Free ISACA CRISC Exam Questions (page: 38)

Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

  1. Perform an in-depth code review with an expert.
  2. Validate functionality by running in a test environment.
  3. Implement a service-level agreement.
  4. Utilize the change management process.

Answer(s): A

Explanation:

The risk associated with malicious functionality in outsourced application development is that the vendor may introduce unauthorized or harmful code into the enterprise's system, which could compromise its security, integrity, or performance. To mitigate this risk, the enterprise should perform an in-depth code review with an expert who can verify that the code meets the specifications, standards, and quality requirements, and that it does not contain any malicious or unwanted functionality. A code review is a systematic examination of the source code of a software program, which can identify errors, vulnerabilities, inefficiencies, or deviations from best practices. A code review can also ensure that the code is consistent, readable, maintainable, and well-documented.
An expert is someone who has the knowledge, skills, and experience to perform the code review effectively and efficiently. An expert may be an internal or external resource, depending on the availability, cost, and independence of the reviewer. A code review should be performed before the code is deployed to the production environment, and preferably at multiple stages of the development life cycle, such as design, testing, and integration.
A code review can also be complemented by other techniques, such as automated code analysis, testing, and scanning tools, which can detect common or known issues in the code.

References =
ISACA, CRISC Review Manual, 7th Edition, 2022, p. 143
ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 143



The implementation of a risk treatment plan will exceed the resources originally allocated for the risk response.
Which of the following should be the risk owner's NEXT action?

  1. Perform a risk assessment.
  2. Accept the risk of not implementing.
  3. Escalate to senior management.
  4. Update the implementation plan.

Answer(s): C

Explanation:

A risk treatment plan is a document that outlines the actions and resources required to implement the chosen risk response for a specific risk [1]. A risk response is a strategy or action that is taken or planned to mitigate or eliminate the risk, such as avoiding, transferring, reducing, or accepting the risk [2]. A risk owner is a person or entity that has the authority and accountability for a risk and its management [3]. If the implementation of a risk treatment plan will exceed the resources originally allocated for the risk response, the risk owner's next action should be to escalate to senior management, which is the group of senior leaders who have the authority and accountability for the organization's performance and governance [4]. By escalating to senior management, the risk owner can inform and consult them about the situation and its implications, and seek their guidance and approval for the necessary adjustments or alternatives. Escalating to senior management also helps ensure that the risk treatment plan is aligned with the organization's strategy, vision, and mission, and that the risk response is consistent with the organization's risk appetite and tolerance [5].

Performing a risk assessment, accepting the risk of not implementing, and updating the implementation plan are not the best choices for the risk owner's next action, as they do not provide the same level of communication and consultation as escalating to senior management. Performing a risk assessment is a process that involves identifying, analyzing, and evaluating the risks and their potential impacts on the organization's objectives and performance [6]. It can help to update and validate the risk information and the risk treatment plan, but it does not address the resource shortfall or the stakeholder expectations. Accepting the risk of not implementing is a decision that involves acknowledging and tolerating the risk or its impact without taking any action to reduce or eliminate it [7]. It avoids the additional cost and effort of the risk treatment plan, but it does not consider the potential consequences or the stakeholder interests. Updating the implementation plan is a process that involves revising and modifying the plan for executing the risk treatment plan, such as its scope, schedule, budget, or quality [8]. It can reflect the changes and updates in the risk treatment plan, but it does not resolve the resource gap or obtain stakeholder approval.

References =
1: Risk Treatment and Response Plans - UNECE
2: Risk Response Strategy and Contingency Plans - ProjectManagement.com
3: Risk Ownership - Risk Management
4: Senior Management - Definition, Roles and Responsibilities
5: Risk Appetite and Tolerance - ISACA
6: Risk Assessment - an overview | ScienceDirect Topics
7: Risk Acceptance - an overview | ScienceDirect Topics
8: Implementation Plan - an overview | ScienceDirect Topics
Risk and Information Systems Control Study Manual, Chapter 3: Risk Response, Section 3.1: Risk Response Options, pp. 113-115.
Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.
Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.1: Control Design, pp. 233-235.
Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.2: Control Implementation, pp. 243-245.
Risk and Information Systems Control Study Manual, Chapter 5: Information Systems Control Design and Implementation, Section 5.3: Control Monitoring and Maintenance, pp. 251-253.



A risk practitioner learns that a risk owner has been accepting gifts from a supplier of IT products. Some of these IT products are used to implement controls and to mitigate risk to acceptable levels.
Which of the following should the risk practitioner do FIRST?

  1. Initiate disciplinary action against the risk owner.
  2. Reassess the risk and review the underlying controls.
  3. Review organizational ethics policies.
  4. Report the activity to the supervisor.

Answer(s): D

Explanation:

Reporting the activity to the supervisor is the first thing that the risk practitioner should do when learning that a risk owner has been accepting gifts from a supplier of IT products. This is because accepting gifts from a supplier of IT products can create a conflict of interest, compromise the integrity and objectivity of the risk owner, and violate the organizational ethics policies. Reporting the activity to the supervisor can help ensure that the issue is escalated to the appropriate authority, investigated, and resolved in a timely and transparent manner. According to the CRISC Review Manual 2022, one of the key risk response techniques is to report the risk to the relevant stakeholders, such as the supervisor [1].

Reporting the activity to the supervisor is also the commonly recommended first action when encountering a potential ethical violation in the workplace.



Which of the following is the MOST important information to cover in a business continuity awareness training program for all employees of the organization?

