maturity in its risk capabilities, which is an indicator of operational readiness and effectiveness.
B. A capability comparison with industry standards or regulations does not provide insights into readiness and effectiveness, but only into the existence or nonexistence of capabilities exclusive of maturity.
C. A self-assessment of capabilities does not provide insights into readiness and effectiveness, but only into the existence or nonexistence of capabilities exclusive of maturity.
D. An internal audit review of capabilities does not provide insights into readiness and effectiveness, but only into the existence or nonexistence of capabilities exclusive of maturity.

(7) Which of the following is the BEST indicator of high maturity of an enterprise's IT risk management process?
1/1

A. People have appropriate awareness of risk and are comfortable talking about it.
B. Top management is prepared to invest more money in IT security.
C. Risk assessment is encouraged in all areas of IT and business management.
D. Business and IT are aligned in risk assessment and risk ranking.
Feedback

A is the correct answer.

Justification:
A. Some of the most important measures of a mature IT risk management process are those related to a risk-aware culture: an enterprise where people recognize the risk inherent to their activities, are able to discuss it and are willing to work together to resolve the risk.
B. While investment in IT security may strengthen the overall risk management posture of the enterprise, it is not an appropriate measure of IT risk management process maturity.
C. While risk assessment is an important step in the risk management process, it is not a good indicator of a mature risk management process, even when deployed across all business units and functions.
D. Alignment between IT and business is the foundation of an effective IT risk management process; however, it is not a good indicator of a mature IT risk management process.

(8) Which of the following BEST enables an enterprise to measure its risk management process against peers?
0/1

A. Adoption of an enterprise architecture (EA) model
B. Adoption of a balanced scorecard (BSC)
C. Adoption of a risk assessment methodology
D. Adoption of a maturity model

Correct answer
D. Adoption of a maturity model
Feedback

D is the correct answer.

Justification:
A. An enterprise architecture (EA) is unique to an enterprise.
B. A balanced scorecard (BSC) is unique to an enterprise.
C. Results of risk assessments will be enterprise-specific because no two business environments are the same.
D. A maturity model consists of various levels of competence that enterprises can use as benchmarks to assess how they compare to peers.

(9) The BEST reason to implement a maturity model for risk management is to:
1/1

A. permit alignment with business objectives.
B. help improve governance and compliance.
C. ensure that security controls are effective.
D. enable continuous improvement.

Feedback

D is the correct answer.

Justification:
A. Maturity models help benchmark processes and identify gaps between the current and the desired state of specific processes. They do not enable alignment with business objectives, which is more effectively achieved through a balanced scorecard or a goals cascade approach.
B. While maturity models help identify gaps between the current and the desired state of specific business processes, they do not explicitly improve governance and compliance efforts.
C. Maturity models help benchmark business processes and identify gaps between the current and the desired states. Maturity models do not explicitly ensure that security controls are effective.
D. Maturity models are designed to enable continuous improvement. This is achieved by first assessing the current maturity level of specific business processes and determining whether it is congruent with the desired maturity levels. Where gaps exist, maturity models implicitly provide steps to improve the process by defining requirements for each maturity level.

(10) What is the BEST approach to determine whether existing security control management meets the organizational needs?
1/1

A. Perform a process maturity assessment.
B. Perform a control self-assessment (CSA).
C. Review security logs for trends or issues.
D. Compare current and historical security test results.
Feedback

A is the correct answer.

Justification:
A. A process maturity assessment can be used to determine the presence of the control as well as the reliable operation and maintenance of the control, and to determine any gaps between the desired and current state of the control.
B. Control self-assessments (CSAs) are a valuable tool to monitor controls on an ongoing basis, but will not indicate the maturity of the security control management process.
C. Logs will record what has happened, but they will not indicate whether the configurations used to create the logs are incorrect.
D. Running test data through the system and comparing to previous results will show whether the effectiveness of the controls has changed, but will not indicate whether the controls are effectively being maintained or are effective to mitigate new risk.

(1) The most effective method to validate the efforts of a line manager in monitoring key risk indicators (KRIs) is:
1/1

A. independent review of reported results
B. provide risk management training to the line manager
C. the risk management team should design the KRI
D. the KRI should always be quantifiable
Feedback

Answer: A. independent review of reported results

Explanation: The line manager is responsible for monitoring the key risk indicators. However, it is equally important that his efforts are reviewed and validated by a senior official. The most effective method to validate the efforts of the line manager is to have the reported results reviewed by an independent person. This helps to determine the efficiency and effectiveness of the line manager in monitoring the key risk indicators.

