Free ISACA CRISC Exam Questions (page: 42)

Real-time monitoring of security cameras implemented within a retail store is an example of which type of control?

  1. Preventive
  2. Deterrent
  3. Compensating
  4. Detective

Answer(s): D

Explanation:

Real-time monitoring is a detective control, as it is designed to identify and report suspicious or unauthorized activities as they occur. Detective controls provide feedback to mitigate ongoing risks and serve as an integral part of incident response plans.



Which of the following is the BEST way to mitigate the risk to IT infrastructure availability?

  1. Establishing a disaster recovery plan (DRP)
  2. Establishing recovery time objectives (RTOs)
  3. Maintaining a current list of staff contact details
  4. Maintaining a risk register

Answer(s): A

Explanation:

The best way to mitigate the risk to IT infrastructure availability is to establish a disaster recovery plan (DRP), because a DRP is a document that defines the procedures and resources needed to restore the IT infrastructure and resume the critical business functions in the event of a disaster or disruption. A DRP helps to minimize the downtime, data loss, and financial impact of a disaster, and ensures the continuity of operations and services. The other options are not the best ways to mitigate the risk to IT infrastructure availability, although they may also be helpful in supporting the DRP. Establishing recovery time objectives (RTOs), maintaining a current list of staff contact details, and maintaining a risk register are examples of planning or monitoring activities that aim to define the requirements, roles, and responsibilities for the disaster recovery process, but they do not address the actual implementation or execution of the DRP. References = CRISC: Certified in Risk & Information Systems Control Sample Questions



Which of the following is the BEST key control indicator (KCI) for measuring the security of a blockchain network?

  1. Number of active nodes
  2. Blockchain size in gigabytes
  3. Average transaction speed
  4. Number of validated transactions

Answer(s): D

Explanation:

The number of validated transactions is a critical indicator of a blockchain network's security. It reflects the network's ability to accurately and securely process transactions, ensuring data integrity and trustworthiness. A higher number of validated transactions indicates robust consensus mechanisms and effective security controls within the blockchain infrastructure.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 4: Information Technology and Security, Section: Key Control Indicators.



A migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing.
Which part of the risk register should be updated FIRST?

  1. Payroll system risk factors
  2. Payroll system risk mitigation plans
  3. Payroll process owner
  4. Payroll administrative controls

Answer(s): B

Explanation:

Payroll system risk mitigation plans are the actions that are taken to reduce or eliminate the risk associated with payroll processing.
When a migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing, the first part of the risk register that should be updated is the payroll system risk mitigation plans. This is because the migration may introduce new risks or change the existing risks, and the risk mitigation plans may need to be revised or replaced accordingly. Updating the payroll system risk mitigation plans can help ensure that the risk level is acceptable and the payroll process is secure and reliable. According to the CRISC Review Manual 2022, one of the key risk treatment techniques is to update the risk action plan, which is a document that outlines the risk mitigation plans [1]. According to the CRISC Review Questions, Answers & Explanations Manual 2022, updating the risk mitigation plans is the correct answer to this question [2].
Payroll system risk factors, payroll process owner, and payroll administrative controls are not the first part of the risk register that should be updated when a migration is affecting a key risk scenario. Payroll system risk factors are the sources or causes of risk, such as threats, vulnerabilities, or uncertainties. Payroll process owner is the person who is responsible for the payroll process and its outcomes. Payroll administrative controls are the policies, procedures, or guidelines that govern the payroll process. These parts of the risk register may also need to be updated, but they are not as urgent or critical as the risk mitigation plans. Updating the risk factors, process owner, and administrative controls can help identify, assess, and monitor the risk, but they do not directly address the risk response. The risk response is the most important part of the risk management process, as it determines how the risk is handled and controlled.



A MAJOR advantage of using key risk indicators (KRIs) is that they:

  1. Identify scenarios that exceed defined risk appetite.
  2. Help with internal control assessments concerning risk appetite.
  3. Assess risk scenarios that exceed defined thresholds.
  4. Identify when risk exceeds defined thresholds.

