Free ISACA CRISC Exam Questions (page: 39)

Which of the following BEST supports the integration of IT risk management into an organization's strategic planning?

  A. Clearly defined organizational goals and objectives
  B. Incentive plans that reward employees based on IT risk metrics
  C. Regular organization-wide risk awareness training
  D. A comprehensive and documented IT risk management plan

Answer(s): D

Explanation:

A comprehensive and documented IT risk management plan provides a structured approach to identifying, assessing, and mitigating IT risks. Integrating this plan into the organization's strategic planning ensures that IT risk considerations are aligned with business objectives and are factored into decision-making processes at the strategic level.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 1: Governance, Section: Risk Management Strategy.



A recently purchased IT application does not meet project requirements. Of the following, who is accountable for the potential impact?

  A. Business analyst
  B. Project sponsor
  C. IT project team
  D. IT project management office (PMO)

Answer(s): B



The PRIMARY purpose of IT control status reporting is to:

  A. ensure compliance with IT governance strategy.
  B. assist internal audit in evaluating and initiating remediation efforts.
  C. benchmark IT controls with industry standards.
  D. facilitate the comparison of the current and desired states.

Answer(s): D

Explanation:

IT control status reporting is the process of collecting and analyzing data about the effectiveness and efficiency of IT controls. IT controls are the policies, procedures, and practices that ensure the confidentiality, integrity, and availability of IT resources and information. IT control status reporting helps to monitor the performance of IT controls against the predefined objectives and criteria, and to identify any gaps or issues that need to be addressed. IT control status reporting also provides information to the stakeholders about the current status and progress of IT control implementation and improvement. The primary purpose of IT control status reporting is to facilitate the comparison of the current and desired states of IT controls. This means that IT control status reporting helps to evaluate the gap between the actual and expected performance of IT controls, and to determine the actions and resources needed to close the gap. IT control status reporting also helps to align the IT controls with the business goals and strategies, and to ensure that the IT controls are delivering value to the organization. By comparing the current and desired states of IT controls, IT control status reporting enables continuous improvement and optimization of IT control processes and outcomes.
The other options are not the primary purpose of IT control status reporting, but rather some of the benefits or outcomes of it. IT control status reporting can help to ensure compliance with IT governance strategy, but it is not the main reason for doing it. IT governance is the framework that defines the roles, responsibilities, and relationships among the stakeholders involved in IT decision making and oversight. IT control status reporting can support IT governance by providing relevant and reliable information to the stakeholders, and by demonstrating the accountability and transparency of IT control activities. However, IT control status reporting is not the same as IT governance, and it is not the only way to ensure compliance with IT governance strategy.
IT control status reporting can also assist internal audit in evaluating and initiating remediation efforts, but it is not the main objective of it. Internal audit is an independent and objective assurance and consulting activity that evaluates the adequacy and effectiveness of IT controls, and provides recommendations for improvement. IT control status reporting can provide input and evidence to the internal audit process, and help to identify the areas of IT control that need further review or testing. IT control status reporting can also help to monitor and track the implementation of the audit findings and recommendations, and to verify the results of the remediation efforts. However, IT control status reporting is not the same as internal audit, and it is not the only source of information for internal audit. Finally, IT control status reporting can benchmark IT controls with industry standards, but it is not the main goal of it. Industry standards are the best practices or guidelines that define the minimum requirements or expectations for IT control performance and quality. IT control status reporting can help to compare the IT controls with the industry standards, and to identify the areas of IT control that need to be enhanced or updated. IT control status reporting can also help to demonstrate the compliance or conformance of IT controls with the industry standards, and to provide assurance to the external parties or regulators. However, IT control status reporting is not the same as industry standards, and it is not the only way to benchmark IT controls.
References = Service Reporting in ITIL: Process, Objectives and Examples (KnowledgeHut); Anatomy of an Effective Status Report (Project Management Institute); How to Create a Project Status Report [Template & Examples]; Communicating Document Control Progress on a Project; CRISC Review Manual, 7th Edition.



Which of the following issues found during the review of a newly created disaster recovery plan (DRP) should be of MOST concern?