(2) A key risk indicator (KRI) is mostly identified at which of the following stages?
1/1

A. risk response stage
B. risk monitoring stage
C. control testing stage
D. risk analysis stage
Feedback

Answer: A. risk response stage

Explanation: Key risk indicators are generally identified during the risk response stage (i.e. before the risk monitoring stage). During the risk response stage, controls for mitigating the risks are selected and implemented. Once the controls are implemented, KRIs are identified and developed. These KRIs help to determine the effectiveness of the control. If a KRI is within its threshold, it indicates that the controls are effective. If a KRI crosses its threshold, it indicates that the existing control is not adequate and additional controls may be required.

(3) The number of workstations can be a key risk indicator for:
1/1

A. data management
B. configuration management
C. change management
D. operations management
Feedback

Answer: B. configuration management

Explanation: The number of workstations relative to the count of employees can be considered a key risk indicator for configuration management. A large excess inventory compared to the actual number of employees indicates poor configuration, since the inventory is not mapped correctly to the actual business requirement. Similarly, a large shortage of workstations also indicates poor configuration mapping.

(4) Which of the following best indicates that controls are effective in mitigating the risks?
1/1

A. experience of the risk practitioner
B. key risk indicator
C. key performance indicator
D. business impact analysis
Feedback

Answer: B. key risk indicator

Explanation: A key risk indicator best indicates that controls are effective in mitigating the risk. The KRI helps to determine the effectiveness of the control. If the KRI is within its threshold, it indicates that the controls are effective. If the KRI crosses its threshold, it indicates that the existing control is not adequate and additional controls may be required.

(5) The most important aspect when designing a key risk indicator (KRI) is:
1/1

A. the KRI is linked to a specific risk
B. the KRI is easy to measure
C. the KRI is easy to interpret
D. the KRI is easy to quantify
Feedback

Answer: A. the KRI is linked to a specific risk

Explanation: Linking to a specific risk is the most important criterion when selecting a KRI. If a KRI does not address a specific risk, it will not serve any purpose. The following are some of the key aspects of KRI design, in order of priority:
1. The KRI should be linked to a specific risk.
2. The KRI should be capable of predicting a risk event.
3. The KRI should be complete and accurate.
4. The KRI should be easily measurable and comparable.

(6) The most useful data for communicating the status of enterprise risk to senior management is:
1/1

A. results of control self-assessment
B. audit reports
C. risk scenarios
D. results of key risk indicators

Feedback

Answer: D. results of key risk indicators

Explanation: The results of key risk indicators are to be presented to senior management at periodic intervals. KRIs are the most useful data for management to determine the current state of risk.

(7) The most effective aspect in the design of a key risk indicator (KRI) is:
1/1

A. the KRI is accurate and complete
B. the KRI has the capability to predict a risk event
C. the KRI is quantifiable
D. the KRI is interpretable
Feedback

Answer: B. the KRI has the capability to predict a risk event

Explanation: The following are some of the key aspects of KRI design, in order of priority:
1. The KRI should be linked to a specific risk.
2. The KRI should be capable of predicting a risk event.
3. The KRI should be complete and accurate.
4. The KRI should be easily measurable and comparable.

(8) A key risk indicator metric is said to be most reliable when:
1/1

A. it provides results within the threshold
B. it provides results at predefined intervals
C. it flags exceptions every time they occur
D. it provides quantifiable results

Feedback

Answer: C. it flags exceptions every time they occur

Explanation: A risk indicator is a measure used by an organization to determine the level of current risk for an activity. It helps the organization monitor the risk level and receive an alert when the risk level approaches an unacceptable level. Thus the objective of a key risk indicator is to flag exceptions as and when they occur. This gives the organization an opportunity to respond to the risk before damage is done.

(9) Which of the following best assists in the proper design of an effective key risk indicator (KRI)?
1/1

A. designing the frequency of reporting
B. designing measurement criteria for the risk
C. reviewing the security budget for each risk
D. documenting the detailed flow of the operational process

Feedback

Answer: D. documenting the detailed flow of the operational process

Explanation: To ensure that KRIs are effective and linked to a specific risk, a risk manager must understand the end-to-end operational flow of the business processes. This helps in understanding various aspects of the business, such as detailed processes, data flows, decision-making processes, and risk appetite and tolerance. On the basis of this information, the risk practitioner can design relevant and specific KRIs along with their measurement criteria.

