Free ISACA CRISC Exam Questions (page: 37)

A risk practitioner is reviewing accountability assignments for data risk in the risk register.
Which of the following would pose the GREATEST concern?

  1. The risk owner is not the control owner for associated data controls.
  2. The risk owner is in a business unit and does not report through the IT department.
  3. The risk owner is listed as the department responsible for decision-making.
  4. The risk owner is a staff member rather than a department manager.

Answer(s): C

Explanation:

The risk owner is listed as the department responsible for decision making would pose the greatest concern for a risk practitioner who is reviewing accountability assignments for data risk in the risk register, as it indicates a lack of clarity and specificity on who is accountable for the risk and its response. The risk owner should be an individual, not a department, who has the authority and responsibility to manage the risk and its associated controls. The other options are not the greatest concern, as they do not necessarily imply a lack of accountability, but rather a possible difference in roles and responsibilities between the risk owner and the control owner, the business unit and the IT department, or the staff member and the department manager. References = CRISC Review Manual, 7th Edition, page 101.



An organization's board of directors is concerned about recent data breaches in the news and wants to assess its exposure to similar scenarios.
Which of the following is the BEST course of action?

  1. Evaluate the organization's existing data protection controls.
  2. Reassess the risk appetite and tolerance levels of the business.
  3. Evaluate the sensitivity of data that the business needs to handle.
  4. Review the organization's data retention policy and regulatory requirements.

Answer(s): A

Explanation:

Data Protection Controls:

Evaluating existing data protection controls involves reviewing and assessing the measures in place to protect sensitive data from breaches.
This includes technical, administrative, and physical controls designed to prevent unauthorized access, use, disclosure, disruption, modification, or destruction of data.

Steps in Evaluation:
Review Current Controls: Assess the effectiveness of encryption, access controls, data masking, and other security measures.
Identify Gaps: Determine if there are any weaknesses or vulnerabilities in the current controls.
Recommend Improvements: Suggest enhancements or additional controls to address identified gaps.

Importance of Evaluation:
Provides the board with a clear understanding of the organization's current security posture and exposure to data breaches.
Helps in identifying areas where additional controls or improvements are needed to mitigate risks effectively.

Comparing Other Actions:
Reassess Risk Appetite and Tolerance Levels: Important but secondary to understanding current controls.
Evaluate Data Sensitivity: Useful but should be part of a broader assessment of existing controls.
Review Data Retention Policy: Relevant for compliance but not directly addressing the immediate concern of data breaches.


Reference:

The CRISC Review Manual discusses the importance of evaluating data protection controls to understand and mitigate risks (CRISC Review Manual, Chapter 4: Information Technology and Security, Section 4.4 Data Protection and Privacy).



A cloud service provider has completed upgrades to its cloud infrastructure to enhance service availability.
Which of the following is the MOST important key risk indicator (KRI) for management to monitor?

  1. Peak demand on the cloud service during business hours
  2. Percentage of technology upgrades resulting in security breaches
  3. Number of incidents with downtime exceeding contract threshold
  4. Percentage of servers not patched per policy

Answer(s): C

Explanation:

Monitoring the number of incidents with downtime exceeding the contract threshold is a critical KRI for assessing the effectiveness of infrastructure upgrades aimed at enhancing service availability. This metric directly reflects the provider's ability to meet agreed-upon service levels and helps identify areas requiring further improvement.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 4: Information Technology and Security, Section: Key Risk Indicators.



Which of the following is MOST important for successful incident response?

