Free ISACA CRISC Exam Questions (page: 30)

The MAIN purpose of selecting a risk response is to:

  1. ensure compliance with local regulatory requirements
  2. demonstrate the effectiveness of risk management practices
  3. ensure organizational awareness of the risk level
  4. mitigate the residual risk to be within tolerance

Answer(s): D

Explanation:

The main purpose of selecting a risk response is to mitigate the residual risk to be within tolerance. Residual risk is the risk that remains after applying a risk response. Risk tolerance is the amount and type of risk that an organization is willing to accept in order to achieve its objectives. Risk response is the process of selecting and implementing actions to address risk. The goal of risk response is to reduce the residual risk to a level that is acceptable to the organization and its stakeholders. The other options are not the main purpose of selecting a risk response, although they may be secondary benefits or outcomes. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.1, page 4-23.



Which of the following is the PRIMARY benefit of implementing key control indicators (KCIs)?

  1. Confirming the adequacy of recovery plans.
  2. Improving compliance with control standards.
  3. Providing early detection of control degradation.
  4. Reducing the number of incidents.

Answer(s): C

Explanation:

Key Control Indicators (KCIs) are metrics used to monitor the performance of controls. Their primary benefit is the early detection of control degradation, allowing organizations to take corrective actions before issues escalate into significant problems.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 3: Risk Response and Reporting, Section: Control Monitoring and Reporting.
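To make the "early detection of control degradation" point concrete, the following is an added example, not code from ISACA or from this page. It treats a KCI as a time series (here, a constructed weekly sample of the percentage of in-scope hosts running a current endpoint agent) and fits a trend so that a control which is still above its warning band today is flagged because it is projected to breach its failure threshold within the next reporting quarter. The threshold values, the 12-week horizon and the readings are all assumptions.

```python
"""Added example: trend-based evaluation of a key control indicator (KCI).

A KCI that only compares the latest value with a threshold is a lagging
signal; fitting the recent trend lets the practitioner raise an amber
status while the control is still nominally within tolerance.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed thresholds for the constructed KCI "endpoint agent coverage (%)".
RED_THRESHOLD = 90.0            # below this the control is treated as failed
AMBER_THRESHOLD = 95.0          # warning band on the current value
WARNING_HORIZON_WEEKS = 12.0    # flag if breach is projected within a quarter


@dataclass(frozen=True)
class KciReading:
    week: int
    coverage_pct: float


@dataclass(frozen=True)
class KciAssessment:
    status: str                        # "green", "amber" or "red"
    latest: float                      # most recent reading
    slope_per_week: float              # fitted linear trend
    weeks_to_breach: Optional[float]   # projected weeks until RED_THRESHOLD


def linear_trend(readings: List[KciReading]) -> Tuple[float, float]:
    """Least-squares slope and intercept of coverage against week number."""
    n = len(readings)
    if n < 2:
        raise ValueError("need at least two readings to fit a trend")
    xs = [float(r.week) for r in readings]
    ys = [r.coverage_pct for r in readings]
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    sxx = sum((x - x_mean) ** 2 for x in xs)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, y_mean - slope * x_mean


def assess_kci(readings: List[KciReading], window: int = 6) -> KciAssessment:
    """Rate the KCI on its latest value and on where its trend is heading."""
    recent = sorted(readings, key=lambda r: r.week)[-window:]
    slope, intercept = linear_trend(recent)
    latest = recent[-1].coverage_pct

    weeks_to_breach = None
    if slope < 0 and latest > RED_THRESHOLD:
        # Solve intercept + slope * week == RED_THRESHOLD for the breach week.
        breach_week = (RED_THRESHOLD - intercept) / slope
        weeks_to_breach = max(0.0, breach_week - recent[-1].week)

    if latest < RED_THRESHOLD:
        status = "red"
    elif latest < AMBER_THRESHOLD or (
        weeks_to_breach is not None and weeks_to_breach <= WARNING_HORIZON_WEEKS
    ):
        status = "amber"
    else:
        status = "green"
    return KciAssessment(status, latest, slope, weeks_to_breach)


# Constructed sample data (not real measurements).
DECLINING = [KciReading(w, v) for w, v in
             enumerate([99.2, 98.6, 98.1, 97.3, 96.6, 95.9], start=1)]
STABLE = [KciReading(w, v) for w, v in
          enumerate([98.5, 98.7, 98.4, 98.6, 98.5, 98.6], start=1)]

if __name__ == "__main__":
    for name, series in (("declining", DECLINING), ("stable", STABLE)):
        a = assess_kci(series)
        print(f"{name}: status={a.status} latest={a.latest:.1f}% "
              f"slope={a.slope_per_week:+.2f}/week "
              f"weeks_to_breach={a.weeks_to_breach}")
```

In the declining series the latest value (95.9%) is still above the amber band, so a threshold-only check would report green; the trend projects a breach of the 90% line in about nine weeks, which is what the KCI is supposed to surface before incidents start appearing.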



Which of the following is the PRIMARY objective for automating controls?

  1. Reducing the need for audit reviews
  2. Facilitating continuous control monitoring
  3. Improving control process efficiency
  4. Complying with functional requirements

Answer(s): B

Explanation:

The primary objective of automating controls is to facilitate continuous control monitoring. Automation enables real-time or near-real-time oversight of control activities, allowing for prompt detection and response to control failures or anomalies. This continuous monitoring enhances the organization's ability to maintain compliance and manage risks effectively.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 4: Information Technology and Security, Section: Control Monitoring and Automation.



Which of the following is MOST important to identify when developing top-down risk scenarios?

  1. Key procedure control gaps
  2. Business objectives
  3. Senior management's risk appetite
  4. Hypothetical scenarios

Answer(s): B

Explanation:

The most important factor to identify when developing top-down risk scenarios is business objectives (B). Top-down risk scenarios start from the organization's strategic goals, objectives and key performance indicators (KPIs), and aim to identify the potential events or situations that could prevent or hinder the achievement of those goals and objectives. By identifying the business objectives first, the risk practitioner can align the risk scenarios with the organization's mission, vision and values, and ensure that the scenarios are relevant, realistic and meaningful to senior management and other stakeholders. The other factors are less important when developing top-down risk scenarios: key procedure control gaps (A) and hypothetical scenarios (D) are more relevant to bottom-up scenario development, while senior management's risk appetite (C) is derived from the business objectives and applied to the resulting risk scenarios rather than being the starting point.



Which of the following is the MOST important consideration when determining the appropriate data retention period throughout the data management life cycle?

  1. Data storage and collection methods
  2. Data owner preferences
  3. Legal and regulatory requirements
  4. Choice of encryption algorithms

Answer(s): C

Explanation:

Legal and regulatory requirements are paramount when determining data retention periods. Compliance with laws such as GDPR, HIPAA, or industry-specific regulations ensures that data is retained appropriately and disposed of when no longer necessary, thereby mitigating legal risks.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 2: IT Risk Assessment, Section: Data Management and Privacy.



The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure:

  1. the risk strategy is appropriate
  2. KRIs and KPIs are aligned
  3. performance of controls is adequate
  4. the risk monitoring process has been established

Answer(s): A

Explanation:

The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure that the risk strategy is appropriate, because the risk strategy defines the enterprise's risk appetite, tolerance and objectives, and guides the risk management process and activities. The board should review the risk profile to confirm that it reflects the current internal and external environment and that it aligns with the enterprise's strategy and goals. The other options are not the primary objective:
Option B: alignment of KRIs and KPIs is a desirable outcome of the risk strategy, not the primary objective of the board's review. KRIs and KPIs are indicators that measure and monitor the enterprise's risk exposure and performance respectively, and they should be consistent with the risk strategy and objectives.
Option C: adequate control performance is a result of the risk response, not the primary objective of the board's review. Control performance is the degree to which controls are effective and efficient in mitigating risk, and it should be evaluated and reported by the risk management function and the internal audit function.
Option D: an established risk monitoring process is a prerequisite for the risk profile, not the primary objective of the board's review. Risk monitoring is the process of tracking and reporting risk status and performance, and it should be implemented and executed by the risk management function and the business process owners.
References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 119.



Which of the following is a drawback in the use of quantitative risk analysis?

  1. It assigns numeric values to exposures of assets.
  2. It requires more resources than other methods
  3. It produces the results in numeric form.
  4. It is based on impact analysis of information assets.

Answer(s): B

Explanation:

The drawback in the use of quantitative risk analysis is that it requires more resources than other methods. Quantitative risk analysis is a method of risk analysis that assigns numeric values to the exposures of assets, to the impact and likelihood of risk events, and to the cost and benefit of risk responses. It can provide more precise and objective results and support risk-based decision making. However, it also requires more resources than other methods, such as data, time, expertise and tools, to collect, validate and analyze the quantitative information and to perform the calculations and simulations involved. Quantitative risk analysis may also be limited by the availability, reliability and accuracy of the data, and by the assumptions and models used. Assigning numeric values to exposures of assets, producing results in numeric form, and being based on impact analysis of information assets are not drawbacks but characteristics of quantitative risk analysis. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 49.
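The following is an added example, not code from ISACA or from this page, showing why the quantitative method costs more: even a single scenario needs an asset value, an exposure factor, an event frequency, a loss distribution and a simulation run before it yields a number that can be compared with a tolerance (the same residual-risk-within-tolerance test the first question on this page describes). The scenario figures, the control effectiveness values and the lognormal loss model are constructed assumptions.

```python
"""Added example: single-point and Monte Carlo quantitative analysis of one
risk scenario, then a residual-risk-within-tolerance check for a response.

Conventions used (standard annualized loss expectancy arithmetic):
  SLE = asset value x exposure factor        (loss per event)
  ALE = SLE x ARO                            (expected loss per year)
"""
import math
import random
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # value of the exposed asset (constructed)
    exposure_factor: float  # fraction of value lost per event, 0..1
    aro: float              # annualized rate of occurrence, events/year


def single_loss_expectancy(s: Scenario) -> float:
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    return single_loss_expectancy(s) * s.aro


def residual_ale(s: Scenario, likelihood_reduction: float,
                 impact_reduction: float) -> float:
    """ALE after a response that lowers event frequency and/or impact."""
    treated = Scenario(s.name, s.asset_value,
                       s.exposure_factor * (1.0 - impact_reduction),
                       s.aro * (1.0 - likelihood_reduction))
    return annualized_loss_expectancy(treated)


def response_is_justified(s: Scenario, likelihood_reduction: float,
                          impact_reduction: float, annual_control_cost: float,
                          tolerance: float) -> bool:
    """A response is justified when residual ALE is within tolerance and the
    control costs less per year than the expected loss it removes."""
    inherent = annualized_loss_expectancy(s)
    residual = residual_ale(s, likelihood_reduction, impact_reduction)
    return residual <= tolerance and annual_control_cost < inherent - residual


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, loss_sigma: float, trials: int,
                         seed: int) -> Tuple[float, float]:
    """Monte Carlo estimate of annual loss.

    Events per year ~ Poisson(ARO); loss per event ~ lognormal whose mean is
    the SLE and whose log-standard deviation is loss_sigma (an assumed
    spread). Returns (mean annual loss, 95th-percentile annual loss).
    """
    rng = random.Random(seed)
    sle = single_loss_expectancy(s)
    mu = math.log(sle) - loss_sigma ** 2 / 2.0   # makes E[loss] == SLE
    losses = []
    for _ in range(trials):
        events = _poisson(rng, s.aro)
        losses.append(sum(rng.lognormvariate(mu, loss_sigma)
                          for _ in range(events)))
    losses.sort()
    return sum(losses) / trials, losses[int(0.95 * trials)]


# Constructed scenario: ransomware on a file server (figures are assumptions).
SCENARIO = Scenario("ransomware on file server",
                    asset_value=2_000_000.0, exposure_factor=0.25, aro=0.2)

if __name__ == "__main__":
    print("SLE:", single_loss_expectancy(SCENARIO))
    print("ALE:", annualized_loss_expectancy(SCENARIO))
    mean, p95 = simulate_annual_loss(SCENARIO, loss_sigma=0.8,
                                     trials=40_000, seed=7)
    print(f"simulated mean {mean:,.0f}  95th percentile {p95:,.0f}")
    # Assumed response: offline backups plus endpoint detection.
    print("residual ALE:", residual_ale(SCENARIO, 0.5, 0.7))
    print("justified:", response_is_justified(SCENARIO, 0.5, 0.7,
                                              annual_control_cost=40_000.0,
                                              tolerance=25_000.0))
```

The point-estimate ALE (100,000 per year) is one number; the simulation shows a 95th-percentile year several times larger, which is the kind of result that needs a loss distribution, validated parameters and tooling, exactly the extra resources the question is asking about.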



An organization has made a decision to purchase a new IT system. During which phase of the system development life cycle (SDLC) will identified risk MOST likely lead to architecture and design trade-offs?

  1. Acquisition
  2. Implementation
  3. Initiation
  4. Operation and maintenance

Answer(s): A

Explanation:

The acquisition phase of the system development life cycle (SDLC) is the phase in which the organization decides whether to purchase a new IT system from an external vendor or develop it internally. During this phase, the identified risks will most likely lead to architecture and design trade-offs, because the organization must balance the cost, quality, functionality, security and performance of the new IT system. It will have to evaluate the available options and alternatives and select the one that best meets the business needs and the risk appetite. The other SDLC phases are less likely to involve architecture and design trade-offs, as they focus on implementing, testing, deploying and maintaining the new IT system. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.2: IT Risk Response Options, page 133.



Viewing page 30 of 238
Viewing questions 233 - 240 out of 1895 questions