(10) A risk practitioner noted that a specific KRI related to a critical system reached its threshold. It should first be reported to the:
1/1

A. process owner
B. IT department
C. security team
D. senior management
Feedback

Answer: A. process owner

Explanation: When a KRI reaches its threshold, it should first be reported to the business process owner, who owns the risk and determines the risk response. The process owner should evaluate the effectiveness of the existing control and determine whether additional controls are required.

(11) An operations manager assigns monitoring responsibility of key risk indicators (KRIs) to line staff. Which of the following is MOST effective in validating the effort?
1/1

A. Reported results should be independently reviewed.
B. Line staff should complete risk management training.
C. The threshold should be determined by risk management.
D. Indicators should have benefits that exceed their costs.
Feedback

A is the correct answer.

Justification:
A. Because key risk indicators (KRIs) are monitored by line staff, there is a chance that staff may alter results to suppress unfavorable results. Additional reliability of monitoring metrics can be achieved by having the results reviewed by an independent party.
B. It is not mandatory that line staff complete risk management training in order to be engaged in monitoring of KRIs.
C. The threshold should be determined through discussion between risk management and line staff/business managers.
D. It is important that the benefits of KRIs justify their costs; however, this determination does not help verify that the monitoring efforts of KRIs are effective.

(12) Where are key risk indicators (KRIs) MOST likely identified when initiating risk management across a range of projects?
1/1

A. Risk governance
B. Risk response
C. Risk analysis
D. Risk monitoring
Feedback

B is the correct answer.

Justification:
A. Risk governance is a systemic approach to decision-making processes associated with risk. From a CRISC perspective, information technology risk is adopted to achieve more effective risk management and to reduce risk exposure and vulnerability by filling gaps in the risk policy. This is not the best answer because it is not a risk management activity, but rather a risk management oversight function.
B. Key risk indicators (KRIs) and risk definition and prioritization are both considered part of the risk response process. After having identified, quantified and prioritized the risk to the enterprise, relevant risk indicators need to be identified to help provide risk owners with meaningful information about a specific risk, or a combination of types of risk.
C. Risk analysis is the process of identifying the types, probability and severity of risk that may occur during a project. Once the identification has taken place, the analysis feeds into the risk response process, where one of the tasks is to identify KRIs.
D. Risk monitoring occurs after the risk response process and is ongoing. Assigning ownership to KRIs and defining various levels of KRI thresholds, along with automating the monitoring and notification process, help ensure monitoring of KRIs. KRIs must be identified before risk monitoring is implemented.

(13) An excessive number of standard workstation images can be categorized as a key risk indicator (KRI) for:
1/1

A. change management.
B. configuration management.
C. IT operations management.
D. data management.
Feedback

B is the correct answer.

Justification:
A. Change management deals with the process of managing changes to existing environments, rather than the initial environment definition.
B. An excessive number of unique workstation images is an indicator that poor configuration management processes are in place and that sufficient attention to actual business requirements has not been paid during the initial image definition.
C. IT operations management relates to the day-to-day operations of IT.
D. Data management relates to the handling of the data, rather than environment definition.

(14) Which of the following provides the BEST capability to identify whether controls that are in place remain effective in mitigating their intended risk?
1/1

A. A key performance indicator (KPI)
B. A risk assessment
C. A key risk indicator (KRI)
D. An audit
Feedback

C is the correct answer.

Justification:
A. A key performance indicator (KPI) is a measure that determines how well the process enables the goal to be reached. A KPI is a lead indicator of whether a goal will likely be reached and a good indicator of capabilities, practices and skills. It measures an activity goal, which is an action that the process owner must take to achieve effective process performance.
B. A risk assessment is a process used to identify and evaluate risk and its potential effects. It includes assessing the critical functions necessary for an enterprise to continue business operations, defining the controls in place to reduce enterprise exposure and evaluating the cost for such controls. Risk analysis often involves an evaluation of the probabilities of a particular event.
C. A key risk indicator (KRI) identifies whether a risk exists and has the potential to be realized in such a way that it will have a negative impact on the enterprise. If controls that are in place to mitigate identified risk are working properly, then KRIs should not report a concern.
D. An audit is a formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.

(15) Which of the following considerations is MOST important when implementing key risk indicators (KRIs)?
1/1

A. The metric is easy to measure.
B. The metric is easy to aggregate.
C. The metric is easy to interpret.
D. The metric links to a specific risk.

Feedback

D is the correct answer.