Answer(s): D

Explanation:

KRIs provide measurable indicators that flag when risks exceed predefined thresholds, enabling swift and effective risk response. This supports the Monitoring and Reporting function in risk management, ensuring risks are managed proactively.



The BEST use of key risk indicators (KRIs) is to provide:

  1. Early indication of increasing exposure to a specific risk.
  2. Lagging indication of major information security incidents.
  3. Early indication of changes to required risk response.
  4. Insight into the performance of a monitored process.

Answer(s): A

Explanation:

Key risk indicators are designed to provide early warnings about increasing risk exposure, enabling timely risk mitigation efforts. This supports proactive risk management, as outlined in the Risk Monitoring and Reporting domain of CRISC.



Deviation from a mitigation action plan's completion date should be determined by which of the following?

  1. Change management as determined by a change control board
  2. Benchmarking analysis with similar completed projects
  3. Project governance criteria as determined by the project office
  4. The risk owner as determined by risk management processes

Answer(s): D

Explanation:

Deviation from a mitigation action plan's completion date should be determined by the risk owner as determined by risk management processes, because the risk owner is the person or entity who has the accountability and authority to manage the risk and its associated mitigation actions. The risk owner should monitor and report the progress and status of the mitigation action plan, and determine if there is any deviation from the expected completion date, based on the risk management processes and criteria. The other options are not the ones who should determine the deviation, because:
Option A: Change management as determined by a change control board is a process that ensures that any changes to the project scope, schedule, cost, or quality are controlled and approved, but it does not determine the deviation from the mitigation action plan's completion date, which is a risk management activity. Option B: Benchmarking analysis with similar completed projects is a technique that compares the performance and practices of the current project with those of similar or successful projects, but it does not determine the deviation from the mitigation action plan's completion date, which is a risk management activity. Option C: Project governance criteria as determined by the project office is a set of rules and standards that define the roles, responsibilities, and authority of the project stakeholders, but it does not determine the deviation from the mitigation action plan's completion date, which is a risk management activity. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 122.



Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

  1. Identify information security controls in the requirements analysis
  2. Identify key risk indicators (KRIs) as process output.
  3. Design key performance indicators (KPIs) for security in system specifications.
  4. Include information security control specifications in business cases.

Answer(s): A

Explanation:

Information security risk factors are the sources of uncertainty that may affect the confidentiality, integrity, or availability of information assets within an organization. Information security risk factors can include threats, vulnerabilities, or impacts that may compromise the security of information assets. Information security risk factors should be mitigated when developing in-house applications, which are software applications that are designed, developed, and maintained by the organization itself, rather than by external vendors or providers. Mitigating information security risk factors when developing in-house applications can help prevent or reduce the occurrence or consequences of security incidents, such as data breaches, cyberattacks, unauthorized access, or data loss.

The best way to ensure that information security risk factors are mitigated when developing in-house applications is to identify information security controls in the requirements analysis. The requirements analysis is the stage of the system development life cycle (SDLC) where the business needs and expectations of the application are defined and documented. The requirements analysis should include the functional and non-functional requirements of the application, such as the features, functions, performance, quality, reliability, and security of the application. Identifying information security controls in the requirements analysis can help ensure that the security requirements of the application are clearly specified and agreed upon by the stakeholders, and that they are aligned with the organization's security policies, standards, and regulations. Identifying information security controls in the requirements analysis can also help ensure that the security requirements are integrated into the design, development, testing, and deployment of the application, and that they are verified and validated throughout the SDLC. Identifying information security controls in the requirements analysis can also help ensure that the security requirements are traceable, measurable, and manageable, and that they can be monitored and reviewed for effectiveness and efficiency. References = THE SYSTEM DEVELOPMENT LIFE CYCLE (SDLC), p. 2-3; System Development Life Cycle - GeeksforGeeks; 7.3: Systems Development Life Cycle - Engineering LibreTexts; What Is SDLC? 7 Phases of System Development Life Cycle - Intetics.