  1. The quantity of data logged by the attack control tools
  2. Blocking the attack route immediately
  3. The ability to trace the source of the attack
  4. The timeliness of attack recognition

Answer(s): D

Explanation:

The most important factor for successful incident response is the timeliness of attack recognition. Incident response is the process of detecting, analyzing, containing, eradicating, recovering, and reporting on security incidents that could affect the organization's IT systems or data. The timeliness of attack recognition is the speed and accuracy with which the organization can identify and confirm that an attack has occurred or is in progress. The timeliness of attack recognition is crucial for successful incident response, as it affects the ability and effectiveness of the organization to respond to and mitigate the attack, and to minimize the damage and impact of the attack. The other options are not as important as the timeliness of attack recognition, although they may also contribute to or influence the incident response. The quantity of data logged by the attack control tools, the ability to trace the source of the attack, and the blocking of the attack route immediately are all factors that could help or hinder the incident response, but they are not the most important factor for successful incident response. References = CISA Review Manual, 27th Edition, Chapter 5, Section 5.4.1, page 5-32.



Which of the following is the MOST important consideration for protecting data assets in a business application system?

  1. Application controls are aligned with data classification rules
  2. Application users are periodically trained on proper data handling practices
  3. Encrypted communication is established between applications and data servers
  4. Offsite encrypted backups are automatically created by the application

Answer(s): A

Explanation:

The most important consideration for protecting data assets in a business application system is to ensure that the application controls are aligned with the data classification rules. Data classification rules define the level of sensitivity, confidentiality, and criticality of the data, and the corresponding security requirements and controls. Application controls are the policies, procedures, and technical measures that are implemented at the application level to ensure the security, integrity, and availability of the data. Application controls should be designed and configured to match the data classification rules, so that the data is protected according to its value and risk. For example, if the data is classified as highly confidential, the application controls should enforce strong authentication, encryption, access control, logging, and auditing mechanisms. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 214.



Which of the following is the MOST important objective of embedding risk management practices into the initiation phase of the project management life cycle?

  1. To deliver projects on time and on budget
  2. To assess inherent risk
  3. To include project risk in the enterprise-wide IT risk profile
  4. To assess risk throughout the project

Answer(s): B

Explanation:

The most important objective of embedding risk management practices into the initiation phase of the project management life cycle is to assess inherent risk. Inherent risk is the risk that exists before any controls or mitigations are applied. By assessing inherent risk in the initiation phase, the project team can identify the potential sources, causes, and impacts of risk that may affect the project objectives, scope, and deliverables. Assessing inherent risk in the initiation phase also helps to prioritize the risks, determine the risk appetite and tolerance, and plan the risk responses. Delivering projects on time and on budget, including project risk in the enterprise-wide IT risk profile, and assessing risk throughout the project are important objectives of risk management, but they are not the most important objective of embedding risk management practices into the initiation phase. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 2, Section 2.1.1.1, page 511; ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide, Answer to Question 658.



A service organization is preparing to adopt an IT control framework to comply with the contractual requirements of a new client.
Which of the following would be MOST helpful to the risk practitioner?

  1. Negotiating terms of adoption
  2. Understanding the timeframe to implement
  3. Completing a gap analysis
  4. Initiating the conversion

Answer(s): C

Explanation:

Completing a gap analysis identifies discrepancies between current controls and the requirements of the IT control framework, ensuring a focused approach to compliance. This supports Risk Assessment for Compliance Requirements.



Which of the following is the BEST way for a risk practitioner to present an annual risk management update to the board?

  1. A summary of risk response plans with validation results
  2. A report with control environment assessment results
  3. A dashboard summarizing key risk indicators (KRIs)
  4. A summary of IT risk scenarios with business cases

Answer(s): C

Explanation:

A dashboard summarizing key risk indicators (KRIs) is the best way for a risk practitioner to present an annual risk management update to the board because it provides a concise and visual overview of the current risk status, trends, and performance of the organization. KRIs are metrics that measure the likelihood and impact of risks, and help the board monitor and prioritize the most critical risks. A summary of risk response plans, a report with control environment assessment results, and a summary of IT risk scenarios are all useful information, but they are too detailed and technical for the board, who needs a high-level and strategic view of the risk management program. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.4.1, page 4-36.



Viewing page 37 of 238
Viewing questions 289 - 296 out of 1895 questions