Justification:
A. Ease of measuring the key risk indicator (KRI) is an important consideration and includes the consideration of data extraction, validation, aggregation and analysis. It is, however, secondary to linking a KRI to a specific risk.
B. An important consideration of metrics is the ability to classify and combine several metrics together in order to understand the underlying risk they represent. This is, however, secondary to linking a KRI to a specific risk.
C. Being able to easily understand (interpret) the metric is an important consideration. It is, however, secondary to linking a KRI to a specific risk.
D. Linking to a specific risk is the most important criterion when selecting a KRI.

(16) Which of the following data is MOST useful for communicating enterprise risk to management?
1/1

A. Control self-assessment results
B. A controls inventory
C. Key risk indicators (KRIs)
D. Independent audit reports

Feedback

C is the correct answer.

Justification:
A. Creating economies of scale will allow the enterprise to share common resources. This is typically done during the identification of business opportunities phase.
B. A controls inventory will assist the enterprise in managing risk more efficiently because existing controls can be considered during risk scenario development or when selecting a risk response.
C. Reporting on key risk indicators (KRIs) is the most useful for informing management of the current state of enterprise risk.
D. Independent audit reports provide insights on audit findings and related risk, based on the specific scope of the audits being performed. Audit reports do not provide an enterprisewide risk perspective.

(17) What is the MOST essential attribute of an effective key risk indicator (KRI)?
1/1

A. The KRI is accurate and reliable.
B. The KRI is predictive of a risk event.
C. The KRI provides quantitative metrics.
D. The KRI indicates required action.
Feedback

B is the correct answer.

Justification:
A. Key risk indicators (KRIs) are usually indicators that risk is developing and typically are neither accurate nor reliable in the sense that they indicate what the actual risk is.
B. A KRI should indicate that a risk is developing or changing to show that investigation is needed to determine the nature and extent of a risk.
C. KRIs typically do not provide quantitative metrics about risk.
D. KRIs will not indicate that any particular action is required other than to investigate further.

(18) Reliability of a key risk indicator (KRI) would indicate that the metric:
1/1

A. performs within the appropriate thresholds.
B. tests the target at predetermined intervals.
C. flags exceptions every time they occur.
D. initiates corrective action.

Feedback

C is the correct answer.

Justification:
A. Sensitivity of the key risk indicator (KRI) relates to the variation from a defined state that the indicator will allow before it flags an exception. The smaller the variation, the more sensitive the KRI. While sensitivity may affect the reliability of the KRI, sensitivity itself is not sufficient to determine reliability.
B. Testing the target at predetermined intervals relates to the frequency of the KRI. While frequency may affect the reliability of the KRI, frequency itself is not sufficient to determine reliability.
C. KRIs that are reporting on data points that cannot be controlled by the enterprise, or are not alerting management at the correct time to an adverse condition, must be adjusted (optimized) to be more precise, more relevant or more accurate. Flagging exceptions every time they occur indicates the reliability of the KRI.
D. Reliability does not initiate corrective action; it means that there is a high correlation with the risk and that the KRI is a good predictor or outcome measure.

(19) Which of the following BEST assists in the proper design of an effective key risk indicator (KRI)?
1/1

A. Generating the frequency of reporting cycles to report on the risk
B. Preparing a business case that includes the measurement criteria for the risk
C. Conducting a risk assessment to provide an overview of the key risk
D. Documenting the operational flow of the business from beginning to end
Feedback

D is the correct answer.

Justification:
A. Generating the frequency of reporting for the key risk indicator (KRI) means nothing if the KRI is not designed.
B. A proper business case describes what is going to be done, why it is worth doing, how it will be accomplished and what resources will be required. It will not document the data points, structures or any other needed data for designing a KRI.
C. A risk assessment is the determination of a value of risk related to some situation and a recognized threat. While it contributes somewhat to the design of the KRI, there is still a need for additional information.
D. Prior to starting to design the KRI, a risk manager must understand the end-to-end operational flow of the respective business. This gives insight into the detailed processes, data flows, decision-making processes, acceptable levels of risk for the business, etc., which in turn give the risk manager the ability to apply top and bottom levels for the KRI.

(20) When the key risk indicator (KRI) for the IT change management process reaches its threshold, a risk practitioner should FIRST report this to the:
1/1

A. business owner.
B. chief information security officer (CISO).
C. help desk.
D. incident response team.
Feedback

A is the correct answer.

Justification:
A. Reporting to the business owners first is the most appropriate action because they own the risk and determine the risk response.
B. Reporting to the chief information security officer (CISO) is important, but is not as critical as reporting to the business owners.
C. Reporting to the help desk is not appropriate when reporting on risk. The report must go to the business owners because they own the risk and determine the risk response.
D. Reporting to the incident response team is not appropriate when reporting on risk. The report must go to the