  1. Recovery time objectives (RTOs)
  2. Segregation of duties
  3. Communication plan
  4. Critical asset inventory

Answer(s): C

Explanation:

The most important information to cover in a business continuity awareness training program for all employees of the organization is the communication plan. A communication plan is a document that defines the roles, responsibilities, procedures, and resources for communicating with the internal and external stakeholders before, during, and after a business continuity event. A communication plan helps to ensure that the relevant and accurate information is delivered to the appropriate parties in a timely and consistent manner, and that the feedback and responses are received and addressed accordingly. A communication plan also helps to maintain the trust, confidence, and reputation of the organization, and to comply with the legal or regulatory requirements. A communication plan is the most important information to cover in a business continuity awareness training program, because it helps to prepare and educate the employees on how to communicate effectively and efficiently in a business continuity event, and how to avoid or minimize the communication errors, gaps, or conflicts that could affect the business continuity performance and recovery. The other options are not as important as the communication plan, although they may also be covered in a business continuity awareness training program.

Recovery time objectives (RTOs), segregation of duties, and critical asset inventory are all factors that could affect the business continuity planning and implementation, but they are not the most important information to cover in a business continuity awareness training program. References = 6



Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response.
Which of the following is the BEST way to address this type of issue in the long term?

  1. Perform a return on investment analysis.
  2. Review the risk register and risk scenarios.
  3. Calculate annualized loss expectancy of risk scenarios.
  4. Raise the maturity of organizational risk management.

Answer(s): D

Explanation:

The maturity of organizational risk management refers to the degree to which risk management is embedded and integrated into the organization's culture, processes, and decision-making [1]. A higher level of maturity implies that the organization has a clear and consistent understanding of its risk appetite and tolerance, and that it can effectively identify, assess, respond to, monitor, and communicate risks [2].

The best way to address the issue of participants focusing on the financial cost to mitigate risk rather than choosing the most appropriate response is to raise the maturity of organizational risk management. This can help to:

  - Ensure that risk management is aligned with the organization's strategic objectives and values, and that risk responses are based on the potential impact and likelihood of risks, not just on the cost of mitigation.
  - Foster a risk-aware culture that encourages proactive and collaborative risk management, and that recognizes and rewards good risk management practices.
  - Provide adequate training and guidance for risk management roles and responsibilities, and ensure that risk management skills and competencies are developed and maintained.
  - Implement a robust and consistent risk management framework, methodology, and tools that support the risk management process and enable continuous improvement and learning.
  - Enhance the quality and reliability of risk information and reporting, and ensure that risk management performance and outcomes are measured and evaluated [3].

References =
Risk Maturity Model - Wikipedia
Risk Maturity Model - ISACA
Risk Maturity Model - IRM



Which of the following management actions will MOST likely change the likelihood rating of a risk scenario related to remote network access?

  1. Updating the organizational policy for remote access
  2. Creating metrics to track remote connections
  3. Implementing multi-factor authentication
  4. Updating remote desktop software

Answer(s): C

Explanation:

The management action that will most likely change the likelihood rating of a risk scenario related to remote network access is implementing multi-factor authentication. Multi-factor authentication is a technique that requires the user to provide two or more pieces of evidence to verify their identity, such as a password, a token, or a biometric factor. Multi-factor authentication can help to reduce the likelihood of unauthorized or malicious access to the remote network, as it adds an extra layer of security and makes it harder for attackers to compromise the user credentials. The other options are not as likely to change the likelihood rating of the risk scenario, as they are related to the update, creation, or maintenance of the remote network access, not the verification or protection of the remote network access.

References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.



Which of the following would be of GREATEST concern regarding an organization's asset management?

  1. Lack of a mature records management program
  2. Lack of a dedicated asset management team
  3. Decentralized asset lists
  4. Incomplete asset inventory

Answer(s): D

Explanation:

Asset management is the process of identifying, tracking, and maintaining the physical and information assets of an organization. Asset management helps to optimize the value, performance, and security of the assets, and support the business objectives and strategies.

The factor that would be of greatest concern regarding an organization's asset management is an incomplete asset inventory, which is a list of all the assets that the organization owns or uses. An incomplete asset inventory may indicate that the organization does not have a clear and accurate understanding of its assets, their location, ownership, value, dependencies, etc. This may lead to various risks, such as asset loss, theft, misuse, damage, underutilization, overutilization, etc. An incomplete asset inventory may also affect the asset classification, protection, recovery, and disposal processes. References = 6



Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?

  1. Align business objectives with risk appetite.
  2. Enable risk-based decision making.
  3. Design and implement risk response action plans.
  4. Update risk responses in the risk register.

Answer(s): B

Explanation:

According to the CRISC Review Manual, the primary purpose of periodically reviewing an organization's risk profile is to enable risk-based decision making, because it helps to ensure that the risk information is current, relevant, and accurate. The risk profile is a snapshot of the organization's risk exposure at a given point in time, based on the risk identification, analysis, and evaluation processes. Periodically reviewing the risk profile allows the organization to monitor the changes in the risk environment, the effectiveness of the risk responses, and the impact of the risk events. This enables the organization to make informed decisions about the risk management strategies and priorities. The other options are not the primary purpose of periodically reviewing the risk profile, as they are related to other aspects of the risk management process. Aligning business objectives with risk appetite is the purpose of establishing the risk context, which defines the scope and boundaries of the risk management activities. Designing and implementing risk response action plans is the purpose of the risk response process, which involves selecting and executing the appropriate risk responses. Updating risk responses in the risk register is the outcome of the risk monitoring and reporting process, which involves tracking the risk performance and communicating the risk information to the stakeholders.

References = CRISC Review Manual, 7th Edition, Chapter 2, Section 2.2.4, page 86.


