Information Technology and Security for CRISC
This page covers the Information Technology and Security domain of the CRISC certification. Master Cybersecurity offers 328 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
Which of the following controls is an example of a non-technical control?
- A. Access control
- B. Physical security
- C. Intrusion detection system
- D. Encryption
Explanation
The correct answer is: B. Physical security.
Physical security - fences, locks, guards, cameras, environmental controls - is a non-technical control because it works through tangible physical means rather than through software, firmware, or system logic. ISACA and NIST taxonomies separate physical and environmental controls from technical controls on exactly this basis. Access control, as listed in the option set, refers to logical access control implemented in operating systems, applications, and directory services, and is therefore a technical control. An intrusion detection system is a technical control that inspects network or host data through software-based detection logic. Encryption is a technical control implemented by cryptographic algorithms running on systems. Only physical security operates outside the information-system layer, which is what makes it the non-technical example among the choices presented.
Question 2
Which of the following is the MOST important objective of information system controls?
- A. Business objectives are achieved and undesired risk events are detected and corrected
- B. Ensuring effective and efficient operations
- C. Developing business continuity and disaster recovery plans
- D. Safeguarding assets
Explanation
The correct answer is: A. Business objectives are achieved and undesired risk events are detected and corrected.
The most important objective of information system controls is to ensure that business objectives are achieved while undesired risk events are detected and corrected, because controls exist to produce intended business outcomes and to handle deviations from those outcomes. ISACA's framing of internal control over information systems combines achievement of objectives with detection and correction of failures in a single integrated purpose. Ensuring effective and efficient operations is one component of achieving business objectives and is therefore a subset of the broader objective, not a fuller answer. Developing business continuity and disaster recovery plans is one specific control activity that supports the broader objective but is not the objective itself; the plans serve the higher-level goal. Safeguarding assets is likewise one component of achieving business objectives: assets are protected because their protection enables the business to deliver, so the phrase that combines business-outcome achievement with risk-event handling is the more complete description of the control's purpose.
Question 3
Which of the following is prepared by the business and serves as a starting point for producing the IT Service Continuity Strategy?
- A. Business Continuity Strategy
- B. Index of Disaster-Relevant Information
- C. Disaster Invocation Guideline
- D. Availability/ITSCM/Security Testing Schedule
Explanation
The correct answer is: A. Business Continuity Strategy.
In ITIL IT Service Continuity Management (ITSCM), the Business Continuity Strategy is the document the business itself prepares to set out which processes must continue, the acceptable downtime, and the recovery priorities; the IT Service Continuity Strategy is then derived from those business requirements to define how IT will support them. The business document is therefore the starting point. An Index of Disaster-Relevant Information is an internal IT reference catalogue assembled to support continuity planning rather than a business-prepared input. A Disaster Invocation Guideline tells the response team how and when to declare a disaster and trigger the recovery procedures; it sits inside the response process and presupposes that a strategy already exists. The Availability/ITSCM/Security Testing Schedule plans how the recovery and security capabilities will be exercised, which is an output of the strategy rather than a precursor to it.
Question 4
Which of the following is TRUE for the Cost Performance Index (CPI)?
- A. If the CPI > 1, it indicates better than expected performance of the project
- B. CPI = Earned Value (EV) * Actual Cost (AC)
- C. It is used to measure performance of schedule
- D. If the CPI = 1, it indicates poor performance of the project
Explanation
The correct answer is: A. If the CPI > 1, it indicates better than expected performance of the project.
The Cost Performance Index is the ratio of Earned Value to Actual Cost, CPI = EV / AC, and a value greater than one means the project is producing more value per unit of cost than planned, which is the textbook definition of better-than-expected performance. The PMBOK Guide defines CPI exactly this way, with one being on plan, less than one being unfavourable, and greater than one being favourable. CPI is not the product of EV and AC; multiplying the two would produce a figure with no interpretation in earned-value management. CPI measures cost performance, not schedule performance; the schedule equivalent is the Schedule Performance Index, SPI = EV / PV, where PV is the Planned Value of the work scheduled to date. A CPI of exactly one represents performance as planned and is therefore the neutral benchmark rather than an indicator of poor performance; the unfavourable region is CPI less than one.
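The two indices above worked through in code. This is an added example, not part of the original page or of any ISACA or PMI material; the sample EV, AC and PV figures are constructed for illustration and the function names are the author's own.

```python
# Added example: earned-value indices as defined in the explanation above.
# CPI = EV / AC (cost performance), SPI = EV / PV (schedule performance).
# Sample figures below are constructed, not taken from any real project.
from dataclasses import dataclass


@dataclass(frozen=True)
class EarnedValue:
    ev: float  # Earned Value: budgeted cost of the work actually completed
    ac: float  # Actual Cost: money spent to date
    pv: float  # Planned Value: budgeted cost of the work scheduled to date


def cost_performance_index(ev: float, ac: float) -> float:
    """CPI = EV / AC. Above 1 favourable, exactly 1 on plan, below 1 over cost."""
    if ac <= 0:
        # Nothing has been spent yet, so cost efficiency is undefined.
        raise ValueError("actual cost must be positive to compute CPI")
    return ev / ac


def schedule_performance_index(ev: float, pv: float) -> float:
    """SPI = EV / PV. Above 1 ahead of schedule, exactly 1 on plan, below 1 behind."""
    if pv <= 0:
        raise ValueError("planned value must be positive to compute SPI")
    return ev / pv


def interpret(index: float, tolerance: float = 1e-9) -> str:
    """Map an index to the three regions the explanation describes."""
    if index > 1.0 + tolerance:
        return "favourable"
    if index < 1.0 - tolerance:
        return "unfavourable"
    return "on plan"


def assess(m: EarnedValue) -> dict:
    """Return both indices with their interpretation for one reporting period."""
    cpi = cost_performance_index(m.ev, m.ac)
    spi = schedule_performance_index(m.ev, m.pv)
    return {
        "cpi": cpi,
        "spi": spi,
        "cost_status": interpret(cpi),
        "schedule_status": interpret(spi),
    }


# Constructed sample period: 120 of budgeted work delivered for 100 of spend,
# against 150 of work that was scheduled to be done by now. The project is
# under budget (CPI 1.2) but behind schedule (SPI 0.8), which is why the two
# indices must be read together rather than treating CPI as a schedule measure.
SAMPLE = EarnedValue(ev=120.0, ac=100.0, pv=150.0)

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The point of the split is the one the distractor in option C gets wrong: a healthy CPI says nothing about schedule, and the constructed sample shows both can diverge in the same period.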
Question 5
Which of the following are the principles of access controls? Each correct answer represents a complete solution. (Choose three.)
- A. Confidentiality
- B. Availability
- C. Reliability
- D. Integrity
Explanation
The correct answers are: A. Confidentiality, B. Availability, D. Integrity.
The principles of access controls map onto the CIA triad: confidentiality, integrity, and availability. Confidentiality is preserved when access controls keep unauthorized parties from reading information; integrity is preserved when controls prevent unauthorized modification; and availability is preserved when controls ensure authorized users can reach information and services when they need them. Together these three properties define what access controls exist to enforce. Reliability, the remaining option, is a systems-engineering quality describing the consistency and dependability of a system's operation; it is a property of the system overall rather than a principle of access control. Mixing reliability into the access-control principles confuses operational quality attributes with the security objectives that access decisions are designed to protect. The three correct principles - confidentiality, integrity, and availability - are the security-objective triad against which the design and assessment of access controls are framed in ISACA, ISO/IEC 27001, and NIST guidance.
Other CRISC domains
- Governance (319 questions)
- IT Risk Assessment (368 questions)
- Risk Response and Reporting (881 questions)