  A. Some critical business applications are not included in the plan
  B. Several recovery activities will be outsourced
  C. The plan is not based on an internationally recognized framework
  D. The chief information security officer (CISO) has not approved the plan

Answer(s): A

Explanation:

The most concerning issue found during the review of a newly created disaster recovery plan (DRP) is that some critical business applications are not included in the plan. This means that the DRP is incomplete and does not cover all the essential IT systems and services that support the business continuity. This could result in significant losses and damages in the event of a disaster. The other issues are not as critical, as they can be addressed by ensuring proper contracts, standards, and approvals are in place for the outsourced activities, the framework, and the CISO. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Response, Section 3.3: IT Risk Response Implementation, page 145.



Who should be accountable for monitoring the control environment to ensure controls are effective?

  A. Risk owner
  B. Security monitoring operations
  C. Impacted data owner
  D. System owner

Answer(s): A

Explanation:

The risk owner is the person or entity that has the accountability and authority to manage a risk. The risk owner should be accountable for monitoring the control environment to ensure controls are effective, as they are responsible for implementing, maintaining, and improving the risk controls, and for reporting and communicating the risk status and performance. The risk owner should also ensure that the controls are aligned with the risk appetite and tolerance of the enterprise, and that they support the achievement of the enterprise's objectives and value creation. References = Most Asked CRISC Exam Questions and Answers; CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 244.



In response to the threat of ransomware, an organization has implemented cybersecurity awareness activities. The risk practitioner's BEST recommendation to further reduce the impact of ransomware attacks would be to implement:

  A. two-factor authentication.
  B. continuous data backup controls.
  C. encryption for data at rest.
  D. encryption for data in motion.

Answer(s): B

Explanation:

Continuous data backup controls are the best recommendation to further reduce the impact of ransomware attacks, as they enable the organization to restore the data that has been encrypted or deleted by the ransomware without paying the ransom or losing the data. Continuous data backup controls ensure that the data is regularly and automatically backed up to a secure and separate location, and that the backup data is tested and verified for integrity and availability. Two-factor authentication, encryption for data at rest, and encryption for data in motion are not the best recommendations to further reduce the impact of ransomware attacks, as they do not address the recovery of the data that has been compromised by the ransomware. These controls may help to prevent or mitigate ransomware attacks, but not to reduce their impact. References = CRISC by Isaca Actual Free Exam Q&As, question 207; CRISC: Certified in Risk & Information Systems Control Sample Questions, question 207.



A change management process has recently been updated with new testing procedures.
What is the NEXT course of action?

  A. Monitor processes to ensure recent updates are being followed.
  B. Communicate to those who test and promote changes.
  C. Conduct a cost-benefit analysis to justify the cost of the control.
  D. Assess the maturity of the change management process.

Answer(s): B

Explanation:

A change management process is a set of procedures and activities that ensure that any changes to the IT systems or applications are planned, approved, tested, implemented, and documented in a consistent and controlled manner.
A change management process has recently been updated with new testing procedures. This means that the process has been improved or modified to include new or additional steps or methods for verifying and validating the changes before they are deployed to the production environment.
The next course of action after updating the change management process with new testing procedures is to communicate to those who test and promote changes. This means that the change management team or function should inform and educate the people who are involved or affected by the changes, such as the developers, testers, users, customers, etc., about the new testing procedures, their purpose, benefits, requirements, and expectations. Communicating to those who test and promote changes helps to ensure that the new testing procedures are understood and followed by all the parties, that the changes are tested and promoted in accordance with the process standards and criteria, and that the changes are delivered with the expected quality and performance. The other options are not the next courses of action after updating the change management process with new testing procedures. They are either secondary or not essential for change management.
The references for this answer are:
Risk IT Framework, page 27
Information Technology & Security, page 21
Risk Scenarios Starter Pack, page 19



An organization's control environment is MOST effective when:

  A. controls perform as intended.
  B. controls operate efficiently.
  C. controls are implemented consistently.
  D. control designs are reviewed periodically.

Answer(s): A

Explanation:

The control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The control environment is most effective when the controls perform as intended, meaning that they achieve their objectives, mitigate the risks, and comply with the policies and regulations. The other options are desirable attributes of the controls, but they do not necessarily indicate the effectiveness of the control environment. References = Risk and Information Systems Control Study Manual, Chapter 2: IT Risk Assessment, Section 2.3: IT Control Assessment, page 69.


