Free ISACA CRISC Exam Questions (page: 46)

A risk practitioner has collaborated with subject matter experts from the IT department to develop a large list of potential key risk indicators (KRIs) for all IT operations within the organization. Which of the following should review the completed list and select the appropriate KRIs for implementation?

  1. IT security managers
  2. IT control owners
  3. IT auditors
  4. IT risk owners

Answer(s): D

Explanation:

IT risk owners are the most appropriate people to review the completed list of potential key risk indicators (KRIs) and select the ones that should be implemented. IT risk owners are the individuals who have the authority and accountability to manage the IT risks within their scope of responsibility. They are also responsible for defining the risk appetite, tolerance, and thresholds for their IT operations, and for ensuring that the KRIs are aligned with the business objectives and risk management strategy. IT security managers, IT control owners, and IT auditors are also involved in the risk management process, but they do not have the same level of authority and accountability as IT risk owners, and they may have different perspectives and priorities on the selection of KRIs. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.3.1, page 1-13.



Which of the following is the PRIMARY objective of a risk awareness program?

  1. To demonstrate senior management support
  2. To enhance organizational risk culture
  3. To increase awareness of risk mitigation controls
  4. To clearly define ownership of risk

Answer(s): B

Explanation:

A risk awareness program is a set of activities and communication methods that aim to increase the understanding and knowledge of risk among the stakeholders of an organization. The primary objective of a risk awareness program is to enhance the organizational risk culture, which is the shared values, beliefs, and attitudes that influence how risk is perceived and managed in the organization. A risk awareness program can help to promote a risk-aware culture by:
· Educating stakeholders on the concepts and benefits of risk management
· Aligning risk management with the organization's vision, mission, and objectives
· Encouraging stakeholder participation and collaboration in risk management processes
· Fostering a positive attitude towards risk taking and learning from failures
· Reinforcing risk management roles and responsibilities
· Recognizing and rewarding good risk management practices


Reference:

The answer is based on the following sources:
· CRISC Review Manual, 7th Edition, Chapter 2: IT Risk Assessment, page 78
· Developing Collective Risk Leadership Through CRISC



An organization has recently been experiencing frequent data corruption incidents. Implementing a file corruption detection tool as a risk response strategy will help to:

  1. reduce the likelihood of future events
  2. restore availability
  3. reduce the impact of future events
  4. address the root cause

Answer(s): C

Explanation:

Implementing a file corruption detection tool as a risk response strategy will help to reduce the impact of future events, as it will enable the organization to identify and correct the corrupted files before they cause further damage or loss. A file corruption detection tool is software that scans and verifies the integrity and validity of files, and alerts the users or administrators to any anomalies or errors. This helps to minimize the disruption and downtime caused by data corruption incidents, and to preserve the quality and reliability of the data. Implementing a file corruption detection tool will not reduce the likelihood of future events, as it does not prevent or mitigate the causes or sources of the data corruption incidents. It will not restore availability, as it does not recover or restore the corrupted files, but only detects them. It will not address the root cause, as it does not analyze or eliminate the underlying factors that lead to the data corruption incidents. References = CRISC Certified in Risk and Information Systems Control, Question 215; ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 215.
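The following is an added example, not code from ISACA or from the question source, showing the detective nature of such a tool in working form: it records a SHA-256 baseline of a directory tree, then reports files whose hash changed, files that disappeared, and files that appeared. The sample files, the byte flip that simulates silent corruption, and all function names are constructed for illustration. Note what the tool does not do: it never rewrites a file (so it does not restore availability) and it says nothing about why the byte changed (so it does not address the root cause).

```python
"""Minimal file-corruption detection tool: hash baseline plus verification.

Added example (not from the CRISC manual or the question source). The tool is a
detective control: it surfaces corruption early, which limits impact, but it
neither prevents the corruption nor repairs the affected files.
"""
import hashlib
import os
import tempfile


def _sha256(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record the SHA-256 of every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _sha256(full)
    return baseline


def verify(root: str, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline.

    Returns {'corrupted': [...], 'missing': [...], 'unexpected': [...]}.
    Detection only: nothing is restored and no cause is identified.
    """
    current = build_baseline(root)
    corrupted = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {"corrupted": corrupted, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: baseline three files, then corrupt one, delete one, add one."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files (not real data).
        files = {
            "ledger.csv": b"id,amount\n1,100\n",
            "notes.txt": b"ok\n",
            os.path.join("sub", "cfg.ini"): b"[a]\nk=v\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Simulate silent corruption: flip one byte in place, file length unchanged,
        # so a size or timestamp check alone would not catch it.
        ledger = os.path.join(root, "ledger.csv")
        with open(ledger, "r+b") as f:
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0xFF]))
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "extra.log"), "wb") as f:
            f.write(b"new\n")

        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored outside the monitored tree (ideally signed, so that whoever corrupts the data cannot also rewrite the manifest), and the verification would run on a schedule or on file-change events and feed an alerting channel; restoring a flagged file is a separate corrective step that this tool deliberately leaves to backups.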



Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?

  1. A change in the risk management policy
  2. A major security incident
  3. A change in the regulatory environment
  4. An increase in intrusion attempts

Answer(s): C

Explanation:

The most likely cause for a risk practitioner to reassess risk scenarios is a change in the regulatory environment. A regulatory environment is the set of laws, rules, and standards that apply to an organization and its activities, such as data privacy, security, compliance, or governance. A change in the regulatory environment can occur due to various factors, such as new legislation, court rulings, enforcement actions, or industry trends. A change in the regulatory environment can affect the risk scenarios that the organization faces, as it may introduce new or modified risks, or alter the probability or impact of existing risks. For example, a new regulation may require the organization to implement additional or different controls, or to report or disclose more information, which may increase the cost, complexity, or vulnerability of the organization's processes and systems. A change in the regulatory environment may also affect the risk appetite, tolerance, and capacity of the organization, as it may impose different requirements or expectations for the organization's risk management performance and outcomes. Therefore, a risk practitioner should reassess the risk scenarios when there is a change in the regulatory environment, to ensure that the risk scenarios are accurate, complete, and relevant, and that the risk response strategies and plans are appropriate, effective, and compliant.

The other options are not the most likely cause, although they may be related or influential to the risk scenarios. A change in the risk management policy is a change in the rules and guidelines that define how the organization manages its risks, such as the roles and responsibilities, the processes and procedures, the tools and techniques, or the reporting and communication. A change in the risk management policy can affect the risk scenarios, as it may change the way the organization identifies, analyzes, evaluates, and responds to the risks, but it does not directly create or modify the risks themselves. A major security incident is an event or situation that compromises the confidentiality, integrity, or availability of the organization's information or systems, such as a data breach, a denial-of-service attack, or a ransomware infection. A major security incident can affect the risk scenarios, as it may indicate or reveal the existence or severity of the risks, or trigger or escalate the consequences of the risks, but it is not a cause; rather, it is an effect of the risks. An increase in intrusion attempts is an increase in the frequency or intensity of unauthorized or malicious attempts to access or exploit the organization's information or systems, such as phishing, malware, or brute-force attacks. An increase in intrusion attempts can affect the risk scenarios, as it may increase the likelihood or impact of the risks, or expose or exacerbate the vulnerabilities of the organization's processes and systems, but it is not a cause; rather, it is a manifestation of the risks. References = Risk Scenarios Toolkit - ISACA, How to Write Strong Risk Scenarios and Statements - ISACA, The Impact of Regulatory Change on Business - Deloitte



Which of the following is the PRIMARY reason that risk management is important in project management?

  1. It helps identify and mitigate potential issues that could derail projects.
  2. It helps to ensure project acceptance by end users.
  3. It reduces the risk associated with potential project scope creep.
  4. It facilitates agreement and collaboration on project goals among stakeholders.

Answer(s): A

Explanation:

Risk management in project management is crucial for identifying and mitigating potential issues that could jeopardize project success. By proactively addressing risks, project managers can ensure that projects are completed on time, within budget, and meet quality standards.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 1: Governance, Section:
Risk Management in Project Management.



An organization has detected unauthorized logins to its client database servers.
Which of the following should be of GREATEST concern?

  1. Potential increase in regulatory scrutiny
  2. Potential system downtime
  3. Potential theft of personal information
  4. Potential legal risk

Answer(s): C

Explanation:

Potential theft of personal information should be of greatest concern for an organization that has detected unauthorized logins to its client database servers, as it poses a serious threat to the confidentiality, integrity, and availability of the client data and to the reputation and trust of the organization. Potential theft of personal information is a scenario that involves the unauthorized access, disclosure, or use of the client data by malicious actors, such as hackers, competitors, or insiders. Potential theft of personal information can have significant impacts and consequences for the organization and its clients, such as:
· It can compromise the privacy and security of the client data, and expose the clients to identity theft, fraud, or blackmail.
· It can violate the legal and regulatory obligations and requirements of the organization, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS), and result in fines, penalties, or lawsuits.
· It can damage the reputation and credibility of the organization, erode the confidence and loyalty of the clients, and lead to loss of business or market share.
The other options are not the greatest concerns for an organization that has detected unauthorized logins to its client database servers. Potential increase in regulatory scrutiny is a possible consequence of the unauthorized logins, as it may trigger audits, investigations, or sanctions by the relevant authorities, but it is not the most critical or immediate concern. Potential system downtime is a possible consequence of the unauthorized logins, as it may disrupt or degrade the performance or availability of the database servers or the applications that depend on them, but it is not the most severe or lasting concern. Potential legal risk is a possible consequence of the unauthorized logins, as it may expose the organization to litigation or liability claims by the affected clients or parties, but it is not the most direct or urgent concern. References = Data Breach Response: A Guide for Business - Federal Trade Commission, IT Risk Resources | ISACA, How to Prevent Unauthorized Access to Your Database - ScaleGrid



The MAIN purpose of having a documented risk profile is to:

  1. comply with external and internal requirements.
  2. enable well-informed decision making.
  3. prioritize investment projects.
  4. keep the risk register up-to-date.

Answer(s): B

Explanation:

According to the Risk Management Essentials, a risk profile is established to enhance senior management's analysis and decision making related to priority setting and resource allocation. A risk profile is a description of a set of risks that an organization faces, and it helps to make the risks visible and understandable. By having a documented risk profile, an organization can identify the nature and level of the threats, assess the likelihood and impact of the risks, evaluate the effectiveness of the controls, and determine the risk appetite and tolerance. This information can help the organization to make well-informed decisions on how to manage the risks and achieve its objectives. References = Risk Management Essentials, Risk Profile: Definition, Importance for Individuals & Companies



While reviewing the risk register, a risk practitioner notices that different business units have significant variances in inherent risk for the same risk scenario.
Which of the following is the BEST course of action?

  1. Update the risk register with the average of residual risk for both business units.
  2. Review the assumptions of both risk scenarios to determine whether the variance is reasonable.
  3. Update the risk register to ensure both risk scenarios have the highest residual risk.
  4. Request that both business units conduct another review of the risk.

Answer(s): B

Explanation:

The risk register is a document that records the identified risks, their analysis, and their responses. It is a useful tool for monitoring and controlling the risks throughout their lifecycle. However, the risk register is not a static document, and it should be updated regularly to reflect changes in the risk environment and in the status of the activities it covers. Therefore, when reviewing the risk register, a risk practitioner should look not only at the risk ratings, but also at the assumptions and the rationale behind them. Different business units may have different perspectives, contexts, and data sources for the same risk scenario, which can result in significant variances in inherent risk. Inherent risk is the risk level before considering the existing controls or responses. Therefore, the best course of action is to review the assumptions of both risk scenarios to determine whether the variance is reasonable. This can help to identify any errors, inconsistencies, or biases in the risk assessment process, and to ensure that the risk register reflects the current and accurate state of the risks. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.1, p. 106-107





